Firewall Wizards mailing list archives

Re: FW appliance comparison - Seeking input for the forum


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 18 Jan 2006 15:24:09 -0500

I wrote:
Anyhow, in firewalls, the design switched from conservative
default deny AT LAYER 7 to default permit. No longer did
your HTTP traffic have to look like HTTP - now it could look
like *anything* as long as it had a URL in front of it. Thus
the firewall became permeable to spyware, SOAP, trojans,
etc, etc.

A comment to my comment, which I forgot to make!!

Of course if the firewalls of the mid-late 1990s had constrained
the HTTP protocol's growth by only allowing a strictly controlled
format through, spyware and trojans would still happen. The
bad guys would be controlling their remote systems, or exporting
data by coding it into images or encoding it into URLs (let alone
SSL!) - so retarding protocol expansion is not a panacea, it's
always a temporary measure. The interesting thing, however, is
that it makes it a lot harder for the bad guys to get their data
through, and it makes it a lot easier to detect when they do.
For example, back in the early days of proxy firewalls for HTTP,
some proxies allowed you to do nice things like permit incoming
GIFs less than size X and incoming JPEGs less than size Y and
deny incoming .EXE, etc. Again, such properties can be used to
implement default deny, or default permit, depending on the IQ
of the administrator.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
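
The kind of layer-7 content policy Marcus describes ("permit inbound GIFs under size X, JPEGs under size Y, deny .EXE") as an added example; this is not code from the original post or from any product mentioned. It inspects the actual bytes of a response (magic numbers), not the URL suffix or Content-Type header, so a download has to *look like* what it claims to be, and the same rule table can be evaluated under a default-deny or a default-permit policy. The size limits, rule set and sample response bodies are all assumed here for illustration.

```python
"""
Added example: a minimal content policy for an HTTP proxy, evaluated either
default-deny or default-permit over the same rule table.  Sample bodies and
size caps are constructed for illustration, not taken from any real capture.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Magic-number sniffers: each returns True if the body starts like that type.
# The point is to classify by content, so an .exe served under a .gif URL
# is still recognised as an executable.
def is_gif(body: bytes) -> bool:
    return body[:6] in (b"GIF87a", b"GIF89a")

def is_jpeg(body: bytes) -> bool:
    return body[:3] == b"\xff\xd8\xff"

def is_exe(body: bytes) -> bool:
    return body[:2] == b"MZ"  # DOS/PE executables start with "MZ"

SNIFFERS: Dict[str, Callable[[bytes], bool]] = {
    "gif": is_gif, "jpeg": is_jpeg, "exe": is_exe,
}

@dataclass
class Rule:
    kind: str                      # key into SNIFFERS
    action: str                    # "allow" or "deny"
    max_bytes: Optional[int] = None  # size cap, only meaningful for "allow"

@dataclass
class Policy:
    rules: List[Rule]
    default: str                   # "deny" or "allow": the administrator's choice

def classify(body: bytes) -> Optional[str]:
    """Return the first content type whose sniffer matches, else None."""
    for kind, sniff in SNIFFERS.items():
        if sniff(body):
            return kind
    return None

def decide(policy: Policy, body: bytes) -> Tuple[str, str]:
    """Evaluate one response body against the policy. Returns (verdict, reason)."""
    kind = classify(body)
    for rule in policy.rules:
        if rule.kind != kind:
            continue
        if rule.action == "deny":
            return "deny", f"{kind} denied by rule"
        if rule.max_bytes is not None and len(body) > rule.max_bytes:
            return "deny", f"{kind} exceeds {rule.max_bytes} bytes"
        return "allow", f"{kind} within policy"
    # Nothing in the table matched: only the default decides.  Under default
    # deny, unrecognised content (SOAP, a spyware beacon, an encoded image
    # carrier that does not parse as an image) never gets through.
    label = kind or "unrecognised content"
    return policy.default, f"{label}: no rule matched, default {policy.default}"

# Assumed rule table: GIFs up to 64 KiB, JPEGs up to 256 KiB, executables denied.
RULES = [
    Rule("gif", "allow", max_bytes=64 * 1024),
    Rule("jpeg", "allow", max_bytes=256 * 1024),
    Rule("exe", "deny"),
]
DEFAULT_DENY = Policy(RULES, default="deny")
DEFAULT_PERMIT = Policy(RULES, default="allow")

# Constructed sample bodies (not real captures).
SAMPLES = {
    "small_gif":  b"GIF89a" + b"\x00" * 100,
    "big_jpeg":   b"\xff\xd8\xff\xe0" + b"\x00" * (300 * 1024),
    "exe_as_gif": b"MZ\x90\x00" + b"\x00" * 100,   # .exe fetched from a .gif URL
    "mystery":    b"<html>not an image</html>",     # anything that is not in the table
}

def run_samples(policy: Policy) -> Dict[str, str]:
    """Verdict per sample name for the given policy."""
    return {name: decide(policy, body)[0] for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for label, policy in (("default deny", DEFAULT_DENY), ("default permit", DEFAULT_PERMIT)):
        print(label)
        for name, body in SAMPLES.items():
            verdict, reason = decide(policy, body)
            print(f"  {name:<11} {verdict:<6} ({reason})")
```

Run both policies over the same samples and the difference Marcus is pointing at shows up in one line: the executable is denied either way because a rule names it, but the "mystery" body is blocked only under default deny. Neither mode stops data smuggled inside a well-formed GIF that stays under the size cap, which is the "not a panacea, only a temporary measure" caveat; what the policy does is force the attacker to fit that channel, which is smaller and easier to watch.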

