Saturday, September 01, 2007

firewall-wizards Digest, Vol 17, Issue 1

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Query: Why bother with an application proxy over stateful
packet filtering? (K K)
2. Stand Alone vs. Domain System (Rafael Palma Teixeira)


----------------------------------------------------------------------

Message: 1
Date: Tue, 28 Aug 2007 15:20:05 -0500
From: "K K" <kkadow@gmail.com>
Subject: Re: [fw-wiz] Query: Why bother with an application proxy over
stateful packet filtering?
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Cc: Andy Cunningham <andyc@cunningham.me.uk>
Message-ID:
<dc718edc0708281320w632cc9c6v10c9a0bddd522c6a@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On 8/27/07, william fitzgerald <wfitzgerald@tssg.org> wrote:
> Also, are web proxy's used in conjunction with firewalls
> or in place of a firewall.

Depends on the site. There are many "firewalls" which include web
proxy functionality, and many commercial web proxy products market
themselves as being a replacement for a traditional "firewall".

In big business I often see an ingress+egress packet filter (a "filter
router") on the outermost edge, with proxy firewalls just inside the
filter, and then the soft and juicy center just "inside" the proxy
firewall layer.


> While agree with you view of controlling telnet or in appropriate
> protocols across a firewall as compared with using a more fine grained
> web proxy, i can still by pass the proxy via "httptunnel" for example.
>
> So both proxy and firewall can be equally subverted internally via out
> bound traffic to a rogue service listening on a http port.

Any good administrator and/or log analysis tool can detect basic
tunnel tools such as "httptunnel".

While it's still possible to bypass the proxy, it's no longer nearly
as trivial as it once was. Newer application proxies are doing true
Man In the Middle (MITM) against encrypted protocols such as SSL and
SSH, so even wrapping your protocol in TLS is no longer sufficient.

Squid doesn't have these particular features, yet.


> Second Point:
> also iptables could use its "string matching" to filter in appropriate
> sites that match content keywords or even based on a black-hole list.

While the difference between an "application proxy" and a "protocol
aware stateful inspection packet filter" is shrinking, there is still
a gap between the two types of products, generally the difference is
how much actual protocol awareness and state is in the security
gateway, and how high in the OSI stack the gateway can do rewriting
and remediation.

Also, I prefer a policy of "that which is not explicitly permitted is
denied by default, and repeated attempts to evade policy have swift
and non-trivial consequences."


> I guess I am still struggling to see any real benefits as of right now
> apart from the obvious web caching abilities but thats not what this
> discussion is about.

There are some specific benefits to using a non-transparent HTTP proxy
to funnel all HTTP protocol requests through a single specific port,
so applications which expect a browser to be able to establish a HTTP
session using non-standard TCP ports work without having to write a
custom filter rule for each, or just permit all possible outbound
ports.

For an extreme example of the benefits of application proxy over a
"smart" packet filter, take a look at the BalaBit Shell Control Box
(SCB), which intercepts and inspects SSH sessions, auditing behavior
and selectively enforcing policy, without the network administrator
needing to have any visibility into or control over the local policy
on the endpoint machines (the only other way I know of to have that
level of granularity and control over an encrypted tunnel).

Kevin

(P.S. Has anybody here actually deployed SCB?)


------------------------------

Message: 2
Date: Wed, 29 Aug 2007 20:56:47 +0100
From: "Rafael Palma Teixeira" <rpteixeira@gmail.com>
Subject: [fw-wiz] Stand Alone vs. Domain System
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<2aa15a220708291256q1f0be651m8a331d8a84519a75@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi List.
I need your thoughts on this one:
Assuming that a laptop will have a few corporate security features (HD
encryption, patch, AV and so forth) will it be safer for it to be in
standalone mode (avoiding domain SID and other information to be leaked) or
joined in a Windows domain (with all that goes along, groups policies and
stuff) ?

Thanks for your time.

R


--
What luck for the rulers that men do not think.
Adolf Hitler
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20070829/e69a642e/attachment-0001.html


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 17, Issue 1
***********************************************

No comments:

Post a Comment