And you can equally argue that proxies were never good to begin
with. Really - the majority of applications out there have no real
layer 7 level proxy so you have to tackle the problem from other
directions. And the off-the-shelf proxies (smtp, dns, http, etc)
don't offer much value since these applications have been tested to
death or the application is no longer "protected". What is the
point of recommending a solution that doesn't exist? I am a fan of
proxies but the reality is the firewall - whether it be proxy or
other - is only a small part of the equation.


On Aug 20, 2006, at 10:35 PM, Marcus J. Ranum wrote:

> Isaac Van Name wrote:
>> You have referred to packet-based
>> firewalls as being outdated.

> I'm not sure if they're "outdated" as much as "never were particularly good
> to begin with"
> Remember: popularity is not a reliable gauge of quality. The fact that most
> of the firewalls that are fielded today are packet-based (with a smidgeon of
> state-tracking thrown in) should concern anyone, when the vast majority
> of attacks currently being fielded are above the packet layer. If you want to
> look at things from my (admittedly weird) perspective, the current fondness
> for "patch your software constantly" is proof positive that packet-based
> firewalls don't (and never did) work except for at a very gross level.
> The architecture of a "good firewall" would be some kind of layer-7
> processor that did application protocol correctness verification and
> minimization, as well as some content analysis and filtering. Of course
> it'd have to do it extremely fast, or nobody'd want it. Which is why it
> doesn't exist. To get that much layer-7 processing done at high speeds
> you'd need silicon, and since silicon isn't particularly mutable (not the
> fast kind, anyhow) you'd be constantly bumping against application
> incompatibilities and that wouldn't sit well.
> I guess what I'm saying is "hardly anyone actually WANTS a good firewall."
> mjr.
> _______________________________________________
> firewall-wizards mailing list