Mikael Olsson <[EMAIL PROTECTED]>  writes:
> Peter Bruderer wrote:
> > To give you the statement you want: In March 2000 it was
> > possible to connect to a HTTPS server through Firewall-1 and to
> > get administrative privileges on that server.

> Then let us suppose for a moment that we were using a 
> proxy firewall. What would it be able to do here that
> a dumb stateless packet filter couldn't? 
> A proxy cannot examine what goes on inside HTTPS, since
> it is encrypted.
>
> I'm not saying that stateless packet filters are good
> enough for everything. I'm just saying that this was
> a bad example.

As soon as you let traffic pass your firewall from the outside 
to the inside, even if it is just one single service, it does not 
matter what kind of firewall you have. The firewall can only 
reduce the number of ports you are allowed to connect to. But if 
the server you are connecting to is vulnerable at the 
application layer, the firewall cannot stop an attacker.

As Bernd Eckenfels states, a stateful device can protect you 
from low-level attacks while a stateless device cannot.

A big shortcoming of a stateless device is the need to configure both 
directions of the packet flow, which can be very tricky, especially in 
the case of UDP. The advantage of a stateful device lies more in 
this area: you can connect to any system on any port, but the 
reply is only allowed if there is an entry in the connection 
table.


have fun ...

-- 
===============================================================
 Peter Bruderer             mailto:[EMAIL PROTECTED]
 Bruderer Research GmbH                  Tel ++41 52 620 26 53
 IT Security Services                    Fax ++41 52 620 26 54
 CH-8200 Schaffhausen         http://www.bruderer-research.com
===============================================================


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
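The point Bruderer makes about configuring both directions, and about UDP in particular, is easy to see in a toy model. The following is an added example written for this page, not code from the original message or from any firewall product: it models a stateless rule list beside a stateful filter with a connection table, and runs three constructed packets (a DNS query going out, the matching reply coming back, and an unsolicited inbound packet that merely uses source port 53) through both. All addresses, ports and rule names are made up for the illustration.

```python
"""Toy packet filter: stateless rule list vs. stateful connection tracking.

Added example for illustration; not a real firewall implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = inside -> outside, "in" = outside -> inside
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    sport: int = 0   # 0 matches any port
    dport: int = 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and rule.proto == pkt.proto
            and rule.sport in (0, pkt.sport) and rule.dport in (0, pkt.dport))


def stateless_allows(rules: List[Rule], pkt: Packet) -> bool:
    """Stateless filter: a packet passes if any rule matches. No memory of
    earlier packets, so each direction needs its own rule."""
    return any(rule_matches(r, pkt) for r in rules)


# Stateless rules needed to let inside hosts query an outside DNS server.
# The second rule is the problem Bruderer describes: to admit replies it must
# admit *every* inbound UDP packet with source port 53, solicited or not.
STATELESS_DNS_RULES = [
    Rule("out", "udp", dport=53),
    Rule("in", "udp", sport=53),
]


class StatefulFilter:
    """Stateful filter: rules are evaluated for new outbound flows only.
    Inbound packets pass solely when the reversed 5-tuple is in the
    connection table (no timeouts modelled, unlike a real tracker)."""

    def __init__(self, outbound_rules: List[Rule]) -> None:
        self.rules = outbound_rules
        self.table: Set[Tuple[str, str, int, str, int]] = set()

    def allows(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if any(rule_matches(r, pkt) for r in self.rules):
                self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return False
        # Inbound: only a reply to a flow we have seen leave gets through.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


# Only the outbound rule is needed; replies are covered by the table.
STATEFUL_DNS_RULES = [Rule("out", "udp", dport=53)]

# Constructed sample traffic (addresses and ports are invented).
QUERY = Packet("out", "udp", "10.0.0.5", 40001, "198.51.100.53", 53)
REPLY = Packet("in", "udp", "198.51.100.53", 53, "10.0.0.5", 40001)
# Unsolicited inbound packet from an unrelated host that just uses sport 53.
PROBE = Packet("in", "udp", "203.0.113.9", 53, "10.0.0.5", 1434)


def compare() -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (stateless_verdict, stateful_verdict)} for the samples,
    feeding them in the order query, reply, probe."""
    sf = StatefulFilter(STATEFUL_DNS_RULES)
    results: Dict[str, Tuple[bool, bool]] = {}
    for name, pkt in (("query", QUERY), ("reply", REPLY), ("probe", PROBE)):
        results[name] = (stateless_allows(STATELESS_DNS_RULES, pkt), sf.allows(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:6s} stateless={'pass' if stateless else 'drop'} "
              f"stateful={'pass' if stateful else 'drop'}")
```

Both filters pass the query and its reply; only the stateless one also passes the probe, because its inbound rule cannot tell a reply from anything else that happens to carry source port 53. A real stateful tracker additionally ages UDP entries out after a timeout, which this toy omits.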