Firewall Wizards mailing list archives

Re: Firewall best practices


From: ArkanoiD <ark () eltex net>
Date: Wed, 28 Apr 2010 20:45:36 +0400

There is one, and it is aggressively marketed as "next generation" firewall (again).
I was thinking about this idea as well, but found its practical value insufficient
to match the effort. Marketing hype has little to do with practical value, though.
(another comment inline, scroll down ;-)

On Tue, Apr 27, 2010 at 04:41:04PM -0500, Carson Gaspar wrote:
Once upon a time I did some serious thinking about a signature based 
firewall, that cared only a little about port numbers, and a lot about 
packet content. It would necessarily involve an update cycle similar to 
anti-virus signature updates.

I've seen some work on this, mostly from a traffic shaping / IPS / IDS 
slant, but I haven't seen anything serious from the firewall front. But 
then I haven't been doing firewalls for several years, so I may just be 
behind the times.

You're completely right about the "if the application
emulates HTTPS traffic" problem. I don't have an answer
to that one other than "we warned everyone that that
was going to be a problem." At this point, it's less
of a technical problem than a social one. It seems to me that
an organization cannot claim to be concerned about
security while allowing user-oriented encrypted outgoing
links to any target. That's just foolishness. The fact
that "everyone does it" doesn't make it any less foolish.
Back in the proxy days we advocated tying outgoing
connections to an authenticated user; that's another
important aspect of the problem that gets short shrift.

Well, we are already capable of inspecting web mail just like traditional
email messages (well, exactly. and it works both ways, so all limitations
apply)

See my previous (or possibly next, post moderation...) post re: SSL MITM 
proxies. Of course that just puts you back at the first problem, except 
you may detect rogue apps by their non-acceptance of your magic CA cert.

-- 
Carson
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
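The two ideas raised in this exchange, inspecting packet content rather than trusting the port number and spotting applications that refuse the interception proxy's CA certificate, can both be turned into simple defender-side checks. The following Python is an added example and is not code from the thread or from any firewall product; the proxy log format, the client addresses, the host names and the byte strings are all constructed for the illustration.

```python
"""Added example (not from the mailing list thread): two defender-side
checks that follow from the discussion.

1. Content over port number: classify a flow by the first bytes of its
   payload rather than by destination port. A TLS handshake record starts
   with content type 0x16, a 0x03 major version byte, a 2-byte length and
   then handshake type 0x01 (ClientHello).
2. Interception-proxy telemetry: a client that repeatedly aborts the
   handshake with an "unknown_ca" alert is refusing the proxy's CA and
   is worth an analyst's attention.

The log format, hosts and addresses below are constructed for the
example; they are not any vendor's real format.
"""
from collections import defaultdict
import re


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the payload begins like a TLS ClientHello record.

    Record header is 5 bytes: type (0x16 = handshake), version (0x03 0x0X),
    length (2 bytes). Byte 5 is the handshake type; 0x01 is ClientHello.
    """
    return (
        len(payload) >= 6
        and payload[0] == 0x16
        and payload[1] == 0x03
        and payload[2] in (0x00, 0x01, 0x02, 0x03, 0x04)
        and payload[5] == 0x01
    )


def classify_flow(dst_port: int, payload: bytes) -> str:
    """Label a flow by its content and flag mismatches with the port."""
    tls = looks_like_tls_client_hello(payload)
    if dst_port == 443 and not tls:
        return "non-tls-on-443"        # something else is hiding on 443
    if dst_port != 443 and tls:
        return "tls-on-unexpected-port"  # TLS where policy may not expect it
    return "tls" if tls else "other"


# Constructed proxy log lines in a hypothetical format:
#   <timestamp> client=<ip> sni=<host> result=<ok|alert:<alert-name>>
SAMPLE_LOG = """\
2010-04-28T12:00:01 client=10.0.0.5 sni=mail.example.net result=ok
2010-04-28T12:00:02 client=10.0.0.9 sni=updates.example.org result=alert:unknown_ca
2010-04-28T12:00:03 client=10.0.0.9 sni=updates.example.org result=alert:unknown_ca
2010-04-28T12:00:04 client=10.0.0.9 sni=updates.example.org result=alert:unknown_ca
2010-04-28T12:00:05 client=10.0.0.5 sni=www.example.com result=ok
2010-04-28T12:00:06 client=10.0.0.7 sni=cdn.example.com result=alert:unknown_ca
"""

LINE_RE = re.compile(r"client=(\S+) sni=(\S+) result=(\S+)")


def clients_refusing_proxy_ca(log_text: str, threshold: int = 3) -> dict:
    """Count unknown_ca alerts per client and return the clients at or
    above the threshold, mapped to the sorted SNI names they tried."""
    counts = defaultdict(int)
    names = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        client, sni, result = m.groups()
        if result == "alert:unknown_ca":
            counts[client] += 1
            names[client].add(sni)
    return {c: sorted(names[c]) for c, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hello = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"  # constructed record prefix
    print(classify_flow(443, hello))                  # tls
    print(classify_flow(443, b"GET / HTTP/1.1\r\n"))  # non-tls-on-443
    print(classify_flow(8080, hello))                 # tls-on-unexpected-port
    print(clients_refusing_proxy_ca(SAMPLE_LOG))      # {'10.0.0.9': [...]}
```

The threshold keeps a single transient failure from paging anyone; what the output gives the analyst is a client address and the destination names it was refusing to trust, which is the starting point for the follow-up Carson describes.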



