On Wed, 8 Mar 2000, Ng, Kenneth (US) wrote:

> You want the truth?  I caught one major firewall vendor in a big lie over
> this one.  Their so called proxy was nothing more than a transparent
> connection, yet when I asked them if I put a telnet daemon on another

Very few firewalls actually check that the protocol travelling over a
particular port -really is- what the port is supposed to be used for.

Anyhow, I see this as an easily spoofable scenario, and building a
firewall to do protocol analysis would also have to support resetting the
connection if the protocol should ever deviate from the established norm.
It seems like this would be an incredible amount of work for the firewall
to do on each packet, as it would now have to maintain state for each
conversation (per protocol).

Consider this: an inside employee sets up an ftp server on port 80 of
their home machine, and you don't want anyone using ftp because they might
ftp out your super seekrit widget plans. You say that outbound port 80
should only be web, but I blast a bunch of packets before my ftp
connection setup to fool the firewall (even better, I just forget the
whole FTP thing and perform an HTTP PUT...)

IMHO, it's just too complex and not a real solution to security.

-john

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
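An added example, not part of the list post above, contrasting the two approaches John describes: a "proxy" that classifies an outbound port-80 flow from its first packet only, versus one that keeps per-conversation HTTP state and resets as soon as the client stream stops being HTTP. The sample segments (the decoy GET followed by FTP commands, and the HTTP PUT that carries the file out) are constructed here, not captured traffic. The tracker covers only the client-to-server direction of HTTP/1.x with Content-Length bodies (no chunked encoding), which is enough to show why the first-packet check is spoofable and why even the stateful check does nothing against data sent as a legitimate HTTP PUT.

```python
"""Toy port-80 protocol enforcement: first-packet check vs. per-flow HTTP state.

Constructed example; the flows below are hand-written, not captured traffic.
"""
import re

# HTTP/1.x request line and header line, client -> server direction only.
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*\r\n")
MAX_LINE = 8192  # a "line" longer than this without CRLF is not HTTP


def first_packet_check(segments):
    """The 'transparent proxy' approach: judge the flow by its first segment,
    then pass everything that follows without looking at it."""
    return "allow" if REQUEST_LINE.match(segments[0]) else "reset"


class HttpClientTracker:
    """Tracks where a client->server byte stream is inside HTTP/1.x framing.

    This is the per-conversation state a protocol-enforcing firewall has to
    keep: request line -> headers -> body (Content-Length bytes) -> next request.
    """

    def __init__(self):
        self.buf = b""
        self.state = "request-line"
        self.content_length = 0
        self.body_left = 0

    def feed(self, data):
        """Consume one segment's payload. Returns False the moment the stream
        deviates from HTTP, which is where the firewall would send a RST."""
        self.buf += data
        while self.buf:
            if self.state == "body":
                take = min(self.body_left, len(self.buf))
                self.buf = self.buf[take:]
                self.body_left -= take
                if self.body_left == 0:
                    self.state = "request-line"
                continue
            end = self.buf.find(b"\r\n")
            if end < 0:
                # Partial line: wait for the next segment, unless it is absurdly long.
                return len(self.buf) <= MAX_LINE
            line, self.buf = self.buf[:end + 2], self.buf[end + 2:]
            if self.state == "request-line":
                if not REQUEST_LINE.match(line):
                    return False
                self.content_length = 0
                self.state = "headers"
            elif line == b"\r\n":  # end of headers
                self.body_left = self.content_length
                self.state = "body" if self.body_left else "request-line"
            else:
                if not HEADER_LINE.match(line):
                    return False
                if line.lower().startswith(b"content-length:"):
                    self.content_length = int(line.split(b":", 1)[1].strip())
        return True


def stateful_check(segments):
    """Protocol-analysing firewall: every segment of the flow is checked
    against the tracked HTTP state; the first deviation resets the flow."""
    tracker = HttpClientTracker()
    for seg in segments:
        if not tracker.feed(seg):
            return "reset"
    return "allow"


# Constructed client->server payloads, one TCP segment per list entry.
LEGIT_GET = [b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"]
FTP_ON_80 = [b"USER alice\r\n", b"PASS hunter2\r\n", b"STOR widget-plans.pdf\r\n"]
# John's spoof: look like web for one packet, then talk FTP to the home box.
DECOY_THEN_FTP = [b"GET / HTTP/1.1\r\nHost: home.test\r\n\r\n",
                  b"USER alice\r\n", b"STOR widget-plans.pdf\r\n"]
# John's second point: just use HTTP itself to carry the file out.
HTTP_PUT_EXFIL = [b"PUT /widget-plans.pdf HTTP/1.1\r\nHost: home.test\r\n"
                  b"Content-Length: 5\r\n\r\n", b"plans"]

SAMPLE_FLOWS = {"legit GET": LEGIT_GET, "ftp on 80": FTP_ON_80,
                "decoy then ftp": DECOY_THEN_FTP, "HTTP PUT exfil": HTTP_PUT_EXFIL}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:16} first-packet={first_packet_check(flow):6} "
              f"stateful={stateful_check(flow)}")
```

The first-packet check passes the decoy flow; the stateful tracker catches it at the first "USER" line because it knows the previous request ended at the blank line. Neither stops the HTTP PUT, which is valid HTTP from start to finish. A real implementation would also have to validate the server-to-client direction, handle chunked and pipelined requests, and bound the memory held per flow, which is the per-conversation cost the post is pointing at.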