Firewall Wizards mailing list archives
RE: FW appliance comparison - Seeking input for the forum
From: "Paul D. Robertson" <paul () compuwar net>
Date: Wed, 18 Jan 2006 20:23:12 -0500 (EST)
On Wed, 18 Jan 2006, Paul Melson wrote:
> A recent real-life example is our guest network. To accommodate visiting contractors, auditors, etc. without just letting them plug into the internal network, we have a WEP-enabled wireless network that they can use. This network only allows access to a handful of ports and protocols, essentially enough for basic web browsing (80/443), VPN (PPTP and IPSec), and DNS (they get a DHCP lease that gives them a DNS server address outside of our network). That's moderately restrictive, but we still regularly detect peer-to-peer and IM traffic coming from that subnet. And that's the
Peer-to-peer and IM are about controlling what someone does, not really security. Both of those are controllable by local machine policy, especially in the Windows case- so an IDS is a pretty expensive thing to manage just so your visitors don't do something you don't want them to do- and QoS would be about as effective in the P2P space.
> unencrypted stuff. Many of these apps will work over ports reserved for other common protocols or in the case of at least two IM clients, they will work over HTTP and even through our proxies via GET/POST/POLL methods (blocking CONNECT is no longer enough).
Yep, but I can certainly block the servers those clients connect to at my gateway. I can tunnel everything over DNS too- that doesn't work in a proxy environment.
> The moral of the story is that if you don't force all traffic through an application proxy, you can stand to implement an IDS. Even still, you probably have traffic passing through your proxy that you think you're stopping.
Actually, I think the moral of the story is it's still good to use a proxy...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."
http://fora.compuwar.net   Infosec discussion boards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
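Added example, not from the thread or from either poster: the exchange above makes two points a proxy operator can act on, that IM clients fall back to plain GET/POST/POLL when CONNECT is blocked, and that the servers those clients talk to can be blocked by name at the gateway. The script below shows the review side of that in Python. It parses a few constructed lines in Squid's native access.log format (the format and the hostnames are assumptions; the deny-list is hypothetical) and flags any request to a deny-listed host regardless of HTTP method, plus CONNECT requests to ports other than 443.

```python
"""Flag IM/P2P-style requests in a forward-proxy access log.

Added example, not code from the thread. Demonstrates why a method-based
block (CONNECT only) misses clients that fall back to GET/POST/POLL, and
why a destination-host deny-list catches them whatever method they use.
"""
import re
from urllib.parse import urlsplit

# Constructed sample lines in Squid native access.log format (assumed layout):
# timestamp elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1137634992.123    45 10.20.30.5 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1137634993.456    30 10.20.30.5 TCP_MISS/200 612 POST http://im-gateway.example.net/poll - DIRECT/192.0.2.20 text/plain
1137634994.789   900 10.20.30.7 TCP_TUNNEL/200 80211 CONNECT secure.example.com:443 - DIRECT/192.0.2.30 -
1137634995.012   120 10.20.30.7 TCP_TUNNEL/200 4096 CONNECT peer.example.org:6881 - DIRECT/192.0.2.40 -
1137634996.345    15 10.20.30.9 TCP_DENIED/403 0 CONNECT im-gateway.example.net:5190 - HIER_NONE/- -
"""

# Hypothetical deny-list of hosts fronting IM/P2P services. In practice this
# is built from vendor documentation and from traffic already observed.
DENY_HOSTS = {"im-gateway.example.net", "peer.example.org"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
)


def parse_line(line):
    """Return (client, method, host, port) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, url = m["method"], m["url"]
    if method == "CONNECT":
        # CONNECT carries host:port rather than a full URL
        host, _, port = url.rpartition(":")
        port = int(port) if port.isdigit() else None
    else:
        parts = urlsplit(url)
        host = parts.hostname
        port = parts.port or (443 if parts.scheme == "https" else 80)
    return m["client"], method, host, port


def classify(entry):
    """Return the list of findings for one parsed entry (empty if clean)."""
    _client, method, host, port = entry
    findings = []
    if host in DENY_HOSTS:
        # Fires on GET/POST/POLL fallbacks as well as on CONNECT attempts
        findings.append(f"deny-listed host via {method}")
    if method == "CONNECT" and port != 443:
        # Tunnels to arbitrary ports are the classic way around a CONNECT-only policy
        findings.append(f"CONNECT to non-443 port {port}")
    return findings


def scan(log_text):
    """Return {client: [finding, ...]} covering every flagged request."""
    report = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        client, _method, host, port = entry
        for f in classify(entry):
            report.setdefault(client, []).append(f"{host}:{port} {f}")
    return report


if __name__ == "__main__":
    for client, findings in scan(SAMPLE_LOG).items():
        print(client)
        for f in findings:
            print("   ", f)
```

Run against the sample, the POST to the deny-listed host is reported even though it never used CONNECT, while the ordinary CONNECT to port 443 on an unlisted host produces no finding. The same host-based check is what makes a gateway-level block of the IM servers effective independent of which method the client tries.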
Current thread:
- FW appliance comparison - Seeking input for the forum Roy Duperret (Jan 17)
- RE: FW appliance comparison - Seeking input for the forum Paul Melson (Jan 17)
- Re: FW appliance comparison - Seeking input for the forum sai (Jan 18)
- Re: FW appliance comparison - Seeking input for the forum Paul D. Robertson (Jan 18)
- RE: FW appliance comparison - Seeking input for the forum Paul Melson (Jan 18)
- RE: FW appliance comparison - Seeking input for the forum Paul D. Robertson (Jan 18)
- RE: FW appliance comparison - Seeking input for the forum Paul Melson (Jan 19)
- Re: FW appliance comparison - Seeking input for the forum sai (Jan 18)
- Re: FW appliance comparison - Seeking input for the forum Devdas Bhagat (Jan 18)
- Re: FW appliance comparison - Seeking input for the forum Paul D. Robertson (Jan 18)
- RE: FW appliance comparison - Seeking input for the forum Paul Melson (Jan 17)
- Re: FW appliance comparison - Seeking input for the forum david_harris (Jan 20)
- Re: FW appliance comparison - Seeking input for the forum sai (Jan 20)
- Re: FW appliance comparison - Seeking input for the forum Paul D. Robertson (Jan 20)
- Re: FW appliance comparison - Seeking input for the forum Devdas Bhagat (Jan 23)
- Re: FW appliance comparison - Seeking input for the forum Paul D. Robertson (Jan 23)
- RE: IDS (was: FW appliance comparison) Ben Nagy (Jan 24)
- Re: RE: IDS Chuck Swiger (Jan 24)
