Re: Firewall RISKS
Paul D. Robertson (proberts clark.net)
Thu, 3 Jun 1999 08:13:22 -0400 (EDT)
- Next message: Andrew Brown: "Re: Anybody have a clue why..."
- Previous message: Chris Brenton: "Re: Firewall-Wizards Digest V1 #311"
- In reply to: Ryan Russell: "Re: Firewall-Wizards Digest V1 #311"
- Next in thread: Andrew Gilbert: "Re: Firewall RISKS"
On Tue, 1 Jun 1999, Robert Graham wrote:

> I just posted this e-mail to the RISKS list, but I thought I'd copy it
> here, too.

A minor point:

>
> Explanation: Firewall technology is based on "port filters". The

Not all firewalls are packet filtering firewalls.

> average web server has many ports open for a variety of reasons, but
> needs only port 80 in order to serve web pages. However, ColdFusion
> runs as part of the web server reachable at port 80. QED, placing a
> firewall in front of web server provides no protection against the
> ColdFusion hack.

In the case of a firewall that has the ability to examine the HTTP
method, the PUT method could be disabled from a range of pages. IMNSHO,
that should be done at the Web server level anyway and "firewalls" beyond
screening routers are fairly moot for public-access machines - host security
wins every time.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts clark.net      which may have no basis whatsoever in fact."
PSB#9280
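
An added illustration, not part of the original message, of the distinction drawn in this exchange: a port filter sees only the destination port, while a filter that parses the HTTP request line can refuse PUT for a range of pages. The protected prefixes, function names and sample request lines are constructed for the example.

```python
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Assumed policy, constructed for this example: no PUT under these prefixes.
PROTECTED = ("/app", "/docs")

def port_filter(dst_port: int) -> bool:
    """Packet-filter view: only the destination port is visible."""
    return dst_port == 80

def normalize_path(target: str) -> str:
    """Reduce a request target to the path the server is likely to resolve."""
    # Origin-form targets are kept whole so "//app/x" is not read as a host.
    raw = target.split("?", 1)[0] if target.startswith("/") else urlsplit(target).path
    # Decode %xx first, then collapse "." / ".." segments and repeated slashes.
    return "/" + normpath(unquote(raw) or "/").lstrip("/")

def method_filter(request_line: str) -> bool:
    """HTTP-aware view: parse 'METHOD target HTTP/x.y' and apply the policy."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False  # fail closed on anything that does not parse
    method, target, _version = parts
    if method.upper() != "PUT":  # conservative: also catches lowercase "put"
        return True
    path = normalize_path(target)
    return not any(path == p or path.startswith(p + "/") for p in PROTECTED)

# Constructed sample request lines, all arriving on TCP port 80.
SAMPLES = [
    "GET /app/index.html HTTP/1.0",
    "PUT /app/index.html HTTP/1.0",
    "PUT /public/%2e%2e/app/index.html HTTP/1.0",
    "PUT //docs/readme.txt HTTP/1.0",
    "PUT /uploads/report.txt HTTP/1.0",
    "PUT /app/index.html",
]

def compare(lines=SAMPLES):
    """Return (request line, port filter verdict, method filter verdict)."""
    return [(l, port_filter(80), method_filter(l)) for l in lines]

if __name__ == "__main__":
    for line, by_port, by_method in compare():
        print(f"{line!r:50} port={by_port} method={by_method}")
```

The port filter passes every sample because each arrives on port 80; only the request-line check separates the PUT requests that fall under a protected prefix, including the encoded and double-slash forms.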
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT