Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: Marcin Antkiewicz <firewallwizards () kajtek org>
Date: Tue, 27 Nov 2007 21:19:10 -0600 (CST)
I am well aware that Squid does not do all of the previous-- it is an application proxy. Application level proxies, or the equivalent, are the best form of deep packet inspectors. The rest of the Stateful with deep packet inspection would be what is more traditionally thought of as a firewall. They would not substitute for one another, but instead complement each other.
I would not look at Squid as a security device - I cannot imagine a security proxy written for HTTP as it stands today. In order to have any install base, an HTTP proxy can, at most, implement ACLs/user auth with content filtering and some spam, maybe some cookie encryption/info leakage prevention, but cannot really limit the protocol. Squid and most popular HTTP proxies are HTTP caches/load balancers but not security devices.

I am not the authority on the subject but, if I am correct, the first firewalls did not even have packet filters - traffic went through a proxy, and protocols that were not supported/proxy friendly were transferred via some kind of authenticated IP replay thingey (or was it a DECnet to IP bridge?). The DMZ was for housing computers used to connect to the outside (shellboxes), as they were "tainted". Now - that's secure design! Same for traffic leaving the network. Caveat: I may be wayyy incorrect here, I cannot find much info available about the history of firewalls. (I will gladly take a beating, just point me to the docs..). And now, we slap a NATing router with some ACLs, AV, caching proxy, sieve-like egress filtering and call it a firewall.

Everyone loves war stories: I do consulting sometimes, and last time it was for a place with IDS, IPS, 3 AV subscriptions, HTTP proxy, split horizon DNS, 2 (!) layers of firewalls (stateful), encrypted and unencrypted wireless, NAC and traffic shaper. The bad guys still got in! How, you ask? Easy: via HTTP/s, DNS, SMTP (traffic on all the protocols was proxied, in and out).

-- Marcin Antkiewicz

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
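To make the post's point concrete, here is an added squid.conf fragment (example configuration, not from the post or the Squid project) showing the controls an HTTP proxy can enforce: user authentication, and ACLs on source network, destination, method and port. The password-file path, the network range and the domain names are assumptions.

```conf
# Added example (not from the post): the kind of controls an HTTP proxy
# can enforce, and where that enforcement stops. Paths, network ranges
# and domain names are assumptions.

# Require proxy authentication for every client (basic auth against a
# local password file; the helper path is an assumption).
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED

# Only the internal network may use the proxy (assumed range).
acl localnet src 10.0.0.0/8

# Restrict which destination ports and request methods are allowed.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
acl allowed_methods method GET POST HEAD

# Destination allow-list (assumed domains).
acl allowed_sites dstdomain .example.com .example.org

# Default-deny ordering: the first matching http_access line wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !allowed_methods
http_access deny !localnet
http_access deny !authenticated
http_access allow allowed_sites
http_access deny all
```

This is the ceiling the post describes: the proxy decides who may talk to which destination, by which method and on which port, and it refuses requests it cannot parse, but it does not judge what an application does inside an otherwise well-formed GET or POST, nor what passes through a CONNECT tunnel it has allowed. That gap is why, in the war story above, proxied HTTP/s, DNS and SMTP were still enough for the attackers; detection there has to come from logging the proxied requests and reviewing them, not from the ACLs alone.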
Current thread:
- Re: Firewalls that generate new packets.., (continued)
- Re: Firewalls that generate new packets.. Darren Reed (Nov 28)
- Re: Firewalls that generate new packets.. Darden, Patrick S. (Nov 28)
- Re: Firewalls that generate new packets.. Paul D. Robertson (Nov 28)
- Re: Firewalls that generate new packets.. Darden, Patrick S. (Nov 29)
- Re: Firewalls that generate new packets.. Paul D. Robertson (Nov 29)
- Re: Firewalls that generate new packets.. Darden, Patrick S. (Nov 30)
- Re: Firewalls that generate new packets.. AMuse (Nov 28)
- Re: Firewalls that generate new packets.. Marcus J. Ranum (Nov 28)
- Re: Firewalls that generate new packets.. AMuse (Nov 28)
- Re: Firewalls that generate new packets.. Patrick M. Hausen (Nov 28)
- Re: Firewalls that generate new packets.. Marcin Antkiewicz (Nov 27)
- Re: Firewalls that generate new packets.. ArkanoiD (Nov 28)
- Re: Firewalls that generate new packets.. Darren Reed (Nov 28)
- Re: Firewalls that generate new packets.. Marcus J. Ranum (Nov 28)
- Re: Firewalls that generate new packets.. Darden, Patrick S. (Nov 29)
- Re: Firewalls that generate new packets.. Timothy Shea (Nov 29)
- Re: Firewalls that generate new packets.. Darden, Patrick S. (Nov 30)
- Re: Firewalls that generate new packets.. Marcus J. Ranum (Nov 30)
- Re: Firewalls that generate new packets.. Paul D. Robertson (Nov 27)
- Re: Firewalls that generate new packets.. Anton Chuvakin (Nov 27)
- Message not available
- Re: Firewalls that generate new packets.. Marcus J. Ranum (Nov 27)