Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: "Paul D. Robertson" <paul () compuwar net>
Date: Sat, 24 Nov 2007 00:04:33 -0500 (EST)
On Fri, 23 Nov 2007, Dave Piscitello wrote:
Not certain what you mean when you limit the discussion to Internet-enabled software vendors but I am pretty certain that everyone who runs an SSL VPN is running a proxy of some sort.
I didn't say "Internet-enabled software vendors" because I meant "applications that at some point in their life, but after their initial design were given grafted-on Intenret-based functionality." Specifically, in the last couple of years I've dealt with ERP/CRM, Shipping and Financial Services (Payroll) vendors who've all been unpleasantly surprised when software they've had fielded for anywhere from six months to six years doesn't work when presented with an HTTP proxy _even though there are provisions in their applicaiton code for setting up a proxy_. In every case, whatever brain damaged code was used to invoke proxy support ended up doing direct DNS lookups and trying to connect directly to the vendor's systems- and it took lots of packet traces to "prove" their software didn't work as advertised (and in every case there was the immediate request to "remove the firewall" or "open ports" to be met with "the network isn't architected that way and won't be modified thusly.") In the case of the ERP/CRM system, the code was "validated" by a third pary service provider who obviously dropped the ball in whatever "testing" they did because the proxy code functioned in "test your connectivity" mode but not in "send your data" mode. It took two days to bypass the vendor's phone firewall known as "technical support" which was neither technical nor supportive. It's pretty clear to me that where there's a proxy/filter choice to be made, the default is "filter/NAT" enough of the time that vendors are shocked when their code is questioned because "it works for everybody else" just fine. Heck, I had one major shipping vendor punt to dial-up rather than work with a vendor to fix their offering. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions paul () compuwar net which may have no basis whatsoever in fact." http://www.fluiditgroup.com/blog/pdr/ Art: http://PaulDRobertson.imagekind.com/ _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Firewalls that generate new packets.., (continued)
- Re: Firewalls that generate new packets.. Paul Melson (Nov 17)
- Re: Firewalls that generate new packets.. Dave Piscitello (Nov 19)
- Re: Firewalls that generate new packets.. Timothy Shea (Nov 19)
- Re: Firewalls that generate new packets.. ArkanoiD (Nov 21)
- Re: Firewalls that generate new packets.. Dave Piscitello (Nov 23)
- Re: Firewalls that generate new packets.. Marcus J. Ranum (Nov 23)
- Re: Firewalls that generate new packets.. Paul D. Robertson (Nov 25)
- Re: Firewalls that generate new packets.. ArkanoiD (Nov 21)
- Re: Firewalls that generate new packets.. Paul Melson (Nov 23)
- Re: Firewalls that generate new packets.. Paul D. Robertson (Nov 23)
- Re: Firewalls that generate new packets.. Dave Piscitello (Nov 23)
- Re: Firewalls that generate new packets.. Paul D. Robertson (Nov 23)
- Re: Firewalls that generate new packets.. Patrick M. Hausen (Nov 25)
- Re: Firewalls that generate new packets.. Dave Piscitello (Nov 25)
- Re: Firewalls that generate new packets.. Marcus J. Ranum (Nov 26)
- Re: Firewalls that generate new packets.. Paul Melson (Nov 17)
- Re: Firewalls that generate new packets.. Paul Melson (Nov 25)
- Re: Firewalls that generate new packets.. Marcus J. Ranum (Nov 23)
- Re: Firewalls that generate new packets.. Dave Piscitello (Nov 21)