Firewall Wizards: Re: IPS vs. Firewalls (why vs. ?)

[Dave Piscitello <dave () corecom com>]

Marcus J. Ranum wrote:

> This is exactly what I meant about whether a device is internally designed
> around 'default permit' or 'default deny'.   A device that is aimed toward
> default deny would know what totally vanilla HTTP looked like and would
> discard anything that was not exactly plain HTTP.
I made a similar comment.

> Protocol-over-protocol tunnelling is nothing new. But step back and ask
> yourself "why tunnel protocol over protocol"?? There is actually no real
> reason for tunnelling except to make it easier to bypass controls, right?
> After all, if we use SSL on port 443 for "https" and SSL on port 993
> for "imap" etc, it's clear that we can use protocol layering without
> trying to violate policy... So I, frankly, I feel that if I see instant messenger
> traffic on my HTTP service that I've caught someone with their hand in
> the cookie jar, so to speak. Time to cut it off...
Yep.

> Remember, a lot of these tunnelled protocols are billed as being
> "firewall friendly."  
The marketing euphemism is "firewall aware" not "firewall friendly".

To truly understand what firewall administrators are up against, read 
the Skype firewall FAQ at http://www.skype.com/help/guides/firewall.html
One statement that stands out among all others as most onerous:

"Ideally, outgoing TCP connections to all ports (1..65535) should be 
opened. This option results in Skype working most reliably. This is only 
necessary for your Skype to be able to connect to the Skype network and 
will not make your network any less secure."
I think I've identified candidate skulss for those .50 BMG SLAP rounds 
you mentioned.

Attachment: dave.vcf
Description:

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature