Re: Firewalls that generate new packets..

[Timothy Shea <tim () tshea net>]

I agree.  As a practical matter I do take outgoing and inbound proxies  
as "security devices" and usually insist that its managed by the same  
group that manages the firewalls.  I would add to your comments that  
an outgoing proxy (such as squid or bluecoat) allows you to eliminate  
the dreaded "completely open outbound default" rule found on many  
corporate firewalls and allows a higher degree of auditing.  Both  
security minded purposes.

But the arguments over what is and what is not a security device is a  
pet peeve of mind.  Its waaay past time we stop thinking what is and  
what is not a "security device" and think how we configure and manage  
each piece in the environment with security in mind.   The firewall,  
the server, the router, the load balancer, the OS, the application  
code, processes, and, heck, even the switch and the wiring.  The  
"firewall" is becoming less and less important (and useful) as a tool  
in the grand scheme of things.

t.s


On Nov 28, 2007, at 8:08 AM, Darden, Patrick S. wrote:

> I disagree slightly with what you say.  Squid can do the
> following security oriented things:
>
> 0     sanitizes http commands going through it (dos, espec
>       unintentional doses by corrupt clients or bad networks)
> 0     can limit sizes to limit buffer overflows
> 0     can anonymize or even edit headers to limit access to
>       user-agent, link, www-authenticate, referer, from, server,
>       accept-charset, etc.
> 0     filter out known signatures for malware such as pop-ups,
>       hijack scripts, cross-site scripting, etc.
>
> That's just what I can think of off the top of my head....  You
> can use Squid as an outgoing proxy for your users, or an incoming
> cache for your servers, and both ways would provide different
> security possibilities.
>
> I am NOT saying Squid is the end-all be-all, not even advocating
> its use at all.  I was merely using it as an example of an
> application proxy.  SOCKS might make more sense than Squid,
> from a purely security perspective....
>
> --p
>
>
> Marcin Antkiewicz
> > I am well aware that Squid does not do all of the previous--
> > it is an application proxy.  Application level proxies, or
> > the equivalent, are the best form of deep packet inspectors.
> > The rest of the Stateful with deep packet inspection would be
> > what is more traditionally thought of as a firewall.  They
> > would not substitute for one another, but instead complement
> > each other.
>
> I would not look at Squid as a security device - I cannot imagine a
> security proxy written for HTTP as it stands today. In order to have
> any install base, HTTP proxy can, at most, implement ACLs/user auth  
> with
> content filtering and some spam, maybe some cookie encription/info  
> leakage
> prevention, but cannot really limit the protocol. Squid and most  
> popular
> http proxies are http caches/load balancers but not security devices.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards