Firewall Wizards mailing list archives
Re: Proxy advantage
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 16 Apr 2013 11:46:17 -0400
Kevin Kadow wrote:

> Does this only apply to an explicit proxy server? Does anybody deploy a transparent proxy server and not pass DNS down to the client?

My friend Ron Dilley wrote a passive DNS collector/logger - it's: http://www.uberadmin.com/ Back in the day he used it as a data source into our "overwatch" system, which is here: http://www.ranum.com/security/computer_security/code/overwatch_final_draft.pdf

> Can you call it a "best practice" when it is impossible to maintain in a large diverse network?

If your premise is that your network is impossible to secure, then it's impossible to secure.

> Aside from applications which are just not proxy aware, even when the application correctly uses OS proxy settings for HTTP/HTTPS/FTP/etc, it may still rely on being able to resolve external names; result is an unmanageably large whitelist for DNS lookups.

If your premise is that your network should accept bad/dodgy/suspicious/inappropriate traffic then it's impossible to secure.

> Same goes with "not advertising a default route" or restricting default route HTTP/HTTPS with ACLs. Great idea, but one which quickly becomes difficult to manage on a large scale network.

If your premise is that your network allows all kinds of stuff in and out, then it's impossible to secure.

> Once you have any unproxyable applications needing connectivity to Akamai or a similar CDN, these controls are usually abandoned as unmaintainable.
When you abandon security as "unmaintainable" don't whine when you discover your network is insecure.

mjr.
--
Marcus J. Ranum
CSO, Tenable Network Security, Inc.
http://www.tenable.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
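The thread turns on two claims: that passive DNS collection (the kind of logger Marcus points to) gives you visibility into what clients actually resolve, and that a per-name DNS whitelist becomes "unmanageably large" once CDN-hosted applications are involved. The script below, added here as an illustration and not part of the original post or of Ron Dilley's collector or the "overwatch" system, shows how the two fit together: it reads passive-DNS records, checks each queried name against an allowlist expressed as exact names plus suffix rules (so a whole CDN domain is one entry rather than thousands), and reports which names and which clients fall outside the list. The log format (timestamp, client, qname, qtype), the allowlist syntax and all sample records are constructed assumptions.

```python
"""Summarise a passive-DNS log against a suffix allowlist.

Constructed example: the record format (timestamp client qname qtype) and the
allowlist syntax ('name' or '*.suffix') are assumptions for this illustration,
not the format of any particular collector.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsQuery:
    ts: str
    client: str
    qname: str   # normalised: lowercase, trailing root dot removed
    qtype: str


def normalise_name(name: str) -> str:
    """Lowercase and strip the trailing root dot so 'WWW.Example.COM.' == 'www.example.com'."""
    return name.strip().rstrip(".").lower()


def parse_pdns_line(line: str) -> DnsQuery | None:
    """Parse one whitespace-separated record; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return DnsQuery(ts, client, normalise_name(qname), qtype.upper())


def load_allowlist(entries):
    """Split allowlist entries into exact names and suffix rules.

    '*.akamaihd.net' becomes the suffix '.akamaihd.net'; the leading dot keeps the
    match on a label boundary, so 'evilakamaihd.net' does not match.
    """
    exact, suffixes = set(), []
    for entry in entries:
        entry = normalise_name(entry)
        if entry.startswith("*."):
            suffixes.append(entry[1:])
        else:
            exact.add(entry)
    return exact, tuple(suffixes)


def is_allowed(qname: str, exact: set, suffixes: tuple) -> bool:
    """Exact names match themselves; suffix rules match any name *below* the suffix.
    The bare apex ('akamaihd.net') is not covered by '*.akamaihd.net' unless listed."""
    if qname in exact:
        return True
    return any(qname.endswith(s) for s in suffixes)


def summarise(lines, allowlist):
    """Count allowed/unlisted queries per client and collect unlisted names for review."""
    exact, suffixes = load_allowlist(allowlist)
    per_client = defaultdict(lambda: {"allowed": 0, "unlisted": 0})
    unlisted_names = defaultdict(set)   # qname -> clients that asked for it
    malformed = 0
    for line in lines:
        q = parse_pdns_line(line)
        if q is None:
            if line.strip():
                malformed += 1   # non-empty but unparsable: worth counting, not silently dropping
            continue
        if is_allowed(q.qname, exact, suffixes):
            per_client[q.client]["allowed"] += 1
        else:
            per_client[q.client]["unlisted"] += 1
            unlisted_names[q.qname].add(q.client)
    return {
        "per_client": dict(per_client),
        "unlisted": {name: sorted(clients) for name, clients in unlisted_names.items()},
        "malformed": malformed,
    }


# Constructed sample records; hosts and addresses are placeholders.
SAMPLE_LOG = """\
2013-04-16T11:40:01 10.0.0.5 www.example.com. A
2013-04-16T11:40:02 10.0.0.5 a1.akamaihd.net A
2013-04-16T11:40:03 10.0.0.7 Updates.Vendor.example. AAAA
2013-04-16T11:40:04 10.0.0.7 telemetry.unknown-host.test A
2013-04-16T11:40:05 10.0.0.9 akamaihd.net A
garbage line without enough fields
2013-04-16T11:40:06 10.0.0.9 b7.akamaihd.net A
"""

# Constructed allowlist: one suffix rule covers every CDN host under the domain.
ALLOWLIST = ["www.example.com", "*.akamaihd.net", "*.vendor.example"]


def run_sample():
    return summarise(SAMPLE_LOG.splitlines(), ALLOWLIST)


if __name__ == "__main__":
    report = run_sample()
    for client, counts in sorted(report["per_client"].items()):
        print(f"{client}: {counts['allowed']} allowed, {counts['unlisted']} unlisted")
    print("names to review:")
    for name, clients in sorted(report["unlisted"].items()):
        print(f"  {name} (asked by {', '.join(clients)})")
    print(f"malformed lines skipped: {report['malformed']}")
```

The review list is the useful output: every name a client resolved that no rule covers is either a missing allowlist entry or something worth looking at, and the suffix rules keep the list itself short even when the CDN hostnames behind it number in the thousands.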