Firewall Wizards: Re: How automate firewall tests

Re: How automate firewall tests

From: Marcus J. Ranum <mjr_at_ranum.com>
Date: Mon, 21 Aug 2006 09:38:57 -0400

Tim Shea wrote:
>And you can equally argue that proxies were never good to begin
>with. Really - the majority of applications out there have no real
>layer 7 level proxy so you have to tackle the problem from other
>directions.

That's exactly what I mean. It goes deeper than that, really. Most
applications out there today have no layer 7 *specification* -- never
mind a proxy. They're simply a bunch of poorly-understood stuff
going back and forth on a connection. Nobody can filter it for
correctness because nobody even knows what correctness
*means* in that case. Or, you get protocols like the VOIP suite,
which are an amalgamation of poorly-designed and over-designed
standards and features; there's no sensible way to go through
and apply protocol minimization because there's no real
protocol, just a feature set driven by a bunch of commands
that are executed in an arbitrary order.

Insecurity is a problem of complexity and trust. We can't fix
trust with technology, and the complexity of current applications
software has completely escaped our grasp. Until such a time
when app protocols are well-designed and specified (ain't gonna
happen!) we're not going to have meaningful progress in security,
we'll just have the "band aid of the month club." For the record,
I never felt firewalls were a solution to the problem (proxy or
otherwise) they're simply a centralizable band aid. The reason
that packet-oriented firewalls suck is because they're locked
into the permit/deny-packet model and that means it's impossible
to do protocol minimization. I don't think anyone does that any
more, anyhow, so it's largely a moot point.

On the other hand, the customers of the "computer security
industry" are spending about $1 billion annually on all the
computer security "solutions", yet the situation is getting worse.
What does that tell you? It tells me the "conventional
wisdom" isn't.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Aug 21 2006
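The distinction the message draws between the permit/deny-packet model and protocol minimization, shown as an added example that is not part of the original post and not code from any firewall product: a command-level filter for a constructed subset of SMTP. A packet filter can only say "allow TCP/25", after which every byte of the conversation passes; a minimizing proxy accepts only the verbs, argument shapes and command order it has a specification for and rejects the rest. The verb list, argument grammars, state table and client transcript below are all my own constructions for illustration.

```python
"""Protocol minimization for a constructed SMTP subset (added example)."""
import re

MAX_LINE = 512  # RFC 5321 limit on a command line, CRLF included

# The minimized vocabulary: verb -> regex the argument text must match.
# Verbs not listed (VRFY, EXPN, HELP, vendor extensions, junk) are rejected.
# These grammars are deliberately tighter than the RFC; that is the point.
ALLOWED = {
    "HELO": re.compile(r"^[A-Za-z0-9.\-\[\]:]{1,253}$"),
    "EHLO": re.compile(r"^[A-Za-z0-9.\-\[\]:]{1,253}$"),
    "MAIL": re.compile(r"^FROM:<[^<>\s]{0,254}>$", re.I),
    "RCPT": re.compile(r"^TO:<[^<>\s]{1,254}>$", re.I),
    "DATA": re.compile(r"^$"),
    "RSET": re.compile(r"^$"),
    "NOOP": re.compile(r"^$"),
    "QUIT": re.compile(r"^$"),
}

# Which verbs are acceptable in which state, and the state each leads to.
# This pins down "commands executed in an arbitrary order" to a fixed order.
TRANSITIONS = {
    "start":   {"HELO": "greeted", "EHLO": "greeted", "NOOP": "start",
                "RSET": "start", "QUIT": "closed"},
    "greeted": {"HELO": "greeted", "EHLO": "greeted", "MAIL": "mail",
                "NOOP": "greeted", "RSET": "greeted", "QUIT": "closed"},
    "mail":    {"RCPT": "rcpt", "NOOP": "mail", "RSET": "greeted",
                "QUIT": "closed"},
    "rcpt":    {"RCPT": "rcpt", "DATA": "data", "NOOP": "rcpt",
                "RSET": "greeted", "QUIT": "closed"},
}


def check_command(state, raw):
    """Return (verdict, new_state, reason) for one client line."""
    if len(raw) > MAX_LINE:
        return "REJECT", state, "line exceeds 512 octets"
    line = raw.rstrip("\r\n")
    if state == "data":
        # Message body is opaque to the command filter; a lone dot ends it.
        return "ACCEPT", ("greeted" if line == "." else "data"), "message body"
    if not (line.isascii() and line.isprintable()):
        return "REJECT", state, "non-printable or non-ASCII octets in command"
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb not in ALLOWED:
        return "REJECT", state, f"verb {verb!r} not in minimized set"
    if not ALLOWED[verb].match(arg):
        return "REJECT", state, f"malformed argument for {verb}"
    nxt = TRANSITIONS[state].get(verb)
    if nxt is None:
        return "REJECT", state, f"{verb} not permitted in state {state!r}"
    return "ACCEPT", nxt, "ok"


def filter_session(lines):
    """Run a client transcript through the filter and return the decisions.

    A rejected command does not advance the state, so a client cannot talk
    its way past the grammar by sending junk first."""
    state = "start"
    decisions = []
    for raw in lines:
        verdict, state, reason = check_command(state, raw)
        decisions.append((raw.strip(), verdict, reason))
        if state == "closed":
            break
    return decisions


# Constructed client transcript; a plain TCP/25 permit would pass all of it.
SAMPLE = [
    "EHLO mail.example.test\r\n",
    "VRFY root\r\n",                                    # reconnaissance verb
    "MAIL FROM:<alice@example.test>\r\n",
    "DATA\r\n",                                         # out of order: no RCPT
    "RCPT TO:<bob@example.test>\r\n",
    "RCPT TO:<bob@example.test> NOTIFY=NEVER\r\n",      # parameter not in grammar
    "X" * 600 + "\r\n",                                 # oversized line
    "DATA\r\n",
    "Subject: hi\r\n",
    "\r\n",
    "hello\r\n",
    ".\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    for cmd, verdict, reason in filter_session(SAMPLE):
        print(f"{verdict:6} {reason:45} {cmd[:40]}")
```

Everything the filter rejects here is a well-formed TCP segment on an allowed port, which is exactly what a packet-oriented rule cannot distinguish from legitimate traffic; the minimization lives entirely in knowing what a correct session is allowed to look like.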
