> Everybody knows that a good firewall includes a Proxy Server,
> right? Well, I'm talking to a vendor who firmly states that
> their product eliminates this need by barring address spoofing
> and terminal hijacking as described in a CERT advisory of
> January 23.
> I'd like input on this. Is the above problem the only one
> addressed by proxy servers, or are there other vulnerabilities
> that a proxy server is the only solution to?

Undertake the following Gedankenexperiment:

Somebody discovers a massive new security hole that is present
in virtually all ftp *clients*: hackers, not necessarily
running on the system you're ftp-ing to, can erase a user's
files while that user is on the client-side of an ftp
connection. The hole is easy to fix, but you have a site with
700 hosts, many of which have poor vendor support, and all of
which have the bug. Turning off ftp to the outside world is not
acceptable to the organization.

Now, imagine that all ftp clients in your organization connect
to the outside world via a simple ftp proxy server, for which
you have the source ....

Jim Shankland
Flying Fox Computer Systems, Inc.