Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

RE: FW appliance comparison - Seeking input for the forum

From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 19 Jan 2006 10:10:51 -0500
-----Original Message-----
Subject: RE: [fw-wiz] FW appliance comparison - Seeking input for the forum



Peer-to-peer and IM are about controlling what someone does, not really

security.  Both of 

those are controllable by local machine policy, especially in the Windows

case- so an IDS is 

a pretty expensive thing to manage just so your visitors don't do

something you don't want 

them to do- and QoS would be about as effective in the P2P space.


I categorically disagree with your first statement.  To illustrate my point,
fire up your favorite Kazaa or Gnutella client and search for 'ntuser.dat'
And there's always: http://isc.sans.org/diary.php?storyid=917

There are more reasons why it's a bad idea to allow these things across your
Internet border, and since it's an issue of crossing that border, it's
easier to manage detection and enforcement at those points than it is to do
it directly at each desktop.



Actually, I think the moral of the story is it's still good to use a

proxy...

But not just any proxy.  There are lots of proxies out there that simply
don't deliver the type of protocol control that is needed.  In fact, I would
say that none of the top 3 border proxies out there can stop IM tunneling
from clients like MSN or Yahoo.  

PaulM


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: