Hello Mikael, I like your opening comment.
I am not saying that Proxy is the only answer. If you don't harden
your server software then neither solution is good. Both have advantages
but I have found from experience that most 'beginners' or part-time
security people install the FW as directed and then walk away from it
thinking that they will update it next year. In my opinion the general
statements I made hold. I never said that because the outside user couldn't
get direct contact we were safe. Neither solution will stop the data
attack.
I see too many people set things up in a DMZ and then for
operational reasons create tunnels from the private net to the DMZ thinking
this is safe.
Gary B
At 10:35 AM 11/23/1999 +0100, Mikael Olsson wrote:
>OOOohhhh man I've got a bunch of bones to pick with you now...
>
>"Baribault, Gary" wrote:
> >
> > The two firewalls use different technologies, Gauntlet is a Proxy type of
> > firewall that intercepts all requests for resources inside your network and
> > makes those requests for the outside user. That way, the outside user never
> > has actual contact with the WEB (FTP, SMTP) server. Some (myself included)
> > find this more secure. You never have to use a DMZ with this configuration.
>
>So you feel that proxies provide 100% security just because the
>outside user never has "direct" contact with the internal server?
>
>WRONG.
>
>A proxy with application level filtering capabilities (let's not start
>on plug-gw here) can only protect against attacks known to the developer
>of the proxy. MJR posted a note on this recently.
>
>The problem here is that the Bad Guys(tm) are not likely to drop a note
>to the fw developers saying "hey, here's a hole that needs to be patched".
>What we're seeing today is a huge increase in data driven attacks, that is,
>it doesn't matter if your HTTP request is delivered via proxy, floppy
>or singing telegram, if it contains unexpected data, malicious scripts or
>whatnot, your server is toast.
>If your server is sitting on the internal network, this also means that
>your entire internal network is toast.
>
>Having the data passed from the external network to the server is
>"direct connection enough" for these kinds of attacks; they're not
>network-layer based any more. I think the discussion about the e-gap
>product (url shuttle), which actually is a physical air gap according
>to the producer, came to much the same conclusion.
>
>Do not underestimate the value of network segmentation, which, to my mind,
>is the only way to limit damages in the case of intrusion.
>
> > FW1 on the other hand is more of a traditional FW in that, once it has
> > found that the request from this user is allowable (passes all your rules)
> > it forwards the packet to the WEB (FTP OR SMTP) server. The outside user
> > actually talks directly with your server. Most people use a DMZ because the
> > outside user is actually connected to your server and if he can compromise
> > it (s)he is IN your network.
>
>As I showed above, this holds equally true in the case of proxies.
>
> > The other reason I chose Gauntlet is it's integration with McAfee
> > Anti-virus and CyberCop software.
>
>This might be a good reason to pick gauntlet though.
>
>I'm not trying to endorse fw-1 over gauntlet or the other way around,
>I'm just saying that proxies with application filtering capabilities
>don't buy you as much as a lot of people like to think.
>
>Regards,
>/Mike
>
>--
>Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
>Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
>Mobile: +46-(0)70-248 00 33
>WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
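The segmentation argument both posters make, as an added illustration that is not from either author: a small Python reachability model of the three layouts discussed (a proxied server on the internal LAN, a DMZ, and a DMZ with an "operational" tunnel back to the private net). The zone names, ports and rule sets are constructed assumptions; the model only asks where a host can initiate connections once the firewall or proxy has already delivered the bad request to it.

```python
from collections import deque

# Constructed rule sets (assumptions for illustration): each tuple
# (src_zone, dst_zone, port) is one firewall permit; zone names are hypothetical.
PROXY_NO_DMZ = [
    ("internet", "internal", 80),     # proxied, but the request data still lands on the server
    ("internal", "internal", "any"),  # flat private LAN
]
PACKET_FILTER_DMZ = [
    ("internet", "dmz", 80),
    ("internal", "dmz", 80),          # staff may browse the site
    ("internal", "internal", "any"),
]
DMZ_WITH_TUNNEL = PACKET_FILTER_DMZ + [
    ("dmz", "internal", 1433),        # the "operational" tunnel back into the private net
]
TRUST = {"internet": 0, "dmz": 1, "internal": 2}

def reachable_from(rules, start):
    """Zones a host in `start` can open new connections to, transitively.
    Only connection initiation is modelled; reply traffic is ignored."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for s, d, _port in rules:
            if s == src and d not in seen:
                seen.add(d)
                queue.append(d)
    return seen - {start}

def internal_lan_exposed(rules, web_zone):
    """True if a data-driven compromise of the web server in `web_zone`
    reaches the private LAN, whether the server sits there already or
    some permitted flow leads there."""
    return web_zone == "internal" or "internal" in reachable_from(rules, web_zone)

def inbound_to_private(rules):
    """Rules that let a less trusted zone initiate into 'internal': the
    segmentation breaks a reviewer should flag before deployment."""
    return [r for r in rules if r[1] == "internal" and TRUST[r[0]] < TRUST["internal"]]

if __name__ == "__main__":
    for name, rules, web in (("proxy, no DMZ", PROXY_NO_DMZ, "internal"),
                             ("packet filter + DMZ", PACKET_FILTER_DMZ, "dmz"),
                             ("DMZ with tunnel", DMZ_WITH_TUNNEL, "dmz")):
        print(f"{name:22} LAN exposed: {internal_lan_exposed(rules, web)!s:5} "
              f"breaks: {inbound_to_private(rules)}")
```

Only the plain DMZ layout keeps a compromised web server away from the private LAN; the proxied-inside layout and the tunnelled DMZ both expose it, which is what the two posters agree on.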