Re: Hollywood scenarios
Whilst an absolute bitch to configure, the Gauntlet firewalls back in the day were about as secure a firewall as you could ever hope for. The management let it down when compared to Cisco PIXes and the newcomer to the game with its fancy GUI - Checkpoint - which was probably what led to its demise.
However, what I noticed was that there were no *new* proxy-type firewalls coming along - all of the current crop of enterprise firewalls are pass-through type.
After going on a few courses with the aforementioned vendors, and meeting people who made me feel like a 3-year-old chimp with brain damage in comparison, I discovered that there are ways to bypass pass-through type firewalls. Apart from the obvious back-doors that have been floating around recently, I never did find out what that mechanism was, but it was proved to me on one occasion when I was asked to secure a laptop behind a firewall in a lab: this chap (using another laptop outside the firewall) simply logged in to my laptop using RDP (which was disabled), used my webcam (which was disabled in the device manager) and took a photo of my astonished face as I watched my cursor whizz around my screen.
Now I think I know why there are no proxy-type firewalls left on the market :(
For those too young to have played with Gauntlet, it basically had a little bit of proxy code for each application you wanted to allow connectivity to. So there were FTP proxies, HTTP proxies, etc. etc. The main point was that if the incoming data stream didn't conform to the parameters of the proxy, it was filtered - so no buffer overruns, no SQL injections - it was pure whitelisted traffic and nothing else. This would probably be harder to do today since some of the protocols have developed and become a lot more complex, but it *could* be done - so why hasn't it?
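As an added illustration of the per-application proxy idea described in the post above (example code written for this page, not Gauntlet's own code and not anything from the original poster), here is a minimal FTP command filter of the kind such a proxy would sit between client and server with. A client command line is forwarded only if it is within the RFC 959 length limit, is a single CRLF-terminated line of printable ASCII, uses a whitelisted verb, and carries an argument matching that verb's grammar; everything else is dropped before it reaches the real server. The verb set, the argument patterns, the `filter_ftp_command`/`proxy_session` names and the sample session are all assumptions constructed for the example.

```python
import re

# RFC 959 section 4.2: a command line is at most 512 bytes including CRLF.
MAX_LINE = 512

# Whitelist of verbs and the exact argument grammar each must satisfy.
# Constructed for this example; a full proxy would cover the whole RFC 959
# command set, but the principle is the same: anything not matched is dropped.
ALLOWED = {
    "USER": re.compile(r"[A-Za-z0-9_.-]{1,64}"),
    "PASS": re.compile(r"[\x21-\x7e]{1,128}"),
    "CWD":  re.compile(r"[A-Za-z0-9_./-]{1,255}"),
    "PWD":  re.compile(r""),
    "TYPE": re.compile(r"[AI]"),
    "PASV": re.compile(r""),
    "PORT": re.compile(r"(?:\d{1,3},){5}\d{1,3}"),
    "LIST": re.compile(r"[A-Za-z0-9_./-]{0,255}"),
    "RETR": re.compile(r"[A-Za-z0-9_./-]{1,255}"),
    "STOR": re.compile(r"[A-Za-z0-9_./-]{1,255}"),
    "QUIT": re.compile(r""),
}
PATH_VERBS = {"CWD", "LIST", "RETR", "STOR"}


def filter_ftp_command(raw: bytes) -> tuple[bool, str]:
    """Decide whether one client command line may be forwarded to the server.

    Returns (allowed, reason). The check is positive: the line must be
    well-formed *and* match the whitelist grammar, otherwise it is dropped.
    """
    # 1. Length bound first, so an oversized line never reaches a parser,
    #    let alone the real server behind the proxy.
    if len(raw) > MAX_LINE:
        return False, "line too long"
    # 2. Exactly one CRLF-terminated printable line; an embedded CR or LF
    #    would let a client smuggle a second command inside the first.
    if not raw.endswith(b"\r\n"):
        return False, "missing CRLF"
    line = raw[:-2]
    if not all(0x20 <= b < 0x7F for b in line):
        return False, "non-printable byte"
    text = line.decode("ascii")
    # 3. Verb must be whitelisted (FTP verbs are case-insensitive).
    verb, _, arg = text.partition(" ")
    verb = verb.upper()
    if verb not in ALLOWED:
        return False, f"command {verb!r} not whitelisted"
    # 4. Argument must match that verb's grammar exactly.
    if ALLOWED[verb].fullmatch(arg) is None:
        return False, f"argument rejected for {verb}"
    # 5. Semantic checks the regex alone cannot express.
    if verb in PATH_VERBS and ".." in arg.split("/"):
        return False, "path traversal"
    if verb == "PORT" and any(int(n) > 255 for n in arg.split(",")):
        return False, "PORT octet out of range"
    return True, "ok"


def proxy_session(raw_lines):
    """Run a sequence of client lines through the filter; return what would be
    forwarded to the server and what would be dropped (with the reason)."""
    forwarded, dropped = [], []
    for raw in raw_lines:
        ok, reason = filter_ftp_command(raw)
        (forwarded if ok else dropped).append((raw, reason))
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed client session: three legitimate commands and three that a
    # pass-through firewall would happily forward but the proxy refuses.
    session = [
        b"USER alice\r\n",
        b"PASS s3cret!\r\n",
        b"RETR report.txt\r\n",
        b"RETR ../../etc/passwd\r\n",                 # traversal attempt
        b"PORT 10,0,0,1," + b"9" * 600 + b",1\r\n",   # oversized line
        b"SITE EXEC /bin/sh\r\n",                     # verb not whitelisted
    ]
    fwd, drop = proxy_session(session)
    for raw, _ in fwd:
        print("forward:", raw)
    for raw, why in drop:
        print("drop   :", raw[:40], "->", why)
```

The check is positive rather than negative: nothing is forwarded unless it matches the grammar, which is what the post means by whitelisted traffic. The same shape applies to any other application proxy, only the grammar changes, and that grammar is exactly the part that has become hard to write for today's larger and more complex protocols.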