Firewall Wizards mailing list archives
Re: Firewall best practices
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 23 Apr 2010 20:42:39 -0500
Martin Barry wrote:
> Marcus, are you referring to DPI or proxies or both or something else entirely?
I wasn't referring to anything in specific; I think, though, that we've moved past the point where we can think of firewalls as just source/dest IP source/dest port and we need to start characterizing genres and sub-genres of traffic. There was a time when Jon Postel said that "Email is the new datagram" but now "HTTP is the new IP" - we've lost the battle on trying to have HTTP just be a fetch protocol for data; it's now a much more complicated thing with genres and sub-genres and probably sub-sub-genres of traffic.

We can't meaningfully "firewall" traffic if "permit source HTTP ANY" includes VPNs, bidirectional commands, voice data, and who knows what else? We're reaping the rewards of ignoring that problem, in the form of firewall-busting malware that does all the stuff that yesterday's "firewall friendly application" used to do. I guess what I'm saying is that we need application friendly firewalls to undo the damage from the firewall friendly applications. :)

I think that the vendors' technology strategies largely show an awareness of the problem; they mostly have some kind of increasingly powerful layer-7 processing capability either in the product, in the works, or on the roadmap. They've got to, because firewall friendly applications are about as friendly to the firewall as a bullet to the head.

You're completely right about the "if the application emulates HTTPS traffic" problem. I don't have an answer to that one other than "we warned everyone that that was going to be a problem." At this point, it's less of a technical problem than a social one. It seems to me that an organization cannot claim to be concerned about security while allowing user-oriented encrypted outgoing links to any target. That's just foolishness. The fact that "everyone does it" doesn't make it any less foolish. Back in the proxy days we advocated tying outgoing connections to an authenticated user; that's another important aspect of the problem that gets short shrift.

mjr.
--
Marcus J. Ranum
CSO, Tenable Network Security, Inc. http://www.tenablesecurity.com
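The point of the post is that a rule like "permit source HTTP ANY" says nothing about what is actually inside the HTTP session, and that outbound access should be tied to an authenticated user. The following is an added example, not code from the post or from any vendor product: a toy egress-policy evaluator that runs a port-only rule and a genre-aware, user-aware rule over the same constructed proxy records. The record fields, the genre heuristics (CONNECT means an encrypted tunnel; a long-lived, roughly symmetric flow is a channel rather than a fetch), and the allowlist of tunnel targets are all assumptions made for illustration.

```python
"""Added example (not part of the original post): port-only vs genre-aware egress policy.

All flow records below are constructed for the example; they are not real proxy logs.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Flow:
    user: Optional[str]   # authenticated user, or None if the connection is anonymous
    dst_host: str
    dst_port: int
    method: str           # GET / HEAD / POST / CONNECT as seen by the proxy
    bytes_out: int        # client -> server
    bytes_in: int         # server -> client
    duration_s: float


# Hypothetical allowlist: the only targets for which an encrypted outgoing tunnel is acceptable.
ALLOWED_TUNNEL_TARGETS = {"mail.example.com", "intranet.example.com"}


def classify_genre(f: Flow) -> str:
    """Coarse traffic genre from what a proxy can observe (constructed heuristics)."""
    if f.method == "CONNECT":
        return "encrypted-tunnel"           # opaque to the firewall: could be VPN, C2, voice...
    if f.method in ("GET", "HEAD") and f.bytes_out < f.bytes_in:
        return "fetch"                      # the classic "HTTP is a fetch protocol" case
    # sustained, roughly symmetric, long-lived traffic behaves like a channel, not a fetch
    if f.duration_s > 60 and f.bytes_in and 0.5 <= f.bytes_out / f.bytes_in <= 2.0:
        return "bidirectional-channel"
    return "post"


def port_only_policy(f: Flow) -> bool:
    """The layer-4 rule the post criticises: anything on 80/443 is 'HTTP', so permit it."""
    return f.dst_port in (80, 443)


def genre_aware_policy(f: Flow) -> Tuple[bool, str]:
    """Permit only authenticated users, and only traffic whose genre the policy understands."""
    if f.user is None:
        return False, "unauthenticated user"
    genre = classify_genre(f)
    if genre == "encrypted-tunnel" and f.dst_host not in ALLOWED_TUNNEL_TARGETS:
        return False, "encrypted tunnel to non-allowlisted target " + f.dst_host
    if genre == "bidirectional-channel":
        return False, "bidirectional channel carried inside HTTP"
    return True, genre


def audit(flows: List[Flow]) -> List[Tuple[str, bool, bool, str]]:
    """Return (dst_host, port_only_decision, genre_aware_decision, reason) per flow."""
    result = []
    for f in flows:
        ok, reason = genre_aware_policy(f)
        result.append((f.dst_host, port_only_policy(f), ok, reason))
    return result


# Constructed sample flows: one honest page fetch, and four things that also look like "HTTP".
SAMPLE_FLOWS = [
    Flow("alice", "www.example.com", 80, "GET", 500, 20000, 0.4),
    Flow(None, "www.example.com", 80, "GET", 500, 20000, 0.4),
    Flow("bob", "203.0.113.10", 443, "CONNECT", 90000, 85000, 900.0),
    Flow("carol", "mail.example.com", 443, "CONNECT", 30000, 120000, 30.0),
    Flow("dave", "updates.example.net", 80, "POST", 400000, 380000, 1800.0),
]

if __name__ == "__main__":
    for host, l4, l7, reason in audit(SAMPLE_FLOWS):
        print(f"{host:22} port-only={l4!s:5} genre-aware={l7!s:5} ({reason})")
```

Every sample flow passes the port-only rule; only the authenticated page fetch and the tunnel to an allowlisted target pass the genre-aware one. The heuristics are deliberately crude; the lesson is that the decision needs the user and the genre as inputs at all, not that these particular thresholds are right.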