If the network architecture was done correctly and the underlying
operating system was hardened to only allow that particular application's
protocol to be the only service enabled, then it would be very hard to
actually get in. Marcus's assumption is that every firewall admin or
firewall admin wannabe misconfigures their firewall on a general basis.

So I would take his statement with a grain of salt and state that if a
security network architecture is set up securely and applications that
possibly are vulnerable are placed strategically, things will not get
broken into as fast as he claims.

/my .02

/cheers



On Sun, 14 Nov 1999, Marcus J. Ranum wrote:

> 
> "Per Gustav Ousdal" <[EMAIL PROTECTED]> asks:
> >Does anyone have any information on, or pointers to resources documenting
> >successful attacks on "good" (can't be too good, huh?) firewall
> >implementations?
> 
> The biggest problems I've seen with firewalls (even "good" ones)
> have to do with the "incoming traffic problem" - in which some
> kind of traffic is allowed to a system behind the firewall, which
> is then compromised via that traffic.  See:
> 
> http://www.clark.net/pub/mjr/pubs/debate/sld012.htm
> 
> for an illustration of what's going on. With the way that most
> firewalls work, and most sites deploy them, breaking into the
> firewall itself would be unnecessarily hard compared to the
> difficulty of breaking into a web server, exchange server, notes
> server, whatever behind it.
> 
> mjr.
> --
> Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
> work - http://www.nfr.net
> home - http://www.clark.net/pub/mjr
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

##########################################################
'Turn on, Boot Up, Jack in'
#########################################################    
