this thread is becoming too hot!


Paul's words went too "hard" and I don't think he meant to be as
"hard" as he said. He was only showing his anger about
that nightmare transfer protocol.

As I said before, active ftp is a problem for non-stateful FWs. In
particular, it is not a problem for proxies, cos' they maintain state.
I've used the ftp-gw for long and never had problems getting to sleep.
I wouldn't accept that on a stateless FW.

I agree that passive ftp is the way, but until lately, MS IE was
unable to work it out. One can say, ok, don't use IE, but heh, I can't
just ask all my coworkers to switch to another OS/browser. Besides,
the only viable alternative seems to be Netscape and it is too buggy...

Some guys went the scp way. I don't see why scp would be more secure.
Where do I put my keys so that people can download software from my
machine? On Yahoo? Whatever an honest guy can do, a malicious one can
do too, and even more :)

Encryption? That's utopia! Not so long ago the only keys that were
exported from the US were those laughable 40-bit ones. 40 bits doesn't
make you more secure, scp, https, shttp, or whatever you use.



cheers,
mouss






At 23:12 10/12/00 -0500, Paul D. Robertson wrote:
>On Sun, 10 Dec 2000, Roy G. Culley wrote:
>
> > > Active FTP is a problem period.  I've never allowed it for the generic
> > > user population behind any gateway I've run.
> >
> > Sorry for the late follow up but I've been away from the office.
> >
> > Your arrogant dictatorial stance is the reason for the increasing
> > momentum behind SOAP and even worse the move to use SSL for most
> > connections. From having some control over what is allowed through
> > your firewall you will have none. Security is a compromise between
>
>My "arrogant and dictatorial stance" has also stopped some vendors from
>producing _even worse_ protocols.  Rolling over and playing dead doesn't
>fix the problem either.
>
>There's a point where you have to draw a line and say "This won't ever
>meet my security policy."  My users never had any-to-any SSL either FWIW.
>
>More importantly, it's protected my users from literally thousands of
>potential exploits over the years.  The fact that, for instance SSL is in
>a "blanket allow" mode for most organizations makes the tunneling risk a
>given.  FWIW, I always thought SHTTP was a better protocol than HTTPS,
>but there's no way I'd have let either out blanketly at this stage in the
>game.
>
> > giving your users behind the firewall the access they need and
> > stopping entry to your network from the Internet. If all firewall
>
>My users have _never_ *needed* active FTP from their desktops to the
>Internet at large- they've needed to move files between machines using
>popular and easy to support clients.  There are *lots* of ways to do that,
>some of them even use FTP clients _without_ taking the increased risk of
>allowing a stupid protocol to traverse from the desktop to the outside or
>back in, for example intermediate proxy hosts that forward FTP requests.
>Heck, even PASV FTP to a proxy beats active FTP.
>
> > administrators had your attitude then most s/w developers of Internet
> > applications would be tunnelling everything already. When that day
> > comes you and I are out of a job as firewalls will be useless.
>
>*Newsflash*
>
>Most software developers are _already_ tunneling everything over HTTP.
>Firewalls are increasingly less useful as traffic control devices because
>too many firewall administrators equate what a user thinks they want to
>use with what they need to use.  Worse yet, firewall designers themselves
>have moved to tunneling protocols.  SSL is the perfect case in point.  You
>might _feel_ better about your firewall "supporting" SSL, but that doesn't
>make it better.
>
>If my career were predicated solely on gateway access devices and my
>continued employment didn't take into consideration the fact that their
>usefulness and protection modes didn't scale forward, I'd deserve to be
>out of a job.  Firewalls are less useful by themselves than they were 5
>years ago.  In 5 more years, they'll be less useful still, it's (a)
>obvious, and (b) not my fault.
>
>I've said it before, and I'll say it again:
>
>*All* firewall protection mechanisms are based on *BLOCKING* traffic.
>The more you block the more protection the device provides.  Not blocking
>insane protocols lowers your security posture, sometimes significantly.
>Those of us who have been talking about how bad a protocol FTP is for
>years weren't surprised by the relatively recent round of FTP exploits
>through firewalls, and we weren't vulnerable either.
>
>Hell, if everyone else had held the line on HTTP tunneling clients and
>plug-ins we'd still be a lot better off, but tunneling was going to happen
>anyway, security doesn't scale well and is labor-intensive on a
>per-protocol basis.
>
>Paul
>-----------------------------------------------------------------------------
>Paul D. Robertson      "My statements in this message are personal opinions
>[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]

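The disagreement above turns on one mechanical fact: in active FTP the server opens the data connection back to the client, so a stateless packet filter can only admit it by opening inbound high ports wholesale, while a proxy or stateful firewall (mouss's ftp-gw, Paul's "PASV FTP to a proxy") can admit exactly the one connection announced on the control channel. The script below is an added illustration, not code from either poster or from any firewall product: it parses a client `PORT` command and a server `227` passive reply, derives who dials whom, and compares the two filtering approaches. The addresses, the `10.0.0.0/8` inside network and the control-channel lines are constructed sample values.

```python
"""Active vs passive FTP as a packet filter sees it.

Added illustration (not code from the list post): parse the control-channel
line that announces the data connection, work out who dials whom, and
compare a stateless filter with a stateful tracker.  All addresses are
constructed sample values.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

CLIENT_IP = "10.0.0.5"        # constructed: desktop behind the firewall
SERVER_IP = "198.51.100.20"   # constructed: FTP server out on the Internet
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed: the protected side

# RFC 959 host/port tuple: h1,h2,h3,h4,p1,p2 with port = p1 * 256 + p2
_HOST_PORT = re.compile(r"(\d{1,3}(?:,\d{1,3}){5})")


@dataclass(frozen=True)
class DataConnection:
    """The TCP connection the transfer will use: who opens it, to where."""
    mode: str        # "active" (server dials the client) or "passive"
    src_ip: str
    dst_ip: str
    dst_port: int


def _decode_host_port(six: str) -> tuple[str, int]:
    parts = [int(p) for p in six.split(",")]
    if any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"octet out of range in {six!r}")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def data_connection(control_line: str) -> DataConnection:
    """Derive the data connection from a client PORT command or a server 227 reply."""
    line = control_line.strip()
    m = _HOST_PORT.search(line)
    if m is None:
        raise ValueError(f"no host/port tuple in {line!r}")
    ip, port = _decode_host_port(m.group(1))
    if line.upper().startswith("PORT"):
        # Active mode: the client told the server where to call back.
        return DataConnection("active", SERVER_IP, ip, port)
    if line.startswith("227"):
        # Passive mode: the server told the client where to connect.
        return DataConnection("passive", CLIENT_IP, ip, port)
    raise ValueError(f"not a PORT command or 227 reply: {line!r}")


def stateless_verdict(conn: DataConnection, open_inbound_high_ports: bool) -> str:
    """A stateless filter judges each SYN on direction and destination port alone.

    Outbound connections from the inside are allowed.  Inbound ones are
    allowed only when the policy opens every port above 1023, the classic
    concession that made active FTP work through stateless filters.
    """
    inbound = ipaddress.ip_address(conn.dst_ip) in INSIDE_NET
    if not inbound:
        return "allow"
    if open_inbound_high_ports and conn.dst_port > 1023:
        return "allow"
    return "deny"


class StatefulTracker:
    """What a proxy or stateful firewall does instead: remember the one data
    connection announced on the control channel and admit exactly that one."""

    def __init__(self) -> None:
        self._expected: set[DataConnection] = set()

    def observe(self, control_line: str) -> None:
        self._expected.add(data_connection(control_line))

    def verdict(self, src_ip: str, dst_ip: str, dst_port: int) -> str:
        for conn in self._expected:
            if (conn.src_ip, conn.dst_ip, conn.dst_port) == (src_ip, dst_ip, dst_port):
                self._expected.discard(conn)   # one-shot pinhole, closed once used
                return "allow"
        return "deny"


if __name__ == "__main__":
    active = data_connection("PORT 10,0,0,5,4,1")
    passive = data_connection("227 Entering Passive Mode (198,51,100,20,195,80).")
    for conn in (active, passive):
        print(conn.mode, "strict:", stateless_verdict(conn, False),
              "high ports open:", stateless_verdict(conn, True))
    # The price of opening high ports: an unrelated inbound connection is admitted too.
    stray = DataConnection("none", "203.0.113.9", CLIENT_IP, 8080)
    print("unrelated inbound, high ports open:", stateless_verdict(stray, True))
    tracker = StatefulTracker()
    tracker.observe("PORT 10,0,0,5,4,1")
    print("stateful, announced:", tracker.verdict(SERVER_IP, CLIENT_IP, 1025))
    print("stateful, stray:", tracker.verdict("203.0.113.9", CLIENT_IP, 8080))
```

Running it shows the trade-off both posters are arguing about: with a strict inbound-deny policy the stateless filter passes passive FTP and blocks active FTP; opening ports above 1023 makes active FTP work but also admits an unrelated inbound connection to port 8080; the stateful tracker admits only the single connection the client announced, and only once.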
