Firewall Wizards: Re: FW appliance comparison - Seeking input for the forum
From: Patrick M. Hausen <hausen_at_punkt.de>
Date: Wed, 18 Jan 2006 23:29:54 +0100

Hi!

On Wed, Jan 18, 2006 at 03:27:20PM -0500, Paul Melson wrote:

> > Why would you want a signature based IDS at all? They don't work.
> > Period. Enumerating badness is a silly idea.
>
> Sure they do. The premise may be flawed, but the technology works, even if
> it falls into the "better than nothing" category. They're smoke detectors
> for a small subset of possible fires. Using one is still better than
> letting the house burn to the ground each and every time there's a fire.

You are correct and I oversimplified the issue. They are useful.
They don't increase the "security" of flawed firewall
designs, though.

> See my previous post. Just because you enforce HTTP over TCP/80 with a
> proxy doesn't mean you're keeping all of the garbage out... or in.

I'm not talking about enforcing HTTP. I'm talking about enforcing
application data. I know of a firewall vendor actively developing
an Active Directory proxy enforcing which side of the proxy is
allowed which methods and objects on the other side of the proxy.

There are products that let you configure a positive list of
URLs that your web application uses. Everything else will be
denied. This catches _all_ of "GET /../../../WINDOWS/SYSTEM32/CMD.EXE ..."
and the like. If configured correctly.

Mechanism is nothing without policy. And firewalls are mechanism.

> Not to
> mention that there are plenty of standard, known protocols out there (think
> SQL protocols) that lack a good proxy to manage the actual behavior of the
> connections that cross them.

The very same vendor has got an MS SQL proxy that actually understands
MS SQL.

> Not to mention that the real bad guys are tunneling across the
> allowed ports while you sleep.

Firewalls have never been about ports. Most current commercial
offerings are, but I hardly call _these_ firewalls.

Kind regards,
Patrick

-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Jan 18 2006
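The "positive list of URLs" the post describes, and its "if configured correctly" caveat, as an added worked example (not code from the thread or from any product mentioned in it). Everything here is assumed for illustration: the allowlist, the method list, and the sample requests, which are constructed and include the CMD.EXE traversal quoted above plus URL-encoded and double-encoded variants of it. The point it demonstrates is that a positive model only works when the policy is applied to the canonicalized path; a naive prefix match on the raw target lets the same request through.

```python
"""Positive-model (allowlist) request filter in the style of the post.

Added example, not from the mailing-list thread or any vendor product.
The allowlist, method list and sample requests are all constructed.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed policy: the only targets the (hypothetical) web application uses.
ALLOWED_PATHS = {"/", "/index.html", "/login", "/cart/checkout"}
ALLOWED_METHODS = {"GET", "POST"}

# Constructed sample requests, including the traversal quoted in the post.
SAMPLE_REQUESTS = [
    ("GET", "/index.html"),
    ("POST", "/login"),
    ("GET", "/../../../WINDOWS/SYSTEM32/CMD.EXE?/c+dir"),
    ("GET", "/index.html/..%2f..%2f..%2fWINDOWS/SYSTEM32/CMD.EXE"),
    ("GET", "/%252e%252e/%252e%252e/WINDOWS/SYSTEM32/CMD.EXE"),
    ("DELETE", "/login"),
]


def canonical_path(raw_target):
    """Reduce a request-target to one normalized absolute path.

    Percent-decoding is repeated (bounded) so that double-encoded
    sequences such as %252e%252e become '..' before the policy check,
    backslashes are treated as separators, and '.'/'..' segments are
    collapsed with posixpath.normpath, which also drops '..' at the root.
    """
    path = urlsplit(raw_target).path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def policy_decision(method, raw_target):
    """Return ("ALLOW" | "DENY", detail). Only listed methods and paths pass."""
    if method not in ALLOWED_METHODS:
        return "DENY", "method %s not in positive list" % method
    path = canonical_path(raw_target)
    if path in ALLOWED_PATHS:
        return "ALLOW", path
    return "DENY", "path %s not in positive list" % path


# The misconfigured variant: prefix match against the raw, un-decoded path.
# "/" is deliberately absent because as a prefix it would allow everything.
ALLOWED_PREFIXES = ("/index.html", "/login", "/cart/checkout")


def naive_prefix_decision(method, raw_target):
    """Same intent, wrong mechanism: no decoding, no normalization."""
    raw_path = urlsplit(raw_target).path
    if method in ALLOWED_METHODS and raw_path.startswith(ALLOWED_PREFIXES):
        return "ALLOW"
    return "DENY"


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Run both filters over the sample requests; returns a list of rows."""
    rows = []
    for method, target in requests:
        strict, detail = policy_decision(method, target)
        rows.append((method, target, strict, naive_prefix_decision(method, target), detail))
    return rows


if __name__ == "__main__":
    for method, target, strict, naive, detail in evaluate_all():
        print("%-6s %-55s strict=%-5s naive=%-5s %s" % (method, target, strict, naive, detail))
```

Run as a script it prints one row per request. The third sample (a traversal embedded under an allowed prefix, with encoded slashes) is the instructive one: the naive prefix filter says ALLOW because the raw target starts with "/index.html", while the canonicalizing filter resolves it to /WINDOWS/SYSTEM32/CMD.EXE and denies it. That is the gap between the mechanism the post describes and the policy work needed to make it hold.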