Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: IPS vs. Firewalls (why vs. ?)
From: Dave Piscitello <dave () corecom com>
Date: Tue, 07 Feb 2006 14:53:42 -0500

Marcus J. Ranum wrote:

This is exactly what I meant about whether a device is internally designed
around 'default permit' or 'default deny'.   A device that is aimed toward
default deny would know what totally vanilla HTTP looked like and would
discard anything that was not exactly plain HTTP.

I made a similar comment.

Protocol-over-protocol tunnelling is nothing new. But step back and ask
yourself "why tunnel protocol over protocol"?? There is actually no real
reason for tunnelling except to make it easier to bypass controls, right?
After all, if we use SSL on port 443 for "https" and SSL on port 993
for "imap" etc, it's clear that we can use protocol layering without
trying to violate policy... So I, frankly, I feel that if I see instant messenger
traffic on my HTTP service that I've caught someone with their hand in
the cookie jar, so to speak. Time to cut it off...


Remember, a lot of these tunnelled protocols are billed as being
"firewall friendly."

The marketing euphemism is "firewall aware" not "firewall friendly".

To truly understand what firewall administrators are up against, read the Skype firewall FAQ at http://www.skype.com/help/guides/firewall.html

One statement that stands out among all others as most onerous:

"Ideally, outgoing TCP connections to all ports (1..65535) should be opened. This option results in Skype working most reliably. This is only necessary for your Skype to be able to connect to the Skype network and will not make your network any less secure."

I think I've identified candidate skulss for those .50 BMG SLAP rounds you mentioned.

Attachment: dave.vcf

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]