mailing list archives
Re: IPS vs. Firewalls (why vs. ?)
From: Dave Piscitello <dave () corecom com>
Date: Tue, 07 Feb 2006 14:53:42 -0500
Marcus J. Ranum wrote:
This is exactly what I meant about whether a device is internally designed
around 'default permit' or 'default deny'. A device that is aimed toward
default deny would know what totally vanilla HTTP looked like and would
discard anything that was not exactly plain HTTP.
I made a similar comment.
Protocol-over-protocol tunnelling is nothing new. But step back and ask
yourself "why tunnel protocol over protocol"?? There is actually no real
reason for tunnelling except to make it easier to bypass controls, right?
After all, if we use SSL on port 443 for "https" and SSL on port 993
for "imap" etc, it's clear that we can use protocol layering without
trying to violate policy... So I, frankly, I feel that if I see instant messenger
traffic on my HTTP service that I've caught someone with their hand in
the cookie jar, so to speak. Time to cut it off...
Remember, a lot of these tunnelled protocols are billed as being
The marketing euphemism is "firewall aware" not "firewall friendly".
To truly understand what firewall administrators are up against, read
the Skype firewall FAQ at http://www.skype.com/help/guides/firewall.html
One statement that stands out among all others as most onerous:
"Ideally, outgoing TCP connections to all ports (1..65535) should be
opened. This option results in Skype working most reliably. This is only
necessary for your Skype to be able to connect to the Skype network and
will not make your network any less secure."
I think I've identified candidate skulss for those .50 BMG SLAP rounds
Description: S/MIME Cryptographic Signature
Re: IPS vs. Firewalls Mark Teicher (Feb 03)