On Mon, 21 Aug 2006, Tim Shea wrote:

> And you can equally argue that proxies were never good to begin
> with. Really - the majority of applications out there have no real

I've got clients who at least have some benefit from running HTTP through
a proxy and stopping various MIME types. It's not perfect by any stretch
of the imagination, but it stops a fair volume of malware/spyware daily.

> layer 7 level proxy so you have to tackle the problem from other
> directions. And the off the shelf proxies (smtp, dns, http, etc)
> don't offer much value since these applications have been tested to

With a proxy, DNS doesn't go down to the client- that's a huge win in the
anti-tunnel arena. Where I have clients who do MS Exchange internally,
the SMTP proxy keeps them from spewing SMTP from an infected client as

> death or the application isn't anymore "protected". What is the
> point of recommending a solution that doesn't exist? I am a fan of
> proxies but the reality is the firewall - whether it be proxy or
> other - is only a small part of the equation.

A chance to arbitrate the conversation isn't necessarily a bad thing-
especially if you can't control the end nodes.

Paul D. Robertson        "My statements in this message are personal opinions
paul@compuwar.net         which may have no basis whatsoever in fact."
http://fora.compuwar.net  Infosec discussion boards

firewall-wizards mailing list