Inbound inspection is relatively trivial, since there are a limited set of possible hosts that external users wish to connect to.

External inspection is not so trivial, especially when you have a diverse set of users who may, or may not, trust your outbound proxy (e.g. contractors, consultants, non-PC devices and so on). And then, even if you do have inspection, what are you going to do about the traffic? Signature based products can help to an extent, but for the average enterprise, there are simply too many external hosts to really keep track of if you are trying to prevent actual theft or malicious traffic (as opposed to trying to stop personal use of Bittorrent). Technology alone does not solve operational maturity issues, and until there is some easier way of providing policy based access to sites (beyond whitelisting IPs or similar), then this type of technology isn't going to stop 443 being a "firewall bypass port" in most large orgs.

Cheers
Ken

-----Original Message-----
From: Thomas W Shinder [mailto:[EMAIL PROTECTED]
Sent: Sunday, 3 February 2008 3:16 PM
To: NT System Admin Issues
Subject: RE: L2TP vs. SSTP

Keep in mind that the "universal firewall bypass port" only works when you can't inspect the connections. Some firewalls can do this inbound and outbound, in which case, the "bypass port" canard no longer applies.

HTH,
Tom

-----Original Message-----
From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: Saturday, February 02, 2008 1:59 AM
To: NT System Admin Issues
Subject: RE: L2TP vs. SSTP

Well, listen to the evangelism people from Microsoft (and others), it's all about protecting the core services now. The hard edge is going to become increasingly irrelevant for many orgs (there's the need to federate, contractors, mobile devices, home workers, outsourcers etc, etc, etc). We already had the discussion about the universal firewall bypass port :-)

Cheers
Ken

-----Original Message-----
From: Micheal Espinola Jr [mailto:[EMAIL PROTECTED]
Sent: Saturday, 2 February 2008 6:03 AM
To: NT System Admin Issues
Subject: Re: L2TP vs. SSTP

I guess I missed the meeting ;-) - what's the primary device now?

On Jan 31, 2008 10:21 AM, Eric E Eskam <[EMAIL PROTECTED]> wrote:
>
> "Ben Scott" <[EMAIL PROTECTED]> wrote on 01/31/2008 09:42:14 AM:
>
> > On Jan 31, 2008 8:51 AM, Eric E Eskam <[EMAIL PROTECTED]> wrote:
> > > Firewalls haven't been a primary security device for a few
> > > years now....
> >
> > I guess I better take ours down then... ;-)
>
> :) I didn't say they weren't useful, just said they were no longer a
> primary security device - esp. for outbound...

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
