On Tue, 5 Dec 2000, Ng, Kenneth (US) wrote:
> So far we've been able to hold the line at work, but there are more and more
> idiotic applications coming on line every day. One application actually
> wanted ftp to work on port 80 (http)! Told them it couldn't be done because
> we use real firewalls, application gateways (IMO, yours may vary).
Yep, there's a *lot* of phenomenally bad crud out there. It's a difficult
line to hold, seems like most people just don't care anymore. That's
tragic, since we don't have a better paradigm at the moment, even if
firewalls mostly suck.
> Personally I think this kind of insanity really needs to be stopped. It
I've advocated for years that firewall users need to get together and as a
collective organization beat vendors with the cluebat. It's difficult for
pockets of people in companies to get anywhere, but easier if it were an
organized group.
> Another reason we give for not opening undocumented ports is the
> diagnostics. We can't perform independent tests to verify the operation or
> lack of operation of port of an undocumented component.
The problem becomes vendors wanting you to do their protocol debugging
and design after the fact when you keep a hard stance. I can't count the
number of vendors who've wanted me to spec their protocols for them so
that they'd be firewall-friendly.
The best defense is a well-written security policy that outlines all of
that. I never thought about the independent test and verify thing, that's
a good clause to add.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280