List: firewall-wizards
Subject: Re: [fw-wiz] VM system for firewall use
From: "Paul D. Robertson" <paul () compuwar ! net>
Date: 2004-10-12 15:25:55
Message-ID: Pine.LNX.4.58.0410121120180.11205 () bat ! clueby4 ! org
On Tue, 12 Oct 2004, ArkanoiD wrote:
> > 1. The filter gets all data anyway, so all data going through the proxy
> > is immediately subject to compromise (i.e. the filter can pass back
> > *anything* to compromise an internal machine (say send the next IE browser
> > a GDI exploit?) and the internal systems talk to the proxy.
>
> No, the proxy is not at all that dumb to get data from the filter back and
> to use it blindly. Its interface to filter is restricted;
> filter may not be allowed to modify content at all - just instruct proxy with
> simple actions.
>
> That's a design issue I should keep in mind.
That's a good design- hopefully the marketing folks that are driving the
changes don't "need" the filtering product to pass back
this-is-why-we-blocked-you HTML, which seems to be the typical chance for
the filtering product manufacturers to get their "brand" in front of the
Web browser, or to make the filter a stand-alone product.
It still amazes me when folks writing security software *design* it well-
I've become very jaded over the years.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
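
The restricted filter interface described in the quoted reply above, as an added example that is not part of the original message or of any product discussed: the proxy gives the filter a copy of the content and accepts back only a fixed verdict token, failing closed on anything else. The names Action, parse_verdict and relay, the token values and the 16-byte limit are assumptions made for illustration.

```python
from enum import Enum


class Action(Enum):
    # The only replies the proxy understands (assumed token set).
    ALLOW = b"ALLOW"
    BLOCK = b"BLOCK"


MAX_VERDICT_LEN = 16  # assumed cap; a verdict is a token, never a document

# The block page belongs to the proxy. The filter has no way to supply HTML.
BLOCK_PAGE = b"<html><body>Blocked by policy.</body></html>"


def parse_verdict(raw: bytes) -> Action:
    """Map the filter's reply to a known action; anything else fails closed."""
    if len(raw) > MAX_VERDICT_LEN:
        return Action.BLOCK
    token = raw.strip()
    for action in Action:
        if token == action.value:
            return action
    return Action.BLOCK


def relay(origin_body: bytes, filter_fn) -> bytes:
    """Return what the client receives: origin bytes or the proxy's own page."""
    try:
        raw = filter_fn(bytes(origin_body))  # filter sees a copy of the data
    except Exception:
        return BLOCK_PAGE  # a crashing filter must not open the gate
    if not isinstance(raw, (bytes, bytearray)):
        return BLOCK_PAGE
    if parse_verdict(bytes(raw)) is Action.ALLOW:
        return origin_body  # bytes from the origin, never from the filter
    return BLOCK_PAGE


if __name__ == "__main__":
    page = b"<html>constructed sample page</html>"
    # Constructed filter replies: an honest one and one returning markup.
    print(relay(page, lambda body: b"ALLOW\n"))
    print(relay(page, lambda body: b"<html>filter-supplied markup</html>"))
```

Whatever the filter returns, the client only ever receives the origin's bytes or the proxy's own block page.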