Paul makes a couple of valid points. Application proxies are pretty secure,
assuming that they are written properly. There are certain advantages to
having a system between your workstation or server and a machine on an
untrusted network like the Internet. There are also some
significant disadvantages to this approach, which you glossed over.

First, let me talk about the ActiveX example. What makes ActiveX inspection
easy for an application proxy? Nothing I can think of. This is a hard
problem to solve regardless of where one tries to implement the solution.
Firewall-1 makes no attempt to examine ActiveX or
Java applets--it sends this out to other programs (via CVP) so that they can
do this job. This makes Firewall-1's code a lot smaller and a lot faster.
Programs that provide this function are quite large and need to be
maintained by a staff of programmers who do much the same job as people in
the anti-virus business. You seem to think that a proxy server will
simultaneously decide whether or not to permit a given type of traffic and
inspect its payload. This is asking a great deal of the programmers in my
opinion, since most advanced services have a lot of exploits that are not
immediately obvious. Check Point would prefer to let someone else do that
job the same way that they let anti-virus companies write virus checkers. I
seriously doubt you would argue that a company like Axent does a better job
of anti-virus coding than McAfee or Symantec.

Another significant disadvantage to proxies is that they are limited with
regard to the services that they can offer. Most proxy servers only work for
HTTP, FTP, Telnet and a few other services (12-14 for a good one). If you
want to use a more unusual service (like H.323 videoconferencing, for
example) a proxy has to be written specifically for this purpose. Check
Point supports this out of the box, and when new services appear on the
scene, a Check Point user is able to add them in about 10 seconds (although
Check Point usually beats a user to the punch on this). Should one of these
services require content inspection, Check Point is able to send this out
via CVP so that they don't have to be in the business of writing checkers
for all new services. In the H.323 example, a part of the spec is PC to PC
whiteboarding and collaboration. One can but imagine the nasties that are
possible with this type of activity--and Check Point's philosophy is that
they would prefer to let someone else (who specializes in it) deal with that
part of the problem.

I can't say that I am familiar with the "MSG_OOB" exploit that you
mentioned. However, in general you are correct in that if your machine's
operating system is written so that it is vulnerable to exploits using
certain services, there is some risk in letting these through the firewall.
For example, if your firewall is configured to allow ICMP inbound (a
terrible idea), your Windows machines are susceptible. You also talked quite
a bit about how certain services (such as RIP) are permitted by default in
Firewall-1's configuration. It is pretty well known that there are some
default settings in FW-1 that should be turned off. However, the product is
about security AND usability, and as such some of those services make
initial installation and debugging easier.

You gave the following example:
>Scenario 2: Proxy firewall where the proxy's OS is vulnerable.
>
>Result 2: Proxy is dead, clients are alive but unable to communicate
>through the proxy.

This is always the case because the proxy's OS is always vulnerable. A proxy
allows traffic up to layer 3 or above before it pays any attention to it. As
a result, it is inherently vulnerable to layer 3 exploits. For example, an
MS Proxy server can be Ping-of-Deathed into the ground. Having this machine
throw itself on its sword does not make the internal network
more secure, it just makes it cut off from the outside world.

You concluded by challenging me to provide an example of how Stateful
Inspection is more secure than a proxy. I would respond by saying that for
those services that a proxy can offer, it provides excellent security and
Stateful Inspection is perhaps not more inherently secure. However, I will
say that Firewall-1 is a lot faster, more configurable, more scalable and
less vulnerable to operating system exploits.

Let me conclude my response to this issue by saying that, all things
considered, I find FireWall-1 a more desirable enterprise solution than any
of the application gateway products. Having said that, I cannot deny that
an application proxy is a highly secure option. But, I can suggest that it
is an option which will provide unnecessary headaches to the corporate
firewall administrator.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nathan A. Long
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
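The stateful-inspection argument above (accept or drop on packet headers and connection state, without ever handing the payload to an application-layer parser) as an added, self-contained example; this is editor-written illustration code, not FireWall-1 or anything from the list discussion, and the packet model, the `StatefulFilter` class and the traffic trace are all constructed for it.

```python
from collections import namedtuple
from typing import Dict, List, Set, Tuple

# Constructed packet model: only the header fields a stateful engine consults.
# No payload field exists, because no application-layer parsing happens here.
Packet = namedtuple("Packet", "proto src sport dst dport flags inbound ts")
Key = Tuple[str, str, int, str, int]

class StatefulFilter:
    """Hypothetical stateful inspection engine (not FireWall-1 code)."""

    def __init__(self, allowed_outbound: Dict[str, Set[int]], idle_timeout: float = 60.0):
        self.allowed_outbound = allowed_outbound   # proto -> permitted destination ports
        self.idle_timeout = idle_timeout
        self.table: Dict[Key, float] = {}          # tracked flow -> last time seen

    def decide(self, p: Packet) -> str:
        # Expire idle flows first so stale state cannot be ridden back in.
        self.table = {k: t for k, t in self.table.items() if p.ts - t <= self.idle_timeout}
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        for k in (fwd, rev):                       # packet belongs to a tracked flow
            if k in self.table:
                self.table[k] = p.ts
                return "accept"
        # New flow: only inside-initiated, rule-permitted flows create state
        # (for TCP, only a bare SYN may open one).
        opens_ok = p.proto != "tcp" or p.flags == "S"
        if not p.inbound and opens_ok and p.dport in self.allowed_outbound.get(p.proto, set()):
            self.table[fwd] = p.ts
            return "accept"
        # Unsolicited inbound SYN, inbound ICMP, stray ACK: dropped on headers alone.
        return "drop"

def example_trace() -> List[str]:
    """Constructed traffic: one web session plus packets that must not get through."""
    fw = StatefulFilter(allowed_outbound={"tcp": {80, 443}})
    pkts = [
        Packet("tcp", "10.0.0.5", 40000, "203.0.113.7", 80, "S", False, 0.0),  # client SYN
        Packet("tcp", "203.0.113.7", 80, "10.0.0.5", 40000, "SA", True, 0.1),  # server SYN-ACK
        Packet("tcp", "198.51.100.9", 5555, "10.0.0.5", 22, "S", True, 0.2),   # inbound SYN
        Packet("icmp", "198.51.100.9", 0, "10.0.0.5", 0, "", True, 0.3),       # inbound ICMP
        Packet("tcp", "10.0.0.5", 40001, "203.0.113.7", 23, "S", False, 0.4),  # outbound telnet
        Packet("tcp", "203.0.113.7", 80, "10.0.0.5", 40000, "A", True, 200.0), # idle-expired
    ]
    return [fw.decide(p) for p in pkts]
```

The last packet shows the timeout edge case: a reply arriving after the flow's idle timer has expired is treated like any other unsolicited inbound packet.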