> If the netowkr architecture was done correctly and the underlying
> operating system was hardened to only allow that particular application's
> protocol to be the only service enabled then it would be very hard to
> actually get in.. Marcus's assumption is that every firewall admin or
> firewall admin wannabe misconfigures their firewall on a general basis.
Hmm, well that's not how I interpet Marcus's "assumption". I think he is talking about
bugs/vulnrabilities in the server(service) listening, that the proxy/application
gateway does not know about, and thus is not able to block (The packet filter(s) can
do nothing, since to them this is legal traffic); So even if this is the only service
listening (and the OS is otherwise hardend) the server will be compromised. (So to
minimize the effect the server should be run with the least possible priveliges, and
chrooted, but the server will/could still be compromised)
> So I would take his statement with a grain of salt and state that if a
> security network architecture is setup securely and applications that
> possible are vulnerable are placed strategically things will not get
> broken into as fast as he claims..
Well, his point made sense to me (if I interpeted him correctly). I think we could do
everything by the book, and still not be safe, becoz new exploits are sure to surface
even if we block (either make the proxy aware of them, or fix the bug in the server
(demon) itself) all the currently known ones.
Regards,
Per
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
