Firewall Wizards mailing list archives

Re: Dark Reading: Firewalls Ready for Evolutionary Shift


From: Dave Piscitello <dave () corecom com>
Date: Mon, 10 Dec 2007 12:37:25 -0500

Sorry to rez this thread but I am curious.

david () lang hm wrote:

> what you need to be able to do is to enforce valid HTTP,

This would indeed be a positive step but:

What is "valid HTTP"?
Who defines it (not being naive here but it does not seem that W3C is the answer when tens of millions of browsers will do HTTP according to what the vendor releases, which becomes de facto "valid").

Who asserts/certifies that client and server software comply with it?

> and work to detect the common ways of tunneling other things across it.

I don't quite know how to interpret "common ways of tunneling". Tunneling apps in HTTP is seriously broken. The logic behind an application developer reaching the conclusion that the best way to assure that his application port is not blocked by a firewall egress traffic policy is to employ firewall evasion techniques is way broken. That this "clever workaround" became common practice not only for HTTP, but that certain apps go so far as to port probe for any open outbound path, is even more broken.

Yes, this is common, but frankly, common sucks. What makes it "beyond sucking" is that common has become *accepted*.

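One concrete reading of "enforce valid HTTP" is syntactic conformance to the RFC 7230 message grammar (token-only method and header names, a well-formed request line, a Host header on HTTP/1.1) combined with an egress policy on methods and CONNECT targets. The checker below is an added example written for this archive page; it is not code from the original post or from any product the thread discusses. The allowed-method set, the CONNECT port list and the sample requests are constructed assumptions, and the check deliberately stops at syntax and policy, which is exactly the gap the post is pointing at: a request can be grammatically perfect and still carry something that is not web traffic.

```python
import re
from typing import Dict, List

# RFC 7230 "token" characters, used for method names and header field names.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE_RE = re.compile(rf"^({TCHAR}) (\S+) HTTP/(\d)\.(\d)$")
# field-name ":" OWS field-value OWS ; field-value limited to printable ASCII and TAB.
HEADER_RE = re.compile(rf"^({TCHAR}):[ \t]*([\x20-\x7e\t]*?)[ \t]*$")

# Hypothetical egress policy (assumption): the methods a proxy will forward,
# and the only port a CONNECT tunnel may be opened to.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "CONNECT"}
ALLOWED_CONNECT_PORTS = {443}


def check_http_request(raw: bytes) -> List[str]:
    """Return the list of conformance/policy violations; an empty list means the request passed."""
    problems: List[str] = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no end-of-headers (CRLF CRLF) found"]
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in request head"]

    lines = text.split("\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        return [f"malformed request line: {lines[0]!r}"]
    method, target, major, minor = m.groups()
    if (major, minor) not in {("1", "0"), ("1", "1")}:
        problems.append(f"unsupported version HTTP/{major}.{minor}")
    if method not in ALLOWED_METHODS:
        problems.append(f"method not allowed: {method}")

    headers: Dict[str, str] = {}
    for line in lines[1:]:
        hm = HEADER_RE.match(line)
        if not hm:
            problems.append(f"malformed header line: {line!r}")
            continue
        headers[hm.group(1).lower()] = hm.group(2)  # last occurrence wins; enough for this check

    if (major, minor) == ("1", "1") and "host" not in headers:
        problems.append("HTTP/1.1 request without Host header")

    if method == "CONNECT":
        # CONNECT uses authority-form (host:port); only the TLS port is allowed by policy.
        tm = re.fullmatch(r"([^:/\s]+):(\d+)", target)
        if not tm:
            problems.append(f"CONNECT target not authority-form: {target!r}")
        elif int(tm.group(2)) not in ALLOWED_CONNECT_PORTS:
            problems.append(f"CONNECT to disallowed port {tm.group(2)}")
    elif not (target.startswith(("/", "http://", "https://")) or target == "*"):
        problems.append(f"request-target not origin/absolute form: {target!r}")

    # For a single, non-pipelined request the body must match the declared length.
    cl = headers.get("content-length")
    if cl is not None:
        if not cl.isdigit():
            problems.append(f"non-numeric Content-Length: {cl!r}")
        elif int(cl) != len(body):
            problems.append(f"Content-Length {cl} does not match body length {len(body)}")
    return problems


# Constructed sample requests (not captured traffic) exercising each rule.
SAMPLES: Dict[str, bytes] = {
    "clean_get": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: test\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\n\r\n",
    "connect_smtp": b"CONNECT mail.example.com:25 HTTP/1.1\r\nHost: mail.example.com:25\r\n\r\n",
    "binary_header": b"GET / HTTP/1.1\r\nHost: example.com\r\n\xff\xfe\r\n\r\n",
    "bad_header_syntax": b"GET / HTTP/1.1\r\nHost: example.com\r\nX-Data \x01\r\n\r\n",
    "length_mismatch": b"POST /u HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\nabc",
}


def run_samples() -> Dict[str, List[str]]:
    """Check every constructed sample and return label -> violations."""
    return {label: check_http_request(req) for label, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, problems in run_samples().items():
        print(f"{label:18} {'PASS' if not problems else 'FAIL: ' + '; '.join(problems)}")
```

The rules here are the uncontroversial part of "valid": they come from the RFC grammar or from an explicit local policy, so there is no ambiguity about who defines them. Everything the post worries about (vendor dialects of HTTP, and applications that look like a browser on the wire) sits beyond what this kind of check can see.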

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards