Augh. I know that Paul is perfectly capable of defending himself, but I
can't sit still for this kind of distortion and outright inaccuracy.

> -----Original Message-----
> From: Roy G. Culley [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 12 December 2000 11:39 
> To: [EMAIL PROTECTED]
> Subject: Re: Simple Pimple firewalls
[...]
> > You don't remember correctly.  I stated that the incremental gain added by
> > state keeping in packet filters isn't very large. [...]
> 
> I think I remember quite well. You stated that as TCP connections are
> stateful there is no need to keep state on the firewall. I replied
> with protocols where stateful inspection on the firewall is necessary.
> You even implied that netmeeting wasn't so bad. I replied with a link
> that showed it is one of the worst.

Which is pure distortion. You mentioned netmeeting amongst IIOP, RPC and
FTP. Netmeeting not being as bad as those protocols is not saying much.

> [...] With a stateful inspection firewall active and passive ftp are the
> same.
[...]
> With stateful inspection 'active' ftp is as secure as passive mode.

Really? Have you asked Checkpoint or Cisco about that? Active FTP is a
broken protocol which is a stateful nightmare. That's why the FTP stuff Mike
Olsson was able to pull in January worked on so many firewalls.

[...]
> I never said that the protocols I mentioned which benefit from stateful
> inspection on the firewall were good. I was just stating that having a
> firewall which could perform stateful inspection was better than nothing.
> I'm talking about the real world where user requirements must be taken
> into consideration. As I said before your dictatorial attitude forces
> these users to find other ways of getting their work done.

This is exactly the opposite of the attitude every good security policy
designer I have met takes. Make a business case for the protocol, then we do
a risk assessment. If the risk is too great, no dice. If you cannot
effectively secure a protocol through a stateful firewall then YOU DON'T RUN
IT if a compromise will lose you the farm. Simple.

[...]
> Perhaps. There are over 25,000 hosts on my company's Intranet. There
> have been no known security breeches (famous last words I know but it
> is a fact).

I know it's not nice to pick on spelling, but I don't think that you're
wearing your "security breeches" at the moment. ;)

[...]
> As I said before your attitude to security is one of the main reasons
> why SOAP exists. How many of your users are already tunnelling through
> HTTP because of your security policy? They sure ain't going to tell you
> that they are doing it. In my company they know who to ask for Internet
> access and I assess each case on its merits.

If you're allowing active FTP through a brand-name stateful firewall then
you either have a relaxed security policy or you're misguided. I suggest
that you accept that others have more stringent security requirements.

> Me thinks you just say no.

Well - that bit is probably true. Paul's pretty grumpy. ;)

Cheers,

--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
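An added illustration, not part of this thread and not code from either poster, of why active FTP is the awkward case for a stateful firewall that the exchange above argues about. In active mode the client announces an address and port on the control channel with PORT, and the server then opens a data connection back to it, so the firewall cannot treat the data connection as a normal reply: it has to parse the control channel, remember what the client announced, and open a temporary inbound pinhole for a connection it has not yet seen. The two sanity checks below (the announced address must be the control-channel client's own address, and the announced port must be unprivileged) are this example's assumptions about what a careful helper should enforce, not rules stated in the thread; the control-channel lines and addresses are constructed, IPv4 PORT only is handled (no EPRT), and a real firewall would also expire the pinhole once the data connection closes.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" on the control
# channel and the *server* then connects back to h1.h2.h3.h4:(p1*256+p2).
# A stateful firewall therefore has to read the control channel, remember
# what the client announced, and open a temporary inbound pinhole for it.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Pinhole:
    """Inbound flow the firewall must temporarily permit for one data transfer."""
    server_ip: str      # expected source of the data connection (the FTP server)
    client_ip: str      # destination address the client announced
    client_port: int    # destination port the client announced


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a PORT command, or None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


def validate_port_command(line: str, control_client_ip: str, control_server_ip: str):
    """Decide whether a PORT command may open a pinhole.

    The checks are this example's assumptions about a careful helper:
      * the announced address must equal the control connection's client
        address (the firewall never opens a hole towards a third party);
      * the announced port must be unprivileged (>= 1024), so the server is
        never directed at a well-known service port on the client.
    Returns (Pinhole, "ok") or (None, reason).
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return None, "malformed PORT command"
    ip, port = parsed
    if ip != control_client_ip:
        return None, f"announced address {ip} is not the control-channel client {control_client_ip}"
    if port < 1024:
        return None, f"announced port {port} is privileged"
    return Pinhole(server_ip=control_server_ip, client_ip=ip, client_port=port), "ok"


def track_control_channel(lines, client_ip: str, server_ip: str):
    """Feed client->server control-channel lines through the helper.

    Returns (pinholes_opened, rejections); lines other than PORT are ignored
    because they do not change what the firewall must let in.
    """
    pinholes, rejections = [], []
    for line in lines:
        if not line.upper().startswith("PORT"):
            continue
        hole, reason = validate_port_command(line, client_ip, server_ip)
        if hole is None:
            rejections.append((line, reason))
        else:
            pinholes.append(hole)
    return pinholes, rejections


# Constructed sample control-channel traffic (not captured from any real host).
SAMPLE_CLIENT_LINES = [
    "USER anonymous",
    "PASS guest@example.invalid",
    "PORT 10,0,0,5,4,1",      # 10.0.0.5:1025 - the client itself, unprivileged port
    "LIST",
    "PORT 10,0,0,9,4,1",      # a different host on the client's side
    "PORT 10,0,0,5,0,25",     # port 25 on the client itself
    "PORT 10,0,0,5,999,1",    # not a valid octet
    "QUIT",
]

if __name__ == "__main__":
    opened, rejected = track_control_channel(SAMPLE_CLIENT_LINES, "10.0.0.5", "192.0.2.10")
    for hole in opened:
        print("open pinhole:", hole)
    for line, reason in rejected:
        print("reject:", line, "->", reason)
```

Run as a script it opens exactly one pinhole (server 192.0.2.10 to 10.0.0.5:1025) and rejects the other three PORT commands with the reason each failed. The point for the argument above is the amount of application-layer parsing and per-session memory the firewall needs just to handle the normal case; passive mode needs none of it, because the client initiates the data connection and the firewall sees it as an ordinary outbound flow.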