Firewall Wizards mailing list archives

Re: Firewalls that generate new packets..


From: "Darden, Patrick S." <darden () armc org>
Date: Wed, 28 Nov 2007 08:54:42 -0500


I agreed with Marcus, and I agree with you.  These terms
are traditionally unfocused and meaningless marketing 
blather.  That's why I attempted definitions that would
add meaning in the context of this discussion.

As for tunneling--yeah.  You can tunnel through http
or even through icmp (yes, you can tunnel thru ping)
via programs like Loki.  However, as I stated, my
definition of levels of security was to make things
more difficult or complex, not the traditional
view of more secure.  I think along these lines:

80%     total wankers (low level of knowledge)
10%     script kiddies (adept with using pre-made programs)
5%      good general hackers (truly understand firewalls 
        and general vulnerabilities)
5%      amazing experts in specific areas (amazing level 
        of knowledge of 1-2 firewalls and a few apps (e.g.
        apache, mod-perl, perl))

I am making all these statistics up, it's my world-view 
so I am entitled.  I figure, however, that level of
complexity or difficulty or knowledge is what makes
a difference, and so if you can discourage the majority
then you have done what you can....  

I.e. it is easy to keep out the bottom tier of "hackers".
Most firewalls come pre-configured for that.  With a 
little bit of work you can confound the script kiddies as
well.  A good security guru can confound the "good general
hackers" as well, by keeping up with patches and the latest
news.  Only luck and great expertise will help with the
"amazing experts in specific areas" however--that and
having a well-planned out in-depth security system.

--Patrick Darden



Darren Reed

I think 'deep' is more of a reference about how far they'd like
you to reach into your pocket - again - so they can get their
product bell curve to turn the right way :-)

...

*stateful with deep packet inspection: a connection matrix 
is kept, mindful of sequence #s, checking to make sure that 
only proper protocols are allowed, and additionally checking
for application level sanity--e.g. squid, a web application
proxy that allows for various levels of sanity checking on 
http commands, can ensure that requests follow RFCs, allows a 
lot of custom filtering/sanitizing such as regexp type addons 
for getting rid of pop-ups, malware, pushes that might break
cgi boundaries, etc.
   


Now, you're cooking with gas.
 


You know for a while, one of my favourite HTTP commands
to a proxy was "CONNECT".  telnet straight through
someone's firewall that was HTTP only ;-)

I forget how it went, but something like this:
CONNECT http://12.34.56.78:23 HTTP/1.0

and sometime later, I'd happily see this:

SunOS foo
login:

Of course now people restrict CONNECT to the more usual
ports, such as 443 but since 443 is normally encrypted, it
is uncommon for any content filtering to be applied to it...

Does your ssh server /also/ run on port 443? ;)


...

Is it possible that a "firewall" is largely "a router
with a sticker on it that says 'firewall'?"
 


The ADSL+router+NAT+Firewall you buy from Safeway at
$29.95 probably is just that :-)


...
Unless it's doing a lot of useful "deep" stuff at
layer-7, I'd say that might be the situation.

The question I want you all to start asking is:
"What's 'deep' about that?"
 


I first heard the term "deep packet inspection" around 5 years
ago and nothing I've seen or heard since then has convinced me
that it is anything other than a marketing term, used by people
trying to sell _something_ (be it themselves, their ideas or products)
that you'd otherwise not think twice about.

And it is the lack of definition about what "deep packet inspection"
is that continues to make it sound good.  Nobody appears to have a
precise definition, so everyone can claim it (for different reasons.)

I mean, would you buy a firewall that did stateful filtering, proxying
or deep packet inspection?  I mean, what sounds sexier?

Darren
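The "restrict CONNECT to the more usual ports" mitigation Darren mentions, written out as a squid.conf fragment; this is an added example, not configuration from the thread, and the localnet range is an assumption:

```conf
# Added example (not from the thread): squid.conf fragment that confines
# CONNECT to the ports a browser legitimately tunnels TLS over, so a
# "CONNECT host:23" request is refused by the proxy instead of forwarded.

acl SSL_ports port 443          # the only port CONNECT may tunnel to
acl Safe_ports port 80          # plain http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT      # matches the CONNECT request method

# Refuse any request whose destination port is not in Safe_ports.
http_access deny !Safe_ports
# Refuse CONNECT unless the destination port is an SSL port.
http_access deny CONNECT !SSL_ports

# Assumed client range for the example; the rules above apply to
# every client regardless of how this ACL is defined.
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all
```

A port ACL only checks the destination port, so, as the thread points out, it cannot tell an ssh daemon listening on 443 from a real TLS server; later squid releases can inspect the TLS handshake with ssl_bump, which is the next layer of checking.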

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards