My simple definition of a firewall is "a device to ensure conformance to a network 
access policy for traffic through it". But this does imply that it won't let through 
traffic contrary to access policy, so the reply to the original question was correct. If 
you can see ports on servers behind the firewall that you are not supposed to see, 
then the firewall has failed. Of course if you have a network access policy "let 
everything through", then you can port scan behind the firewall. But I wouldn't call 
that a "security" policy.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Reckhard, Tobias
Sent: Wednesday, March 14, 2001 04:52
To: [EMAIL PROTECTED]
Subject: RE: How to find out about Open ports on firewall


Bollocks. ;-)

No, seriously, you are right, of course, that a firewall should be
configured with a default deny stance in most cases. However, that is hardly
a criterion that decides whether something simply *is* a firewall or not.
That depends entirely on the definition of 'firewall', which is subject to
many a debate. Check 'Building Internet Firewalls, 2nd Ed.' by Zwicky,
Cooper and Chapman. Quoting from page 21 of the book, chapter 1, section
'Religious Arguments', subsection 'That's Not a Firewall!':

'The world is full of people eager to assure you that something is not a
firewall; it's "just a packet filter" or maybe it's "better than a mere
firewall". If it's supposed to keep the bad guys out of your network, it's a
firewall. If it succeeds in keeping the bad guys out, while still letting
you happily use your network, it's a good firewall; if it doesn't, it's a
bad firewall. That's all there is to it.'

This is why I prefer to speak of firewall systems or be more specific in the
description of individual components, by speaking of (perhaps stateful)
packet filters, application level gateways (naming the specific protocol),
etc. There is hardly a common denominator when the term 'firewall' is used.

Back to the original topic, where someone said that open ports could be
mapped through a firewall. Of course this is possible if the firewall is
configured to let traffic pass through, the question is, how difficult and
effective is port scanning going to be. If you've got a public Web server in
a DMZ behind a firewall, of course a port scan on the machine will turn up
TCP port 80 as open and listening. Whether a presumptuous syslog UDP port of
514 or an X11 server listening on TCP port 6000, which aren't meant for
public access, will turn up depends on the firewall (and its configuration,
of course). Stealth scans will get by some firewalls, others not. However,
that's not the point. The point is that port scans cannot generally be said
to be impossible through a firewall, neither can the general statement be
made that a firewall that permits any form of port scan to be made through
it is not a firewall.

Cheers,
Tobias

> -----Original Message-----
> From: Bill Royds [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, March 14, 2001 2:55 AM
> To:   Reckhard, Tobias
> Cc:   [EMAIL PROTECTED]
> Subject:      RE: How to find out about Open ports on firewall
> 
> Bollocks. If it does not have a deny all unless explicitly allowed, it is
> not a firewall but a router. A "firewall", does not let traffic pass
> unless authorised by a security policy. If it does otherwise, it is not a
> firewall. 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Reckhard, Tobias
> Sent: Tuesday, March 13, 2001 08:33
> To: 'Bill Royds'
> Cc: [EMAIL PROTECTED]
> Subject: RE: How to find out about Open ports on firewall
> 
> 
> Bill Royds wrote:
> > If you can find the list of open ports THROUGH a firewall, then you need
> > to replace the firewall. It has failed in its main task. The only way one
> > should find out about open ports on a server is to be in the same
> > protection domain as the server.
> > 
> Bollocks. That may be the case in some setups, but there are clearly going
> to be situations where a firewall, which may amount to as much as a
> screening router, will let traffic through, hopefully but not necessarily to
> specific servers and services. Now if your servers have open ports that the
> firewall should prevent outsiders from accessing, that's an entirely
> different story.
> 
> Tobias
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
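The DMZ web server case Tobias describes (TCP 80 meant to be public, syslog on UDP 514 and X11 on TCP 6000 not) and Bill's point about a default-deny policy, modelled as an added example that is not code from any of the posters. It assumes a first-match packet filter, constructed addresses (192.0.2.10 as the DMZ host, 203.0.113.5 as the outside scanner) and a constructed set of listening services, and classifies each probe the way a SYN or UDP scanner would report it:

```python
"""Added example for the thread above (not code from any of the posters):
a toy first-match packet filter, used to show what an outside port scan of a
DMZ web server sees under a default-deny policy versus a "let everything
through" policy. Addresses, rules and the set of listening services are
constructed for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Probe = Tuple[str, int]  # (protocol, destination port)

# Constructed DMZ host: a public web server that also runs syslog and X11.
WEB_SERVER = "192.0.2.10"
LISTENING = {("tcp", 80), ("udp", 514), ("tcp", 6000)}
# Constructed outside scanner address.
SCANNER = "203.0.113.5"


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None matches any destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def decide(rules: List[Rule], default: str, proto: str,
           src: str, dst: str, dport: int) -> str:
    """First matching rule wins; the policy default applies if none matches."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return default


def scan(rules: List[Rule], default: str, src: str, dst: str,
         probes: List[Probe]) -> Dict[Probe, str]:
    """Classify each probe the way a SYN / UDP scanner would report it.

    tcp: dropped by the filter  -> no reply -> "filtered"
         reaches a listener     -> SYN/ACK  -> "open"
         reaches a closed port  -> RST      -> "closed"
    udp: a silent listener and a dropped probe both give no reply, so the
         scanner can only say "open|filtered"; an ICMP port-unreachable
         (closed port on a reachable host) is the one unambiguous answer.
    """
    seen: Dict[Probe, str] = {}
    for proto, port in probes:
        dropped = decide(rules, default, proto, src, dst, port) == "drop"
        listening = (proto, port) in LISTENING
        if proto == "tcp":
            seen[(proto, port)] = ("filtered" if dropped
                                   else "open" if listening else "closed")
        else:
            seen[(proto, port)] = ("open|filtered" if dropped or listening
                                   else "closed")
    return seen


# Default-deny: only TCP/80 into the DMZ network is permitted; everything
# else falls through to the "drop" default.
DEFAULT_DENY = [Rule("accept", "tcp", "0.0.0.0/0", "192.0.2.0/24", 80)]
PROBES: List[Probe] = [("tcp", 80), ("tcp", 22), ("tcp", 6000), ("udp", 514)]


def scan_default_deny() -> Dict[Probe, str]:
    return scan(DEFAULT_DENY, "drop", SCANNER, WEB_SERVER, PROBES)


def scan_default_allow() -> Dict[Probe, str]:
    """No rules, default accept: for this traffic the box is just a router."""
    return scan([], "accept", SCANNER, WEB_SERVER, PROBES)


def exposed_by_policy(result: Dict[Probe, str]) -> List[Probe]:
    """Non-public services the scan reveals (anything open other than TCP/80)."""
    return [p for p, state in result.items()
            if state == "open" and p != ("tcp", 80)]


if __name__ == "__main__":
    for name, result in (("default deny", scan_default_deny()),
                         ("default allow", scan_default_allow())):
        print(name)
        for (proto, port), state in result.items():
            print(f"  {port}/{proto}: {state}")
        print("  leaked:", exposed_by_policy(result))
```

Under the default-deny ruleset the scan shows TCP 80 open and everything else filtered, so X11 on 6000 stays hidden; with no rules and a default accept, 6000 turns up as open and 22 as closed, which is exactly the "let everything through" policy Bill says he would not call a security policy. UDP 514 reads "open|filtered" in both cases, because a UDP scanner cannot tell a dropped probe from a listener that never answers; whether it "turns up" is never a clean yes or no, and a filter that also drops the outbound ICMP unreachable makes even closed UDP ports look the same.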