Monday, August 27, 2007

firewall-wizards Digest, Vol 16, Issue 14

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: ***SPAM*** Re: IPv6 support in firewalls (Patrick M. Hausen)
2. Query: Why bother with an application proxy over stateful
packet filtering? (william fitzgerald)


----------------------------------------------------------------------

Message: 1
Date: Mon, 27 Aug 2007 09:30:45 +0200
From: "Patrick M. Hausen" <hausen@punkt.de>
Subject: Re: [fw-wiz] ***SPAM*** Re: IPv6 support in firewalls
To: dave@corecom.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: "Patrick M. Hausen" <hausen@punkt.de>
Message-ID: <20070827073045.GA90669@hugo10.ka.punkt.de>
Content-Type: text/plain; charset=iso-8859-1

Hi, all,

On Thu, Aug 23, 2007 at 05:06:55PM -0400, Dave Piscitello wrote:

> I'm sorry, but you are not using the term end-to-end in the correct context.

Understood and agreed, but ... ;-)

> Almost any firewalled configuration uses IP masquerading and that's hugely
> important. Do you really think it's better to assign public address space
> behind firewalls? Do you really want everyone to know every IP address block
> your organization uses internally by querying an RIR?

Yes, I think "official" registered address space for every single
node, PC, mobile phone, fridge, coffee machine, ... _is_ the
ultimate goal and one of the major reasons to deploy IPv6.

First you should not rely on NAT as a security measure, anyway,
because it isn't.

Second, one can just as well deploy a proxy with registered
address space on both sides. I'm doing it in my datacenter
to protect web and database servers. There's nothing gained
by putting the "visible" address on the proxy and the web server
on net 10. Besides added complexity and worse logging capabilities.
Modern proxy firewalls with transparency appear like a router to
the protected hosts, so why not use them that way and disable NAT?

Third, this is the _only_ way to get rid of the "net 10 considered
harmful" nightmare that pops up over and over again when two
enterprises want to connect their internal nets in some way.
For example SAP already hands /29 subnets of their own RIPE
assigned IPv4 address space to their customers to build DMZs for
remote support/VPN access, precisely for this reason.

> These combined are reasons to implement IPv4 forever:-)

IMHO these are the combined reasons to start over and
kill NAT forever.

Kind regards,
Patrick M. Hausen
--
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info@punkt.de

http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285


------------------------------

Message: 2
Date: Mon, 27 Aug 2007 15:05:16 +0100
From: william fitzgerald <wfitzgerald@tssg.org>
Subject: [fw-wiz] Query: Why bother with an application proxy over
stateful packet filtering?
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <46D2DA1C.7080307@tssg.org>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Experts,

I am interested in knowing more about network access control via various
kinds of firewalls.

I am wondering why there would be a need to set up a proxy such as a web
proxy (Squid) instead of just using a stateful packet filtering firewall
(iptables) only in a network?

I realise Squid provides caching but, leaving that aside and focusing on
the security policy aspects, what advantages can it offer over a general
purpose firewall?

My initial research/reading into Squid for example seems to suggest
that Linux iptables can cover all of Squid's functionality such as ACL
via ports and IP address range, protocol type, deep packet inspection
etc.

One thing however I see Squid can do is provide access control by
end-user, whereas iptables seems only to provide this at a host machine
level.

But I see iptables has the --owner matching along with --string
matching and also has a layer-7 module now.

I am just trying to get a feel for why one would be used over another.

Also, are web proxies used in conjunction with firewalls or in place of
a firewall?

I presume a bastion style host proxy with a firewall is the usual setup:

LAN --> squid proxy --> iptables ---> internet

or even a multi-homed device:

LAN --> [proxy and firewall] --> internet

regards,
Will.


- --
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG0tocIcwlebz1MmwRAvwOAJ93bgxR71YoQyfc8j97bNP7nM/N2gCg7Mwe
uX7Oi+/dg8hZTL/iTrRFBcA=
=MKS+
-----END PGP SIGNATURE-----
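As an added example that is not part of either message in this digest (the names, addresses, users and rule sets are constructed for this page, not taken from Squid or iptables), the following Python models the question Will asks: the same TCP connection evaluated by a stateful packet filter, which only sees addresses, ports and connection state, and by an application proxy, which authenticates the user from the Proxy-Authorization header and parses the HTTP request before deciding. The filter accepts 10.0.0.5 -> 203.0.113.10:80 whoever is using the PC; the proxy gives a different answer for alice (staff) and bob (guest) on the very same connection, refuses CONNECT tunnels to anything but 443, and enforces a domain blocklist that a port-based rule cannot express.

```python
from __future__ import annotations

import base64
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# --- Layer 3/4: a packet filter decides on addresses, ports, protocol and
#     connection state. Constructed first-match rule set in the style of an
#     iptables FORWARD chain: the LAN may open connections to any host on
#     80 or 443, everything else is dropped.
@dataclass(frozen=True)
class FilterRule:
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # destination port, None = any
    action: str           # "ACCEPT" or "DROP"

FILTER_RULES = [
    FilterRule("10.0.0.0/24", "0.0.0.0/0", 80, "ACCEPT"),
    FilterRule("10.0.0.0/24", "0.0.0.0/0", 443, "ACCEPT"),
    FilterRule("0.0.0.0/0", "0.0.0.0/0", None, "DROP"),
]

def packet_filter(src_ip: str, dst_ip: str, dport: int, rules=FILTER_RULES) -> str:
    """First matching rule wins for a NEW connection. The filter has no
    notion of which user sits behind src_ip or which site/URL is requested."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "DROP"

# --- Layer 7: the proxy terminates the client's TCP connection, parses the
#     HTTP request and authenticates the user before deciding. The user table,
#     groups and domain lists are constructed for the example.
USERS = {"alice": ("s3cret", "staff"), "bob": ("guest-pw", "guest")}
ALLOWED_FOR_GUESTS = {"intranet.example.com"}
BLOCKED_FOR_ALL = {"malware.example.net"}

def parse_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split a proxy-style HTTP/1.1 request into method, target and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def authenticate(headers: dict[str, str]) -> Optional[tuple[str, str]]:
    """Return (user, group) from a Basic Proxy-Authorization header, else None."""
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    entry = USERS.get(user)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return None
    return user, entry[1]

def proxy_acl(raw_request: bytes) -> tuple[str, str]:
    """Decide on one request, roughly the way a Squid http_access list would."""
    try:
        method, target, headers = parse_request(raw_request)
    except ValueError:
        return "DENY", "400 malformed request"
    ident = authenticate(headers)
    if ident is None:
        return "DENY", "407 proxy authentication required"
    user, group = ident
    # CONNECT carries host:port as its target; other methods name the site in Host.
    host = target.rsplit(":", 1)[0] if method == "CONNECT" else headers.get("host", "")
    if host in BLOCKED_FOR_ALL:
        return "DENY", f"{host} is blocked for everyone"
    if method == "CONNECT" and not target.endswith(":443"):
        return "DENY", "CONNECT tunnels only to port 443"
    if group == "guest" and host not in ALLOWED_FOR_GUESTS:
        return "DENY", f"guest {user} may not reach {host}"
    return "ALLOW", f"{user} ({group}) -> {method} {host}"

def build_request(method: str, target: str, user: str, password: str,
                  host: Optional[str] = None) -> bytes:
    """Constructed client request carrying Basic proxy credentials."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    lines = [f"{method} {target} HTTP/1.1", f"Proxy-Authorization: Basic {cred}"]
    if host:
        lines.append(f"Host: {host}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

if __name__ == "__main__":
    # One TCP connection, one answer from the packet filter...
    print("filter:", packet_filter("10.0.0.5", "203.0.113.10", 80))
    # ...and two different answers from the proxy, depending on who is asking.
    for user, pw in (("alice", "s3cret"), ("bob", "guest-pw")):
        req = build_request("GET", "http://www.example.org/", user, pw, "www.example.org")
        print("proxy:", *proxy_acl(req))
```

The two mechanisms complement rather than replace each other: in the LAN -> proxy -> iptables layout from the question, the filter's job shrinks to letting only the proxy host out on 80/443 and dropping direct egress from the LAN, so every web request has to pass the layer-7 decision above. A per-packet string match on the filter can look for bytes such as a Host header, but it has no authenticated user to attach a decision to and sees nothing inside a TLS connection, whereas the proxy, as the TCP endpoint, at least sees the CONNECT target and the credentials presented.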


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 16, Issue 14
************************************************
