Firewall Wizards mailing list archives
Re: (no subject)
From: Devdas Bhagat <dvb () users sourceforge net>
Date: Tue, 20 Jun 2006 14:00:31 +0530
On 19/06/06 22:18 -0400, Paul D. Robertson wrote: <snip>
That's been true of every new protocol in the last 6 or 7 years, if not longer. If you're going to let users install things, you're going to have to deal with it. Software restriction policies, ACLs, etc. You can't give up control of the end platform, then expect to get decent security by blocking arbitrary ports.
Also, a lot of people have problems with corporate policies not allowing the opening of ports, or overly bureaucratic procedures for doing so. They can generally expect that HTTP will be open, and hence the desire to run everything over HTTP. What we need is a proxy which will analyse HTTP traffic content, and filter _that_. I mean that we need a proxy which will analyse the contents of the XML request, and then allow or deny based on that.

If you think this is bad, consider SOAP. XML over HTTP, so no new ports have to be opened (yay! it just works!). And the XML is a wrapper around an entirely new protocol, which would at one time have needed a separate port (and hopefully, a proxy).

Now with application writers deciding that supporting so many platforms is hard and writing web applications, we have a system where the OS is a browser, code is dynamic (Javascript and AJAX, anyone?) and all code is tunneled over a protocol with holes you could drive a truck (or two) through (HTTP).

Firewalls are turning into a joke here. If you were worried about tunnels, now start worrying about tunnels in tunnels.

Devdas Bhagat

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
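As an added illustration of the kind of content-inspecting proxy the post asks for (this is example code, not part of Devdas Bhagat's message or of any product): a policy check that looks inside an HTTP POST carrying a SOAP envelope and allows or denies it by the operation requested, rather than by port. The operation allowlist, the `urn:example:orders` namespace, the operation names, the size cap and the sample envelopes are all constructed for the example. It refuses any request that declares a DTD before parsing, since a proxy that parses request bodies is itself a target for entity-expansion tricks.

```python
"""Minimal SOAP-over-HTTP content policy for a filtering proxy (added example).

All policy values and sample requests below are constructed, not captured traffic.
"""
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional, Tuple

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_CONTENT_TYPES = ("text/xml", "application/soap+xml")

# Constructed policy: operations that may pass, keyed by (namespace, local name),
# plus a size cap so the proxy never parses arbitrarily large bodies.
ALLOWED_OPERATIONS = {
    ("urn:example:orders", "GetOrderStatus"),
    ("urn:example:orders", "ListOrders"),
}
MAX_BODY_BYTES = 64 * 1024


class Decision(NamedTuple):
    verdict: str  # "allow", "deny" or "not-soap"
    reason: str


def _split_tag(tag: str) -> Tuple[str, str]:
    """ElementTree spells a namespaced tag as '{namespace}local'."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def soap_operation(body: bytes) -> Optional[Tuple[str, str]]:
    """Return (namespace, local name) of the first element inside soap:Body."""
    root = ET.fromstring(body)
    if _split_tag(root.tag) != (SOAP_ENV, "Envelope"):
        return None
    soap_body = root.find(f"{{{SOAP_ENV}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return None
    return _split_tag(soap_body[0].tag)


def inspect_request(method: str, content_type: str, body: bytes) -> Decision:
    """Decide whether an HTTP request carrying SOAP may pass the proxy."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if method.upper() != "POST" or media_type not in SOAP_CONTENT_TYPES:
        return Decision("not-soap", "left to the ordinary HTTP policy")
    if len(body) > MAX_BODY_BYTES:
        return Decision("deny", "body exceeds size limit")
    # Refuse any DTD outright: entity expansion and external entities have no
    # place in a request the proxy is about to parse.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return Decision("deny", "DTD/entity declarations not permitted")
    try:
        op = soap_operation(body)
    except ET.ParseError as exc:
        return Decision("deny", f"malformed XML: {exc}")
    if op is None:
        return Decision("deny", "not a SOAP envelope with a body element")
    if op in ALLOWED_OPERATIONS:
        return Decision("allow", f"operation {op[1]} is on the allowlist")
    return Decision("deny", f"operation {op[1]} in {op[0] or '(no namespace)'} is not allowed")


def _envelope(ns: str, operation: str) -> bytes:
    """Build a constructed sample SOAP 1.1 request envelope."""
    return (
        '<?xml version="1.0"?>'
        f'<soap:Envelope xmlns:soap="{SOAP_ENV}">'
        f'<soap:Body><m:{operation} xmlns:m="{ns}"><m:id>42</m:id></m:{operation}></soap:Body>'
        '</soap:Envelope>'
    ).encode()


# Constructed sample requests exercising each branch of the policy.
SAMPLE_ALLOWED = _envelope("urn:example:orders", "GetOrderStatus")
SAMPLE_DENIED = _envelope("urn:example:orders", "DeleteAllOrders")
SAMPLE_DTD = (
    b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "x">]>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><m:GetOrderStatus xmlns:m="urn:example:orders">&e;</m:GetOrderStatus></soap:Body>'
    b'</soap:Envelope>'
)

if __name__ == "__main__":
    for label, req in (("allowed op", SAMPLE_ALLOWED), ("unknown op", SAMPLE_DENIED), ("dtd", SAMPLE_DTD)):
        print(label, inspect_request("POST", "text/xml; charset=utf-8", req))
```

The point of the allowlist being keyed on the namespace as well as the element name is that the operation is what the proxy is really being asked to permit; an element with the right local name under a different namespace is not the same request. Anything that is not a SOAP POST falls through to whatever ordinary HTTP policy the proxy already applies.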
Current thread:
- (no subject) Paul D. Robertson (Jun 19)
- Re: (no subject) Devdas Bhagat (Jun 20)
- Re: (no subject) Marcus J. Ranum (Jun 21)
- Re: (no subject) Frank Knobbe (Jun 20)
- Re: (no subject) Aaron Smith (Jun 21)
- Re: (no subject) Coleburn (Jun 22)
- Re: (no subject) Aaron Smith (Jun 21)
- Re: (no subject) Devdas Bhagat (Jun 20)