I try to stay out of these "theological" debates, but I felt
I had to add my $.02 this time.
From a theory standpoint, proxies ought to be "more secure" since
they indeed rewrite all the TCP and IP level data by forming a
separate connection to each peer. However, in my experience, this
buys you nothing today (feel free to disagree). Attacks against
systems protected by "real" firewalls today aren't about playing
tricks on the network level; they are about data-driven attacks.
Sure, we had a bit of TCP layer fun with the original FTP PASV server
vulnerability two months ago, but that's more the result of a flawed
protocol design than anything else. There's more fun with FTP going on
now that no firewall, proxy or SPF can stop. <vuln-dev plug>For those
that are interested, read the recent vuln-dev posts about FTP.</plug>
Anyhow, my point is that neither technology used alone can be trusted.
Used alone to secure a network, they suck equally badly. Host level
security has to be raised.
Now, if I know both proxies and SPFs to be inadequate in and of themselves,
I for one would rather choose the SPF approach since it's faster and more
flexible (yes, I know, easier to shoot yourself in the foot with as well
if you don't know what you're doing). The work with hardening all
attached hosts remains, and is equally messy no matter what firewall
technology you choose.
<soapbox height=above-normal>
Proxies can't provide the same level of protection that they could
ten years ago. Back then you _could_ actually ensure that common
network services such as SMTP and NNTP followed protocol specs
and were indeed "secure". With the advent of the WWW and the plethora
of new protocols and networked apps, this simply doesn't hold true
anymore.
Sure, you can ensure that no one attempts to speak POP3 to your HTTP
server by enforcing HTTP compliance to the specs. But then what? It's
not like POP3 is dangerous to your web server. The danger is someone
speaking HTTP but making requests that the CGIs/scripts/whatever
didn't quite expect, etc... And firewalls can't protect against that
unless they actually mimic the entire process of the web server, scripts
and all, but without the security flaws. So why not just secure the web
server to begin with?
</soapbox>
Flames are welcome although it is very unlikely that I will respond to them.
I think I've said my bit now.
/Mike
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50 Fax: +46 (0)660 122 50
Mobile: +46 (0)70 66 77 636
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
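An added illustration of the soapbox point above (example code written for this page, not part of Mikael's post or any EnterNet product): a protocol-compliance check of the kind a proxy can perform, next to a hypothetical CGI that it does not protect. The check correctly rejects a POP3 probe aimed at the web server, but a perfectly RFC-shaped GET carrying `file=../../../etc/passwd` sails through; only the CGI itself can refuse it. The request bytes, the `/var/www/htdocs` docroot and the `view` CGI are all constructed for the example.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical document root for the example CGI (assumption, not a real host).
DOCROOT = "/var/www/htdocs"

# Constructed traffic: a POP3 login sent to port 80, a benign CGI request,
# and a request that is valid HTTP but carries a path-traversal parameter.
POP3_PROBE = b"USER alice\r\n"
BENIGN_REQUEST = b"GET /cgi-bin/view?file=index.html HTTP/1.0\r\n\r\n"
TRAVERSAL_REQUEST = (
    b"GET /cgi-bin/view?file=../../../etc/passwd HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)

# Request line: METHOD SP request-target SP HTTP/1.x
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
# Header field: token ":" OWS value (token chars per the HTTP grammar)
HEADER_LINE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+: *[^\r\n]*$")


def is_compliant_http_request(raw: bytes) -> bool:
    """What an application-level proxy can verify: the bytes are shaped like
    an HTTP/1.x request head. It says nothing about what the request asks for."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not text.endswith("\r\n\r\n"):
        return False
    lines = text[:-4].split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return False
    return all(HEADER_LINE.match(h) for h in lines[1:])


def _query_params(raw: bytes) -> dict:
    """Pull the query string out of the request-target (assumes a compliant request)."""
    request_line = raw.decode("ascii").split("\r\n", 1)[0]
    target = request_line.split(" ")[1]
    return {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}


def vulnerable_view(raw: bytes) -> str:
    """The CGI as naively written: joins the 'file' parameter straight onto
    the docroot. A compliant request with '../' segments escapes it."""
    params = _query_params(raw)
    return posixpath.normpath(posixpath.join(DOCROOT, params.get("file", "index.html")))


def hardened_view(raw: bytes) -> Optional[str]:
    """Host-level fix: normalise first, then refuse anything that resolves
    outside the docroot (covers '../' chains and absolute paths alike)."""
    params = _query_params(raw)
    candidate = posixpath.normpath(posixpath.join(DOCROOT, params.get("file", "index.html")))
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + "/"):
        return None
    return candidate


def outcomes() -> dict:
    """Run the three constructed requests through the proxy check and both CGIs."""
    result = {}
    for name, req in (("pop3", POP3_PROBE), ("benign", BENIGN_REQUEST), ("traversal", TRAVERSAL_REQUEST)):
        passes = is_compliant_http_request(req)
        result[name] = {
            "proxy_accepts": passes,
            "vulnerable_cgi": vulnerable_view(req) if passes else None,
            "hardened_cgi": hardened_view(req) if passes else None,
        }
    return result


if __name__ == "__main__":
    for name, r in outcomes().items():
        print(f"{name:10s} proxy_accepts={r['proxy_accepts']!s:5s} "
              f"vulnerable={r['vulnerable_cgi']} hardened={r['hardened_cgi']}")
```

The proxy check is not wrong, it is just answering a different question: "is this HTTP?" rather than "is this request safe for the script behind it?". The traversal request scores a pass on the first and a `/etc/passwd` on the second, which is exactly why the fix has to live in the CGI.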
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]