> >To sum up with a cliché: We can never be 100% safe, but we can limit
> >the threats.
>
> Right. That's what I was saying. :)
Well, I'm listening :) To me this *IS* security (not just computer security, but any
kind). I might define security as: reducing threats. The fascinating or frustrating
(depends on how you look at it) thing about it is that I don't think one can ever
reach the goal one is striving for; one can never reach the state where one is totally
safe/secure. To do that one would have to foresee EVERY possible threat, AND take
countermeasures. My guess is that this "problem of security" is valid for pretty much
all security, not just firewalls.
> Too many people think that firewalls are doing a whole lot more than
> mere flow control. Most of the firewalls are just dynamic stream
> gateways;
And why do they think that? $$, that's why! Companies (FW makers) & security
consultants market themselves as selling "the state of being safe/secure". Either they
do not know enough about security (i.e. their ego is too big), or they know their
limitation but choose to lie about it (again the reason is of course the $$). But really,
the way I see it, they are just in the business of reducing risk; and only by admitting
that & explaining why are they acting professional and responsible.
I'd much rather buy a FW from you, Marcus, than from someone who claims (or "guarantees")
that their product is secure.
IMHO: "Guarantees" in the field of (any type of) security should ring loud alarm bells
(unless they are backed up with a signed paper granting you some $ if so and so).
*Then* you might be ok :)
> very few do content and protocol parsing, and even those
> are limited based on the designers' knowledge of attacks in the
> protocols that are being analysed and proxied.
Actually, I am shocked! :/ When you say very few, does that include the proxies?
What's the point of a proxy then? Has it become so that people write proxies simply
as a means for certain traffic to travel across a dual-homed host with IP forwarding
disabled (with no thought to security; no effort at blocking buffer overflows, known
bugs, etc. at all)? Is this mostly new types of applications, or are we talking about
proxies for the traditional internet protocols as well? Ouch, lots of questions; I
guess what I mean is: could you elaborate some more on this, please?
Also in your debate on FWs (obsolete or not), you state: "Some firewalls perform
application specific security on data streams. -Others do not -Sometimes you can't"
What do you mean by the last one ("... you can't")? Why not? :)
BTW: Is the *.ps version available? :)
> Take a look at the new stuff that's tunnelling over HTTP. The
> developers of applications have discovered that if you look like
> HTTP you can get around 99% of the firewalls that are already
> installed. Who knows about specific weaknesses in those application
> protocols? Nobody.
Ah, is this what the distributed.net (http://www.distributed.net) client does? Anybody
know? Examples?
[....]
> The reality of the matter is that a large number of firewalls have
> been installed to buy comfort for upper management, not to implement
> security. Many sites simply do not understand, or choose to ignore,
> the incoming traffic problem. They don't upgrade the software on
> their critical servers behind their firewalls, or they freely download
> and run code from wherever users feel appropriate. Those are the
> points of attacks that work against firewalls and will continue to
> work in the future. Anyone who has ever done a security audit of a
> firewall will know that it's not the firewall that has the holes,
> it's the machines behind it. The bad guys know this, too.
It really seems like many computer security professionals don't understand the
incoming traffic problem either :/ Many act more like firewall pushers than real
security experts. (Pls. misinterpret me correctly: Not saying that they shouldn't
recommend firewalls of course ;)
I certainly needed this discussion. I never thought a firewall was "perfect", and even
though that is an excellent start I guess: It is also a good thing to know what the
threats are, and some possible solutions.
Regards,
Per