On Tue, 30 May 2000, Mikael Olsson wrote:

> Well, one thing we should have learned from the recent Web-based
> E-mail filtering failures (Hotmail has received most coverage,
> but the same problems apply to all of them), is that it is near 
> impossible for a firewall to filter active content. There's always 
> some new way of injecting scripts in an HTML document. 

There are always new viruses, but virus definition files still contain the
old ones too.  IOW, there is some merit to blocking "old" methods of doing
bad things if they still work to do bad things.

It may not help with the absolute latest thing, but it'll bring some
positive value.

> So, in light of that, I think that all network filters, be it 
> SPFs or proxies, should be considered to have no protection 
> against embedded active content.

"No protection" is too harsh. Several less-than-perfect synergistic
controls can negate a great deal of the daily risk dealt to clients and
networks.

The bigger question (to me) is why the *hell* people running these
networks don't do the *obvious* thing and mandate a client that doesn't
support all the active crap?  There are very good, perfectly useful,
perfectly functional electronic mail clients that don't have the "zero
security feature" built in.  Heck, ones like Pegasus are zero cost too.

Once Mozilla stabilizes, it'll also be possible to yank all the crap out
of a browser.  Hopefully that'll be around the time the RSA patent expires
and then we can do all sorts of cool authenticated client stuff at the
gateway.

If your pain threshold is low enough that even a 5% chance is too high,
you really shouldn't connect that critical stuff to a network that can hit
the Internet at all, firewall or not.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
