(Mis)configuration aside, what about 'abuse', which also applies to the
law enforcement agency analogy?

Thanks,

Ron DuFresne

On Fri, 16 Mar 2001, HUNGRY PIRANHA wrote:

> My simple definition of firewall is that of a system, hardware and software, that
> is used to "assist" in enforcing an entity-developed security policy. The
> implementation and (mis)-configuration of that system does not denigrate the
> use for which the system was designed. It's like law enforcement agencies:
> just because it is/was not designed or set up well does not mean it's not a
> law enforcement agency. I think we have lost sight of the fact that 'policy'
> of any kind must not be static when the environment it exists in is 'fluid'.
> 
> piranha...
> 
> 
> >From: "Bill Royds" <[EMAIL PROTECTED]>
> >To: "Reckhard, Tobias" <[EMAIL PROTECTED]>
> >CC: "Firewalls" <[EMAIL PROTECTED]>
> >Subject: RE: How to find out about Open ports on firewall
> >Date: Wed, 14 Mar 2001 23:21:14 -0500
> >
> >My simple definition of a firewall is "a device to ensure conformance to a
> >network access policy for traffic through it". But this does imply that it
> >won't let through traffic contrary to access policy, so the reply to the
> >original question was correct. If you can see ports on servers behind the
> >firewall that you are not supposed to see, then the firewall has failed. Of
> >course if you have a network access policy "let everything through", then
> >you can port scan behind the firewall. But I wouldn't call that a
> >"security" policy.
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED]]On Behalf Of Reckhard, Tobias
> >Sent: Wednesday, March 14, 2001 04:52
> >To: [EMAIL PROTECTED]
> >Subject: RE: How to find out about Open ports on firewall
> >
> >
> >Bollocks. ;-)
> >
> >No, seriously, you are right, of course, that a firewall should be
> >configured with a default deny stance in most cases. However, that is hardly
> >a criterion that decides whether something simply *is* a firewall or not.
> >That depends entirely on the definition of 'firewall', which is subject to
> >many a debate. Check 'Building Internet Firewalls, 2nd Ed.' by Zwicky,
> >Cooper and Chapman. Quoting from page 21 of the book, chapter 1, section
> >'Religious Arguments', subsection 'That's Not a Firewall!':
> >
> >'The world is full of people eager to assure you that something is not a
> >firewall; it's "just a packet filter" or maybe it's "better than a mere
> >firewall". If it's supposed to keep the bad guys out of your network, it's a
> >firewall. If it succeeds in keeping the bad guys out, while still letting
> >you happily use your network, it's a good firewall; if it doesn't, it's a
> >bad firewall. That's all there is to it.'
> >
> >This is why I prefer to speak of firewall systems or be more specific in the
> >description of individual components, by speaking of (perhaps stateful)
> >packet filters, application level gateways (naming the specific protocol),
> >etc. There is hardly a common denominator when the term 'firewall' is used.
> >
> >Back to the original topic, where someone said that open ports could be
> >mapped through a firewall. Of course this is possible if the firewall is
> >configured to let traffic pass through; the question is how difficult and
> >effective port scanning is going to be. If you've got a public Web server in
> >a DMZ behind a firewall, of course a port scan on the machine will turn up
> >TCP port 80 as open and listening. Whether a presumptuous syslog UDP port of
> >514 or an X11 server listening on TCP port 6000, which aren't meant for
> >public access, will turn up depends on the firewall (and its configuration,
> >of course). Stealth scans will get by some firewalls, others not. However,
> >that's not the point. The point is that port scans cannot generally be said
> >to be impossible through a firewall, neither can the general statement be
> >made that a firewall that permits any form of port scan to be made through
> >it is not a firewall.
> >
> >Cheers,
> >Tobias
> >
> > > -----Original Message-----
> > > From:     Bill Royds [SMTP:[EMAIL PROTECTED]]
> > > Sent:     Wednesday, March 14, 2001 2:55 AM
> > > To:       Reckhard, Tobias
> > > Cc:       [EMAIL PROTECTED]
> > > Subject:  RE: How to find out about Open ports on firewall
> > >
> > > Bollocks. If it does not have a deny all unless explicitly allowed, it is
> > > not a firewall but a router. A "firewall" does not let traffic pass
> > > unless authorised by a security policy. If it does otherwise, it is not a
> > > firewall.
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of Reckhard, Tobias
> > > Sent: Tuesday, March 13, 2001 08:33
> > > To: 'Bill Royds'
> > > Cc: [EMAIL PROTECTED]
> > > Subject: RE: How to find out about Open ports on firewall
> > >
> > >
> > > Bill Royds wrote:
> > > > If you can find the list of open ports THROUGH a firewall, then you need
> > > > to replace the firewall. It has failed in its main task. The only way one
> > > > should find out about open ports on a server is to be in the same
> > > > protection domain as the server.
> > > >
> > > Bollocks. That may be the case in some setups, but there are clearly going
> > > to be situations where a firewall, which may amount to as much as a
> > > screening router, will let traffic through, hopefully but not necessarily to
> > > specific servers and services. Now if your servers have open ports that the
> > > firewall should prevent outsiders from accessing, that's an entirely
> > > different story.
> > >
> > > Tobias
> > >
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

