Firewall Wizards mailing list archives
Re: Re: Firewalls breaking stuff: [Was re: fwtk]
From: "Charles W. Swiger" <chuck () codefab com>
Date: Mon, 22 Jul 2002 12:41:30 -0400
On Saturday, July 20, 2002, at 10:31 AM, Marcus J. Ranum wrote:

> > I'll agree that OpenSSL almost certainly has bugs. There are some other alternatives, such as getting a hardware crypto-accelerator card or box, and using that to perform SSL.
>
> Ah, you've fallen for the first fallacy of the appliance!! "It's hardware" - uh, no - it's probably a PC running *BSD inside, and it's running software - possibly OpenSSL or Bsafe (which has also had security holes)...

Most of the firewalls sold today are "hardware" running some "software", too. Some of them are nothing more than a PC running *BSD and a web-based firewall management app.

Let's say the SSL device is internal: on a PCI card, or connected via the SCSI bus. Even if the device is vulnerable, how is an attacker going to get to it?

[ Short of compromising and going through the HTTPS server machine, that is. ]

> SSL accelerators are _performance_ tools not security tools.

I'd agree with this. But that doesn't mean an SSL cryptoaccelerator box is inherently more vulnerable to compromise than any other network appliance. For instance, has anyone else had to update the firmware on their network switches for the SNMP vulnerability?

> - So we started with you challenging the wisdom of implementing only a subset of SMTP

We started with a criticism of security vendors who release software which doesn't implement protocols correctly. One example was Cisco's MailGuard breaking SMTP, yes.

> - And I responded that that was a good thing because it let us leave a bunch of complexity out of the picture

I haven't seen a real-world example of why the munging of the SMTP protocol that Cisco's MailGuard performs is beneficial. A reductionist approach is great for security, but there comes a point where the additional security gained doesn't justify the tradeoff in terms of cost, missing functionality, etc.

> - And you responded that we should get EVEN MORE COMPLEX by adding mystical unauditable devices to the configuration because...? it's better than just implementing a subset of SMTP?

Are the mystical unauditable devices sold by some security vendors better? How could I audit the VPN solution you mention below?

> > Cryptoswift is one vendor I'm familiar with in that area.
> >
> > Besides-- is there a better alternative than SSL, given the requirement above?
>
> Well, the original question was the wisdom of implementing a subset of SMTP on a secure gateway. I think that's still the best option. Now, if the next question is providing secure access to Email I'd say a VPN would work well for that, since there's a high likelihood that the customer will have other types of access they want to provide than just email, no?

People tend to want VPNs between branch offices or permanent home offices because they do take some effort to configure. People don't tend to want VPNs when going to a trade show, or reading their mail from a client site, or from some other transient location.

-Chuck

Chuck Swiger | chuck () codefab com | All your packets are belong to us.
-------------+-------------------+-----------------------------------
"The human race's favorite method for being in control of the facts is to ignore them." -Celia Green

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards