Firewall Wizards mailing list archives

Re: Code Red: What security specialist don't mention in warnings (Frank Knobbe)


From: Joseph Steinberg <Joseph () whale-com com>
Date: Mon, 6 Aug 2001 11:49:45 -0400


I agree wholeheartedly that we do need to come up with a better way of
addressing these issues than patching every specific vulnerability. Our
e-Gap systems do this with positive logic -- i.e., enforcing that
web-servers/applications only receive requests in formats that the
web-servers/apps expect. So, worm attacks, hacker attacks, etc. (which are
generally based on unexpected submissions) fail -- regardless of whether the
particular hack is known to our product or not. I am curious how others deal
with this.

Tunneling -> There are ways to mitigate tunneling threats. I know
that our products address tunneling by eliminating TCP/IP connectivity and
TCP/IP headers; there may be others that do so as well. We also distinguish
between types of attacks, and I am certain others do as well.

BTW: Even a firewall with a strong application proxy will likely not solve
this unless it uses positive logic. There will always be new vulnerabilities
to keep up with.

Joseph

Security is not a binary value, yes or no, but a spectrum.  The more
secure you make the system the fewer worms and script kiddies get
through.  In this case, Code Red would have been contained (and probably
was on many well maintained systems).  Are there still holes?  Sure.

There is no protection at this moment from tunneling.

Also, a well-formed DDoS attack is indistinguishable from the "Slashdot
Effect." So there is no defence from that one.

But that doesn't mean that we just give up, go home and play with our
Commodore 64s.

So I must agree that patching is not the only issue here. I cannot
clean up the web, but I appreciate the helpful ideas to help protect my
site.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
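The "positive logic" Joseph describes above (accept only requests in the formats the application expects, reject everything else) is easier to judge next to the signature-based alternative. The following is an added example, not code from the thread or from any e-Gap product: a request-line filter with a hypothetical allow-list of routes and parameter formats, beside a block-list filter that knows one constructed signature (Code Red probed the .ida extension; the regex here is a simplification, not the worm's actual detection rule). The sample request lines are constructed, not captured traffic. The route table, size limits and function names are all assumptions for illustration.

```python
"""Positive-logic (allow-list) request filtering versus signature matching.

Added example; the routes, limits and sample requests below are constructed
for illustration and are not from the thread or from any product.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Hypothetical application specification: the only method/path pairs the
# application serves, and for each one the query parameters it expects with
# the exact format it accepts.  Anything outside this is rejected.
ALLOWED_ROUTES = {
    ("GET", "/"): {},
    ("GET", "/search"): {"q": re.compile(r"[\w ]{1,64}")},
    ("GET", "/docs"): {"page": re.compile(r"[a-z0-9-]{1,40}")},
}
MAX_REQUEST_LINE = 512   # assumed ceiling for a sane request line
MAX_TARGET = 256         # assumed ceiling for the request target

# Negative logic for contrast: a single constructed signature for the one
# worm this filter happens to know about (Code Red probed the .ida extension).
KNOWN_BAD_SIGNATURES = [re.compile(r"\.ida\?", re.IGNORECASE)]


def negative_check(request_line):
    """Block-list filter: allow everything except known-bad patterns."""
    for sig in KNOWN_BAD_SIGNATURES:
        if sig.search(request_line):
            return False, "matched known-bad signature"
    return True, "ok"


def positive_check(request_line):
    """Allow-list filter: permit only requests the application expects.

    Returns (allowed, reason).  Every check is a constraint the application
    itself implies, so an attack the filter has never seen still fails unless
    it fits the expected shape exactly.
    """
    if len(request_line) > MAX_REQUEST_LINE:
        return False, "request line too long"
    if not request_line.isascii() or not request_line.isprintable():
        return False, "non-printable or non-ASCII bytes in request line"
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "unexpected HTTP version"
    if len(target) > MAX_TARGET:
        return False, "request target too long"
    url = urlsplit(target)
    if url.scheme or url.netloc or url.fragment:
        return False, "absolute URL or fragment in request target"
    expected_params = ALLOWED_ROUTES.get((method, url.path))
    if expected_params is None:
        return False, "method/path not served by the application"
    seen = set()
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in seen:
            return False, "duplicate parameter %s" % name
        seen.add(name)
        pattern = expected_params.get(name)
        if pattern is None:
            return False, "unexpected parameter %s" % name
        if not pattern.fullmatch(value):
            return False, "parameter %s does not match expected format" % name
    return True, "ok"


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /search?q=firewalls HTTP/1.1",                 # legitimate
    "GET /default.ida?" + "N" * 240 + " HTTP/1.0",      # shape the signature knows
    "GET /other.dll?" + "X" * 200 + " HTTP/1.0",        # unknown attack shape
    "GET /search?q=firewalls&debug=1 HTTP/1.1",         # parameter the app never defined
    "GET /search?q=" + "a" * 100 + " HTTP/1.1",         # oversized value
]


def compare(request_lines=SAMPLE_REQUESTS):
    """Run both filters; return [(request, negative_allowed, positive_allowed)]."""
    return [(r, negative_check(r)[0], positive_check(r)[0]) for r in request_lines]


if __name__ == "__main__":
    for req, neg, pos in compare():
        print("%-60s negative=%-5s positive=%s" % (req[:57] + "...", neg, pos))
```

Only the first sample passes the allow-list; the block-list passes everything except the one shape it has a signature for, which is the gap Joseph's "regardless of whether the particular hack is known" refers to. The cost is the part the thread does not spell out: the allow-list is a specification of the application that must be maintained whenever the application changes, or legitimate requests start failing, and it gives no protection against an attack that fits the expected shape (for example a hostile value that stays within the allowed character set and length).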