Most Popular Hardware Firewalls?

That's where you're confused, they are watched at the right point, in fact at multiple points.

Are you related to Charles Newman?

Not only IS it practical, it's done by normal practice in many companies, at least the ones that want to be secure. And this doesn't even take into account the Mandatory Security settings that can be pushed out via GP to the workstations for IE.

Again, it's about knowing the threat, not about patching some broken software; if you block the threats it doesn't matter what program is broken.

Reply to
Leythos

Behind their back / on the screen? All the time?

There is no secure configuration for IE, neither would it be practical.

Someone who still believes in Enumerating Badness...

Reply to
Sebastian Gottschalk

Nope, don't need to watch them directly, they can't do anything that can't be seen over the network.

Then you don't know much about it and how to set it up. It's very easy to secure IE against threats when combined with other filtering methods, and there is no reason, in most cases, to allow unrestricted access to the web, which is another method to help secure the network.

What does that make you - someone that doesn't know how to secure a network? It's simple, you just have to know enough.

Reply to
Leythos

One or the other or both depending on what we see with one or the other....

Why do you have such a hard time with secure networks and the idea that users don't have to be permitted unrestricted access to the Internet (nice, I made it larger than the web) in order to do their work, or even from their homes in most cases?

It's easy to find a tunnel, easy to find an idiot trying to connect to his home computer or a proxy out there....

The first rule is deny access until proven it's needed, and access does not mean allowing complete/unlimited access to the web.

[snipped the rest as it was already addressed]
Reply to
Leythos

Charles Newman clone.

Reply to
Spender
[not much]

Reply to
Vrodok the Troll

You can filter tunneling on a good firewall. A good firewall with deep packet inspection will recognize and stop HTTP tunneling, SOCKS tunneling, etc.

Decent firewalls usually have IPsec VPN and L2TP built in, with RADIUS and/or LDAP authentication support.

The IPS package I have on my firewall works quite well. Why do you say it is impractical?

Decent firewalls all have this. DSCP and 802.1p, mapping between the two and to internal queues/priority levels, etc.

Whatever.

Hence the extremely large number of zombied PCs on the internet spewing crap. 99.9999 percent of which belong to home users.

Ya, right. Home users don't need firewalls. Like they don't need oxygen.

Reply to
snertking

Not true with a decent firewall that does IPS.

No. Signature based detection. Blocking PARTICULAR javascript exploits, etc.

Reply to
snertking

Most IPSs are crap, besides they offer wonderful possibilities of Self-DoS.

Ever heard of something named "encoding"? Just eval(unescape($escape-encoded exploit)) is usually sufficient to circumvent it, and this is comparably simple to the real exploits out there.

Reply to
Sebastian Gottschalk

You forgot the word "some" at certain places. And to state the performance penalty.

What exactly does it do? Simple pattern matching or comprehensive anomaly analysis? And how exactly does it actually help increase security? Does it offer a speed of 100 Mbps?

And this hasn't decreased even over the comprehensive promotion of so-called "firewalls". Actually it seems to have just gotten worse.

Then I wonder why I'm getting along without one.

Reply to
Sebastian Gottschalk

No. This is impossible, already in theory.

Yours, VB.

Reply to
Volker Birk

Many firewalls see the difference between HTTP over port 80 and non-HTTP traffic over port 80 (or any other port/service).

Reply to
Leythos

What part of "tunneling" didn't you understand?

Reply to
Sebastian Gottschalk

What part of Tunneling don't you understand - it can't reach the destination if it's not permitted.

Reply to
Leythos

So you want to deny access to Google? And what about DNS?

Reply to
Sebastian Gottschalk

DNS doesn't have to be denied - the firewall can be set up to deny HTTP access except to approved sites, based on several metrics, and it can also be set up to allow select members/groups to have different filtering rules for HTTP.

If an employee or kid needs access to google, they could be permitted, but getting access to google through the rules doesn't give them access to sites shown in a google search.

It appears you've never worked with a real firewall.

Reply to
Leythos

Oops, there your tunnels go.

So Google Cache doesn't exist?

It appears you never thought about what you were trying and why it can't work.

Reply to
Sebastian Gottschalk

How so? HTTP tunnelling could largely be defeated by just looking for the "connect" command in the outgoing stream.

Reply to
snertking
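As an added illustration (not code from any poster in this thread), here is a Python sketch of the egress checks described above: distinguishing real HTTP on port 80 from other protocols squatting on it, refusing the CONNECT method, and limiting requests to an approved-site list. The sample streams, the approved host names and the function names are constructed for the example.

```python
import re

# Constructed first bytes of outbound port-80 streams (not real captures):
# a normal request, a CONNECT tunnel attempt, a request to an unapproved
# site, raw SSH, and a TLS ClientHello squatting on port 80.
SAMPLE_STREAMS = {
    "browse": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "connect": b"CONNECT 203.0.113.5:22 HTTP/1.1\r\nHost: 203.0.113.5:22\r\n\r\n",
    "unapproved": b"GET / HTTP/1.1\r\nHost: evil.example.net\r\n\r\n",
    "ssh": b"SSH-2.0-OpenSSH_7.4\r\n",
    "tls": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03",
}
# Approved-site list in the sense the thread describes (assumed values).
APPROVED_HOSTS = {"www.example.com", "www.google.com"}

REQUEST_LINE = re.compile(rb"^([A-Z]{3,10}) (\S+) HTTP/1\.[01]\r\n")
SAFE_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}


def _host_header(first_bytes):
    """Return the Host header value without :port, or None if absent.
    (IPv6 literals in brackets are not handled in this sketch.)"""
    head = first_bytes.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").rsplit(":", 1)[0]
    return None


def classify_port80(first_bytes, approved_hosts=APPROVED_HOSTS):
    """Decide what an egress filter should do with a new port-80 stream.
    Only the first request is inspected: this catches non-HTTP protocols on
    port 80 and explicit CONNECT tunnels, but not data smuggled inside
    well-formed requests to an approved host."""
    m = REQUEST_LINE.match(first_bytes)
    if not m:
        return "block: not HTTP"            # SSH, TLS, custom tunnel framing
    method = m.group(1)
    if method == b"CONNECT":
        return "block: CONNECT tunnel"      # the "connect" check from the thread
    if method not in SAFE_METHODS:
        return "block: unknown method"
    host = _host_header(first_bytes)
    if host is None:
        return "block: no Host header"      # nothing to apply site rules to
    if host not in approved_hosts:
        return f"block: {host} not approved"
    return "allow"
```

Run against the samples, only the request to www.example.com is allowed; everything else is blocked with the reason that applies.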

Wrong, DNS from the LAN to the LAN server, where only the internal DNS server is permitted outbound access via DNS - so that means you can't tunnel via DNS rules since only the DNS server has permission to reach out and find someone....

How does that permit one to tunnel out? It doesn't and once you leave the google site you still can't reach it - and all of this means you let users use google in the first place. Heck, most users are not even permitted web access and even less are permitted access to search engines...

It's clear that you have never set up, managed, or been behind a properly configured firewall.

Reply to
Leythos

Are you related to J. Edgar Hoover?

Reply to
Jerry Gardner

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.