
firewalls

Was looking around 'cuz my proxy is about twenty years old and Cisco acl's are a bitch and everybody says modern stateful firewalls are the bee's knees and that bright red Watchguard sure would look good sitting in the rack but ...

http://www.ranum.com/security/computer_ ... epinspect/

hmm. Watcha think ?
he said a girl named Patches was found ...
Deep packet inspection is a blessing and a curse - it's great for protecting your internet-facing services; it can block "malicious" stuff that is using legitimate ports and services (remember the old trick of running sshd on port 80?), but it's quite often implemented with one step too far... like doing SSL MITM to check whether a TCP/443 session is in fact encrypted HTTP and not some VPN or any other stream. I've had to jump through some hoops to dodge that kind of nasties at various customers. :D

For a home setup, I seriously wouldn't bother. I've got iptables on my openwrt home router and it does everything I need and more - I guess I could even run a proxy on it (but I don't see a need for it). Any low power Linux or BSD machine with minimal configuration could do that job.

For a company setup... well, better safe than sorry. Maybe a nosy inspecting firewall *is* what you want then. :)
while (!asleep()) sheep++;
Alver wrote: I guess I could even run a proxy on it (but I don't see a need for it).

Privoxy on the router is on my TODO-list. To suppress YouTube ads on the TV :)
Now this is a deep dark secret, so everybody keep it quiet :)
It turns out that when reset, the WD33C93 defaults to a SCSI ID of 0, and it was simpler to leave it that way... -- Dave Olson, in comp.sys.sgi

Currently in commercial service: :Onyx2: (2x) :O3x02L:
In the museum : almost every MIPS/IRIX system.
Wanted : GM1 board for Professional Series GT graphics (030-0076-003, 030-0076-004)
DPI is useful for spying. It doesn't have much use for a firewall scenario.
:PI: :O2: :Indigo2IMP: :Indigo2IMP:
robespierre wrote: DPI is useful for spying. It doesn't have much use for a firewall scenario.

I disagree. There are plenty of proper uses for DPI - as a matter of fact, I've only seen it being used for "spying" a couple of times, and always as a side effect of a proper use: checking for masked rogue traffic or exploit fingerprints in communication channels. Killing cross-site scripting and SQL injection attempts before they even hit the actual server is pretty nice.
while (!asleep()) sheep++;
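The two things Alver describes, a firewall noticing that something other than HTTP is riding on port 80 (the old sshd-on-80 trick) and a firewall dropping obvious SQL injection or cross-site scripting strings before they reach the server, can be sketched in a few lines. The following is an added example written for this thread, not code from any poster or from any firewall product; the sample payloads are constructed, and the signature list is a toy (real DPI engines carry thousands of rules and protocol-aware decoders). Note that the TLS check only reads the unencrypted record header, which is exactly what a firewall can do without the SSL MITM the post warns about.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed sample payloads: the first bytes a firewall would see on a TCP stream.
HTTP_OK = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
SSH_ON_80 = b"SSH-2.0-OpenSSH_7.4\r\n"  # an sshd banner where HTTP was expected
TLS_HELLO = bytes.fromhex("160301 00c8 010000c4 0303")  # TLS record: type 0x16 (handshake)
SQLI_REQ = b"GET /search?q=%27+OR+%271%27%3D%271 HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
XSS_REQ = b"GET /page?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1\r\nHost: www.example.test\r\n\r\n"

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]$")

# Which application protocol the inspecting firewall expects on each well-known port.
EXPECTED_PROTOCOL = {80: "http", 443: "tls"}

# Toy signature set (hypothetical names). A real engine has far more and far stricter rules.
SIGNATURES = [
    ("xss-script-tag", re.compile(r"<script[\s>/]", re.IGNORECASE)),
    ("sqli-union-select", re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)),
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*", re.IGNORECASE)),
]


def classify_payload(payload: bytes) -> str:
    """Fingerprint the application protocol from the first bytes of the stream."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # A TLS handshake starts with record type 0x16 and a 0x03,0x0X record-layer version.
    # This reads only the cleartext record header; no decryption or MITM is involved.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    first_line = payload.split(b"\r\n", 1)[0]
    if HTTP_REQUEST_LINE.match(first_line):
        return "http"
    return "unknown"


def inspect_http_request(payload: bytes) -> List[str]:
    """Return the names of the signatures matched by the URL-decoded request line."""
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    decoded = unquote_plus(request_line)  # normalise %27 / + before matching
    return [name for name, pattern in SIGNATURES if pattern.search(decoded)]


def inspect(port: int, payload: bytes) -> Dict[str, object]:
    """Decide allow/block for one stream: wrong protocol on the port, or a matched signature."""
    protocol = classify_payload(payload)
    reasons: List[str] = []
    expected = EXPECTED_PROTOCOL.get(port)
    if expected is not None and protocol != expected:
        reasons.append(f"port {port} carries {protocol}, expected {expected}")
    if protocol == "http":
        reasons.extend(inspect_http_request(payload))
    return {"protocol": protocol, "verdict": "block" if reasons else "allow", "reasons": reasons}


if __name__ == "__main__":
    for port, payload in [(80, HTTP_OK), (80, SSH_ON_80), (443, TLS_HELLO),
                          (443, HTTP_OK), (80, SQLI_REQ), (80, XSS_REQ)]:
        print(port, inspect(port, payload))
```

The caveat a practitioner would add: the signature half is only as good as its normaliser. Double encoding, different charsets, or a string split across TCP segments slip past a matcher this simple, which is why real inspecting firewalls reassemble streams and decode each protocol before matching, and why the servers and browsers still have to be fixed rather than relying on the box in front of them.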
Alver wrote: Killing cross-site scripting and SQL injection attempts before they even hit the actual server is pretty nice.

The thing is, though, that if the servers and browsers weren't doing tremendously stupid stuff, these 'exploits' wouldn't exist. It's very similar to girls wearing skirts up to their ass, no panties, no bra and tops that flash their nipples, then complaining that ugly guys stare at them. If you don't want bad stuff to happen, then don't scribble your address and phone number on the toilet stalls down at the bus station, yes ?

To me it seems like the trouble is not 'security' - real security is pretty easy. The trouble is that people want to let google into their underwear drawer but keep charley the pervert from down the street out.

Well ..... you can't have your cake and eat it too, maybe ?
he said a girl named Patches was found ...