Re: firewalls and the incoming traffic problem
Darren Reed (darrenr at cyber.com.au)
Mon, 29 Sep 1997 12:06:50 +1000 (EST)
- Next message: Marcus J. Ranum: "Re: FW-1 running on Trusted Solaris 2.5 ?"
- Previous message: Itai Dor-on: "RE: firewalls and the incoming traffic problem"
- Maybe in reply to: Marcus J. Ranum: "firewalls and the incoming traffic problem"
- Next in thread: Bennett Todd: "Re: firewalls and the incoming traffic problem"
- Reply: Bennett Todd: "Re: firewalls and the incoming traffic problem"
In some mail I received from Marcus J. Ranum, sie wrote
[...]
> - Firewalls are poor at providing access control
> on "unsolicited" incoming traffic to generic
> services that are "required" as part of being on
> the Internet
Hmmm, you didn't mention that they're poor for providing access control
on WWW surfing so I assume you're okay with this ;) You might want to
add that they're good for political status inside some companies - the
only ones to have access approved are those closest to the relevant
managers.
> - The number of generic services is increasing
> slowly
> - The number of implementations of the generic
> services is increasing dramatically
Hmmm, I'm not sure either of these has a direct impact except in terms of
the complexity of the firewall. Where before you only need to worry about
(say) IP over email, now you need to worry about IP over HTTP and others.
Curiously, although the number of generic services are increasing, it is
the same sort of problem, in each case, which the firewall must deal with
and nearly all of these are related to `rich content'.
It would seem that the "ultimate" firewall is one in which you can safely
and accurately emulate the backend handling of some data, observe what
happens as a result of that handling and then decide what to do with it.
I don't know how useful that is for _all_ services that people want to
push through firewalls, but it does handle those not so easily addressed
(in security terms) by packet filtering.
In the mail example you gave, there would be some sort of simulation for
handling mail to a unix system (and thus correct handling of /bin/sh) as
well as emulating NT (the C:\autoexec.bat example). If I've defined my
mail delivery emulation such that it should only expect data to be saved
to a certain file but in delivery a program is run, an exception flag
would be raised and the mail dropped. Hmmmm, anyone want to write a
firewall in java ? ;)
However, I think this is just a nice dream for a lot of us as it'd be
immensely complex to configure and keep up to date - never mind program!
Darren
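The "emulate the backend, observe what happens, then decide" idea from the message above, as an added example that is not part of the original post or of any firewall product: a toy mail-delivery emulator that works out which actions a delivery agent would take for each recipient (append to a mailbox file, or hand the message to a program) and a policy check that raises an exception, and so drops the mail, whenever the emulated delivery would do anything other than write into the expected mailbox area. The .forward-style rule table, the recipients, the sample message and the allowed mailbox directory are all constructed assumptions for illustration.

```python
"""Added example: emulated mail delivery as a firewall policy check.

Not code from the original post. The rule syntax, the recipient table,
the sample message and the policy are constructed for illustration.
"""
from dataclasses import dataclass
from email import message_from_string
from email.utils import getaddresses


@dataclass(frozen=True)
class Action:
    kind: str     # "write_file" or "exec_program"
    target: str   # file path or program command line


# Constructed .forward-style rules keyed by local recipient. An entry that
# starts with "|" pipes the message to a program; anything else is a file
# the message would be appended to. "dave" mirrors the C:\autoexec.bat case.
FORWARD_RULES = {
    "alice": ["/var/mail/alice"],
    "bob":   ["/var/mail/bob", "|/usr/bin/vacation bob"],
    "carol": ["/home/carol/Mail/inbox"],
    "dave":  ["C:\\autoexec.bat"],
}

# Constructed: the only place the policy expects a delivery to write to.
ALLOWED_MAILBOX_DIRS = ("/var/mail/",)


class DeliveryPolicyViolation(Exception):
    """Raised when the emulated delivery does something the policy forbids."""


def emulate_delivery(recipient, rules=FORWARD_RULES):
    """Return the actions a delivery agent would take, without taking them.

    A recipient with no explicit rule gets the default system mailbox.
    """
    actions = []
    for entry in rules.get(recipient, [f"/var/mail/{recipient}"]):
        entry = entry.strip()
        if entry.startswith("|"):
            actions.append(Action("exec_program", entry[1:].strip()))
        else:
            actions.append(Action("write_file", entry))
    return actions


def check_policy(actions, allowed_dirs=ALLOWED_MAILBOX_DIRS):
    """Accept only writes into an allowed mailbox directory; anything else
    (a program run, or a write elsewhere on the system) is a violation."""
    for action in actions:
        if action.kind != "write_file":
            raise DeliveryPolicyViolation(
                f"delivery would run a program: {action.target}")
        if not any(action.target.startswith(d) for d in allowed_dirs):
            raise DeliveryPolicyViolation(
                f"delivery would write outside the mailbox area: {action.target}")
    return True


def firewall_decision(recipient):
    """'accept' if the emulated delivery stays within policy, else 'drop'."""
    try:
        check_policy(emulate_delivery(recipient))
        return "accept"
    except DeliveryPolicyViolation:
        return "drop"


def local_parts(raw_message):
    """Local parts of every To/Cc address in an RFC 822 style message."""
    msg = message_from_string(raw_message)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.split("@", 1)[0].lower()
            for _, addr in getaddresses(fields) if addr]


def decide_message(raw_message):
    """Per-recipient decision for one message, using the emulated delivery."""
    return {r: firewall_decision(r) for r in local_parts(raw_message)}


# Constructed sample message: one recipient delivers to a plain mailbox,
# the other has a rule that would run a program.
SAMPLE_MESSAGE = (
    "From: sender@example.net\n"
    "To: alice@example.org, Bob <bob@example.org>\n"
    "Subject: test\n"
    "\n"
    "hello\n"
)

if __name__ == "__main__":
    for recipient, decision in decide_message(SAMPLE_MESSAGE).items():
        print(f"{recipient}: {decision}")
```

The emulator never touches the file system or runs anything; it only reports what a real delivery would have done, which is exactly the "observe the result of handling, then decide" step the message describes. Keeping the rule table current with the real system's configuration is the hard part the message points at: the check is only as good as the emulation's agreement with the backend.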
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:58 CDT