Firewall Wizards mailing list archives
Re: How automate firewall tests
From: Tim Shea <tim () tshea net>
Date: Mon, 21 Aug 2006 00:13:22 -0500
And you can equally argue that proxies were never good to begin with. Really - the majority of applications out there have no real layer 7 level proxy, so you have to tackle the problem from other directions. And the off-the-shelf proxies (smtp, dns, http, etc) don't offer much value since these applications have been tested to death or the application isn't anymore "protected". What is the point of recommending a solution that doesn't exist? I am a fan of proxies, but the reality is the firewall - whether it be proxy or other - is only a small part of the equation.

t.s

On Aug 20, 2006, at 10:35 PM, Marcus J. Ranum wrote:
> Isaac Van Name wrote:
>> You have referred to packet-based firewalls as being outdated.
>
> I'm not sure if they're "outdated" as much as "never were particularly
> good to begin with." Remember: popularity is not a reliable gauge of
> quality. The fact that most of the firewalls that are fielded today are
> packet-based (with a smidgeon of state-tracking thrown in) should concern
> anyone, when the vast majority of attacks currently being fielded are
> above the packet layer.
>
> If you want to look at things from my (admittedly weird) perspective,
> the current fondness for "patch your software constantly" is proof
> positive that packet-based firewalls don't (and never did) work except
> for at a very gross level.
>
> The architecture of a "good firewall" would be some kind of layer-7
> processor that did application protocol correctness verification and
> minimization, as well as some content analysis and filtering. Of course
> it'd have to do it extremely fast, or nobody'd want it. Which is why it
> doesn't exist. To get that much layer-7 processing done at high speeds
> you'd need silicon, and since silicon isn't particularly mutable (not the
> fast kind, anyhow) you'd be constantly bumping against application
> incompatibilities and that wouldn't sit well.
>
> I guess what I'm saying is "hardly anyone actually WANTS a good firewall."
>
> mjr.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
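To make the "application protocol correctness verification and minimization" that Marcus describes concrete, here is an added example (written for this archive page; it is not code from any poster, product or the list) of what a layer-7 SMTP front end does that a port-25 packet filter cannot. It keeps an RFC 5321 command state machine, admits only a small whitelisted command set with strictly checked arguments (verification), and drops everything else, including legitimate-but-unneeded commands such as VRFY and EXPN (minimization). The command set, argument patterns, 512-byte line limit and the sample client session are all my choices for illustration, not a spec for any real proxy.

```python
"""Toy layer-7 SMTP command verifier/minimizer (added example, not from the thread).

A stateless packet filter that allows TCP/25 would forward every line of the
constructed SAMPLE_SESSION below; this checker forwards only the ones that are
well-formed, whitelisted and legal in the current protocol state.
"""
import re

MAX_LINE = 512  # RFC 5321 4.5.3.1.6 command line limit, CRLF included (my choice to enforce)

# verb -> (argument pattern, states in which the verb is legal, next state)
# Anything not listed (VRFY, EXPN, ETRN, AUTH, TURN, ...) is dropped: minimization.
# Argument patterns are deliberately strict; e.g. "MAIL FROM: <x>" with a space
# is rejected even though many servers tolerate it.
COMMANDS = {
    "EHLO": (r"[A-Za-z0-9.\-\[\]:]{1,255}", {"start", "greeted"}, "greeted"),
    "HELO": (r"[A-Za-z0-9.\-]{1,255}", {"start", "greeted"}, "greeted"),
    "MAIL": (r"FROM:<[^<>\s]{0,254}>", {"greeted"}, "mail"),
    "RCPT": (r"TO:<[^<>\s]{1,254}>", {"mail", "rcpt"}, "rcpt"),
    "DATA": (r"", {"rcpt"}, "data"),
    "RSET": (r"", {"greeted", "mail", "rcpt"}, "greeted"),
    "NOOP": (r"", {"start", "greeted", "mail", "rcpt"}, None),  # None: state unchanged
    "QUIT": (r"", {"start", "greeted", "mail", "rcpt"}, "closed"),
}


def check_command(line: str, state: str):
    """Verify one client command line against the whitelist and state machine.

    Returns (verdict, next_state, reason) with verdict 'forward' or 'reject'.
    On reject the state is left unchanged, as a proxy would do after sending 5xx.
    """
    if len(line) + 2 > MAX_LINE:  # +2 for the CRLF the caller stripped
        return "reject", state, "line too long"
    if not line.isascii() or not line.isprintable():
        return "reject", state, "non-printable or non-ASCII byte"
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    spec = COMMANDS.get(verb)
    if spec is None:
        return "reject", state, "command not in allowed set"
    pattern, legal_states, next_state = spec
    if state not in legal_states:
        return "reject", state, f"{verb} not legal in state {state}"
    if re.fullmatch(pattern, arg, re.IGNORECASE) is None:
        return "reject", state, f"malformed {verb} argument"
    return "forward", (next_state or state), ""


def filter_session(lines):
    """Run a client's command stream through check_command.

    Returns (forwarded, rejected): the lines that would reach the real server
    and the (line, reason) pairs that would not. Stops at DATA, where the
    message body would be handed to a separate content filter.
    """
    state = "start"
    forwarded, rejected = [], []
    for line in lines:
        verdict, state, reason = check_command(line, state)
        if verdict == "forward":
            forwarded.append(line)
        else:
            rejected.append((line, reason))
        if state in ("data", "closed"):
            break
    return forwarded, rejected


# Constructed client session for the example; not captured traffic.
SAMPLE_SESSION = [
    "MAIL FROM:<eve@example.org>",               # before any EHLO: wrong state
    "EHLO mail.example.net",
    "VRFY root",                                 # valid SMTP, but not in the allowed set
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.com>",
    "RCPT TO:<" + "A" * 600 + "@example.com>",   # over the line limit
    "RCPT TO:<carol@example.com>",
    "DATA",
]

if __name__ == "__main__":
    fwd, rej = filter_session(SAMPLE_SESSION)
    for line in fwd:
        print("FORWARD", line)
    for line, why in rej:
        print("REJECT ", line[:40], "->", why)
```

The point of the exercise is the contrast: every line in the session is a syntactically plausible TCP segment to port 25, so the decision to drop three of them is made entirely from protocol state and command grammar, which is exactly the layer-7 work a packet filter never sees.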
Current thread:
- How automate firewall tests Strabla Ruggero (Aug 17)
- Re: How automate firewall tests Marcus J. Ranum (Aug 17)
- Re: How automate firewall tests Durga Prasad (Aug 18)
- Re: How automate firewall tests Marcus J. Ranum (Aug 18)
- Re: How automate firewall tests Isaac Van Name (Aug 20)
- Re: How automate firewall tests Marcus J. Ranum (Aug 20)
- Re: How automate firewall tests Tim Shea (Aug 21)
- Re: How automate firewall tests Paul D. Robertson (Aug 21)
- Re: How automate firewall tests ArkanoiD (Aug 21)
- Re: How automate firewall tests Marcus J. Ranum (Aug 21)
- Re: How automate firewall tests Chris Blask (Aug 22)
- Re: How automate firewall tests Patrick M. Hausen (Aug 22)
- Re: How automate firewall tests Chris Blask (Aug 23)
- Re: How automate firewall tests Crispin Cowan (Aug 28)
- Re: How automate firewall tests Marcus J. Ranum (Aug 28)
- Re: How automate firewall tests Marcus J. Ranum (Aug 28)
- Re: How automate firewall tests Cat Okita (Aug 29)
- Re: How automate firewall tests Durga Prasad (Aug 18)
- Re: How automate firewall tests Marcus J. Ranum (Aug 17)