> On Mon, 11 Dec 2000, Roy G. Culley wrote:
> 
> > Paul D. Robertson wrote:
> >
> >     <snipped>
> >
> > If I remember correctly, this thread started out with you saying
> > that stateful inspection on firewalls was useless. 'active' ftp is
> 
> You don't remember correctly.  I stated that the incremental gain added by
> state keeping in packet filters isn't very large.  I don't recall ever
> saying that keeping state was useless (indeed, I remember pointing out its
> use in stateless protocols.)

I think I remember quite well. You stated that as TCP connections are
stateful there is no need to keep state on the firewall. I replied
with protocols where stateful inspection on the firewall is necessary.
You even implied that netmeeting wasn't so bad. I replied with a link
that showed it is one of the worst. Your method of security policy no
doubt works, but can your users work? With a stateful inspection firewall
active and passive ftp are the same. Clear text user name and password are
bad news, but we have to live with it.

> > a case which proves you wrong. With stateful inspection 'active' ftp
> > is as secure as passive mode. Thus stateful inspection is useful
> 
> Passive mode FTP still isn't a _good_ protocol.  Bad protocol versus worse
> protocol still doesn't win the game, it just loses it less badly.  Kind of
> like dying from a sucking chest wound versus dying from a head shot - the
> result is the same, it's just how you get there and how much pain is
> involved.  Active FTP from a proxy server is probably still better than
> passive mode straight to a client, but neither of them is "good."

I never said that the protocols I mentioned which benefit from stateful
inspection on the firewall were good. I was just stating that having a
firewall which could perform stateful inspection was better than nothing.
I'm talking about the real world where user requirements must be taken
into consideration. As I said before your dictatorial attitude forces
these users to find other ways of getting their work done.

> > when a server doesn't support passive mode (they do exist). Firewalls
> > are an after thought for most organisations. The firewall policy is
> > a compromise between what users had before security became important
> > and the need to protect their internal network. As I said previously
> 
> Maybe _your_ policy works that way, but my policies have always been a
> compromise between what the business needs to do and how well-protected
> the business's assets need to be.  Taking responsibility for securing an
> organization makes you automatically go into a mode where being able to
> explain a security policy and justify the expense for making exceptions
> more secure instead of just clicking the checkbox for "allow braindead
> protocol #47 right through" is important.  Thousands of users have lived
> daily with my security policies, and they've been mostly happy.

Perhaps. There are over 25,000 hosts on my company's Intranet. There
have been no known security breaches (famous last words, I know, but it
is a fact). We constantly monitor our firewall logs, in real time, and
have intrusion detection systems checking our sensitive network
interfaces. The ability to monitor what is being passed through our
firewalls is one of the most important functions of my job. This is not
snooping on users but making sure that we are not open to attack.

As I said before, your attitude to security is one of the main reasons
why SOAP exists. How many of your users are already tunnelling through
HTTP because of your security policy? They sure ain't going to tell you
that they are doing it. In my company they know who to ask for Internet
access and I assess each case on its merits. Methinks you just say no.
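The active/passive FTP point argued above, as an added example that is not part of this thread or either poster's words: a minimal model of what a stateful firewall's FTP helper does with the control channel. It reads the client's PORT command or the server's 227 PASV reply, decodes the announced endpoint, and opens exactly one dynamic pinhole for the expected data connection, which is why both modes look the same to such a firewall. The client and server addresses, the sample transcript and the two policy checks (refusing an endpoint that does not belong to the peer announcing it, and refusing privileged ports) are assumptions chosen for illustration; the bounce check in particular is a choice most helpers make by default but is not mandated by the FTP specification.

```python
"""Model of a stateful firewall's FTP helper: derive data-channel pinholes
from the control channel so active (PORT) and passive (PASV) transfers are
handled symmetrically.  Example code written for this page; addresses,
transcript and policy checks below are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample endpoints (assumed, not from the thread).
CLIENT_IP = "10.0.0.5"
SERVER_IP = "192.0.2.10"

# Client -> server: "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# Server -> client: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227\s.*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Pinhole:
    """One dynamically permitted TCP data connection: src_ip -> dst_ip:dst_port."""
    src_ip: str
    dst_ip: str
    dst_port: int
    mode: str  # "active" or "passive"


def _decode_hostport(fields: Tuple[str, ...]) -> Tuple[str, int]:
    """FTP encodes an endpoint as six decimal octets: dotted quad, then port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if any(not 0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"octet out of range in {fields}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pinhole_for_line(direction: str, line: str, client_ip: str, server_ip: str,
                     strict: bool = True) -> Optional[Pinhole]:
    """Return the pinhole a stateful firewall would open for one control-channel
    line, or None if the line does not touch the data channel.
    direction is "C" (client -> server) or "S" (server -> client).
    strict=True applies the assumed policy: the announced address must belong to
    the peer announcing it (defeats FTP bounce), and PORT may not name a privileged port."""
    if direction == "C":
        m = PORT_RE.match(line)
        if not m:
            return None
        ip, port = _decode_hostport(m.groups())
        if strict and ip != client_ip:
            raise ValueError(f"PORT names {ip}, not the client {client_ip} (bounce attempt?)")
        if strict and port < 1024:
            raise ValueError(f"refusing PORT to privileged port {port}")
        # Active mode: the server connects inbound to the client's announced endpoint.
        return Pinhole(src_ip=server_ip, dst_ip=ip, dst_port=port, mode="active")
    if direction == "S":
        m = PASV_RE.match(line)
        if not m:
            return None
        ip, port = _decode_hostport(m.groups())
        if strict and ip != server_ip:
            raise ValueError(f"227 reply names {ip}, not the server {server_ip}")
        # Passive mode: the client connects outbound to the server's announced endpoint.
        return Pinhole(src_ip=client_ip, dst_ip=ip, dst_port=port, mode="passive")
    raise ValueError("direction must be 'C' or 'S'")


def track_session(transcript: List[Tuple[str, str]], client_ip: str, server_ip: str,
                  strict: bool = True) -> List[Pinhole]:
    """Replay a control-channel transcript as the firewall sees it and collect the
    pinholes opened, in order.  A real helper also removes each pinhole once the
    matching data connection is established or times out; that bookkeeping is omitted."""
    holes = []
    for direction, line in transcript:
        hole = pinhole_for_line(direction, line, client_ip, server_ip, strict)
        if hole is not None:
            holes.append(hole)
    return holes


# Constructed control-channel transcript: one active and one passive transfer.
SAMPLE_TRANSCRIPT = [
    ("S", "220 ftp.example.test ready"),
    ("C", "USER anonymous"),
    ("S", "331 Password required"),
    ("C", "PASS guest@"),                  # credentials cross the wire in clear text
    ("S", "230 Logged in"),
    ("C", "PORT 10,0,0,5,4,1"),            # client listens on 10.0.0.5:1025
    ("S", "200 PORT command successful"),
    ("C", "LIST"),
    ("S", "150 Opening data connection"),
    ("S", "226 Transfer complete"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,88)"),  # server listens on :50008
    ("C", "RETR file.txt"),
]

if __name__ == "__main__":
    for hole in track_session(SAMPLE_TRANSCRIPT, CLIENT_IP, SERVER_IP):
        print(hole)
```

Run as a script it prints the two pinholes: 192.0.2.10 -> 10.0.0.5:1025 for the active transfer and 10.0.0.5 -> 192.0.2.10:50008 for the passive one. Note that the helper must see the control channel in clear to do this at all, which is also why a firewall in this position can log the USER/PASS lines that the thread calls "bad news"; FTP over TLS hides the PORT/PASV exchange from the helper as well, and the pinhole trick stops working.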
