Firewall Wizards mailing list archives

Re: Firewalls that generate new packets..


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 30 Nov 2007 00:27:53 -0500

Timothy Shea wrote:
I would add to your comments that
an outgoing proxy (such as squid or bluecoat) allows you to eliminate
the dreaded "completely open outbound default" rule found on many
corporate firewalls and allows a higher degree of auditing.

You raise a really interesting point - and the next big problem.
Namely, that's going to be malcode that tunnels over SSL. It's
already a problem, but it's still at the "tip of the iceberg" stage.

I like asking my clients what they have in place to deal with
that when it comes. By the way, I don't think that border
decryptor/MITM proxies are the answer; they'll get DDOS'd
by malcode traffic from within if the floodgates open the
way I expect them to. The right answer would be to white-list
sites that are business critical for SSL and deny all the
rest. I predict a long period of denial, thrashing, hand-wringing,
duct-tape, and band-aids before reality sets in. Although
with the new high-speed silicon-based band-aids the race
will be neck and neck for a while.

#include <obligatory/itoldyouso.h>

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
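The allow-list-and-deny policy Ranum argues for, written out as a Squid access policy (an added example for this archive page, not configuration from either poster). The subnet, allow-list file path and log path are assumed placeholders; the directives themselves are standard squid.conf.

```conf
# Squid egress policy: permit CONNECT (SSL/TLS tunnels) only to an explicit
# allow-list of business-critical destinations and deny everything else.
# Added example; the subnet and file paths below are assumed placeholders.

acl localnet src 10.0.0.0/8            # assumed internal client range
acl SSL_ports port 443
acl CONNECT method CONNECT

# One destination per line; a leading dot (".bank.example") also matches
# subdomains. This file is the business-critical SSL allow-list.
acl ssl_allowed dstdomain "/etc/squid/ssl_allowlist.txt"

# The "completely open outbound default" equivalent would be a bare
#   http_access allow localnet
# placed before any CONNECT restriction. Squid applies the first
# http_access rule that matches, so the deny rules must come first.

# Tunnels are only allowed on the SSL port and only to listed destinations.
http_access deny CONNECT !SSL_ports
http_access deny CONNECT !ssl_allowed
http_access allow localnet
http_access deny all

# Every decision, including the denies that reveal tunnelling attempts,
# goes to the access log, which is the audit trail an outbound proxy buys you.
access_log /var/log/squid/access.log squid
```

Denied tunnels show up in that log as TCP_DENIED entries for CONNECT requests, so unexpected SSL destinations from inside become visible before any traffic leaves.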