Firewall Wizards mailing list archives
Re: Re: Code Red: What security specialist don't mention in warnings (Frank Knobbe)
From: Darren Reed <darrenr () reed wattle id au>
Date: Wed, 8 Aug 2001 09:44:42 +1000 (EST)
In some email I received from Joseph Steinberg, sie wrote:
> > Tell me how any of those are going to find a buffer overflow in a new daemon someone writes tomorrow with its own custom protocol?
>
> Use an application-filtering tool/proxy that employs positive logic. Only requests that conform to what the daemon expects will be let to pass through. (You can protect the app-level-inspection engine with other types of security -- such as Air Gap)...

So you're saying every piece of software that interacts with another via the network is to be filtered through an application proxy/tool? I find that unacceptable. How the heck do we know that this filter isn't buggy? Where are the guarantees for it saying it has no buffer overflows? Simply deploying more layers between two parties does NOT fix the problem, just attempts to hide it.

The problem here is quality of software (or lack thereof) and the ability of vendors to legally provide/sell bugware.

Darren
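As an added illustration of the "positive logic" filter Joseph describes (example code written for this archive page, not from either poster): an allowlist validator for a hypothetical line-based request protocol. The verb set, field limits and sample requests are constructed assumptions; the point is that the filter enumerates what it accepts and rejects everything else, including over-long fields, with very little parsing logic of its own.

```python
import re

# Hypothetical request grammar for the "new daemon" in the thread (constructed):
#   <VERB> <name> [<size>]\r\n
# Positive logic: only exact matches to this grammar are forwarded.
MAX_LINE = 256                                   # hard bound on the whole line
ALLOWED_VERBS = {"GET": 1, "PUT": 2, "QUIT": 0}  # verb -> required argument count
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")  # bounded, restricted charset
MAX_SIZE = 1 << 20                               # largest size argument accepted


def validate_request(raw: bytes):
    """Return (ok, reason). ok is True only when the request matches the
    grammar exactly; anything not explicitly permitted is rejected."""
    if len(raw) > MAX_LINE:
        return False, "line too long"
    if not raw.endswith(b"\r\n"):
        return False, "missing CRLF terminator"
    try:
        line = raw[:-2].decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes"
    if any(ord(c) < 0x20 for c in line):
        return False, "control character"
    parts = line.split(" ")
    verb, args = parts[0], parts[1:]
    if verb not in ALLOWED_VERBS:
        return False, "unknown verb"
    if len(args) != ALLOWED_VERBS[verb]:
        return False, "wrong argument count"
    if args and not NAME_RE.match(args[0]):
        return False, "bad name"
    if len(args) == 2 and (not args[1].isdigit() or int(args[1]) > MAX_SIZE):
        return False, "bad size"
    return True, "ok"


def proxy_filter(requests):
    """Split a batch of raw requests into (forwarded, dropped) lists of
    (request, reason) pairs, the way an allowlisting proxy would."""
    forwarded, dropped = [], []
    for req in requests:
        ok, why = validate_request(req)
        (forwarded if ok else dropped).append((req, why))
    return forwarded, dropped
```

The filter never needs a list of known-bad inputs, which is what lets it reject a malformed request it has never seen; the trade-off Darren raises is that every protocol needs its own grammar written and kept correct.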
Current thread:
- RE: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Joseph Steinberg (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Adam Shostack (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Darren Reed (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Balazs Scheidler (Aug 11)
- <Possible follow-ups>
- RE: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Joseph Steinberg (Aug 07)
- RE: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Scott, Richard (Aug 07)
- RE: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Scott, Richard (Aug 10)