Frederick M Avolio wrote:
>
> At 10:35 AM 11/23/99 +0100, Mikael Olsson wrote:
[snip!]
> > A proxy with application level filtering capabilities (let's not
> > start on plug-gw here) can only protect against attacks known to the
> > developer of the proxy. MJR posted a note on this recently.
> >
>
> Specifically, yes, but there are a whole set of threats that cannot
> easily (or at all in some cases) be exploited if there is no direct
> network connection. All of this has been written up in the literature
> going back 6 years, so I won't rehash it here. A packet filter may
> make the internal network more vulnerable to attack than an
> application gateway. This hasn't changed over the years.
Let's be a bit more specific.
An application gateway makes your network more vulnerable to *some*
kinds of attack, and a packet filter makes your network more vulnerable
to *some* kinds of attack (each compared to the other).
If security were a 100% business, this discussion wouldn't be as futile.
> > If your server is sitting on the internal network, this also means
> > that your entire internal network is toast.
> >
>
> Your entire internal network may be toast. :-)
Mind you, I have yet to hear of any part-burned bread product exploits.
Possibly a whole new security paradigm.
> > Having the data passed from the external network to the server is
> > "direct connection enough" for these kinds of attacks; they're not
> > network-layer based any more.
>
> Absolutely. But there are threats that are network based. An
> application gateway can provide more protection.
And less. It all depends on the attack.
> > > ... The outside user actually talks directly with your server.
> > > Most people use a DMZ because the outside user is actually
> > > connected to your server and if he can compromise it (s)he is IN
> > > your network.
> >
> > As I showed above, this holds equally true in the case of proxies.
> >
>
> While it is true that some attacks work whether there is a direct
> network connection, there are attacks that will not, or are more
> difficult. Making some attacks "more difficult" is often sufficient.
The old fashioned "Make 'em go for someone easier..."
The major difference between bastion host and packet filter is to do
with network design. I like packet filters and a DMZ because it makes
*my* current network design "fit" easier. We have hosts we want the net
to have access to, and it's simply easier for me to use a DMZ, and
rebuild the box if/when it gets trashed.
It also (IMHO) adds another layer to any prospective attack, because
(firewall compromise excluded, and since it's impossible to connect to
the firewall that's a *hard* thing to do) any cracker that wants to get
in has to go through a two-stage process.
That's *usually* enough to make them go somewhere else.
> > I'm not trying to endorse fw-1 over gauntlet or the other way
> > around, I'm just saying that proxies with application filtering
> > capabilities don't buy you as much as a lot of people like to think.
>
> And all I am injecting into the discussion is that application
> gateways can provide more security than a filter. That is to say, I
> agree with Mikael in spirit, but I think he's gone too far in the
> opposite direction. :-)
All I'd like to say is that *neither* is better than the other (Design
wise, I'm not trying to argue the product vs product point)
For most applications I would choose the packet filter/DMZ approach. BUT
a bastion host setup requires less design, and less extraneous hardware,
than a packet filter setup.
It's also less easy to make a really stupid mistake.
> Fred
> Avolio Consulting
> 16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
> +1 410-309-6910 (voice) +1 410-309-6911 (fax)
> http://www.avolio.com/
Gav
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
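The packet filter/DMZ design Gav describes above (Internet may reach the published server only, nothing may reach the firewall itself, and a compromised DMZ box cannot initiate connections into the internal network) can be written down as a first-match ruleset and checked. The model below is an added example, not code from the thread or from any product mentioned in it. It assumes a filter that judges the first packet of each TCP connection and passes replies statefully, uses constructed addresses (RFC 5737 documentation ranges for the outside and DMZ, RFC 1918 space inside), and the rule names and helpers are my own. The second ruleset shows the "really stupid mistake" the design makes easy: one permissive rule ordered before the firewall's self-protection rules opens the firewall to every internal host.

```python
"""Constructed first-match packet filter model for a DMZ design (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address plan (not from the original thread).
ANY = "0.0.0.0/0"
INTERNET = ANY
DMZ = "192.0.2.0/24"            # DMZ segment
INTERNAL = "10.0.0.0/8"         # internal network
WEB = "192.0.2.10/32"           # the one host the Internet may reach
FIREWALL_LEGS = ("198.51.100.1/32", "192.0.2.1/32", "10.0.0.1/32")  # outside, DMZ, inside


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR the source address must fall in
    dst: str               # CIDR the destination address must fall in
    dport: Optional[int]   # TCP destination port; None matches any port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; an unmatched connection attempt is denied."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"


def firewall_self_protection() -> List[Rule]:
    """Nobody, on any leg, may open a connection to the firewall itself."""
    return [Rule("deny", ANY, leg, None) for leg in FIREWALL_LEGS]


# The intended design: self-protection first, then one published service,
# then the DMZ-to-internal block, then outbound from inside.  Everything else
# falls through to the default deny, so a trashed DMZ host has no path inward.
DMZ_RULES: List[Rule] = firewall_self_protection() + [
    Rule("allow", INTERNET, WEB, 80),
    Rule("deny", DMZ, INTERNAL, None),
    Rule("allow", INTERNAL, ANY, None),
]

# Same rules, but the permissive internal rule was put at the top "to make
# things work".  Because matching stops at the first hit, it now shadows the
# self-protection rules for every internal source.
MISORDERED_RULES: List[Rule] = [Rule("allow", INTERNAL, ANY, None)] + \
    firewall_self_protection() + [
        Rule("allow", INTERNET, WEB, 80),
        Rule("deny", DMZ, INTERNAL, None),
    ]


def dmz_host_can_reach_internal(rules: List[Rule]) -> bool:
    """The two-stage property: can a compromised DMZ host open anything inward?"""
    probes = [("192.0.2.10", "10.0.0.5", port) for port in (22, 139, 445, 3389)]
    return any(evaluate(rules, s, d, p) == "allow" for s, d, p in probes)


if __name__ == "__main__":
    for src, dst, port in [("203.0.113.7", "192.0.2.10", 80),
                           ("203.0.113.7", "192.0.2.10", 22),
                           ("203.0.113.7", "198.51.100.1", 22),
                           ("192.0.2.10", "10.0.0.5", 445),
                           ("10.0.0.5", "10.0.0.1", 22)]:
        print(f"{src} -> {dst}:{port}  intended={evaluate(DMZ_RULES, src, dst, port)}"
              f"  misordered={evaluate(MISORDERED_RULES, src, dst, port)}")
```

The point the model makes explicit is that the "two-stage" guarantee rests on rule order and the default deny, not on the DMZ topology alone: both rulesets contain the same rules, but only the first keeps the firewall unreachable from inside.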