[fw-wiz] Firewall rules order and performance

K K kkadow at gmail.com
Wed Jul 29 10:36:07 EDT 2009


A good example of this is the BIND9 bug released yesterday.  A very
good firewall has a DNS proxy and denies malformed packets, or can be
set to filter out 'nsupdate' type packets.

Even "iptables" can be set to drop these packets, with a one-line rule change.

On 7/28/09, K K <kkadow at gmail.com> wrote:
> Only if your "firewall" is a lowly stateful inspection packet filter,
> and is not deeply aware of the higher level protocols...
>
> The idea behind "deep inspection" and protocol validating proxy
> firewalls was in part to filter out attacks before they reach
> vulnerable servers/clients.   They do make the attacker's job more
> difficult.
>
> KK
>
> On 7/28/09, Eric Gearhart <eric at nixwizard.net> wrote:
>> On Mon, Jul 27, 2009 at 1:21 AM, Jean-Denis Gorin<jdgorin at computer.org>
>> wrote:
>>> Who remember that firewalls (as application gateways) was designed to
>>> solve (or
>>> to ease a lot) the patch management problem?
>>> Now, we are back to patch management as the solution for all problems
>>> because
>>> dumb people (managers, marketers, buyers, system admins, network admins,
>>> developers, or whatever fit your situation) are unable (or unwilling) to
>>> understand what is a firewall, and what is it due for...
>>
>> Part of the problem with your argument is that in order for e,g, a web
>> server to be reached, port 80 (and maybe port 443) have to be allowed
>> through the firewall. That fact alone means that the webservers have
>> to be patched, because as long as the firewall is allowing legitimate
>> traffic through, it could also be allowing malicious traffic
>> through...
>>
>> --
>> Eric
>> http://nixwizard.net
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards at listserv.icsalabs.com
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>>
>
> --
> Sent from my mobile device
>

-- 
Sent from my mobile device


More information about the firewall-wizards mailing list