Firewall Wizards mailing list archives

Re: Proxies, opensource and the general market: what's wrong with us?


From: ArkanoiD <ark () eltex net>
Date: Mon, 2 May 2011 19:57:33 +0400

Packet filters and packet filtering threat control are reactive by design.
(Well, maybe not "by design" as a principle of the technology, but "by design" of
the current implementation, being basically a way to apply a regexp to a tcp/ip packet
or a tcp flow - and the second technique is called "advanced".)

The efficiency of threat control depends on the nature of the threat.
Protocol-driven attacks are not that widespread now, but they still do exist.
I checked CVEs for, say, pop3 vulnerabilities of the last 5 years and found out that about 90% are
protocol abuses that are prevented by a proper proxy on a zero-knowledge basis.

For http the situation is strictly the opposite, to be honest. But for http there are other
things a proxy can do.

On Sat, Apr 30, 2011 at 04:10:44PM -0400, Dave Piscitello wrote:

> I wonder if this "all a firewall should be is a packet filter" is truly
> the case. Is the buyer focus on proxy or packet filtering these days, or
> on "blocking X" where X is "a threat"?
>
> Most of the commercial marketing blather focuses on controlling threats,
> users, and application specific attacks. The only mention of packet
> filtering is often in the context of "packet filtering is no longer
> effective". Granted, this is smoke and mirrors, but search NGFW or WAF
> and tell me what you find. I'm not advocating that this is a good thing,
> BTW.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
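The "zero-knowledge" protocol enforcement the post describes, as an added example that is not from the thread or any product: a checker that admits only POP3 client commands conforming to the RFC 1939 grammar and state machine, so malformed input is dropped without a signature for any particular CVE. The 255-octet line limit is taken from RFC 2449; the state names are the RFC's own; PASS is treated as the single argument RFC 1939 specifies.

```python
# Protocol-conformance filter for POP3 client commands (RFC 1939 grammar).
# A proxy that forwards only commands matching the protocol's own syntax
# rejects malformed input without a signature for any particular bug.
# Constructed example, not code from the mailing list or any product.

MAX_LINE = 255   # RFC 2449: command line limit, including the CRLF
MAX_ARG = 40     # RFC 1939 section 3: each argument up to 40 characters

# keyword -> (states it is allowed in, min args, max args, numeric arg slots)
COMMANDS = {
    "USER": ({"AUTHORIZATION"}, 1, 1, ()),
    "PASS": ({"AUTHORIZATION"}, 1, 1, ()),
    "APOP": ({"AUTHORIZATION"}, 2, 2, ()),
    "QUIT": ({"AUTHORIZATION", "TRANSACTION"}, 0, 0, ()),
    "STAT": ({"TRANSACTION"}, 0, 0, ()),
    "LIST": ({"TRANSACTION"}, 0, 1, (0,)),
    "RETR": ({"TRANSACTION"}, 1, 1, (0,)),
    "DELE": ({"TRANSACTION"}, 1, 1, (0,)),
    "NOOP": ({"TRANSACTION"}, 0, 0, ()),
    "RSET": ({"TRANSACTION"}, 0, 0, ()),
    "TOP": ({"TRANSACTION"}, 2, 2, (0, 1)),
    "UIDL": ({"TRANSACTION"}, 0, 1, (0,)),
}

def check_pop3_command(line: bytes, state: str = "TRANSACTION"):
    """Return (ok, reason); only a well-formed command for `state` passes."""
    if len(line) > MAX_LINE:
        return False, "line too long"
    if not line.endswith(b"\r\n"):
        return False, "missing CRLF terminator"
    body = line[:-2]
    if not all(0x20 <= c < 0x7F for c in body):
        return False, "non-printable or non-ASCII octet"
    parts = body.decode("ascii").split(" ")  # RFC: one SPACE between tokens
    keyword, args = parts[0].upper(), parts[1:]
    if keyword not in COMMANDS:
        return False, "unknown keyword"
    states, lo, hi, numeric = COMMANDS[keyword]
    if state not in states:
        return False, f"{keyword} not allowed in {state} state"
    if not lo <= len(args) <= hi:
        return False, "wrong argument count"
    for i, arg in enumerate(args):
        if not arg or len(arg) > MAX_ARG:
            return False, "argument empty or too long"
        # unsigned decimal only; whether the message exists is the server's call
        if i in numeric and not arg.isdigit():
            return False, "numeric argument expected"
    return True, "ok"
```

Everything the checker rejects is a line no conforming client would ever send, which is why such a proxy needs no per-vulnerability knowledge; the cost is that non-conforming but benign clients are rejected too.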
