Great Circle Associates Firewalls
(October 1997)
 


Subject: Re: sex, lies, and firewall code
From: Ryan Russell/SYBASE <Ryan . Russell @ sybase . com>
Date: 20 Oct 97 17:27:23 EDT
To: Frank Darden <fdarden @ locked . com>
Cc: Joe Loiacono <jloiacon @ csc . com>, Richard Trott <trott @ remus . rutgers . edu>, firewalls <firewalls @ GreatCircle . COM>

Checkpoint's recommendation on how to pass 
Sybase TDS originally came from me.  So, if it's
not good enough, that's my fault.  Looks like I should
learn inspect.  Or, you can use the encrypted version,
then you have to use it as described.

    Ryan






From: fdarden @ locked . com (Frank Darden) on 10/20/97 04:06:03 PM
To: jloiacon @ csc . com (Joe Loiacono) @ smtp, trott @ remus . rutgers . edu (Richard Trott) @ smtp
cc: firewalls @ GreatCircle . COM @ smtp (bcc: Ryan Russell/SYBASE)
Subject: Re: sex, lies, and firewall code

At 10:24 AM 10/20/97 -0400, Joe Loiacono wrote:
>Richard Trott wrote:
>
>> The author gives very relevant and important pieces of information.  For
>> example, the author points out that FireWall-1 cannot verify "Sybase
>> header field format and content."  Instead, the "solution" for getting
>> Sybase across the firewall is to poke a hole for that particular port.
>
>But isn't this within the capabilities of the INSPECT language? Maybe
>Checkpoint hasn't figured out the Sybase protocol yet; but the user can.
>Is the argument that this is too sophisticated for the average security
>guy? With the INSPECT language caveat omitted, the claim (see above)
>could be considered misleading - but I'd say within bounds for
>technical/marketing papers and not preposterous.
>
>Joe
>--
>Joe Loiacono                         (301) 415-6153
>Computer Sciences Corporation    http://www.csc.com

Joe,
Yes, Sybase can be set up within inspect. And yes, you have the ability to
compose your own inspect scripts. This is one of the many points that I
make in my rebuttal to Fred's paper. While many people on this list see only
proxy based firewalls, or have only been exposed to one type of technology,
I have the rather nice pleasure of having had experience on several
different firewall products, including (but not limited to) Gauntlet and
Firewall-1.  So I can address both technologies from real field experience,
having installed these types of products in many large, corporate network
environments. I suspect many of you have brand or product loyalty, which is
admirable. But until you have tested both technologies, and clearly
understand both, it is difficult to say whether Fred's paper is accurate, or
misleading. I will be posting my rebuttal to Fred's paper as soon as I am
sure that I don't violate anyone's copyright.

Frank 
http://www.locked.com 