In a recent SearchSecurity webcast, speaker Joel Snyder, Senior Partner for Opus One, addressed technological developments in application-layer firewalls based on his research for sister publication Information Security magazine.


Here he answers a few of the user-submitted questions he didn't have time to answer during the broadcast. If you missed our webcast, Application-layer firewalling: Raise your perimeter IQ, or would like to review it, you may listen to the webcast on-demand or download Joel's presentation without audio.


Why aren't firewalls blocking spyware?

Well, depending on your definition of spyware, they are. Firewalls give you the granular control you need to block incoming and outgoing traffic. The products we reviewed go deeper into the protocol and can block things that look like HTTP but aren't. Look at the table with the Information Security magazine article for features such as "HTTP Header Filtering," for example.
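The "things that look like HTTP but aren't" point above is the core of application-layer filtering: the firewall parses the request against the protocol grammar rather than just allowing port 80. The following is an added illustration, not code from the article or from any product reviewed in it. It implements a small HTTP/1.x request checker in Python: the request line and header syntax follow RFC 7230, while the permitted-method and known-version lists are an assumed local policy, and the sample requests are constructed for the example.

```python
import re
from typing import List

# Constructed sample traffic for the example (not captured data): one
# well-formed request and several payloads that only resemble HTTP.
SAMPLES = {
    "good": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n",
    "bad_version": b"GET / HTTP/9.9\r\nHost: www.example.com\r\n\r\n",
    "bad_header": b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n",
    "ctl_in_header": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Junk: a\x01b\r\n\r\n",
    "missing_host": b"GET / HTTP/1.1\r\nUser-Agent: demo\r\n\r\n",
}

# RFC 7230 token characters (used for methods and header field names).
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# request-line = method SP request-target SP HTTP-version
REQUEST_LINE = re.compile(rb"([!#$%&'*+\-.^_`|~0-9A-Za-z]+) (\S+) HTTP/(\d)\.(\d)")
# field-value may contain VCHAR, SP, HTAB and obs-text; anything else is a control char.
FIELD_VALUE = re.compile(rb"[\t\x20-\x7e\x80-\xff]*")

# Assumed local policy for the example, not something the article prescribes.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}
KNOWN_VERSIONS = {(1, 0), (1, 1)}


def check_http_request(raw: bytes) -> List[str]:
    """Return the list of grammar/policy violations found in one request.

    An empty list means the request passed every application-layer check.
    """
    findings: List[str] = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no CRLFCRLF terminating the header block"]

    lines = head.split(b"\r\n")
    m = REQUEST_LINE.fullmatch(lines[0])
    if not m:
        return ["request line does not match method SP target SP HTTP-version"]
    method, major, minor = m.group(1), int(m.group(3)), int(m.group(4))
    if method not in ALLOWED_METHODS:
        findings.append(f"method {method.decode()} not permitted by policy")
    if (major, minor) not in KNOWN_VERSIONS:
        findings.append(f"unknown HTTP version {major}.{minor}")

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.fullmatch(name):
            findings.append(f"malformed header line {line[:40]!r}")
            continue
        value = value.strip(b" \t")
        if not FIELD_VALUE.fullmatch(value):
            findings.append(f"control characters in value of {name.decode()}")
        headers.setdefault(name.lower(), []).append(value)

    # HTTP/1.1 requires exactly one Host header (RFC 7230 section 5.4).
    if (major, minor) == (1, 1) and b"host" not in headers:
        findings.append("HTTP/1.1 request without Host header")
    if len(headers.get(b"host", [])) > 1:
        findings.append("multiple Host headers")
    return findings


if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:14s} -> {check_http_request(payload) or 'pass'}")
```

A real product would go further (chunked-encoding checks, response inspection, per-header size limits), but the structure is the same: accept only what the grammar and the local policy permit, and log the reason for every rejection so the ruleset can be tuned.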


I thought that proxy makers didn't just claim more control but more security (even in the absence of more control), because of RFC enforcement and other things that they can never seem to explain. Please comment.

They do continue to make this claim. What has not happened is a consensus on whether the additional security is useful or not. Taking an example from the physical world, if I put a safe inside of another safe, it's more secure, isn't it? But is that second, inner safe needed? Is the cost/benefit ratio there? I think that this debate has continued and will go on forever. For some enterprises, the cost/benefit ratio is there; for others, it's not. In general, the marketplace has voted with its dollars in favor of products based on stateful packet filtering over proxies. But the proxies still have a significant market. Folks like Secure Computing and WatchGuard and CyberGuard are all still in business.


What capabilities exist in the latest firewall products to break and re-establish SSL encryption so application scanning of encrypted HTTP is possible?

None in the products I tested, but I don't know about all firewalls out there. The companies I spoke with were more than circumspect about that -- they think that even if they have the capability to decrypt encrypted SSL that this may not be a good idea. It may be a more dangerous tool than should be given to most companies.

Your question is actually a bit different. You're asking about possibly setting up two SSL sessions. That's very common -- all the SSL VPN vendors are doing that already. But I'm guessing you're more interested in maintaining end-to-end integrity and decrypting the data on the fly.

Do you think that this is an important feature? Are you concerned that your SSL-based Web server is vulnerable to attack? Or are you worried about end users going out on the Internet using encrypted traffic that you can't evaluate for proper policy compliance?


Have any firewalls added intelligence to evaluate or alert on poor firewall rule sets?

Not the ones I looked at. I would be a bit surprised if the firewall itself had done that. But I've been surprised before.
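The question above describes a check that is straightforward to do outside the firewall: walk the ordered rule set and flag rules that can never match (shadowed by an earlier rule with the opposite action), rules that are redundant (fully covered by an earlier rule with the same action), and blanket any-to-any permits. The following is an added example written for this article, not a tool from any vendor discussed in it; the rule format, the sample rule set and the first-match semantics are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    """One first-match rule; assumed format for this example."""
    name: str
    action: str              # "allow" or "deny"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    proto: str               # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # inclusive destination port range; (0, 65535) = any


ANY_NET = "0.0.0.0/0"
ANY_PORTS = (0, 65535)


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    port_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return src_ok and dst_ok and proto_ok and port_ok


def lint_rules(rules: List[Rule]) -> List[str]:
    """Report shadowed, redundant and any-any-allow rules in a first-match rule set."""
    findings: List[str] = []
    for i, later in enumerate(rules):
        # A rule fully covered by an earlier one never fires: either it is
        # redundant (same action) or shadowed (the earlier rule wins with the
        # opposite action, which is the dangerous case).
        for earlier in rules[:i]:
            if _covers(earlier, later):
                kind = "redundant with" if earlier.action == later.action else "shadowed by"
                findings.append(f"{later.name} is {kind} {earlier.name}")
                break
        if (later.action == "allow" and later.src == ANY_NET
                and later.dst == ANY_NET and later.ports == ANY_PORTS):
            findings.append(f"{later.name} allows any source to any destination on any port")
    return findings


# Constructed sample rule set for the example (not from any real device).
SAMPLE_RULES = [
    Rule("block-telnet", "deny", ANY_NET, "10.0.0.0/8", "tcp", (23, 23)),
    Rule("allow-web", "allow", ANY_NET, "10.0.1.0/24", "tcp", (80, 80)),
    Rule("allow-lan-any", "allow", "10.0.0.0/8", "10.0.0.0/8", "any", ANY_PORTS),
    Rule("allow-ssh-from-lan", "allow", "10.0.2.0/24", "10.0.1.10/32", "tcp", (22, 22)),
    Rule("block-smtp", "deny", "10.0.0.0/8", "10.0.1.25/32", "tcp", (25, 25)),
    Rule("allow-all", "allow", ANY_NET, ANY_NET, "any", ANY_PORTS),
]


if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```

On the sample set the linter reports that block-smtp is shadowed by the broad allow-lan-any rule (so the intended SMTP block is silently ineffective), that allow-ssh-from-lan is redundant, and that the trailing allow-all defeats the default-deny stance. The same pairwise coverage test extends to partial overlaps and to per-interface or per-zone rule sets once those fields are added to `Rule`.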


What do you think of the DoD Common Criteria process?

At the high end, having certification is generally a waste of time and money. It becomes largely a paper chase of getting certification for operating at some level below where you already are. Thus, high-end products go far beyond the basic Common Criteria. However, at the low end, there are products that cannot meet the basic levels required not just in DoD, but in all sorts of other certification programs. So it is a reasonable barrier.

My impression is that every high-end product vendor gets these certifications because they are required as part of the purchasing process by some large customers, but that most consider it a waste of time. On the other hand, it does keep the riff-raff out. So it's both good and bad, in my opinion.


This was first published in March 2004
