Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: "Darden, Patrick S." <darden () armc org>
Date: Wed, 28 Nov 2007 08:54:42 -0500
I agreed with Marcus, and I agree with you. These terms are traditionally unfocused and meaningless marketing blather. That's why I attempted definitions that would add meaning in the context of this discussion.

As for tunneling--yeah. You can tunnel through http or even through icmp (yes, you can tunnel thru ping) via programs like Loki. However, as I stated, my definition of levels of security was to make things more difficult or complex, not the traditional view of more secure. I think along these lines:

80% total wankers (low level of knowledge)
10% script kiddies (adept with using pre-made programs)
5% good general hackers (truly understand firewalls and general vulnerabilities)
5% amazing experts in specific areas (amazing level of knowledge of 1-2 firewalls and a few apps (e.g. apache, mod-perl, perl))

I am making all these statistics up, it's my world-view so I am entitled. I figure, however, that level of complexity or difficulty or knowledge is what makes a difference, and so if you can discourage the majority then you have done what you can.... I.e. it is easy to keep out the bottom tier of "hackers". Most firewalls come pre-configured for that. With a little bit of work you can confound the script kiddies as well. A good security guru can confound the "good general hackers" as well, by keeping up with patches and the latest news. Only luck and great expertise will help with the "amazing experts in specific areas" however--that and having a well-planned out in-depth security system.

--Patrick Darden

Darren Reed

I think 'deep' is more of a reference about how far they'd like you to reach into your pocket - again - so they can get their product bell curve to turn the right way :-)

...
*stateful with deep packet inspection: a connection matrix is kept, mindful of sequence #s, checking to make sure that only proper protocols are allowed, and additionally checking for application level sanity--e.g. squid, a web application proxy that allows for various levels of sanity checking on http commands, can ensure that requests follow RFCs, allows a lot of custom filtering/sanitizing such as regexp type addons for getting rid of pop-ups, malware, pushes that might break cgi boundaries, etc.

Now, you're cooking with gas.
You know for a while, one of my favourite HTTP commands to a proxy was "CONNECT". telnet straight through someone's firewall that was HTTP only ;-)

I forget how it went, but something like this:

CONNECT http://12.34.56.78:23 HTTP/1.0

and sometime later, I'd happily see this:

SunOS foo login:

Of course now people restrict CONNECT to the more usual ports, such as 443 but since 443 is normally encrypted, it is uncommon for any content filtering to be applied to it... Does your ssh server /also/ run on port 443? ;)

...
Is it possible that a "firewall" is largely "a router with a sticker on it that says 'firewall'?"
The ADSL+router+NAT+Firewall you buy from Safeway at $29.95 probably is just that :-)
... Unless it's doing a lot of useful "deep" stuff at layer-7, I'd say that might be the situation. The question I want you all to start asking is: "What's 'deep' about that?"
I first heard the term "deep packet inspection" around 5 years ago and nothing I've seen or heard since then has convinced me that it is anything other than a marketing term, used by people trying to sell _something_ (be it themselves, their ideas or products) that you'd otherwise not think twice about. And it is the lack of definition about what "deep packet inspection" is that continues to make it sound good. Nobody appears to have a precise definition, so everyone can claim it (for different reasons.)

I mean, would you buy a firewall that did stateful filtering, proxying or deep packet inspection? I mean, what sounds sexier?

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
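As an added illustration of the CONNECT restriction Darren mentions (this fragment is not part of the original thread), here is how the permissive and the restricted forms look in a Squid configuration; the ACL names SSL_ports, Safe_ports and CONNECT follow the names used in Squid's stock squid.conf, and the deny rules must precede any broad http_access allow.

```conf
# Weak: any client may CONNECT to any host:port through the proxy.
# A CONNECT to 12.34.56.78:23 as in the post above would be tunnelled.
acl CONNECT method CONNECT
http_access allow CONNECT

# Restricted: CONNECT only to 443, plain requests only to listed ports.
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# ... site-specific allow rules for local clients follow here ...
http_access deny all
```

With the restricted form, a CONNECT to a non-443 port is refused and typically appears in access.log as a TCP_DENIED entry, which is the line to alert on; as Darren notes, this does nothing about what is carried inside a CONNECT to 443 itself.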