On Mon, Aug 21, 2006 at 09:15:42AM -0400, Paul D. Robertson wrote:
> On Mon, 21 Aug 2006, Tim Shea wrote:
> > And you can equally argue that proxies were never good to begin
> > with. Really - the majority of applications out there have no real

> I've got clients who at least have some benefit from running HTTP through
> a proxy and stopping various MIME types. It's not perfect by any stretch
> of the imagination, but it stops a fair volume of malware/spyware daily.

...and if you strip scripts from untrusted sites, you get rid of most
malicious XSS and browser attacks; add an XML policy filter (properly configured)
and... you still have tons of ugly uncontrolled stuff, but things already don't
look *that* bad.

I wonder why there is no open-source XML filter engine. Looks like we
have to develop that one.

> > layer 7 level proxy so you have to tackle the problem from other
> > directions. And the off-the-shelf proxies (smtp, dns, http, etc)
> > don't offer much value since these applications have been tested to

> With a proxy, DNS doesn't go down to the client- that's a huge win in the
> anti-tunnel arena. Where I have clients who do MS Exchange internally,
> the SMTP proxy keeps them from spewing SMTP from an infected client as
> well...
> > death or the application isn't anymore "protected". What is the
> > point of recommending a solution that doesn't exist? I am a fan of
> > proxies but the reality is the firewall - whether it be proxy or
> > other - is only a small part of the equation.
> >

> A chance to arbitrate the conversation isn't necessarily a bad thing-
> especially if you can't control the end nodes.
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> paul@compuwar.net which may have no basis whatsoever in fact."
> http://fora.compuwar.net Infosec discussion boards

firewall-wizards mailing list