On Tue, 25 May 1999, Marcus J. Ranum wrote:
> There's this problem that I like to refer to as "The Incoming
> Traffic Problem" -- it's basically the Achilles' heel of
> firewalls. Firewalls typically do _not_ perform any security
> checks on data they let back and forth; they simply let it
> back and forth, once they are told to.
In many cases you _can't_ check the content because it's encrypted. I
expect from a firewall reliable protection at lower levels. I don't want
an attacker to crash my protected systems with malicious IP
packets and TCP streams. And I'm doing a first level of authentication at
the firewall. Everything else has to be done at the end systems.
If you are using middleware (DCOM, CORBA) you can't reliably protect the
end systems at the firewall even if the data is not encrypted. On the
network, the _content_ of an IIOP request is just an octet stream you can't
decode further. The firewall can't protect against a buffer overflow in
the server ORB or application.
Too many people think that a firewall protects them from all risks.
That's nonsense.
Rudi
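An added example, not part of the original thread, to illustrate Rudi's IIOP point: the fixed 12-byte GIOP header is the only part of an IIOP message a packet filter can check (magic, version, byte order, message type, declared size); everything after it is CDR-encoded application data the firewall cannot decode. The sample frame is constructed inline, and the function names are my own.

```python
import struct

GIOP_MAGIC = b"GIOP"
MESSAGE_TYPES = {0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
                 4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment"}

def parse_giop_header(frame: bytes) -> dict:
    """Parse the 12-byte GIOP header that starts every IIOP message.

    Only this header has a fixed layout. What follows is CDR-encoded
    application data whose structure depends on the target object's IDL,
    which the firewall does not have; to it the body is an octet stream.
    """
    if len(frame) < 12:
        raise ValueError("short frame: GIOP header is 12 bytes")
    magic, major, minor, flags, msg_type = struct.unpack(">4sBBBB", frame[:8])
    if magic != GIOP_MAGIC:
        raise ValueError("not a GIOP message")
    if major != 1 or minor > 2:
        raise ValueError(f"unsupported GIOP version {major}.{minor}")
    # GIOP 1.0 carries a byte_order boolean here; 1.1+ uses bit 0 of a flags
    # byte. Either way, bit 0 set means the size field is little-endian.
    little_endian = bool(flags & 0x01)
    (size,) = struct.unpack("<I" if little_endian else ">I", frame[8:12])
    if msg_type not in MESSAGE_TYPES:
        raise ValueError(f"unknown message type {msg_type}")
    return {"version": (major, minor), "type": MESSAGE_TYPES[msg_type],
            "size": size, "body": frame[12:]}

def check_giop_frame(frame: bytes, max_size: int = 1 << 20) -> dict:
    """Framing checks a firewall can still make: the declared size must match
    the bytes on the wire and stay under a sane limit. Nothing here sees the
    request's arguments, so a bug in the ORB's unmarshalling is invisible."""
    hdr = parse_giop_header(frame)
    if hdr["size"] > max_size:
        raise ValueError(f"declared size {hdr['size']} exceeds limit {max_size}")
    if hdr["size"] != len(hdr["body"]):
        raise ValueError(f"declared size {hdr['size']} != body length {len(hdr['body'])}")
    return hdr

def is_well_framed(frame: bytes) -> bool:
    try:
        check_giop_frame(frame)
        return True
    except ValueError:
        return False

# Constructed sample: a GIOP 1.0 Request, little-endian, with a 16-byte opaque body.
SAMPLE_REQUEST = GIOP_MAGIC + bytes([1, 0, 0x01, 0]) + struct.pack("<I", 16) + b"\x00" * 16
```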