On Sun, 10 Dec 2000, Roy G. Culley wrote:

> > Active FTP is a problem period.  I've never allowed it for the generic
> > user population behind any gateway I've run.
> 
> Sorry for the late follow up but I've been away from the office.
> 
> Your arrogant dictatorial stance is the reason for the increasing
> momentum behind SOAP and even worse the move to use SSL for most
> connections. From having some control over what is allowed through
> your firewall you will have none. Security is a compromise between

My "arrogant and dictatorial stance" has also stopped some vendors from
producing _even worse_ protocols.  Rolling over and playing dead doesn't
fix the problem either.

There's a point where you have to draw a line and say "This won't ever
meet my security policy."  My users never had any-to-any SSL either FWIW.

More importantly, it's protected my users from literally thousands of
potential exploits over the years.  The fact that, for instance SSL is in
a "blanket allow" mode for most organizations makes the tunneling risk a
given.  FWIW, I always thought SHTTP was a better protocol than HTTPS,
but there's no way I'd have let either out blanketly at this stage in the 
game.

> giving your users behind the firewall the access they need and
> stopping entry to your network from the Internet. If all firewall

My users have _never_ *needed* active FTP from their desktops to the
Internet at large- they've needed to move files between machines using
popular and easy to support clients.  There are *lots* of ways to do that,
some of them even use FTP clients _without_ taking the increased risk of
allowing a stupid protocol to traverse from the desktop to the outside or
back in, for example intermediate proxy hosts that forward FTP requests.
Heck, even PASV FTP to a proxy beats active FTP.  

> administrators had your attitude then most s/w developers of Internet
> applications would be tunnelling everything already. When that day
> comes you and I are out of a job as firewalls will be useless.

*Newsflash*

Most software developers are _already_ tunneling everything over HTTP.
Firewalls are increasingly less useful as traffic control devices because
too many firewall administrators equate what a user thinks they want to
use with what they need to use.  Worse yet, firewall designers themselves
have moved to tunneling protocols.  SSL is the perfect case in point.  You
might _feel_ better about your firewall "supporting" SSL, but that doesn't
make it better.

If my career were predicated solely on gateway access devices and my
continued employment didn't take into consideration the fact that their
usefulness and protection modes didn't scale forward, I'd deserve to be
out of a job.  Firewalls are less useful by themselves than they were 5
years ago.  In 5 more years, they'll be less useful still, it's (a)
obvious, and (b) not my fault.

I've said it before, and I'll say it again:

*All* firewall protection mechanisms are based on *BLOCKING* traffic.  
The more you block the more protection the device provides.  Not blocking
insane protocols lowers your security posture, sometimes significantly.
Those of us who have been talking about how bad a protocol FTP is for
years weren't surprised by the relatively recent round of FTP exploits
through firewalls, and we weren't vulnerable either.

Hell, if everyone else had held the line on HTTP tunneling clients and
plug-ins we'd still be a lot better off, but tunneling was going to happen
anyway, security doesn't scale well and is labor-intensive on a
per-protocol basis.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
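Added illustration, not part of this thread, of why active FTP collides with the block-by-default policy argued for above: the client's PORT command asks the external server to open a connection back to an ephemeral client port, whereas a PASV transfer has the client connect outward like any other session. The addresses, FTP lines and the simplified policy function are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample endpoints (documentation ranges, not real hosts).
CLIENT_IP = "10.1.2.3"       # assumed internal desktop
SERVER_IP = "198.51.100.7"   # assumed external FTP server

# Constructed control-channel lines, not captured traffic.
PORT_CMD = "PORT 10,1,2,3,19,137"                                # active mode
PASV_REPLY = "227 Entering Passive Mode (198,51,100,7,39,16)."   # passive mode

@dataclass(frozen=True)
class DataConn:
    src: str
    dst: str
    dport: int
    inbound: bool   # True when the external server must initiate the connection

def parse_hostport(text):
    """Extract the h1,h2,h3,h4,p1,p2 tuple used by both PORT and the 227 reply."""
    m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", text)
    if not m:
        raise ValueError("no host/port tuple in: " + text)
    host = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return host, port

def active_data_conn(port_cmd):
    """Active FTP: server connects to the host/port the client advertised."""
    host, port = parse_hostport(port_cmd)
    return DataConn(src=SERVER_IP, dst=host, dport=port, inbound=True)

def passive_data_conn(pasv_reply):
    """Passive FTP: client connects out to the host/port the server advertised."""
    host, port = parse_hostport(pasv_reply)
    return DataConn(src=CLIENT_IP, dst=host, dport=port, inbound=False)

def default_deny_policy(conn):
    """Simplified block-by-default policy: outbound from the inside only,
    nothing initiated from the Internet toward an internal desktop."""
    if conn.inbound:
        return "DENY"
    return "ALLOW" if conn.src == CLIENT_IP else "DENY"

if __name__ == "__main__":
    for c in (active_data_conn(PORT_CMD), passive_data_conn(PASV_REPLY)):
        print(c, "->", default_deny_policy(c))
```

The active transfer is refused because the data connection would have to enter from the Internet; the passive one is just another outbound session and passes, which is why a PASV-only client (or a proxy that handles FTP on the users' behalf) fits a default-deny gateway while active FTP never will.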
