Great Circle Associates Firewalls
(November 1996)
 


Subject: Re: File transfer throught a firewall
From: "Mark Riggins" <mark @ internetstartup . com>
Organization: InternetStartup
Date: Thu, 14 Nov 1996 18:10:34 -0800
To: Daniel Salenger <dsalenger @ dttus . com>
Cc: Firewalls @ GreatCircle . COM
References: <9610148480 . AA848026520 @ cc4 . dttus . com>
Reply-to: mark @ internetstartup . com

Daniel Salenger wrote:
> 
> 
>      (original problem solved but......)  Mark I would tend to agree with
>      you here.  From what I have seen at a design level (not the code
>      level) of both Eagle and Sidewinder I am impressed with the detailed
>      look at the SMTP packets (search for buffer overflow?) over other
>      proxies however, I think that screening http traffic may be like
>      attempting to make the perfect 'hardened' UNIX kernel all over again.

The whole problem with firewalls is that their effectiveness depends on
their ability to make decisions based on very limited information.  We have a
reasonable confidence (I think) that services on internal hosts will be
listening on well known ports.  So rejecting inbound ftp is pretty easy.  But
collaboration between an internal client and an external server can make
port/protocol based decisions ineffective.  It's always been that way.
Building more intelligence into proxies or dynamic filters helps, but is
never complete, although with sufficient hurdles in place perhaps an
application vendor would hesitate to try to evade the policy.  On the other
hand, as mjr pointed out you can tx files out with email very easily.
Email can be used to implement entire protocols.  A recent book I read
about software agent technology used email as the transport for agents and
their results.

It's frustrating to the firewall user to see the effectiveness of their
costly and well thought-out solution so easily evaded.  I think that the
implications for firewall vendors and users are clear: either the firewall
grows in functionality to allow secure access for what users want, or users
will evade the firewall.  I guess the other stance that they can take is to
build so much intelligence into the proxies that evading them becomes too
problematic for vendors to plan on.  It will be interesting to see what
comes next in the case of Java RMI over port 80.  I suppose that firewall
vendors will likely find a way to block it.

Is anybody working on that?

Mark Riggins
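As an added illustration of the point above, that a proxy has to look past the port number to the application protocol: this is example code written for this archive page, not code from the thread or from any product it names. It inspects the first bytes an internal client sends on an outbound port-80 stream, accepts only a well-formed HTTP request line, and refuses the Java RMI transport protocol, whose stream header opens with the magic bytes "JRMI". The sample flows are constructed.

```python
import re

# Constructed sample flows (first bytes an internal client sends to an
# external host on TCP port 80); illustrative only, not captured traffic.
SAMPLE_FLOWS = {
    "plain-http": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    # Java RMI transport header: 4-byte magic "JRMI", 2-byte version, protocol byte
    "java-rmi": b"JRMI\x00\x02\x4b",
    "tls-like": b"\x16\x03\x01\x00\xa5\x01\x00\x00",   # a TLS-looking record, not HTTP
    "bogus-http": b"GET / HTTP/9.9\r\n\r\n",           # full first line, wrong version
    "short": b"GE",                                    # too little data to decide
}

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"TRACE"}
# Request-line grammar the proxy is willing to accept (HTTP/1.0 or 1.1 only).
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S{1,2048}) HTTP/1\.[01]\r\n")
JRMI_MAGIC = b"JRMI"  # magic that opens the RMI wire-protocol stream header


def classify_port80_flow(data: bytes) -> str:
    """Classify the opening bytes of a client->server stream on TCP/80.

    Returns "allow", "deny:<reason>", or "undecided" when more bytes are needed.
    """
    if data.startswith(JRMI_MAGIC):
        return "deny:java-rmi-transport"
    m = REQUEST_LINE.match(data)
    if m:
        if m.group(1) not in HTTP_METHODS:
            return "deny:unknown-http-method"
        return "allow"
    # No well-formed request line yet: decide whether one could still arrive,
    # or whether the stream is already provably not HTTP.
    if b"\n" in data:
        return "deny:not-http"   # a complete first line arrived and did not parse
    if len(data) >= 8 and not any(data.startswith(meth) for meth in HTTP_METHODS):
        return "deny:not-http"   # enough bytes seen that no HTTP method matches
    return "undecided"


def classify_all(flows=SAMPLE_FLOWS) -> dict:
    """Run the check over every sample flow and return name -> verdict."""
    return {name: classify_port80_flow(first) for name, first in flows.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:12s} {verdict}")
```

A first-bytes check like this only catches RMI's own transport on port 80; RMI carried inside legitimate-looking HTTP POST bodies passes it, which is exactly the incompleteness the message describes.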
