Peoples, Why not just put pressure upon the anti-viri folks to create
software that is supposed to deal with viral threats properly, and at the
same time, devote more time to the never ending chore of user awareness.
Those are the real issues here.  Melding firewall software/hardware to
take on the added task of doing anti-viri stuff is not the route to go,
nor is the definition of a new protocol.  Hell, IPsec, the newish ole IPv6
stuff hasn't even been fully deployed and it addresses some of the
security issues we face already.  Adding more protocols is not the answer.
A total redo of TCP/IP with security being the main focus might well be,
but, is certainly out of the question for sure.

Thanks,

Ron DuFresne
On Wed, 13 Dec 2000, Stephen Gutknecht (firewalls) wrote:

> Guy,
> 
> Both of your comments point toward the need for a new class of software.
> Either a firewall add-on or new client probing.  See my other post (right
> before this one) where I propose that a "detection engine" like ZoneAlarms
> could be used to request an outbound server with an "authorization server"
> _before_ the firewall allows outbound traffic.
> 
> If an outside company sells your "netnanny" (censoring at server level)
> list, you don't have to spend the time developing one.  Or if an outside
> company sells you a "scanning signature" -- you don't have to develop one
> (detecting at client).
> 
> As you basically allow outbound data on port 80 to anywhere, like most (all)
> of us do -- you are open to any program sending undesired data out to port
> 80.  We have solved the inbound problem (mostly), outbound is next...
> 
>   Stephen Gutknecht
>   Renton, Washington
> 
> -----Original Message-----
> From: elvene [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 13, 2000 7:39 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [firewalls] Digest Number 388
> 
> 
> 
> >    Date: Tue, 12 Dec 2000 22:38:37 -0800
> >    From: "Stephen Gutknecht \(firewalls\)" <[EMAIL PROTECTED]>
> > Subject: Undesired outbound data "leaking" - the next frontier?
> > ....
> > Solutions I can see off the top of my head:
> >
> >   1)  Allow only outbound traffic to pre-authorized destinations and keep a
> > list of only those allowable destinations on your firewall.  Using "net
> > nanny" (censoring) type technology for security purposes.
> 
> I could do this now, but if I did so, my entire life would be spent managing
> this list...  My compromise is to allow HTTP, HTTPS and the streaming media
> ports open to everywhere, FTP only via our proxy, and all other ports/IP's
> restricted IB AND outbound.
> 
> > 2)  Develop a list "safe client pc programs" and some type of scanning
> > technology to detect "undesired" programs.
> >
> 
> I can kind of do this now (list part with NT), but the amount of time spent
> establishing what executables are allowed, and which aren't, and locking things
> to the point that my end users can't change things to run the newest widget that
> they downloaded and brought in from home while still being able to do the work
> they need to do, and the lost productivity from the inevitable side effect of
> restricting something that you didn't intend to... it's just not going to
> happen.  Our operating environment changes daily - I could never keep up with it
> - it would take me two years to roll out a new platform.
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

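The thread contrasts two egress controls: elvene's port-based compromise (web and streaming ports open to anywhere, FTP only via the proxy, everything else denied) and Stephen's point that such a policy lets any program push data out on port 80. The script below is an added illustration written for this page, not code from any poster or product; it evaluates constructed outbound-connection log lines against that port policy and then applies a second, host-level check that flags allowed web traffic from programs outside an assumed client allow-list. The log format, the proxy address 10.0.0.2, the streaming ports and the allow-list contents are all assumptions chosen for the example.

```python
"""Egress policy evaluation over constructed outbound-connection records.

Added example: shows why a port-only egress policy passes 'leaks' on port 80
and how a client-side program allow-list catches what the port policy cannot.
"""
import re
from collections import Counter

# Constructed sample records (not real firewall output). Assumed format:
# "<time> OUT proto=<tcp|udp> src=<ip> dst=<ip> dport=<port> exe=<program>"
SAMPLE_LOG = """\
12:01:05 OUT proto=tcp src=10.0.0.12 dst=198.51.100.7 dport=80 exe=iexplore.exe
12:01:09 OUT proto=tcp src=10.0.0.12 dst=198.51.100.7 dport=443 exe=iexplore.exe
12:02:14 OUT proto=tcp src=10.0.0.33 dst=203.0.113.5 dport=21 exe=ws_ftp.exe
12:02:20 OUT proto=tcp src=10.0.0.33 dst=10.0.0.2 dport=21 exe=ws_ftp.exe
12:03:41 OUT proto=tcp src=10.0.0.40 dst=203.0.113.9 dport=6667 exe=widget.exe
12:03:55 OUT proto=tcp src=10.0.0.40 dst=203.0.113.9 dport=80 exe=widget.exe
12:04:02 OUT proto=udp src=10.0.0.12 dst=198.51.100.20 dport=1755 exe=mplayer2.exe
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) OUT proto=(?P<proto>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) exe=(?P<exe>\S+)$"
)

FTP_PROXY = "10.0.0.2"                 # assumed address of the FTP proxy
WEB_PORTS = {80, 443}                  # HTTP and HTTPS, open to anywhere
STREAMING_PORTS = {554, 1755}          # assumed streaming media ports, open to anywhere
KNOWN_WEB_CLIENTS = {"iexplore.exe", "netscape.exe"}  # assumed client allow-list


def parse(line):
    """Turn one log line into a dict; raise on lines that do not fit the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised record: %r" % line)
    conn = m.groupdict()
    conn["dport"] = int(conn["dport"])
    return conn


def port_policy(conn):
    """The 'compromise' policy from the thread, expressed as a default-deny rule set."""
    port = conn["dport"]
    if port in WEB_PORTS or port in STREAMING_PORTS:
        return "allow"
    if port == 21:
        # FTP is permitted only when the destination is the proxy
        return "allow" if conn["dst"] == FTP_PROXY else "deny"
    return "deny"


def leak_check(conn):
    """Second layer: web traffic the port policy allows, from a program not on the allow-list."""
    return (
        port_policy(conn) == "allow"
        and conn["dport"] in WEB_PORTS
        and conn["exe"] not in KNOWN_WEB_CLIENTS
    )


def evaluate(log_text):
    """Return (exe, dst, dport, verdict, flagged_as_leak) for every record."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        conn = parse(line)
        results.append((conn["exe"], conn["dst"], conn["dport"],
                        port_policy(conn), leak_check(conn)))
    return results


def summary(results):
    """Count denied flows per program and list the flows only the allow-list caught."""
    denied = Counter(r[0] for r in results if r[3] == "deny")
    leaks = [r for r in results if r[4]]
    return denied, leaks


if __name__ == "__main__":
    res = evaluate(SAMPLE_LOG)
    for exe, dst, dport, verdict, leak in res:
        print("%-13s -> %-15s :%-5d %s%s" % (exe, dst, dport, verdict,
                                            "  (flag: unknown program on web port)" if leak else ""))
    denied, leaks = summary(res)
    print("denied per program:", dict(denied))
    print("passed port policy but flagged by allow-list:", [r[0] for r in leaks])
```

Running it shows the two policies doing different jobs: the port rules stop the FTP session to a non-proxy host and the IRC-style connection on 6667, but the same unknown program's connection on port 80 sails through; only the program allow-list flags it. That is the gap the thread calls the "outbound leaking" problem, and why the posters see a client-side detection component as the complement to the firewall rather than a replacement for it.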
