Firewall Wizards mailing list archives
Re: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY
From: Darren Reed <darrenr () reed wattle id au>
Date: Wed, 21 Feb 2001 22:19:10 +1100
In some email I received from agetchel () kde state ky us, sie wrote:
> > Why can't it? Or more to the point, why shouldn't it? Isn't that what it's there to do - protect web servers, etc? If it can't provide protection from people defacing web servers then what's the point of having it in the first place? Why should I pay $10k for a firewall if it can't protect my web server from hackers?
>
> The point of having a traditional layer-3/layer-4 firewall is to protect from _certain kinds_ of attacks, like I said before, from direct access attempts to the server itself. You shouldn't have the expectation that a standard 'stateful inspection' or 'packet filtering' firewall would protect you from layer-7 exploits.
You seem to have made a whole bunch of assumptions about what I was talking about when I said "firewall" and in essence, none of them are true. I never said anything about 'stateful inspection' or 'packet filtering'. A firewall is a firewall, be that what it is. You buy it to protect your network and servers from hackers. If it can't protect your web server from hackers then what sort of protection is it really providing you?
> Like I said before, if you want layer-7 security, look at an application proxy.
Actually, you didn't say it before (or at least not in any email I've read).
> Why _shouldn't_ layer-3/layer-4 firewalls provide layer-7 security?
That's not the question I asked. I asked why shouldn't firewalls protect web servers. Stop cheating. To quote you from an earlier email: [...]
> Apples and oranges. Of course a firewall can't keep someone from defacing a web server which it's protecting, they work at a lower layer and don't care if that HTTP packet which just entered its external interface contains a buffer overflow attack.
[...] Or are you willing to withdraw that comment about firewalls only being low-level devices? :-)
> > That's one role. But they fail when you start tunnelling one service inside another. This is what you can do with SSH, SOAP, etc.
>
> Correct. Like I said before, if you want layer-7 security, look at something which can inspect the payload of the packet itself to verify the integrity of the data being sent and received. Application proxies do a wonderful job at this.
You can't proxy ssh or at least I wouldn't accept an ssh connection that was proxied :)
> > > They are an _access control_ device
> >
> > That's another role.
>
> Access control is the _primary_ role of a layer-3/layer-4 firewall in most cases.
This is one instance where you should have left the "layer-3/layer-4" out.
> > That's a separate problem.
>
> No, that's _the_ problem you are trying to solve that you state a layer-3/layer-4 firewall can't do the job, and you're correct.
I didn't state that it couldn't do the job - you did. I asked this:
> Why can't it? Or more to the point, why shouldn't it?
(You should really try reading what people write in emails, not what you think has been written.)
> That's why there are application proxies.
No it isn't.
> They provide layer-7 security which protect against most all of the typical techniques used for defacing web sites.
Oh really? That's news to me :) If I install Gauntlet, it will magically protect my web server from defacing - hmmm, I'd like to see that :) I'm sure the NAI folk could sell it well if it were true too :)
> If you want both layer-3/layer-4 security AND layer-7 security, use both types of devices.
Or one with both as part of its capabilities.
> What I'm trying to say here is that there's no _one_ security device that solves every problem and therefore no _one_ security device that is 100% guaranteed to protect servers from exploits. This is why we have stateful inspection firewalls AND application proxies. Why doesn't one product provide functionality at all layers? Performance is a good reason. Providing security at layer-7 is slow, typically, and not appropriate for all scenarios.
Sure.
> > Who said a firewall had to be only a layer-3/layer-4 device? What do you think a proxy firewall does, hmm?
>
> I know what an application proxy, or 'proxy firewall' as you say it, is. It provides layer-7 security like I stated above many times. I never said a firewall had to only be a layer-3/layer-4 device, like you said,
In your previous email, discussing firewalls and what they could do, you made this remark:
Bottom line, don't try and solve a layer-7 problem with a layer-3/layer-4 device.
I don't remember this distinction being made prior to your remarks.
> because we have application proxies which _are_ a type of firewall. Perhaps we should try and define 'firewall'... =)
You are familiar with the firewall toolkit, are you not? What about SOCKS? Why do I feel like I'm teaching firewalls-101 here? Or did the media redefine firewall to only mean packet filters while we weren't watching? They already stole "hacker"...

Darren