My simple definition of a firewall is that of a system, hardware and software, that 
is used to "assist" in enforcing an entity-developed security policy. The 
implementation and (mis)configuration of that system does not denigrate the 
use for which the system was designed. It's like law enforcement agencies: 
just because it is/was not designed or set up well does not mean it's not a 
law enforcement agency. I think we have lost sight of the fact that 'policy' 
of any kind must not be static when the environment it exists in is 'fluid'.

piranha...


>From: "Bill Royds" <[EMAIL PROTECTED]>
>To: "Reckhard, Tobias" <[EMAIL PROTECTED]>
>CC: "Firewalls" <[EMAIL PROTECTED]>
>Subject: RE: How to find out about Open ports on firewall
>Date: Wed, 14 Mar 2001 23:21:14 -0500
>
>My simple definition of a firewall is "a device to ensure conformance to a 
>network access policy for traffic through it". But this does imply that it 
>won't let through traffic contrary to access policy, so the reply to the 
>original question was correct. If you can see ports on servers behind the 
>firewall that you are not supposed to see, then the firewall has failed. Of 
>course if you have a network access policy "let everything through", then 
>you can port scan behind the firewall. But I wouldn't call that a 
>"security" policy.
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Reckhard, Tobias
>Sent: Wednesday, March 14, 2001 04:52
>To: [EMAIL PROTECTED]
>Subject: RE: How to find out about Open ports on firewall
>
>
>Bollocks. ;-)
>
>No, seriously, you are right, of course, that a firewall should be
>configured with a default deny stance in most cases. However, that is hardly
>a criterion that decides whether something simply *is* a firewall or not.
>That depends entirely on the definition of 'firewall', which is subject to
>many a debate. Check 'Building Internet Firewalls, 2nd Ed.' by Zwicky,
>Cooper and Chapman. Quoting from page 21 of the book, chapter 1, section
>'Religious Arguments', subsection 'That's Not a Firewall!':
>
>'The world is full of people eager to assure you that something is not a
>firewall; it's "just a packet filter" or maybe it's "better than a mere
>firewall". If it's supposed to keep the bad guys out of your network, it's a
>firewall. If it succeeds in keeping the bad guys out, while still letting
>you happily use your network, it's a good firewall; if it doesn't, it's a
>bad firewall. That's all there is to it.'
>
>This is why I prefer to speak of firewall systems or be more specific in the
>description of individual components, by speaking of (perhaps stateful)
>packet filters, application level gateways (naming the specific protocol),
>etc. There is hardly a common denominator when the term 'firewall' is used.
>
>Back to the original topic, where someone said that open ports could be
>mapped through a firewall. Of course this is possible if the firewall is
>configured to let traffic pass through; the question is how difficult and
>effective port scanning is going to be. If you've got a public Web server in
>a DMZ behind a firewall, of course a port scan on the machine will turn up
>TCP port 80 as open and listening. Whether a presumptuous syslog UDP port of
>514 or an X11 server listening on TCP port 6000, which aren't meant for
>public access, will turn up depends on the firewall (and its configuration,
>of course). Stealth scans will get by some firewalls, others not. However,
>that's not the point. The point is that port scans cannot generally be said
>to be impossible through a firewall, neither can the general statement be
>made that a firewall that permits any form of port scan to be made through
>it is not a firewall.
>
>Cheers,
>Tobias
>
> > -----Original Message-----
> > From:       Bill Royds [SMTP:[EMAIL PROTECTED]]
> > Sent:       Wednesday, March 14, 2001 2:55 AM
> > To: Reckhard, Tobias
> > Cc: [EMAIL PROTECTED]
> > Subject:    RE: How to find out about Open ports on firewall
> >
> > Bollocks. If it does not have a deny all unless explicitly allowed, it is
> > not a firewall but a router. A "firewall" does not let traffic pass
> > unless authorised by a security policy. If it does otherwise, it is not a
> > firewall.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Reckhard, Tobias
> > Sent: Tuesday, March 13, 2001 08:33
> > To: 'Bill Royds'
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: How to find out about Open ports on firewall
> >
> >
> > Bill Royds wrote:
> > > If you can find the list of open ports THROUGH a firewall, then you need
> > > to replace the firewall. It has failed in its main task. The only way one
> > > should find out about open ports on a server is to be in the same
> > > protection domain as the server.
> > >
> > Bollocks. That may be the case in some setups, but there are clearly going
> > to be situations where a firewall, which may amount to as much as a
> > screening router, will let traffic through, hopefully but not necessarily to
> > specific servers and services. Now if your servers have open ports that the
> > firewall should prevent outsiders from accessing, that's an entirely
> > different story.
> >
> > Tobias
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]

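The thread above turns on one point: what an outside scanner sees through a firewall is a function of the rule set and its default stance, and the "firewall has failed" case is a listening service reachable from outside that the access policy never permitted. The following model, added here as an example and not code posted by anyone in the thread, makes that concrete. It evaluates a small first-match rule set with a default policy, runs a simulated external probe of the DMZ web server from the thread's scenario (TCP 80 public, syslog UDP 514 and X11 TCP 6000 not), and reports policy violations. All addresses, rules and listening services are constructed for illustration; a default-allow "screening router" rule set is shown beside a default-deny one.

```python
"""Toy model of a packet filter enforcing a network access policy.

Added example, not code from the original thread. Shows that the ports
an outside scanner sees through a firewall depend on the rule set: a
default-allow screening router exposes every listening service, while a
default-deny rule set exposes only what the policy explicitly permits.
All addresses, ports and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (RFC 5737 documentation ranges).
OUTSIDE_SCANNER = "203.0.113.5"
INTERNAL_LOGHOST = "10.0.0.20"
DMZ_WEB = "192.0.2.10"

# Services actually listening on the DMZ web server: the public web
# service plus two that were never meant to be reachable from outside.
LISTENING = {("tcp", 80), ("udp", 514), ("tcp", 6000)}

# Ports an outsider probes. Real scanners sweep far more; these suffice.
PROBES = [("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 514), ("tcp", 6000)]


@dataclass(frozen=True)
class Rule:
    """One filter rule; None in a field means 'match anything'."""
    action: str                 # "accept" or "drop"
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return all(want is None or want == got for want, got in
                   ((self.proto, proto), (self.src, src),
                    (self.dst, dst), (self.dport, dport)))


class PacketFilter:
    """First-match evaluation; the default policy decides unmatched traffic."""

    def __init__(self, rules, default: str):
        self.rules = list(rules)
        self.default = default

    def verdict(self, proto: str, src: str, dst: str, dport: int) -> str:
        for rule in self.rules:
            if rule.matches(proto, src, dst, dport):
                return rule.action
        return self.default


def external_scan(fw: PacketFilter, target: str, probes=PROBES):
    """Ports an outside scanner reports open: the service must be listening
    and the filter must pass the probe. (A real UDP scan only reports
    'open|filtered' for silent ports; the model ignores that ambiguity.)"""
    return sorted(p for p in probes
                  if p in LISTENING
                  and fw.verdict(p[0], OUTSIDE_SCANNER, target, p[1]) == "accept")


def policy_violations(fw: PacketFilter, target: str, public_services):
    """Services reachable from outside that the access policy never permitted.
    A non-empty result is the 'firewall has failed' case argued in the thread."""
    return sorted(set(external_scan(fw, target)) - set(public_services))


# Policy: only HTTP to the web server is public; syslog may leave the DMZ
# for the internal log host; everything else stays inside.
PUBLIC_SERVICES = {("tcp", 80)}

# 'Screening router' stance: blocks the one thing it was told about and
# lets everything else through.
screening_router = PacketFilter(
    [Rule("drop", proto="tcp", dst=DMZ_WEB, dport=23)],
    default="accept",
)

# Default-deny stance: explicit permits only. Note that UDP 514 is allowed
# in one direction (DMZ host to log host) without exposing it to outsiders.
default_deny = PacketFilter(
    [Rule("accept", proto="tcp", dst=DMZ_WEB, dport=80),
     Rule("accept", proto="udp", src=DMZ_WEB, dst=INTERNAL_LOGHOST, dport=514)],
    default="drop",
)

if __name__ == "__main__":
    for name, fw in (("screening router", screening_router),
                     ("default deny", default_deny)):
        print(f"{name}: scan sees {external_scan(fw, DMZ_WEB)}; "
              f"violations {policy_violations(fw, DMZ_WEB, PUBLIC_SERVICES)}")
```

Against the screening router the simulated scan turns up TCP 80, TCP 6000 and UDP 514, and the last two are flagged as violations; against the default-deny rule set only TCP 80 is visible and the violation list is empty, even though the same UDP 514 service is permitted elsewhere in the rule set. The same comparison can be run against a real rule set by substituting the filter's actual verdicts for the model's, which is the check a practitioner wants before trusting a scan result as proof that the firewall is (or is not) doing its job.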