Security Basics: Re: Application Firewall

[Paul Wong <wongpk () starhub net sg>]

yes, I fully agreed with you, I have seen such configuration before, is very 
neat.
Cheers
----- Original Message ----- 
From: "Adriel Desautels" <adriel () netragard com>
To: "Bryan S. Sampsel" <bsampsel () libertyactivist org>
Cc: <ams.sec () gmail com>; <security-basics () securityfocus com>
Sent: Friday, July 18, 2008 11:50 PM
Subject: Re: Application Firewall


> Honestly,
> Apache with mod_security setup as a reverse proxy is quite good. I've
> used that particular configuration in many instances and I have no
> complaints what so ever. You can build it yourself, or you can get an
> appliance from the ModSecurity folks. I HIGHLY recommend this solution.
>
> http://www.modsecurity.org/
>
>
> Regards,
> Adriel T. Desautels
> Chief Technology Officer
> Netragard, LLC.
> Office : 617-934-0269
> Mobile : 617-633-3821
> http://www.linkedin.com/pub/1/118/a45
>
> Join the Netragard, LLC. Linked In Group:
> http://www.linkedin.com/e/gis/48683/0B98E1705142
>
> ---------------------------------------------------------------
> Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
> Penetration Testing, Vulnerability Assessments, Website Security
>
> Netragard Whitepaper Downloads:
> -------------------------------
> Choosing the right provider : http://tinyurl.com/2ahk3j
> Three Things you must know  : http://tinyurl.com/26pjsn
>
>
> Bryan S. Sampsel wrote:
> > Sidewinder from Secure Computing is an excellent application-proxy 
> > firewall.
> > So is Borderware.
> >
> > IPCOP has aspects that qualify.
> >
> > No, the ASA is a packet filter only firewall.  It's quite good at what it
> > does, but it does not handle the application layer.  And no, deep packet
> > inspection does not qualify.
> >
> > O'Reilly made an awesome firewall book that you should read.  It's a
> > little dated, but the concepts are solid: Building Internet Firewalls.
> >
> > For most of 'em, you'll need some coin.  Neither Sidewinder nor 
> > Borderware
> > come cheap.  IPCOP is ok for a SOHO setup, perhaps as many as 25
> > users...not sure beyond that.  But it's not engineered to be an 
> > enterprise
> > solution...though I'm sure someone has created a flavor of it that is.
> >
> > Application proxy firewalls do give you some additional protection over
> > straight packet filter firewalls.  If you're talking a massive 
> > enterprise,
> > it takes more hardware to drive it as well, as there is some footprint
> > increase because of the proxies themselves.  However, when a user goes 
> > out
> > through a proxy, a hardened IP stack protects them, as no direct
> > connections are made between client and remote end.  With a packet 
> > filter,
> > the client talks directly to the remote end.
> >
> > Hope that helps a bit.
> >
> > Sincerely,
> >
> > Bryan S. Sampsel
> > LibertyActivist.org
> >
> >
> > ams.sec () gmail com wrote:
> > > Hi everyone,
> > >
> > > Can anyone please list out some name of application level firewalls. 
> > > Would
> > > Cisco ASA qualify as a application firewall? I have heard it needs 
> > > certain
> > > addons to provide application screening functionality. Thanks a zillion.
> > >
> > > Ams
> ----------------------------------------------------------
> This email has been scanned for viruses by StarHub e.Scan.

----------------------------------------------------------
This email has been scanned for viruses by StarHub e.Scan.