Firewall Wizards mailing list archives

XML firewalls


From: ArkanoiD <ark () eltex net>
Date: Mon, 13 Feb 2006 14:35:30 +0300

nuqneH,

I wrote this to the list a couple of years ago, but no one answered, though
I see some XML firewall people here.

Could anyone provide some comments on these lines:

On SOAP and other http+xml combos: how do you create security policies
for passing xml-based messages through a firewall?

I've read the WS-SecurityPolicy paper and seen some ads of XML firewalls, but have
not seen any good example of how that works for any simple XML-based protocol.
Let's start with, say, jabber: I'd like to write a policy that logs sender
ids and restricts everything else to fit the official jabber schema without
vendor extensions. Could anyone show me how that can be achieved with current
products?
 

----- Forwarded message from ArkanoiD <ark () eltex ru> -----

Delivered-To: firewall-wizards () honor icsalabs com
From: ArkanoiD <ark () eltex ru>
To: firewall-wizards () honor icsalabs com
Reply-To: ark () eltex net
X-Mailer: Mutt 1.0.1i
Subject: [fw-wiz] Future and past firewalls (was "firewalls comparison")
Errors-To: firewall-wizards-admin () honor icsalabs com
X-BeenThere: firewall-wizards () honor icsalabs com
X-Mailman-Version: 2.0.13
Precedence: bulk
List-Help: <mailto:firewall-wizards-request () honor icsalabs com?subject=help>
List-Post: <mailto:firewall-wizards () honor icsalabs com>
List-Subscribe: <http://honor.icsalabs.com/mailman/listinfo/firewall-wizards>,
        <mailto:firewall-wizards-request () honor icsalabs com?subject=subscribe>
List-Id: Firewall Wizards Security Mailing List <firewall-wizards.honor.icsalabs.com>
List-Unsubscribe: <http://honor.icsalabs.com/mailman/listinfo/firewall-wizards>,
        <mailto:firewall-wizards-request () honor icsalabs com?subject=unsubscribe>
List-Archive: <http://honor.icsalabs.com/pipermail/firewall-wizards/>
Date: Fri Jun 25 06:35:37 2004
X-Original-Date: Fri, 25 Jun 2004 14:23:44 +0400

nuqneH,

I've read the "Advanced Screening" article on the Infosecuritymag site and I'd like to
share some thoughts on it.

The first impression was quite good, I'd say; things are not as bad as I supposed ;-)
There still IS a market for advanced firewalling as I see it, and there are
professionals that are interested in tools for having things controlled.
But some questions are still unanswered. Those are:

As I stated before, there are TWO completely different things, both called
"firewall". Devices for protecting DMZ servers, focused on scalability, fault
tolerance, high performance, IPS capabilities and DoS resistance. And there are
devices for protecting LANs, with completely different feature requirements:
advanced application inspection and granular control. Why does everyone mix those two?
Different boxes, different designs and, sure, different vendors.
(I've found it to be a very good sign that VPN features are left aside in this
comparison; looks like people finally realized the obvious thing: the firewall itself
is not required to be a VPN box, though it usually can be ;-))

On SOAP and other http+xml combos: how do you create security policies
for passing xml-based messages through a firewall? I still do not have this
feature, but I definitely need it and I'd like to see a wishlist and references
on how others implement it.

The same question applies to IIOP, which was not even noted in the article, though
2 years ago everyone talked about it.

Is IPS in its traditional meaning important for proxy firewalls? My personal
impression is that it is more important to have advanced protocol parsing that will
drop questionable content regardless of whether there is a known vulnerability abused this way
or not, rather than to have an up-to-date "signature database". When I see a new
vulnerability, I often check if my proxies are paranoid enough. For http/html, it
is about 70% of "unknown" bad things being blocked a priori. For lpd, it is
about 100% ;-), for cvs-pserver 50%, etc etc, YMMV. Does not look good enough to
rely on it? Sure, but it is just because of my lack of resources to analyse
vulnerabilities and make content inspection deeper.

What's wrong with Cyberguard? It was blamed in the article for "legacy design";
what do they mean?

Does Netscreen really do in-depth IMAP inspection? The protocol is terribly
complicated :-(

P.S. (some advertising ;-)

Though there still are some corporate, government and bank installations of my
creature, it is becoming mostly an academic project at the moment ;-). Here is the
core code snapshot (sorry, almost no documentation, but it should look familiar to
you if you have experience with TIS/NAI fwtk; there even is an API that resembles
the old one, so you may compile any fwtk proxy with it). We are interested in any
commercial proposals on the thing.

http://milliways.chance.ru/~ark/soft/ADVAopenfwtk-pre2.tar.gz

$ md5sum ADVAopenfwtk-pre2.tar.gz 
86065d63d96e03479bdba627f279753b  ADVAopenfwtk-pre2.tar.gz

It is pre-release code, so no public license - if you want to use it, just write
me an email.

Legacy proxies that did not pass QA are not included, you may get them at fwtk.org
in "patches" section.

----- End forwarded message -----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
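The jabber policy asked for above (log sender ids, drop anything that does not fit the official schema) and the "paranoid protocol parsing" approach from the forwarded message both describe a positive security model: admit only what the schema allows and reject the rest, whether or not a known vulnerability is behind it. The following is an added example, not code from the original post or from any of the products or the fwtk code it mentions. The POLICY allowlist (the jabber:client and jabber:iq:roster namespaces with a subset of their elements and attributes), the 64 KiB size cap, the audit-log format and the sample stanzas are all constructed for the example; a real deployment would derive the allowlist from the full schema.

```python
"""Positive-security-model filter for XMPP ("jabber") stanzas.

Added example, not code from the original post: every element and attribute
must belong to a namespace/element allowlist derived from the core jabber
schema; anything else (vendor extensions, DTDs, unknown namespaces) is
dropped, and the decision is written to an audit log with the sender id.
The POLICY table, the size cap and the sample stanzas are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
MAX_STANZA_BYTES = 64 * 1024  # constructed limit; tune for the deployment


@dataclass(frozen=True)
class NamespaceRules:
    elements: Set[str]    # local element names permitted in this namespace
    attributes: Set[str]  # attribute names permitted on those elements


# Allowlist: only namespaces listed here may appear at all. Stanza roots live
# in jabber:client; the roster query shows how a payload namespace is admitted.
POLICY: Dict[str, NamespaceRules] = {
    "jabber:client": NamespaceRules(
        elements={"message", "presence", "iq", "body", "subject", "thread",
                  "show", "status", "priority"},
        attributes={"from", "to", "id", "type", XML_LANG},
    ),
    "jabber:iq:roster": NamespaceRules(
        elements={"query", "item", "group"},
        attributes={"jid", "name", "subscription", "ask"},
    ),
}
STANZA_ROOTS = {"message", "presence", "iq"}


def split_tag(tag: str) -> Tuple[str, str]:
    """ElementTree spells a namespaced name as '{ns}local'; split it."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def check_tree(root: ET.Element) -> Optional[str]:
    """Return a rejection reason, or None if every node fits the allowlist."""
    ns, local = split_tag(root.tag)
    if ns != "jabber:client" or local not in STANZA_ROOTS:
        return f"root {root.tag} is not a jabber:client stanza"
    for elem in root.iter():  # iter() walks the root and all descendants
        ns, local = split_tag(elem.tag)
        rules = POLICY.get(ns)
        if rules is None or local not in rules.elements:
            return f"element {elem.tag} not in schema"
        for attr in elem.attrib:
            if attr not in rules.attributes:
                return f"attribute {attr} on {elem.tag} not in schema"
    return None


def filter_stanza(raw: str, audit: List[dict]) -> Tuple[bool, str]:
    """Decide accept/reject for one stanza and append the decision to audit."""
    sender: Optional[str] = None
    reason = "ok"
    if len(raw.encode("utf-8")) > MAX_STANZA_BYTES:
        reason = "stanza exceeds size limit"
    elif "<!DOCTYPE" in raw:
        # RFC 6120 forbids DTD subsets in XML streams; refusing them before
        # parsing also keeps entity expansion away from the parser entirely.
        reason = "DTD not permitted in XMPP stream"
    else:
        try:
            root = ET.fromstring(raw)
        except ET.ParseError as exc:
            reason = f"malformed XML: {exc}"
        else:
            sender = root.get("from")
            reason = check_tree(root) or "ok"
    accepted = reason == "ok"
    audit.append({"from": sender,
                  "decision": "accept" if accepted else "reject",
                  "reason": reason})
    return accepted, reason


# Constructed sample traffic (not captured from any real deployment).
CLEAN_MESSAGE = ('<message xmlns="jabber:client" from="alice@example.org/home" '
                 'to="bob@example.org" type="chat"><body>hi</body></message>')
VENDOR_EXT = ('<message xmlns="jabber:client" from="mallory@example.org/x" '
              'to="bob@example.org"><body>hi</body>'
              '<x xmlns="urn:example:vendor-ext" cmd="sync"/></message>')
ROSTER_IQ = ('<iq xmlns="jabber:client" from="alice@example.org/home" id="r1" '
             'type="get"><query xmlns="jabber:iq:roster"/></iq>')
DTD_STANZA = ('<!DOCTYPE message><message xmlns="jabber:client" '
              'from="eve@example.org"><body>hi</body></message>')

if __name__ == "__main__":
    log: List[dict] = []
    for stanza in (CLEAN_MESSAGE, VENDOR_EXT, ROSTER_IQ, DTD_STANZA):
        print(filter_stanza(stanza, log))
    for entry in log:
        print(entry)
```

The check is deliberately schema-driven rather than signature-driven: the vendor extension in the second sample is dropped because its namespace is not on the allowlist, not because anything is known to be wrong with it, which is the a priori blocking the forwarded message describes. Because the decision and the `from` attribute are written to the audit list for every stanza, accepted or not, the "log sender ids" half of the requested policy comes for free.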

