Chris et al.,

Perhaps the subject might shift towards a definition of the quality of the
proxies that specific vendors ship.  Which vendors actually ship more than
a plug for application-level proxies, and how effective are specific
vendors' tools in dealing with content?

Thanks,

Ron DuFresne

On Mon, 24 Jul 2000, Chris Brenton wrote:

> On Mon, 24 Jul 2000, mouss wrote:
> 
> > >UDP is not as _reliable_ as TCP, but IMHO it's no more difficult to
> > >secure unless you are talking static packet filters. With any other
> > >firewall technology, it's no worse or better.
> > 
> > uhum?! You're getting too generic here, no? And generic is generally false...
> > A service is not secure simply because it uses TCP instead of UDP.
> 
> Hummm, isn't that what I said? No better or worse...
> 
> > many firewall vendors, just because they have nothing to sell for UDP, simply
> > say "heh, but UDP cannot be secured anyway. let's talk about our super TCP 
> > filter/proxy".
> 
> Actually, don't really agree here. For example FW-1 maintained state on
> UDP long before they were stateful for TCP. Also, I think it's more of a
> service thing. TCP is sexy because so many services rely on it. Need
> drives the market and all of that.
> 
> > and after all, what will a stateful packet filter like the one in FW1
> > do against an http tunnelled content attack?
> 
> Actually, you are beyond the ability of stateful filtering and would need
> to kick in Stateful Inspection. FW-1 _does_ have the ability to screen
> HTTP however:
> 1) It's not very flexible
> 2) It's easy to fool
> 
> > what will the Gauntlet's proxies do against things like the 
> > "I love you" attack?
> 
> This goes back to my earlier argument. An app proxy has the _ability_ to
> check content and spit out everything you don't want to let
> through. Limitations are:
> 1) What did the vendor deploy
> 2) How good is the code
> 
> For example if the mail proxy is based on an old version of Sendmail you're
> going to have a difficult time screening attachments. ;)
> 
> > UDP certainly introduces some programming problems, but these are 
> > programming problems,
> 
> Actually, the problems revolved around how some of the UDP based services
> were implemented. For example DNS servers using a source _and_ destination
> port of UDP/53. In the static packet filter days, this was a b*tch because
> you had to open UDP/53 inbound to receive replies. This also meant that
> external people could poke your DNS server. Maintaining state eliminates
> this problem.
> 
> > anyway, there is no point in suppressing UDP, unless one suppresses the 
> > whole IP.
> 
> Agreed. This needs to be handled on a service by service basis.
> 
> Cheers,
> Chris
> -- 
> **************************************
> [EMAIL PROTECTED]
> 
> * Mastering Cisco Routers
> http://www.amazon.com/exec/obidos/ASIN/078212643X/
> * Mastering Network Security
> http://www.amazon.com/exec/obidos/ASIN/0782123430/
> 
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
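The DNS UDP/53 point Chris makes above (a static filter has to open inbound UDP/53 to let replies through, which also admits unsolicited packets, while a state table admits only replies to queries it has seen) is easy to show in a few lines. The following is an added illustration, not code from anyone in this thread or from any vendor's product; the addresses, prefixes and packets are constructed sample data, and the old-style resolver that sends queries from source port 53 is modelled deliberately.

```python
"""Toy comparison of a static packet filter and a stateful filter for DNS
over UDP/53.  Added example; all addresses and packets are constructed."""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."    # constructed: prefix of the internal network
RESOLVER = "10.0.0.53"    # constructed: the internal DNS server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


def static_filter(pkt: Packet) -> bool:
    """Stateless rules as in the old packet-filter days.

    Outbound UDP/53 is allowed.  To get the replies back, inbound UDP/53 to
    the resolver must be allowed too, and a stateless rule cannot tell a
    reply from an unsolicited packet, so any external host can reach it.
    """
    if pkt.proto != "udp":
        return False
    outbound = pkt.src.startswith(INSIDE_NET)
    if outbound and pkt.dport == 53:
        return True
    if not outbound and pkt.dport == 53 and pkt.dst == RESOLVER:
        return True  # needed for replies, but also admits anything else
    return False


class StatefulFilter:
    """Tracks outbound UDP queries and admits only matching replies."""

    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        # (src, sport, dst, dport) of an outbound query -> expiry time
        self.table: dict[tuple[str, int, str, int], float] = {}

    def _expire(self, now: float) -> None:
        for key in [k for k, exp in self.table.items() if exp <= now]:
            del self.table[key]

    def allow(self, pkt: Packet, now: float) -> bool:
        if pkt.proto != "udp":
            return False
        self._expire(now)
        outbound = pkt.src.startswith(INSIDE_NET)
        if outbound and pkt.dport == 53:
            # Record the query so the reversed 4-tuple is admitted later.
            self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.timeout
            return True
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.table  # only replies to queries we saw


def demo() -> dict[str, bool]:
    """Run the same three packets through both filters."""
    # Constructed traffic: old-style resolver querying from source port 53.
    query = Packet(RESOLVER, 53, "192.0.2.10", 53)
    reply = Packet("192.0.2.10", 53, RESOLVER, 53)
    unsolicited = Packet("198.51.100.7", 53, RESOLVER, 53)

    sf = StatefulFilter(timeout=30.0)
    return {
        "static_query": static_filter(query),
        "static_reply": static_filter(reply),
        "static_unsolicited": static_filter(unsolicited),  # True: the hole
        "stateful_query": sf.allow(query, now=0.0),
        "stateful_reply": sf.allow(reply, now=1.0),
        "stateful_unsolicited": sf.allow(unsolicited, now=2.0),  # False
        "stateful_late_reply": sf.allow(reply, now=100.0),  # expired: False
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {'allow' if verdict else 'drop'}")
```

Both filters pass the query and the genuine reply; the difference is the third packet, which the stateless rule set cannot distinguish from a reply and the state table drops. The expiry check also shows why a state entry has to be time-limited: a "reply" arriving long after the query is not admitted either.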
