[EMAIL PROTECTED] wrote:
>
> Actually the Symantec Enterprise Firewall (old Axent Raptor) does a fair
> amount of protocol verification, such as HTTP command conformance, causing
> problems for people who try to shove new commands past it (WEBDAV
> anyone).
Yes, I'll readily agree that some proxy firewalls have gotten quite pedantic with HTTP due to the ridiculous number of vulnerabilities in web servers all round. This is a good thing. And maybe Raptor is one of the better ones in the L7 inspection area, but equating this to "proxy firewalls in general inspect every aspect of every protocol" sort of tickled my arguing impulse ;)

> Notice that the problem for many sysadmins is too much security ...

... or low IQ^H^H^H^H^H^H lack of security training, but maybe most of all because of interference from a company manglement that needs to be taken out back and shot, together with broken networked applications whose authors also need to be taken out back and shot. But then again, this is a problem with firewall installations in general, not a real differentiator between proxies/state trackers.

> I wouldn't recommend a stateful inspection FW for protecting
> a large number of unhardened corporate Windows98 desktops in
> the internal network from raw Internet attacks, although that
> is its biggest use.

Any equipment under the control of lusers needs to be put on a short leash. A bit of layer 7 inspection can work wonders here, f.i. by blocking java/activex/whatnot and disallowing untrusted applications using a common network protocol (read: internet explorer using HTTP). But this is really a matter of securing return data on outbound connections, and restricting which outbound connections may be made in the first place, rather than protecting them from evil evil packets from host X out on the internet, directly targeting an internal workstation.

As I've made abundantly obvious, I prefer the "main" firewall to be of the stateful inspection type. But I still like putting up proxies for traffic from internal hosts. In my case, that translates to open source stuff running on a general-purpose *nix server, perhaps in a separate security zone. But I see why the everyday admin won't/isn't able to do that.
But then again, the everyday admin wants to run so darn many protocols, and such insecure apps, that I'm unsure that a proxy firewall will be of any help, let alone be able to support all those protocols. Erk.

> My original reply to the question about moving Gauntlet to FW-1
> did not imply superiority of proxy firewalls to stateful
> inspection,

Yes it did, admit it :)

> and that there is no simple rule conversion technique
> [... and ] they can't be substituted one for the other,
> willy-nilly.

Couldn't agree more. I've seen several admins coming from the proxy firewall world, trying to set up rules on a stateful inspection firewall, allowing traffic from internal hosts to the firewall itself. Ouch. Vast conceptual differences missed.

> Proxy firewalls perhaps are more susceptible to attacks ON the firewall
> rather than through it, but I don't know of any reports of proxies
> breached themselves [...]

Then you need to look harder :)

> There are reports of breaches on FW-1 as well, since it normally
> runs on a general purpose host.

Yep. I'm no big FW-1 fan, so you won't get any argument from me about that particular firewall. I'm tempted to do my rant about running security software on general-purpose operating systems here, but I'll spare you :) (And besides, I'm biased.)

/Mike

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
For bored sysadmins: http://lart.badf00d.org

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
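The layout Mike describes (a stateful "main" firewall, a proxy for internal hosts sitting in its own zone, and no rule letting internal hosts talk to the firewall box itself) written out as a ruleset. This is an added illustration in nftables syntax, not code from the thread, from Mikael or from Clavister; the interface names eth0/eth1/eth2, the 10.0.0.0/24 and 10.1.0.0/24 addresses, the admin host 10.0.0.10 and the proxy port 3128 are all assumptions made up for the example.

```nftables
# Assumed topology (example only):
#   eth0 = Internet, eth1 = internal LAN 10.0.0.0/24,
#   eth2 = proxy zone 10.1.0.0/24 with the *nix proxy box at 10.1.0.5
table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;

        # the stateful part: replies to connections the box itself opened
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # the only thing internal hosts may say TO the firewall: SSH from
        # one assumed admin host. The "ouch" mistake from the thread would
        # be a broad rule here such as:  iifname "eth1" accept
        iifname "eth1" ip saddr 10.0.0.10 tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # return traffic for connections already tracked; this is what
        # "securing return data on outbound connections" hangs off
        ct state established,related accept
        ct state invalid drop

        # internal clients reach the web only via the proxy zone, and
        # only on the assumed proxy port; nothing from eth1 goes to eth0
        iifname "eth1" oifname "eth2" ip saddr 10.0.0.0/24 \
            ip daddr 10.1.0.5 tcp dport 3128 accept

        # the proxy box is the one host allowed out on web ports, so any
        # Java/ActiveX/user-agent filtering happens there, not here
        iifname "eth2" oifname "eth0" ip saddr 10.1.0.5 \
            tcp dport { 80, 443 } accept

        # deliberately no rule for eth0 -> eth1 or eth0 -> eth2: inbound
        # packets aimed straight at a workstation die at policy drop
    }
}
```

Load with `nft -f` and check with `nft list ruleset`; the point to look for is that the only `iifname "eth1"` line in `input` is the narrow admin-host rule, and that no `forward` rule pairs eth1 with eth0. Swapping in a proxy-style mindset, where clients are told to connect to the firewall's own address for every service, is exactly what would make someone add the broad input rule the comment warns about.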
