On Thu, 5 Jun 1997, Cy Ardoin wrote:
> On Thu, 5 Jun 1997, Jonathan M. Bresler wrote:
>
> >
> > >I don't think there is anything an application firewall can
> > >do that can't also be done by a "packet filter" firewall. The
> >
> > trivial example:
> > a smtp application level proxy can disable the "debug" command
> > for every sendmail behind that firewall.
>
> Finding and removing the "debug" command from smtp connections at the
> packet layer isn't much different than finding and altering the PORT and
> PASV part of the FTP command and all the NAT style packet filters
> modify the FTP commands. It's not something packet filters do, but
> it is no more difficult than many of the things they already do.
Uhm, how about providing authentication at the firewall, like SecureID
(yuck) or CryptoCard, or even just APOP for a POP3 proxy?
How about providing an SMTP daemon capable of accepting mail, but not
requiring anything more than putting it into a directory for another,
non-privileged daemon to forward to a full-featured MTA that is
inaccessible to the outside world? This SMTP daemon on the firewall is a
very simple beast and leaves much less room for fuckup in code and design
than, let's say, letting packets go through to a full-featured MTA, like,
uhm, sendmail maybe, or Exchange, or Netscape's Mail Server, and having to
modify your packet filter to block out attacks as they are published.
Surely a lot more work than putting SMAPD on your firewall and not having
to worry about tracking bugs in your full MTA (or at least a very large
class of bugs).
Or filter HTTP based on MIME type and response size.
Hand waving and 'well it could' doesn't get you much of anywhere though, not
to imply that this is what you're doing, but just pointing out that theory
is wonderful and very useful, but when it comes to 'capabilities'
assessments like this, it's often better to stay within the somewhat
agreed-upon realm of reality.
Craig Brozefsky                 craig @ onshore . com
onShore Inc.                    http://www.onshore.com/~craig
Development Team                p_priority=PFUN+(p_work/4)+(2*p_cash)
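The store-only SMTP front end described in the message above, as an added example that is not code from the original post and not SMAPD or any other real firewall toolkit's code. It implements only HELO/EHLO, MAIL, RCPT, DATA, RSET and QUIT, writes each accepted message to a spool directory for a separate unprivileged forwarder to pick up, and answers "502" to everything else, so a DEBUG or WIZ sent at the firewall never reaches the MTA behind it. The hostname fw.example.invalid, the addresses, and SAMPLE_SESSION are constructed for illustration; the forwarder that drains the spool directory to the internal MTA is assumed and not shown.

```python
"""Store-only SMTP front end: accept mail, write it to a spool directory, and
implement nothing else. Added example, not the code of any real firewall
toolkit; hostname, addresses and SAMPLE_SESSION are constructed for illustration."""
import os, re, tempfile, uuid

MAX_LINE = 1000  # RFC 5321 4.5.3.1.6 line limit, CRLF included
# Deliberately strict: one mailbox@domain in angle brackets, or "<>" (null sender).
_PATH = re.compile(r"^<((?:[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+)?)>$")

# Constructed client session: two sendmail-era attack verbs, then a real message.
SAMPLE_SESSION = ["EHLO attacker.example", "DEBUG", "WIZ",
                  "MAIL FROM:<alice@example.org>", "RCPT TO:<bob@inside.example>",
                  "DATA", "Subject: hi", "", "..leading dot is unstuffed", ".", "QUIT"]


def _address(arg, keyword):
    """'FROM:<a@b>' -> 'a@b'; 'FROM:<>' -> ''; wrong keyword or bad path -> None."""
    key, _, path = arg.partition(":")
    m = _PATH.match(path.strip())
    return m.group(1) if key.upper() == keyword and m else None


class StoreOnlySmtp:
    """Runs unprivileged; a separate forwarder drains spool_dir to the real MTA."""

    def __init__(self, spool_dir, hostname="fw.example.invalid"):
        self.spool_dir, self.hostname = spool_dir, hostname
        self.spooled = []  # paths of messages written during this session
        self.in_data = self.closed = False
        self._reset()

    def _reset(self):
        self.sender, self.rcpts, self.body = None, [], []

    def feed(self, line):
        """Handle one client line (CRLF stripped); reply string, or None inside DATA."""
        if len(line) + 2 > MAX_LINE:
            self.closed = True  # no attempt to be clever with oversized input
            return "500 line too long"
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self._reset()
            return f"250 {self.hostname}"  # plain 250: no extensions advertised
        if verb == "MAIL":
            if (who := _address(arg, "FROM")) is None:
                return "501 syntax: MAIL FROM:<address>"
            self._reset()
            self.sender = who
            return "250 ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 need MAIL first"
            if not (who := _address(arg, "TO")):
                return "501 syntax: RCPT TO:<address>"
            self.rcpts.append(who)
            return "250 ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 need RCPT first"
            self.in_data = True
            return "354 end data with <CRLF>.<CRLF>"
        if verb == "RSET":
            self._reset()
            return "250 ok"
        if verb == "QUIT":
            self.closed = True
            return "221 bye"
        # DEBUG, WIZ, VRFY, EXPN, TURN, ETRN ... do not exist here, so the MTA
        # behind the firewall never sees them and there is nothing to parse.
        return "502 command not implemented"

    def _data_line(self, line):
        if line == ".":
            self.in_data = False
            path = self._spool()
            self._reset()
            return f"250 queued as {os.path.basename(path)}"
        self.body.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
        return None

    def _spool(self):
        """Envelope block, blank line, raw message, in a fresh 0600 file (O_EXCL)."""
        path = os.path.join(self.spool_dir, uuid.uuid4().hex)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w", newline="\n") as f:
            f.write(f"X-Envelope-From: {self.sender}\n")
            f.writelines(f"X-Envelope-To: {r}\n" for r in self.rcpts)
            f.write("\n" + "\n".join(self.body) + "\n")
        self.spooled.append(path)
        return path


def run_session(lines, spool_dir=None):
    """Feed a whole client session to a fresh receiver; return (replies, receiver)."""
    rx = StoreOnlySmtp(spool_dir or tempfile.mkdtemp(prefix="spool-"))
    replies = [f"220 {rx.hostname} store-only SMTP"]
    for line in lines:
        reply = rx.feed(line)
        if reply is not None:
            replies.append(reply)
        if rx.closed:
            break
    return replies, rx
```

The point of the split is that this process needs no privilege beyond write access to the spool directory, and the forwarder (a cron job or a second daemon running as a different user) needs only read access to it plus a route to the internal MTA; neither side has to know anything about the other's bugs. `run_session(SAMPLE_SESSION)` shows the DEBUG and WIZ verbs answered with 502 and the message landing in the spool as an envelope block followed by the raw message.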