Tim Shea wrote:
>And you can equally argue that proxies were never good to begin
>with. Really - the majority of applications out there have no real
>layer 7 level proxy so you have to tackle the problem from other

That's exactly what I mean. It goes deeper than that, really. Most
applications out there today have no layer 7 *specification* -- never
mind a proxy. They're simply a bunch of poorly-understood stuff
going back and forth on a connection. Nobody can filter it for
correctness because nobody even knows what correctness
*means* in that case. Or, you get protocols like the VOIP suite,
which are an amalgamation of poorly-designed and over-designed
standards and features; there's no sensible way to go through
and apply protocol minimization because there's no real
protocol, just a feature set driven by a bunch of commands
that are executed in an arbitrary order.

Insecurity is a problem of complexity and trust. We can't fix
trust with technology, and the complexity of current applications
software has completely escaped our grasp. Until such a time
when app protocols are well-designed and specified (ain't gonna
happen!) we're not going to have meaningful progress in security,
we'll just have the "band aid of the month club." For the record,
I never felt firewalls were a solution to the problem (proxy or
otherwise); they're simply a centralizable band aid. The reason
that packet-oriented firewalls suck is because they're locked
into the permit/deny-packet model and that means it's impossible
to do protocol minimization. I don't think anyone does that any
more, anyhow, so it's largely a moot point.

On the other hand, the customers of the "computer security
industry" are spending about $1 billion annually on all the
computer security "solutions" yet the situation is getting worse.
What does that tell you? It tells me the "conventional
wisdom" isn't.


firewall-wizards mailing list