On Sun, Mar 19, 2000 at 11:41:41PM -0500, Gregory Maxwell wrote:
> On Sun, 19 Mar 2000, Michael H. Warfield wrote:

> [snip]
> >     Stateful filtering in routers, firewalls, or host interfaces is
> > almost certainly a good thing considering the insecurity of most of the
> > alternatives.  The secure alternative on a firewall would be proxies.
> > Secure, yes, but a dubious performance hog at the very least...  And excuse
> [snip]

> Come on!
> Stateful firewalling buys you *very* little extra security over 
> non-stateful filtering. Most of the attacks that a firewall will stop are
> straightforward service exploits via the internet. A simple filter will do
> this just fine.

        Exploits yes, but there are other things, like FIN scans, and
Christmas scans, etc, that it stops cold.  It also helps (I didn't say
cures) with things like UDP and can stop UDP scanning.

> Most security violations happen from the inside, and unless you like
> spending tons of money breaking all your internal communications,
> firewalls can't help you there. Also, it's usually trivial for someone on
> the outside to trick an insider into setting up a covert channel through
> all but the most anal stateful devices.

        Agreed.  I don't claim they cure everything.  I merely claimed
that they have security advantages.  Anyone who claims to have a magic
bullet that cures all your security woes should be checked over very
carefully and escorted to the door.

> They simply don't get you much over non-stateful devices other than a
> false sense of security, increased complexity, and lowered reliability.

        Not true since they do very distinct things which can be enumerated,
not true as long as they are not sold as a single sole point of security,
somewhat true since they do involve somewhat more complexity though largely
not as complex as proxies which provide similar capabilities, largely not
true since they will be just as reliable or more reliable than proxies.
For equivalent functionality, stateful filters are not that much more
complex if at all, and are not less reliable than other equivalent solutions.
Because they do a distinct job which static filters can not, I do not
consider static filters "equivalent".

> The real solution to security is to secure the damn hosts, and stop trying
> to gloss over the problem with cure-all quick fix firewalls.

        No...

        The real "solution" is to quit looking for single point solutions
such as firewalls and hosts, saying this is all I need to solve my
security problems.  The solution is "security in depth".  You need layers
of security.  Firewalls are a part, and not just perimeter firewalls,
departmental firewalls and even firewalls on single hosts with built-in
firewall capability.  Stateful filters are a part.  Tools like Abacus sentry
and snort (IDS) are a part.  Tools like log monitors and alarms are a part.
Tools like tcpwrappers are a part.  Packages like PAM and cracklib are a
part.  Tools like ssl, ssh, and ipsec are a part.  They're not competitive
and they're not going to eliminate each other.  They are cooperative and
synergistic.  With layers of security, a breach in one layer doesn't
immediately spell doom and compromise for your entire network.  The
intruder should have to walk a minefield of security where he has to be
perfect in finding a hole in each layer while avoiding any and all
detectors, traps, and alarms.

        I'm tired of the situation where all an intruder has to do is to
find one hole in your defenses and you're toast.  Anytime anyone says, all
we have to do is fix our security "here" and we're safe, I get worried.
There are no cure-all quick fixes at the host or at the network.  The
solution has to be comprehensive and include the human factor.  You have
to take stupid human tricks (viruses, covert channels,
misconfigurations, accidents) into account as well.  There are no final
solutions either.  There are just degrees of security and vigilance.

> Any network small and simple enough not to be crippled by a stateful
> network (i.e. one building with one internet connection, with no peering
> to other networks, with 100% trusted insiders (who know not to run
> dancing-baby2000.exe)) is simple enough to actually make secure.

        How does stateful filtering cripple a network????  I've got some
networks that have multiple /21's through a /19 supporting multiple T1's
to the main network (that still manage to saturate periodically) and
intra-enterprise VPN's.  That's not even counting our private address
subnets and NAT devices.  Several thousand hosts counts for a significant
sized network.  I haven't seen any crippling.  Do you have some
real world experience with this crippling or are you just making noise?

        Now I have seen proxy firewalls become a performance bottleneck
and cause problems like you describe.  Are you sure that you're not mixing
apples and oranges?

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
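The point Mike makes about FIN scans, Christmas-tree scans and UDP scanning can be made concrete with a small simulation. The Python below is an added example, not code from this thread or from any firewall product: it runs one constructed packet sequence through a stateless flag-matching policy and through a filter that keeps a connection table, and prints both verdicts for each packet. The stateless policy assumed here is the common pattern of the period (drop inbound connection-opening SYNs except to the permitted service, pass every other TCP segment, and accept inbound UDP from source port 53 so DNS answers can return); the addresses, ports and packets are constructed for the example.

```python
"""Toy packet-filter simulation: stateless flag matching vs. a stateful connection table.

Added example.  Addresses, ports, policies and packets are constructed for
illustration and do not come from any real capture or firewall configuration.
"""
from dataclasses import dataclass

INSIDE_HOST = "10.0.0.5"      # constructed address of a protected server
OUTSIDE_HOST = "192.0.2.9"    # constructed address of an external peer


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()    # TCP flag names, e.g. {"SYN"}
    inbound: bool = True              # True if arriving from the outside


def is_syn_only(pkt):
    """The one 'new connection' test a stateless filter can make from a single
    segment: SYN set with ACK and FIN clear (what the ipchains -y flag matched)."""
    return "SYN" in pkt.flags and not ({"ACK", "FIN"} & pkt.flags)


def stateless_filter(pkt):
    """Stateless policy (assumed): drop inbound connection attempts except to
    port 80, pass every other TCP segment because the device cannot tell a reply
    from a probe, and allow inbound UDP from source port 53 for DNS answers."""
    if not pkt.inbound:
        return "ACCEPT"
    if pkt.proto == "tcp":
        if is_syn_only(pkt) and pkt.dport != 80:
            return "DROP"
        return "ACCEPT"
    if pkt.proto == "udp":
        return "ACCEPT" if pkt.sport == 53 else "DROP"
    return "DROP"


class StatefulFilter:
    """Stateful policy: the same permitted service, but an inbound packet must
    either open an allowed connection (TCP SYN to port 80) or belong to a flow
    that an earlier packet already created."""

    def __init__(self):
        # flows keyed by (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.table = set()

    def _key(self, pkt):
        if pkt.inbound:
            return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def filter(self, pkt):
        key = self._key(pkt)
        if not pkt.inbound:
            self.table.add(key)        # outbound traffic creates the flow state
            return "ACCEPT"
        if key in self.table:
            return "ACCEPT"            # a reply to something the inside asked for
        if pkt.proto == "tcp" and is_syn_only(pkt) and pkt.dport == 80:
            self.table.add(key)
            return "ACCEPT"            # permitted new connection
        return "DROP"                  # FIN/Xmas probes, spoofed UDP "replies", ...


def compare(packets):
    """Run one packet sequence through both filters; return (packet, stateless, stateful)."""
    stateful = StatefulFilter()
    return [(p, stateless_filter(p), stateful.filter(p)) for p in packets]


# Constructed traffic: a legitimate web connection, a DNS query and its answer,
# then the kinds of probes the discussion mentions.
TRAFFIC = [
    Packet("tcp", OUTSIDE_HOST, 40000, INSIDE_HOST, 80, frozenset({"SYN"})),
    Packet("udp", INSIDE_HOST, 5353, OUTSIDE_HOST, 53, inbound=False),
    Packet("udp", OUTSIDE_HOST, 53, INSIDE_HOST, 5353),
    Packet("tcp", OUTSIDE_HOST, 40001, INSIDE_HOST, 22, frozenset({"FIN"})),                # bare FIN probe
    Packet("tcp", OUTSIDE_HOST, 40002, INSIDE_HOST, 22, frozenset({"FIN", "PSH", "URG"})),  # Xmas probe
    Packet("udp", OUTSIDE_HOST, 53, INSIDE_HOST, 161),                                      # UDP probe from port 53
]


def verdicts():
    """(stateless, stateful) verdict pairs for TRAFFIC, in order."""
    return [(s, f) for _, s, f in compare(TRAFFIC)]


if __name__ == "__main__":
    for pkt, stateless, stateful in compare(TRAFFIC):
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"flags={sorted(pkt.flags)} stateless={stateless} stateful={stateful}")
```

The first three packets pass both filters, so the legitimate service and the DNS lookup keep working. The last three show the difference: the stateless rule has no basis for rejecting a FIN-only or FIN/PSH/URG segment, or a UDP datagram that merely claims source port 53, so those reach the host and its RST or ICMP responses tell the prober which ports are open. The connection table drops all three because nothing inside asked for them.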
