Monday, May 02, 2011

firewall-wizards Digest, Vol 58, Issue 2

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Proxies, opensource and the general market: what's wrong
with us? (Dave Piscitello)
2. Re: Proxies, opensource and the general market: what's wrong
with us? (david@lang.hm)
3. Re: Proxies, opensource and the general market: what's wrong
with us? (david@lang.hm)
4. Re: Proxies, opensource and the general market: what's wrong
with us? (Claudio Telmon)


----------------------------------------------------------------------

Message: 1
Date: Sat, 30 Apr 2011 16:10:44 -0400
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <4DBC6CC4.1070707@corecom.com>
Content-Type: text/plain; charset=ISO-8859-1


On 4/27/2011 4:52 PM, David Lang wrote:
> open projects implementing proxies have a really hard time here, because
> most people have bought into the marketing that all a firewall should be
> is a packet filter, so proxies aren't going to be used by anyone who can
> just use a packet filter, and the available proxies don't do a lot of
> things that the commercial tools do, so the gap where someone has
> decided that packet filters are not good enough, and where they need
> features that only the commercial tools offer is pretty narrow.

I wonder if this "all a firewall should be is a packet filter" is truly
the case. Is the buyer focus on proxy or packet filtering these days, or
on "blocking X" where X is "a threat"?

Most of the commercial marketing blather focuses on controlling threats,
users, and application specific attacks. The only mention of packet
filtering is often in the context of "packet filtering is no longer
effective". Granted, this is smoke and mirrors, but search NGFW or WAF
and tell me what you find. I'm not advocating that this is a good thing,
BTW.


------------------------------

Message: 2
Date: Fri, 29 Apr 2011 10:39:03 -0700 (PDT)
From: david@lang.hm
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.2.00.1104291035450.29811@asgard.lang.hm>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Fri, 29 Apr 2011, ArkanoiD wrote:

> On Thu, Apr 28, 2011 at 06:21:35PM -0700, david@lang.hm wrote:
>> the fact that you need to direct me to use a CVS snapshot because all the
>> tarballs are too old is a really good indicator of the problem.
>
> Just check out HEAD. Or, even better, I will upload new snapshot today.

I'll wait for the snapshot and work from that.

>> I looked at openfwtk when it was first announced, and at that time it
>> wasn't ready to replace all the parts of fwtk that I use, so I didn't move
>> to it. I've checked back once in a while, but without seeing new releases
>> it hasn't seemed like there was anything new to test.
>>
>> I would suggest moving to git or similar DVCS so that you can create a
>> fork for developing each new feature and then as each one gets done, merge
>> it in to the main trunk rather than having to either keep development out
>> of the main repository, or have each snapshot get a fairly random state of
>> functionality between all the development.
>
> CVS branches are ok as well..

CVS doesn't have good tools for merging the branches back together, and
only people who have commit access to CVS can use them. With a DVCS (I
happen to favor git, but this applies to any of them), people can do local
work and then push it back to the central point without you having to
trust them with CVS access first.

David Lang


------------------------------

Message: 3
Date: Fri, 29 Apr 2011 10:41:15 -0700 (PDT)
From: david@lang.hm
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.2.00.1104291039590.29811@asgard.lang.hm>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Fri, 29 Apr 2011, Claudio Telmon wrote:

> I wouldn't say that most users think that blocking ports is the only
> thing a firewall should/can do. Almost every device has currently this
> basic functionality, including routers, load balancers etc., so
> companies buying an expensive firewall expect it to do something more.
> The problem is, if they know what, and if they get it or not ;)

Actually, the problem is that many companies _don't_ expect the firewall
to do anything more. And neither do many admins (unfortunately including a
large percentage of 'security' people).

David Lang


------------------------------

Message: 4
Date: Mon, 02 May 2011 14:24:25 +0200
From: Claudio Telmon <claudio@telmon.org>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4DBEA279.5070400@telmon.org>
Content-Type: text/plain; charset=ISO-8859-1

On 04/29/2011 04:09 PM, ArkanoiD wrote:
> On Fri, Apr 29, 2011 at 10:22:45AM +0200, Claudio Telmon wrote:
>>
>> Proxies have been mostly put on top of an operating system's tcp/ip
>> stack, but I wouldn't say that this is a benefit, it's just simpler.
>
> Actually it *IS* a benefit. By eliminating direct packet flow you do not
> need to care about bad things sneaking in TCP and below, actually it is the only
> way to *reliably* ensure that we see similar data on the firewall and the endpoint.

I agree, but I was just saying that using the TCP/IP stack of an OS is
simpler than building a "stripped down" stack that only supports the
proxy needs, not even including e.g. the option to route packets, or to
support the many protocols supported by most current OSes.

ciao

- Claudio

--

Claudio Telmon
claudio@telmon.org
http://www.telmon.org

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 58, Issue 2
***********************************************