Bernd Eckenfels wrote:
>
> On Mon, Jun 28, 1999 at 10:22:21PM -0700, Jerald Josephs wrote:
> > Are you absolutely convinced about that?
> > Taking into consideration the numerous network services that
> > technology has created over the past few years, wouldn't it be
> > realistic to state that a screening router is not robust enough to
> > allow such services to enter an enterprise securely?
>
> No, it is the other way around. The flood of new protocols leads to the point
> that the firewall vendors are not able to keep track and provide "secure"
> proxies for most of the protocols. They are merely able to rename their plug
> GW and use it for marketing: "we support protocol X". Therefore a packet
> filter is not much less secure.
>
I agree with this: with the complexity of new protocols and firewall
plug-gw's, you actually increase the chance of having a security problem
with the firewall software itself. A "dumb" router ACL restricting all
traffic but X, Y, and Z simplifies the system and allows the
administrator to have much tighter control over the services allowed
through. While using filtering firewalls, router ACLs, and application
layer proxies together is my system of choice, any single access control
method has its own inherent weaknesses. Inside-to-outside attack
techniques involving trojans using outbound HTTP sessions to communicate
are still almost impossible to stop unless you are looking for them.
Forcing people to use application layer proxies for HTTP blocks these
nicely; used in conjunction with outbound traffic filtering and
deny-all allow-some router ACLs, you should be able to stop almost
anything. In the end the component that poses the most risk is the one
between the chair and the monitor ;)
-HD
http://nlog.ings.com
http://www.trinux.org
http://www.opensec.net
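As an added illustration of the "deny-all, allow-some" outbound ACL discussed in the thread (this is example code written for this page, not something posted by any of the participants), the following toy first-match packet-filter evaluator is run over a few constructed flows. The addresses (an internal 10.0.0.0/8 network, a proxy at 10.0.0.5, a DNS forwarder at 10.0.0.2, an external web server at 198.51.100.10) are assumptions. It shows that an ACL which permits any internal host outbound on port 80 also lets a direct HTTP session from a workstation through, whereas an ACL that only permits the application-layer proxy outbound on 80/443 stops that direct session while still allowing the proxy to work.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as seen at the border router."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """A single ACL entry; src/dst are CIDR strings, dport None = any port."""
    action: str          # "permit" or "deny"
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "any"
    dport: Optional[int]

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and (self.dport is None or self.dport == f.dport))


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Constructed topology (assumed for this example, not from the thread).
INSIDE = "10.0.0.0/8"
PROXY = "10.0.0.5/32"
DNS_FWD = "10.0.0.2/32"
ANY = "0.0.0.0/0"

# ACL 1: "any internal host may go out on 80/443". Default deny for the rest.
NAIVE_OUTBOUND = [
    Rule("permit", INSIDE, ANY, "tcp", 80),
    Rule("permit", INSIDE, ANY, "tcp", 443),
    Rule("permit", DNS_FWD, ANY, "udp", 53),
]

# ACL 2: only the application-layer proxy may go out on 80/443.
PROXY_ONLY_OUTBOUND = [
    Rule("permit", PROXY, ANY, "tcp", 80),
    Rule("permit", PROXY, ANY, "tcp", 443),
    Rule("permit", DNS_FWD, ANY, "udp", 53),
]

# Constructed flows: a workstation talking HTTP directly, the proxy talking
# HTTP on its behalf, and the same workstation trying a non-HTTP port.
DIRECT_HTTP = Flow("10.1.2.3", "198.51.100.10", "tcp", 80)
PROXIED_HTTP = Flow("10.0.0.5", "198.51.100.10", "tcp", 80)
DIRECT_IRC = Flow("10.1.2.3", "198.51.100.10", "tcp", 6667)
DNS_QUERY = Flow("10.0.0.2", "198.51.100.53", "udp", 53)


def audit(acl: List[Rule], flows: List[Flow]) -> dict:
    """Map each flow to the ACL decision, for side-by-side comparison."""
    return {f"{f.src}->{f.dst}:{f.dport}/{f.proto}": evaluate(acl, f) for f in flows}


if __name__ == "__main__":
    flows = [DIRECT_HTTP, PROXIED_HTTP, DIRECT_IRC, DNS_QUERY]
    for name, acl in (("naive", NAIVE_OUTBOUND), ("proxy-only", PROXY_ONLY_OUTBOUND)):
        print(name)
        for k, v in audit(acl, flows).items():
            print(f"  {k:40} {v}")
```

The point the evaluator makes is the one HD makes in prose: both ACLs stop the non-HTTP port because nothing permits it, but only the proxy-only ACL turns a workstation's direct outbound HTTP into a denied flow, which is what forces the session through a proxy where it can be inspected or logged.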
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]