On Tue, 12 Dec 2000, Roy G. Culley wrote:

> > >   <snipped>
> > >
> > > If I remember correctly, this thread started out with you saying
> > > that stateful inspection on firewalls was useless. 'active' ftp is
> > 
> > You don't remember correctly.  I stated that the incremental gain added by
> > state keeping in packet filters isn't very large.  I don't recall ever
> > saying that keeping state was useless (indeed, I remember pointing out its
> > use in stateless protocols.)
> 
> I think I remember quite well. You stated that as TCP connections are
> stateful there is no need to keep state on the firewall. I replied

What I said was that there wasn't a great deal of value from keeping state
in a packet filter given that TCP was stateful. I typo'd "not" and ended
up with "no", but the intent was obvious.

I also said (before you were in the conversation) that state was only
really useful for protocols that didn't maintain state themselves and for
passing protocols "that you really shouldn't be passing if they're that
bad."  

http://lists.gnac.net/firewalls/mhonarc/firewalls.200012/msg00072.html

if you want to reread it.

> with protocols where stateful inspection on the firewall is necessary.
> You even implied that netmeeting wasn't so bad. I replied with a link

No, I said that all of the other examples you cited were definitely
opening a huge hole, and that I wouldn't put that much trust in Netmeeting
either (it happens to be the only one of the group that I've ever seen a
good business case for- we still made them get off their butts and go to
a machine outside the firewall though.)

http://lists.gnac.net/firewalls/mhonarc/firewalls.200012/msg00075.html

> that showed it is one of the worst. Your method of security policy no
> doubt works but can your users work? With a stateful inspection firewall

My users have always been able to complete their tasks, and my employers
have always been increasingly profitable.  My last employer went from
about a USD 2.6 Billion to a USD 4.5B company while I was there.  I'm sure
the firewall retarded our growth significantly. ;)

> active and passive ftp are the same. Clear text user name and password is
> bad news but we have to live with it.

No, we don't *have* to live with it.  That's like saying that auto
manufacturers shouldn't insist on air bags and seatbelts in cars, because
auto accidents are supposed to create critical injuries.  If you accept
that argument for every protocol, you have a firesieve, not a firewall.

> I never said that the protocols I mentioned which benefit from stateful
> inspection on the firewall were good. I was just stating that having a
> firewall which could perform stateful inspection was better than nothing.

And I said that not passing broken protocols was better than anything.  I
even prefaced it with something along the lines of "For security."

>
> I'm talking about the real world where user requirements must be taken
> into consideration. As I said before your dictatorial attitude forces
> these users to find other ways of getting their work done.

I'm talking about the real world where security is about protecting real
assets.

> interfaces. The ability to monitor what is being passed through our
> firewalls is one of the most important functions of my job. This is not
> snooping on users but making sure that we are not open to attack.

Some of us tend to think that our companies are better served by
pre-planning and providing sound architectures rather than during or
after-the-fact monitoring.  I'm sure the IDS vendors appreciate the
business though.  It's a different approach than mine, and obviously I
think it's not a good one.

> As I said before your attitude to security is one of the main reasons
> why SOAP exists. How many of your users are already tunnelling through

As I said before, you're mistaken, the main reason that tunneling is so
ubiquitous is probably that TIS couldn't roll out proxy code fast enough
to please the market.  Once the first three apps got tunneling over HTTP
working, it was pretty-much game over.

> HTTP because of your security policy? They sure ain't going to tell you

If they have to tell you, you're not doing very well.  Tunneling over HTTP
was allowed for some cases with a business justification at my last
employer.  I had the ability to strip most tunnels at my proxy, but we
made business decisions not to in most cases.

> that they are doing it. In my company they know who to ask for Internet
> access and I assess each case on its merits. Me thinks you just say no.

No, I assess each case, give them a dirty look, and *then* say no ;)

You shouldn't forget the dirty look, the effect is much better with it.

Funnily enough, each time I explained a "we shouldn't pass that" to my
CIO, he was happy to back that to the hilt.  If you're in a place where
you have to be political instead of efficient, or where funding or time
for solidly designed alternatives isn't available, then you have to
adjust.  I've never put myself in that position without being able to
uphold my network's integrity.

There's a reason that most security texts and experts adhere to a default
deny policy, perhaps you should ponder that. 

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
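The argument in the message above is about how much a packet filter gains from keeping state when TCP already carries its own, and where state is genuinely needed (stateless protocols such as UDP, and active FTP, whose data connection comes back from the server). The following is an added illustration by the editor, not code from either poster and not any real firewall's rule language. It is a toy: the 10/8 "inside" test, the packet layout, the simplified "established" rule (drop inbound SYN-without-ACK), the DNS source-port rule and the PORT-command parser are all constructed assumptions, as is the traffic it is run against.

```python
import re
from dataclasses import dataclass


def inside(ip: str) -> bool:
    """True for the hypothetical internal network 10.0.0.0/8 (assumption)."""
    return ip.startswith("10.")


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters: "S" = SYN, "A" = ACK
    payload: str = ""   # only inspected on the FTP control channel


def stateless_filter(pkt: Packet) -> bool:
    """Default-deny stateless filter: decides from the packet in hand only."""
    if inside(pkt.src) and not inside(pkt.dst):
        return True                       # anything outbound is allowed
    if pkt.proto == "tcp":
        # classic "established" rule: reject only what looks like a fresh
        # connection attempt (SYN without ACK); TCP's own state does the rest
        return not ("S" in pkt.flags and "A" not in pkt.flags)
    if pkt.proto == "udp":
        # UDP has no state of its own, so DNS replies can only be admitted by
        # trusting the source port, which any sender is free to choose
        return pkt.sport == 53
    return False


class StatefulFilter:
    """Default-deny filter that remembers outbound flows and FTP PORT commands."""

    def __init__(self) -> None:
        self.flows = set()     # (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.expected = set()  # (outside_ip, inside_ip, inside_port) announced via PORT

    def check(self, pkt: Packet) -> bool:
        if inside(pkt.src) and not inside(pkt.dst):
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            if pkt.proto == "tcp" and pkt.dport == 21:
                # active FTP: the client tells the server where to connect back
                m = re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", pkt.payload)
                if m:
                    a, b, c, d, hi, lo = map(int, m.groups())
                    self.expected.add((pkt.dst, f"{a}.{b}.{c}.{d}", hi * 256 + lo))
            return True
        # inbound: only replies to flows we saw, or the single data connection
        # announced on the control channel (the server connects from port 20)
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True
        exp = (pkt.src, pkt.dst, pkt.dport)
        if pkt.proto == "tcp" and pkt.sport == 20 and exp in self.expected:
            self.expected.discard(exp)
            self.flows.add(("tcp", pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        return False


def run_scenarios() -> dict:
    """Constructed traffic; returns {name: (stateless_verdict, stateful_verdict)}."""
    sf = StatefulFilter()
    client, ftp, attacker, dns = "10.0.0.7", "198.51.100.5", "203.0.113.9", "192.0.2.53"
    scenarios = [
        ("ftp_control_syn",    Packet("tcp", client, 50000, ftp, 21, "S")),
        ("ftp_control_synack", Packet("tcp", ftp, 21, client, 50000, "SA")),
        ("ftp_port_cmd",       Packet("tcp", client, 50000, ftp, 21, "A",
                                      "PORT 10,0,0,7,195,81\r\n")),   # 195*256+81 = 50001
        ("ftp_active_data",    Packet("tcp", ftp, 20, client, 50001, "S")),
        ("spoofed_port20",     Packet("tcp", attacker, 20, client, 139, "S")),
        ("ack_scan",           Packet("tcp", attacker, 4444, client, 139, "A")),
        ("dns_query",          Packet("udp", client, 40000, dns, 53)),
        ("dns_reply",          Packet("udp", dns, 53, client, 40000)),
        ("fake_dns_src",       Packet("udp", attacker, 53, client, 161)),
    ]
    # order matters: the stateful filter learns from earlier packets
    return {name: (stateless_filter(p), sf.check(p)) for name, p in scenarios}


if __name__ == "__main__":
    for name, (sl, st) in run_scenarios().items():
        print(f"{name:20s} stateless={sl!s:5s} stateful={st}")
```

Run as a script it prints one line per packet. For the ordinary TCP exchange both filters reach the same verdicts; they differ on the inbound ACK probe (passed by the stateless "established" rule, dropped by the stateful one), on the active FTP data connection (only the filter that read the PORT command can open it without a standing hole for source port 20), and on UDP, where the stateless filter has nothing but the source port to go on and so passes the unsolicited packet from a sender claiming port 53.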
