From: security at brvenik.com (Jason)
Subject: YABBT [1] - Re: Zone Alarm
This is a dead thread to me. I am replying to list because it adds a
little value to the already OFF TOPIC discussion.
Ron DuFresne wrote:
> [SNIP]
>
>
>>'A HW firewall can only block at the protocol level for an entire
>>machine but can not reliably deny access for one program and allow
>>access for another program when they are using like protocols from the
>>same machine.'
>>
>
>
> Still incorrect, as it seems folks are talking about packet filters only
> of one type or another. No one seems to be considering the high end in
> the firewall realm, and this might be due to the 'homeuser' tone of the
> thread, but, what about firewalls with application proxies? Of course
> these are not very common on a desktop or home machine...
>
[snip large sig block]
There are many application proxies in use on the host these days; they
are often transparent as well. An easy example might be any modern virus
scanner which intercepts a communication stream and emulates the
application protocol to inspect it for virii.
While I see what you are trying to say, you are incorrect. There is no
_off system_ firewall, hardware or software, that can differentiate like
protocols and the representation of those protocols simply by being inline.
Let me illustrate:
$ wget www.yahoo.com
...output
$ nc www.yahoo.com 80
GET / HTTP/1.0
User-Agent: Wget/1.8.2
Host: www.yahoo.com
Accept: */*
Connection: Keep-Alive
...output
Barring a subtle difference in the way wget and nc build the TCP
connection, there is no way off system to differentiate the above two
HTTP requests, and there is no off system method to identify the
requesting application.
Something that might make this mildly on topic for the list would be a
discussion of the next logical statements about enforcing access to the
internet for specific applications using this method of thinking.
You can do anything that does not require a change on the host system.
Some suggestions:
* configure User-Agent validation
* only allow specific protocols, limited to HTTP for example
* require user authentication
Now, with all the products out there the list has, attempt these methods
of restriction and then show us how it can be evaded or otherwise
rendered useless by an application other than the intended. If you
believe it cannot be evaded please show your work and defend your position.
Failing this type of discussion I too SCREAM NAZI
-Jason
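The point of the wget/nc illustration, as an added example that is not part of the original post: an inline filter is a pure function of the bytes on the wire, so the three suggested rules (HTTP only, known User-Agent, known Host) give identical decisions for identical bytes whatever program emitted them, while an on-host control can consult the process identity that never leaves the machine. The allowlists, the `build_request` helper and the process names are constructed for this example.

```python
# Added example, not code from the original post. Models an off-system
# filter that sees only wire bytes, beside an on-host check that also
# sees which program made the request.
ALLOWED_USER_AGENTS = {"Wget/1.8.2"}      # constructed allowlist
ALLOWED_HOSTS = {"www.yahoo.com"}          # constructed allowlist
ALLOWED_PROCESSES = {"wget"}               # constructed, host-side only

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, version, headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)   # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers

def inline_filter_decision(raw: bytes) -> str:
    """Off-system rules: HTTP/1.x only, Host and User-Agent on the allowlists."""
    try:
        _method, _target, version, headers = parse_request(raw)
    except ValueError:
        return "deny: not a parseable HTTP request"
    if not version.startswith("HTTP/1."):
        return "deny: not HTTP/1.x"
    if headers.get("host") not in ALLOWED_HOSTS:
        return "deny: host not allowed"
    if headers.get("user-agent") not in ALLOWED_USER_AGENTS:
        return "deny: user-agent not allowed"
    return "allow"

def host_filter_decision(raw: bytes, process_name: str) -> str:
    """On-host control: the same byte rules plus the originating process."""
    if process_name not in ALLOWED_PROCESSES:
        return "deny: process not allowed"
    return inline_filter_decision(raw)

def build_request(user_agent: str) -> bytes:
    """Construct the request shown in the post; any program can emit these bytes."""
    return (f"GET / HTTP/1.0\r\nUser-Agent: {user_agent}\r\n"
            "Host: www.yahoo.com\r\nAccept: */*\r\nConnection: Keep-Alive\r\n\r\n").encode()

# Constructed sample: the wget request and the hand-typed nc request from the post.
WGET_REQUEST = build_request("Wget/1.8.2")
NC_REQUEST = build_request("Wget/1.8.2")

if __name__ == "__main__":
    print("inline:", inline_filter_decision(WGET_REQUEST), inline_filter_decision(NC_REQUEST))
    print("on-host:", host_filter_decision(WGET_REQUEST, "wget"), host_filter_decision(NC_REQUEST, "nc"))
```

Only the on-host check separates the two sessions; the inline filter cannot, because the bytes it is given are identical.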