Aviram Jenik wrote:

> The main idea behind a firewall is not to prevent rogue outgoing
> communication (this is usually pointless; you can do full IP tunneling
> over ICMP packets if you wish) but to prevent incoming traffic to
> various services. For example, you may have an Intranet web server that
> should only be accessible from inside the network, but nobody from the
> outside should access it.

A FW is a tool to enforce corporate policy on people who may or may not wish to abide by it. It is not the only tool, and there are other tools designed to help with that aim. The most recommended, but hard to maintain, is keeping only the services that need to run running.

> The fact that administrators (ab)use it to block various services from
> internal users (and then those users find "clever" ways to bypass these
> restrictions) is another topic altogether
It's a matter of users deciding not to abide by these policies. Some of the reasons for doing so are understandable (China example), some are less (employees using the corporate network to download Kazaa movies, or open security holes in ICQ).

> - but the ones that are
> overloading services on port 80 are not the corporates, but rather the
> client-side utilities which want to bypass f/w restrictions.

But that's another strange concept.

Lets look at it for a second:
Why do clients like ICQ use HTTP? Because they want to be usable even if the admins don't want their users to have it. I'll repeat that - ICQ wants to bypass the corporate policy!

What do admins do about it? Well, whatever their FWs allow them to do. Slowly, FWs start to look at HTTP as a layer 5 protocol, over which further inspection needs to be done. The race has begun. So far, the clients are far ahead, but the distance is slowly being closed. Check Point FW-1 NG FP3 (recently released) has an option of blocking Kazaa and such.

Who's the loser? Admins and end users. The former because they have to keep upgrading, and because these checks are far more performance-intensive than packet matching and filtering. The former because as the inspections done become more and more intensive, performance drops and costs rise.

Who's winning? Well, the security companies obviously can't complain (they can, and they do, but still). The client companies are also in the mix. They started this thinking that this will make them unfilterable. I expect they will soon find out that they were wrong, and the race will really be on. You will start seeing iterations of changing clients, and changing firewalls and proxies trying to catch up. All I can really say about that is "been there, done that, no winners".

> Thanks,
> Aviram Jenik
> Beyond Security Ltd.
> http://www.BeyondSecurity.com
> http://www.SecuriTeam.com

Theoretically, if people in corporates did not try to use these tools to bypass corporate policies, the need for layer 6 filtering would not have been big enough to justify security device companies diving into this market, leaving the really important uses (free surfing out of China) without an answer. Sadly, people are too short-sighted to understand that.

Shachar
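The two kinds of firewall check the thread contrasts, as an added example that is not part of the original messages: a cheap layer-3/4 packet filter that enforces "intranet web server reachable only from inside", and the costlier application-layer step that looks at what was actually sent to port 80 and flags payloads that do not parse as HTTP requests. The addresses, network range, packet model and sample payloads are constructed for this illustration; nothing here is taken from a real product.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example values (assumptions, not from the thread): an internal
# range and the address of the intranet-only web server.
INTERNAL_NET = ip_network("10.0.0.0/8")
INTRANET_WEB = ip_address("10.0.0.80")


@dataclass
class Packet:
    """Minimal stand-in for a TCP segment: who sent it, where, and the first bytes of data."""
    src: str
    dst: str
    dst_port: int
    payload: bytes = b""


def packet_filter(pkt: Packet) -> str:
    """Layer-3/4 policy: the intranet server accepts TCP/80 only from INTERNAL_NET,
    everything else addressed to it is dropped. Only header fields are consulted,
    which is why this is cheap compared with payload inspection."""
    if ip_address(pkt.dst) == INTRANET_WEB:
        if pkt.dst_port == 80 and ip_address(pkt.src) in INTERNAL_NET:
            return "accept"
        return "drop"
    return "accept"  # other destinations are outside this example's policy


# Simplified HTTP/1.x request line: METHOD SP target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]\r\n"
)


def inspect_http(payload: bytes) -> str:
    """Application-layer check for traffic already allowed through to port 80:
    does the data actually look like an HTTP request? This has to read and parse
    the payload, which is the performance cost the thread describes."""
    if not payload:
        return "empty"
    if not REQUEST_LINE.match(payload):
        return "non-http-on-80"       # something else is riding on the web port
    if b"\r\n\r\n" not in payload:
        return "malformed-http"       # header block never terminated
    return "http"


def classify(pkt: Packet) -> str:
    """Run the cheap filter first; only traffic it accepts on port 80 gets inspected."""
    verdict = packet_filter(pkt)
    if verdict != "accept" or pkt.dst_port != 80:
        return verdict
    return f"accept:{inspect_http(pkt.payload)}"


# Constructed sample traffic to the intranet server.
SAMPLES = {
    "internal_browser": Packet("10.1.2.3", "10.0.0.80", 80,
                               b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    "external_client":  Packet("198.51.100.7", "10.0.0.80", 80,
                               b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    "internal_ssh":     Packet("10.1.2.3", "10.0.0.80", 22, b"SSH-2.0-client\r\n"),
    "binary_on_80":     Packet("10.1.2.3", "10.0.0.80", 80, b"\x00\x17\x9a\x01binary-blob"),
}


def run_samples() -> dict:
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18s} -> {verdict}")
```

The split mirrors the thread's point: the port/address rules answer "may this host talk to that service at all", while the inspector answers "is what it sent really the protocol the port is open for", and only the second needs to keep up with clients that change their wire format.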


