Firewall Wizards mailing list archives
Re: IPS vs. Firewalls (why vs. ?)
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 07 Feb 2006 14:42:09 -0500
Gabriele Buratti wrote:
Let's say our knowledgebase is the definition of the http protocol as it should be. So, if you find malformed http (= non compliant) you drop it. What if you find some instant messaging traffic (you don't want in your network) that is http compliant?
This is exactly what I meant about whether a device is internally designed around 'default permit' or 'default deny'. A device that is aimed toward default deny would know what totally vanilla HTTP looked like and would discard anything that was not exactly plain HTTP.

Protocol-over-protocol tunnelling is nothing new. But step back and ask yourself "why tunnel protocol over protocol"?? There is actually no real reason for tunnelling except to make it easier to bypass controls, right? After all, if we use SSL on port 443 for "https" and SSL on port 993 for "imap" etc., it's clear that we can use protocol layering without trying to violate policy... So, frankly, I feel that if I see instant messenger traffic on my HTTP service that I've caught someone with their hand in the cookie jar, so to speak. Time to cut it off...

Remember, a lot of these tunnelled protocols are billed as being "firewall friendly." In the same sense that a .50 BMG SLAP round is "skull friendly" - it's designed to zip right through whether you want it to or not, with virtually no performance degradation on the bullet's trajectory. Implicit in the very design of a tunnelled protocol is the idea that it is trying to violate policy. That, of course, makes it commercially attractive! For some reason, people _like_ firewalls that are more permeable to "firewall friendly" protocols, but they shy away from "skull friendly" bullets. I just can't figure it out.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
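The 'default permit' versus 'default deny' distinction in the message above, shown as an added example (this is not code from the posting or from any list member). Two filters are run over the same constructed HTTP requests: a signature filter that passes everything not matching a known tunnelled-IM pattern, and a strict filter that passes only what fits a narrow definition of plain browser HTTP (allowlisted methods, versions, header names and POST body types). The hostnames, the `X-IM-Session` / `X-Chat-Session` headers and the request bodies are all made up for the example; no real IM product is being described.

```python
"""Default-permit vs. default-deny validation of HTTP requests (added example)."""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
# Header names a plain browser request is expected to carry; anything else is rejected.
ALLOWED_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "connection", "referer", "cookie", "content-type", "content-length",
    "if-modified-since", "cache-control",
}
ALLOWED_POST_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (/[^ \x00-\x1f]*) (HTTP/1\.[01])$")
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC-style header-name token

# Constructed (hypothetical) signature of one IM-over-HTTP client.
IM_SIGNATURE = re.compile(rb"X-IM-Session:", re.IGNORECASE)


def parse_request(raw: bytes):
    """Return (method, target, version, headers, body), or None if not parseable."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):
            return None
        headers[name.lower()] = value.strip()
    return m.group(1), m.group(2), m.group(3), headers, body


def default_permit(raw: bytes) -> bool:
    """Default permit: pass everything unless it matches a known-bad signature."""
    return IM_SIGNATURE.search(raw) is None


def default_deny(raw: bytes) -> bool:
    """Default deny: pass only requests that look like totally vanilla HTTP."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, _target, version, headers, body = parsed
    if method not in ALLOWED_METHODS or version not in ALLOWED_VERSIONS:
        return False
    if version == "HTTP/1.1" and "host" not in headers:
        return False
    if any(name not in ALLOWED_HEADERS for name in headers):
        return False
    if method in ("GET", "HEAD"):
        return not body and "content-length" not in headers
    # POST: body must be an allowed form type with a matching declared length.
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in ALLOWED_POST_TYPES:
        return False
    try:
        return int(headers.get("content-length", "-1")) == len(body)
    except ValueError:
        return False


# Constructed sample traffic (hosts, headers and payloads are invented).
SAMPLES = {
    "plain_get": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n"),
    "form_post": (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 9\r\n\r\nuser=mjr1"),
    # Syntactically valid HTTP carrying an IM session: the known signature...
    "im_known": (b"POST /gateway HTTP/1.1\r\nHost: im.example.net\r\n"
                 b"X-IM-Session: 42\r\nContent-Type: application/octet-stream\r\n"
                 b"Content-Length: 4\r\n\r\n\x01\x02\x03\x04"),
    # ...and the same client after renaming its header to dodge the signature.
    "im_renamed": (b"POST /gateway HTTP/1.1\r\nHost: im.example.net\r\n"
                   b"X-Chat-Session: 42\r\nContent-Type: application/octet-stream\r\n"
                   b"Content-Length: 4\r\n\r\n\x01\x02\x03\x04"),
    # Control character in the request target: not HTTP at all.
    "malformed": b"GET /\rfoo HTTP/1.1\r\nHost: x\r\n\r\n",
}


def evaluate():
    """Map sample name -> (passes default_permit, passes default_deny)."""
    return {name: (default_permit(raw), default_deny(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (permit, deny) in evaluate().items():
        print(f"{name:<11} default-permit={'pass' if permit else 'DROP'}  "
              f"default-deny={'pass' if deny else 'DROP'}")
```

The renamed-header sample is the point: it is perfectly compliant HTTP and sails through the signature filter, while the strict filter drops it because an unknown header and an `application/octet-stream` POST body are simply not in its picture of plain HTTP. The price of that posture is also visible in the allowlists, which are deliberately narrow here; a real deployment would have to enumerate every header and content type its legitimate clients actually use, and anything left off the list gets dropped.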
Current thread:
- Re: Management vs. IT staff (was: Re: IPS vs. Firewalls), (continued)
- Re: Management vs. IT staff (was: Re: IPS vs. Firewalls) ArkanoiD (Feb 03)
- Re: IPS vs. Firewalls Kevin (Feb 02)
- RE: IPS vs. Firewalls Paul Melson (Feb 07)
- Re: IPS vs. Firewalls Gabriele Buratti (Feb 03)
- Message not available
- Re: IPS vs. Firewalls Marcus J. Ranum (Feb 02)
- Re: IPS vs. Firewalls (why vs. ?) Gabriele Buratti (Feb 03)
- Re: IPS vs. Firewalls (why vs. ?) Marcus J. Ranum (Feb 07)
- Re: IPS vs. Firewalls (why vs. ?) Dave Piscitello (Feb 07)
- Re: IPS vs. Firewalls (why vs. ?) Gabriele Buratti (Feb 07)
- Re: IPS vs. Firewalls (why vs. ?) Dave Piscitello (Feb 07)
- Re: IPS vs. Firewalls (why vs. ?) Marcus J. Ranum (Feb 07)
- Re: IPS vs. Firewalls (why vs. ?) Dave Piscitello (Feb 07)
- Re: IPS vs. Firewalls (why vs. ?) Marcus J. Ranum (Feb 07)
- Re: IPS vs. Firewalls (why vs. ?) Dave Piscitello (Feb 07)
- Re: IPS vs. Firewalls (why vs. ?) Richard Stiennon (Feb 08)
- Re: IPS vs. Firewalls (why vs. ?) Gabriele Buratti (Feb 08)
- Re: IPS vs. Firewalls (why vs. ?) Chris Byrd (Feb 08)
- RE: IPS vs. Firewalls (why vs. ?) Ben Nagy (Feb 07)
- Re: IPS vs. Firewalls (why vs. ?) Gabriele Buratti (Feb 08)
- Re: IPS vs. Firewalls Julian M D (Feb 03)