
Monday, July 09, 2007

firewall-wizards Digest, Vol 15, Issue 1

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewall scaling (R. DuFresne)
2. Recommended Open Source Proxy Firewalls (Mathew Brown)
3. Re: Recommended Open Source Proxy Firewalls (Patrick M. Hausen)
4. Re: Recommended Open Source Proxy Firewalls (Gumennik, Mark J.)
5. Re: Firewall scaling (J. Oquendo)


----------------------------------------------------------------------

Message: 1
Date: Fri, 6 Jul 2007 16:29:14 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
Subject: Re: [fw-wiz] Firewall scaling
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <Pine.LNX.4.64.0707061626590.5321@darkstar.sysinfo.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Total nonsense! If you have 100 or so users at WORK of all places using
bittorrent to produce greater than 320 connections apiece, there is no
work getting done.

The original poster said small company, nothing about a college or .edu.

Folks need to read, breathe, re-read, then choose not to post nonsense.

Thanks,

Ron DuFresne


On Wed, 27 Jun 2007, Pollock, Joseph wrote:

> I want to second this comment. With p2p software running on clients in
> our dorms, I've seen 3500+ connections from individual computers. And
> the social networking sites are almost as bad, loading data from dozens
> or hundreds of sites on a single page. I just saw a report that some of
> them generate several hundred DNS queries from a single page load. We
> have the data flow restricted, but the connections still get
> established.
>
> If you're a business site, though, you likely have more control over the
> local desktop.
>
> Joe Pollock
> Network Services
>
> -----Original Message-----
>
>>
>> it depends very much what the traffic pattern for those users is.
>> it's not that hard to generate 32k connections with 100 pcs :)
>
> Right, especially if you have dorms full of college students running
> bittorrent.
>
> Jason Mishka - "I'm like a Subway in a land of McDonalds..."
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com

http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>


------------------------------

Message: 2
Date: Sun, 08 Jul 2007 09:34:22 -0700
From: "Mathew Brown" <mathewbrown@fastmail.fm>
Subject: [fw-wiz] Recommended Open Source Proxy Firewalls
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <1183912462.31459.1199070639@webmail.messagingengine.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi,
I just finished reading Marcus Ranum's very interesting paper -

http://www.ranum.com/security/computer_security/editorials/deepinspect/index.html

- comparing "deep packet inspection firewalls" with "proxy firewalls"
and was interested in investigating open source "proxy firewalls". Do
open source proxy firewalls even exist, and if so, which would you
recommend and why? Thank you for your help.
--
Mathew Brown
mathewbrown@fastmail.fm

--

http://www.fastmail.fm - A no graphics, no pop-ups email service

------------------------------

Message: 3
Date: Mon, 9 Jul 2007 20:25:19 +0200
From: "Patrick M. Hausen" <hausen@punkt.de>
Subject: Re: [fw-wiz] Recommended Open Source Proxy Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20070709182519.GC36484@hugo10.ka.punkt.de>
Content-Type: text/plain; charset=iso-8859-1

Hi, all!

On Sun, Jul 08, 2007 at 09:34:22AM -0700, Mathew Brown wrote:
> Hi,
> I just finished reading Marcus Ranum's very interesting paper -
>
> http://www.ranum.com/security/computer_security/editorials/deepinspect/index.html
> - comparing "deep packet inspection firewalls" with "proxy firewalls"
> and was interested in investigating open source "proxy firewalls". Do
> open source proxy firewalls even exist, and if so, which would you
> recommend and why? Thank you for your help.

Well, IMHO this question is not a simple one to answer, because
as soon as I'm thinking about the first fact I might want to
tell you, I feel like opening Pandora's box ;-) Where to start ..?

OK, first: I do not know of any more or less polished "product" that
would fit the term "Open Source Application Level Gateway" and meet
today's standards.

Go and get a copy of "Firewalls and Internet Security" by Steve Bellovin
and Bill Cheswick. It tells you almost everything you need to know to
build your own. At least it will tell you all the principles and
concepts. They have not changed that much in the last years, despite
vendors hyping a new "technology" every other year or so.

The problem with real application level gateways is: you need to
"support" a whole bunch of applications that are inherently
insecure. So while I believe that you can build a reasonably
strong proxy for HTTP, because the protocol is ubiquitous, reasonably
well understood, and there are a lot of plugins for e.g. the
Squid proxy, that implement MIME filtering, virus checking ...,
for many other real world applications you are out of luck.

Reason being that the protocols themselves are proprietary.
Which is a bad thing when you think about security. Still they
exist and people will want to run them through your firewall
and - and this is the most important point - if they are not
completely brainwashed by the security industry, they will
expect the firewall (i.e. the particular proxy) to know what
it's doing. E.g. an Oracle proxy for database access over the
net could only permit certain configurable databases (SIDs in
Oracle speak) to be accessed by a certain client.
You will probably need to sign an NDA with Oracle to get enough
information to actually go and write such a proxy. And even
if you figure it out yourself, they might sue you ;-)

So if you insist on using open source you end up with a
"TCP plug" proxy. You could just use a static packet filter
with a little bit of "SYN/ACK/established" brains instead.
There really isn't that much difference, save possibly IP
fragment tricks and similar low level stuff.

Unfortunately the majority of application layer firewall
vendors discredited themselves years ago, shipping products
that had advanced understanding of the underlying protocol
only for some simple and common stuff: HTTP, FTP, Telnet,
End of List. Even Gauntlet 6.0 implemented the HTTPS "proxy"
as a simple TCP plug. As I said, there's probably nothing won
by this. IIRC, Marcus once called that the "dirty little
secret" of ALG vendors. Gauntlet was better than a simple
NAT gateway, though, because of its "default deny" policy
instead of "anything initiated from inside must be 'good'".
But not much. At least not if matched against today's threats
which are mostly targeted at the application.

I'm selling a particular ALG (Sidewinder by Secure Computing)
and to most potential customers I have to explain these
concepts carefully and in depth, and demonstrate just how
many filtering capabilities my product really has - because
they have been trained into thinking that firewalls are about
permitting or denying "ports".

E.g. the Sidewinder's HTTPS proxy enforces a proper TLS handshake
when the connection is initiated. It cannot work magic, so once
the encryption is in place, it's just as blind about the content
as a plug, but at least it enforces protocol. So: Skype does
not work through a Sidewinder in default configuration. I consider
that a feature. Skype uses a proprietary encrypted protocol over
port 443, because most packet filtering firewalls or adaptive
deep inspection whatever thingies just leave that port wide open
for everything. And you can add SSL decryption and man-in-the-middle
your connections to do real content inspection even on HTTPS.

I don't want to just endorse Sidewinder's merits, I just want to
give you a picture of what it takes to build an application
level gateway that matches today's threats.

And that's for every single application! You need an MS-SQL
proxy that understands MS-SQL. Want netmeeting? You need a
proxy that speaks H.323 and T.120. As I said ... Pandora's box.

So, for historical and technical studies, you could look here:

http://www.fwtk.org/

But don't expect it to match up against Sidewinder or Cyberguard
or other commercial offerings.

And as much as I prefer Sidewinder over every competing product
I've seen so far: it still does much too little! I'd love to
have an HTTP proxy that takes a set of regular expressions to
match against URLs that are permitted to be fetched from a
protected web server and denies everything else.
Just as a start. I can think of many more things an ALG could do. ;-)

HTH,
Patrick
--
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info@punkt.de

http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285

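Two of the checks Patrick describes, written out as an added example that is not from the digest nor from any product he names: an HTTPS proxy that enforces TLS handshake framing before it relays anything (so a proprietary protocol on port 443 is refused while the proxy stays blind to the encrypted content), and the default-deny HTTP proxy that only fetches URLs fully matching a set of regular expressions. All function names, patterns and sample inputs are constructed for this example.

```python
import posixpath
import re
import struct
from urllib.parse import unquote

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01   # handshake message type: ClientHello


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True only if the first client bytes are a TLS handshake record
    carrying a ClientHello. This is the "enforce the protocol" step: a
    proprietary protocol sent over port 443 fails here, while the proxy
    stays as blind as a plug to whatever is encrypted afterwards."""
    if len(data) < 9:
        return False
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != TLS_HANDSHAKE or major != 3 or minor > 3:
        return False          # not an SSLv3/TLS 1.x handshake record
    if rec_len < 4 or rec_len > 16384:
        return False          # impossible record length
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")   # 3-byte handshake length
    return hs_type == TLS_CLIENT_HELLO and hs_len + 4 <= rec_len


def url_permitted(path: str, patterns) -> bool:
    """Default deny for a protected web server: the request path must
    fully match one allowlisted regular expression. The path is
    percent-decoded and normalised first, so "/app/%2e%2e/admin" is
    judged as "/admin" rather than slipping past a pattern for /app/."""
    clean = posixpath.normpath(unquote(path))
    return any(re.fullmatch(p, clean) for p in patterns)


# Constructed sample inputs (not captured traffic).
CLIENT_HELLO = b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28" + b"\x00" * 0x28
PLAIN_HTTP_ON_443 = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
ALLOWED_URLS = [r"/", r"/index\.html", r"/products/[a-z0-9-]+",
                r"/static/[\w.-]+\.(?:css|js|png)"]

if __name__ == "__main__":
    print(looks_like_tls_client_hello(CLIENT_HELLO))              # True
    print(looks_like_tls_client_hello(PLAIN_HTTP_ON_443))         # False
    print(url_permitted("/products/widget-42", ALLOWED_URLS))     # True
    print(url_permitted("/products/%2e%2e/admin", ALLOWED_URLS))  # False
```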

------------------------------

Message: 4
Date: Mon, 9 Jul 2007 13:53:28 -0400
From: "Gumennik, Mark J." <mgumennik@mitre.org>
Subject: Re: [fw-wiz] Recommended Open Source Proxy Firewalls
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<FD7E7B96AFD3DB46AA13B39261A2279401FBAD28@IMCSRV3.MITRE.ORG>
Content-Type: text/plain; charset="us-ascii"

This article is 2000 years old, but still true.
I don't know any open source ones, but did work with 2 good commercial
ones:
- Sidewinder by Secure Computing
- Raptor, now by Symantec

Mark G

-----Original Message-----
From: firewall-wizards-bounces@listserv.cybertrust.com
[mailto:firewall-wizards-bounces@listserv.cybertrust.com] On Behalf Of
Mathew Brown
Sent: Sunday, July 08, 2007 12:34 PM
To: firewall-wizards@listserv.cybertrust.com
Subject: [fw-wiz] Recommended Open Source Proxy Firewalls

Hi,
I just finished reading Marcus Ranum's very interesting paper -

http://www.ranum.com/security/computer_security/editorials/deepinspect/index.html
- comparing "deep packet inspection firewalls" with "proxy firewalls"
and was interested in investigating open source "proxy firewalls". Do
open source proxy firewalls even exist, and if so, which would you
recommend and why? Thank you for your help.
--
Mathew Brown
mathewbrown@fastmail.fm

--

http://www.fastmail.fm - A no graphics, no pop-ups email service

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

Message: 5
Date: Mon, 09 Jul 2007 13:05:42 -0400
From: "J. Oquendo" <sil@infiltrated.net>
Subject: Re: [fw-wiz] Firewall scaling
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <46926AE6.8000301@infiltrated.net>
Content-Type: text/plain; charset="iso-8859-1"

R. DuFresne wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Total nonsense! If you have 100 or so users at WORK of all places using
> bittorrent to produce greater than 320 connections apiece, there is no
> work getting done.
>
> The original poster said small company, nothing about a college or .edu.
>
> Folks need to read, breathe, re-read, then choose not to post nonsense.
>
> Thanks,
>
> Ron DuFresne
>

Not necessarily the case. For one, if it's not blocked, someone could
have tried some QoS voodoo and limited that traffic to 1k per session ;)
Highly doubtable though. Heck, I'm at a midsized company and QoS in here
would be a plus but it's highly sneered at.

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

"Wise men talk because they have something to say;
fools, because they have to say something." -- Plato




------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 15, Issue 1
***********************************************

1 comment:

Anonymous said...

I am glad you said that?