LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security in the 20-teens

Security in the 20-teens

Posted Feb 3, 2010 16:41 UTC (Wed) by dlang (✭ supporter ✭, #313)
In reply to: Security in the 20-teens by foom
Parent article: Security in the 20-teens

yes, any checking the firewall does opens the firewall up to the possibility of errors (this includes the checking done in stateful packet filters)

However, for all relatively sane protocols, there is checking that can be done that doesn't require as much code (and therefor doesn't have the risk) of the application code that will be processing the request. Properly done the code for the firewall is relatively static and can be well tested. It doesn't need to change every time you add a new function to the application (or change it's behavior), it only needs to be able to be configured to do different checking.

Usually this can be things like (in order of increased complexity)

checking that the message is well formed by the definition of the protocol

checking that the message follows the protocol syntax

checking that specific fields in the message are in a whitelist

Yes Wireshark has a horrible track record in security, but this sort of checking is happening in many firewalls (under names like 'deep packet inspection') for some protocols. There are also seperate 'Application Firewall' products you can get for some protocols. The better IDS/IPS systems do this sort of thing (as opposed to mearly blacklisting known exploits)

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds