Re: Firewall opinions wanted please

2004-03-16 Thread Gregory Taylor

PIX firewalls are great if you configure them correctly for the application.  40 or 
fewer servers may not require something as complex, however if the data you are 
protecting is super-critical, I think a PIX might be your best solution.

Proxy firewalls (i.e. Linux, BSD or variant gateways) are good if you're into doing an 
internal IP network with a NAT access point.  But remember, dealing with proxies, there 
is no such thing as a 'TRUE' transparent proxy, and having to go through all of the 
complexities of port forwarding, packet mangling, etc. might be too much if you are 
simply trying to firewall your web servers and whatnot.

As discussed in a previous thread, I spoke about transparent bridging used for packet 
filtering and mangling.  On a small application, that might be a good idea, because 
you get all of the true internet access (i.e. legit IPs, no proxying etc.) with the 
same ability to filter TCP, ICMP, UDP, IGMP etc. traffic.

Disadvantages to dealing with transparent bridging are that you run into the whole MAC 
address collision and excess over-head announcements being made from the bridge itself 
every time it sends a packet through.

The best option I guess is to figure out how important it is for you to have a 
firewall, what is the reason you need one and how important the data is on your 
servers.  That will help you decide the best choice for a firewall or proxy 
application.

Greg

-- Original Message --
From: Nicole <[EMAIL PROTECTED]>
Date:  Tue, 16 Mar 2004 14:27:16 -0800 (PST)

>
>
>
> Hi
> I am looking for a good but reasonably priced firewall for a 40 or so server
> site. Some people swear by Pix, others swear at it a lot. Also I have heard
>good things about Netscreen. Or any others you would recommend for protecting
>servers on a busy network. Don't really need anything with VPN just the
>standard http, ftp, ssh, https, type traffic up to 100mb throughput.
> From what I have heard a proxy firewall would be best? 
>
> 
>
> Thanks in advance!!
>
>
>  Nicole
>
>
>
>
>
>--
> |\ __ /|   (`\
> | o_o  |__  ) )   
>//  \\ 
>  -  [EMAIL PROTECTED]  -  Powered by FreeBSD  -
>--
> " Daemons" will now be known as "spiritual guides"
> -Politically Correct UNIX Page
>
>
>


RE: Firewall opinions wanted please

2004-03-16 Thread Burton, Chris

Depends on many aspects; performance, management, and logging
features. I personally recommend Checkpoint FW-1 Express for a smaller
site if you want easy configuration and a great logging interface;
though the pricing may not be what you are looking for.  Cisco PIX is
also great but the management and logging aspects in my opinion are not
up to par with Checkpoint on the lower price end (i.e. Without
investment in other management tools).  It goes back to what you and
anyone supporting the platform will be comfortable with.

Chris Burton
Network Engineer
Walt Disney Internet Group: Network Services








Re: Firewall opinions wanted please

2004-03-16 Thread Valdis Kletnieks
On Tue, 16 Mar 2004 14:27:16 PST, Nicole <[EMAIL PROTECTED]>  said:

>  From what I have heard a proxy firewall would be best? 

I'll go out on a limb here and say that the actual make and model of the
firewall don't matter anywhere *near* as much as a proper understanding on the
client's part of what a firewall can and can't do.

It can let you know when somebody's poking at your site.  But it can't do it on
its own, somebody *will* have to read the logs (even if you use a good
log-filtering package to trim out all the true noise).

It can't automagically secure your site.  All it takes is *one* laptop or VPN
connection to the "inside" from a compromised machine and you're history.

The most successful firewall installs I've encountered have invariably
considered the firewall not as a "prevention device" but as an "IDS with a bad
attitude". A firewall is *never* an acceptable substitute for proper end-host
security procedures - the end host *must* be fully prepared to deal with a
total breach of the firewall (remember - a firewall will never stop a
disgruntled employee).




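An added example, not code from Valdis's post or from anyone else in this thread: the "somebody will have to read the logs" step, written as a small Python triage pass that trims the known noise and flags the sources worth a human's attention. The log lines are constructed in the key=value format of the Linux iptables LOG target with a made-up "FW-DENY" prefix and documentation addresses; the noisy-port list and the scan/sweep thresholds are assumptions a site would tune to its own traffic.

```python
"""Triage of firewall deny logs: the step where somebody actually reads them.

Added example, not code from the thread.  Lines are in the format of the
Linux iptables LOG target (a syslog line carrying key=value fields such as
SRC=, DST=, PROTO=, DPT=).  The "FW-DENY" prefix, hostnames and addresses are
constructed for this example.
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample, not captured traffic: one source probing six ports on
# one server, one source hitting the same port on three servers, NetBIOS
# broadcast noise, a lone ping, and an unrelated sshd line.
SAMPLE_LOG = """\
Mar 16 14:27:16 gw kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=41020 DPT=21 SYN
Mar 16 14:27:16 gw kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=41021 DPT=22 SYN
Mar 16 14:27:16 gw kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=41022 DPT=23 SYN
Mar 16 14:27:17 gw kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=41023 DPT=25 SYN
Mar 16 14:27:17 gw kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=41024 DPT=3306 SYN
Mar 16 14:27:17 gw kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=41025 DPT=8080 SYN
Mar 16 14:28:02 gw kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.10 PROTO=TCP SPT=6000 DPT=1433 SYN
Mar 16 14:28:02 gw kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.11 PROTO=TCP SPT=6001 DPT=1433 SYN
Mar 16 14:28:02 gw kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.12 PROTO=TCP SPT=6002 DPT=1433 SYN
Mar 16 14:28:10 gw kernel: FW-DENY IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.255 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 16 14:28:11 gw kernel: FW-DENY IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.255 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 16 14:28:12 gw kernel: FW-DENY IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.255 PROTO=UDP SPT=138 DPT=138 LEN=201
Mar 16 14:28:30 gw kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0
Mar 16 14:29:00 gw sshd[2117]: Accepted publickey for nicole from 198.51.100.2 port 50113 ssh2
"""


def parse_line(line, prefix="FW-DENY"):
    """Return the interesting fields of one deny line as a dict, or None if
    the line does not carry the deny prefix (anything else in syslog)."""
    marker = f"kernel: {prefix} "
    idx = line.find(marker)
    if idx < 0:
        return None
    fields = dict(FIELD_RE.findall(line[idx + len(marker):]))
    if not {"SRC", "DST", "PROTO"} <= fields.keys():
        return None
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"],
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,  # ICMP has none
    }


def triage(lines, noisy_ports=frozenset({137, 138, 1900}),
           scan_ports=5, sweep_hosts=3):
    """Trim noise, then flag port scans (one source, many ports) and sweeps
    (one source, one port, many hosts).  Thresholds are assumptions."""
    ports_by_src = defaultdict(set)        # src -> distinct destination ports
    hosts_by_src_port = defaultdict(set)   # (src, dpt) -> distinct destinations
    denies_by_src = defaultdict(int)
    noise = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["dpt"] in noisy_ports:       # broadcast chatter nobody will act on
            noise += 1
            continue
        denies_by_src[ev["src"]] += 1
        if ev["dpt"] is not None:
            ports_by_src[ev["src"]].add(ev["dpt"])
            hosts_by_src_port[(ev["src"], ev["dpt"])].add(ev["dst"])
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= scan_ports)
    sweepers = sorted({s for (s, _), h in hosts_by_src_port.items()
                       if len(h) >= sweep_hosts})
    return {"scanners": scanners, "sweepers": sweepers,
            "noise_dropped": noise, "denies_by_source": dict(denies_by_src)}


def report(result):
    """The short summary an operator would actually read."""
    out = [f"noise dropped: {result['noise_dropped']}"]
    out += [f"PORTSCAN from {s}" for s in result["scanners"]]
    out += [f"SWEEP from {s}" for s in result["sweepers"]]
    for src, n in sorted(result["denies_by_source"].items(), key=lambda kv: -kv[1]):
        out.append(f"{src}: {n} denied")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG.splitlines())))
```

The noise filter runs before counting on purpose: the NetBIOS broadcasts would otherwise be the busiest "source" in the summary and bury the two entries that matter.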

Re: Firewall opinions wanted please

2004-03-16 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, Valdis Kletnieks <[EMAIL PROTECTED]> writes:
>
>On Tue, 16 Mar 2004 14:27:16 PST, Nicole <[EMAIL PROTECTED]>  said:
>
>>  From what I have heard a proxy firewall would be best? 
>
>I'll go out on a limb here and say that the actual make and model of the
>firewall don't matter anywhere *near* as much as a proper understanding on the
>client's part of what a firewall can and can't do.

You're not going out on a limb; you're absolutely right, and I've been 
saying that for years.  I'll quote myself:

   Although firewalls are a useful part of a network security
   program, they are not a panacea. When managed properly, they
   are useful, but they will not do everything. If
   firewalls are used improperly, the only thing they buy you
   is a false sense of security.

Beyond that, different security policies have a much greater impact 
than different brands or types of firewalls.  

--Steve Bellovin, http://www.research.att.com/~smb




Re: Firewall opinions wanted please

2004-03-17 Thread Rachael Treu

Netscreen rocks.  They are record-breakingly sexy devices running the gamut
as far as networks they can be configured to service, and the burlier beasties
are easily worthy of deployment on a carrier class network.

However, if you're looking to drop small change on a product that will not
be required to withstand the rigors of VPN termination, HA, VRRP, blah
blah blah, and you are trying to cover basic, fundamental firewalling
(port filtering is a very base feature and should open the doors to many
other vendors if that's truly the brunt of what you are trying to achieve),
then take a gander at PIX.  Or even Raptor or Checkpoint.  All 3 are old
standbys that have seen their days being equally celebrated as leaders 
and mourned as losers.

boa sorte,
--ra

-- 
k. rachael treu, CISSP   [EMAIL PROTECTED]
..quis costodiet ipsos custodes?..





Re: Firewall opinions wanted please

2004-03-17 Thread Rachael Treu

On Tue, Mar 16, 2004 at 05:01:22PM -0600, Gregory Taylor said something to the effect 
of:
..snip snip.. 
> As discussed in a previous thread, I spoke about transparent bridging used for 
> packet filtering and mangling.  On a small application, that might be a good idea, 
> because you get all of the true internet access (i.e. legit IPs, no proxying etc.) 
> with the same ability to filter TCP, ICMP, UDP, IGMP etc. traffic.
> 
> Disadvantages to dealing with transparent bridging is that you run into the whole 
> MAC address collision and excess over-head announcements being made from the bridge 
> itself every time it sends a packet through.
> 
> The best option I guess is to figure out how important it is for you to have a 
> firewall, 

_Everyone_ (network connected) should have a firewall.  My grandma should 
have a firewall.  Nicole, holding dominion over this business network and 
its critical infrastructure, should _definitely_ have a firewall.  ;)

Curses.  Budget constraints.  Bah.

>what is the reason you need one and how important the data is on your servers.  That 
>will help you decide the best choice for a firewall or proxy application.

See above.  ;)

The importance of the data is often more an issue of calculating things 
like redundancy and storage.  A firewall in this case should likely be 
regarded as non-negotiable.

Be careful with transparent bridging in lieu of stricter edge filtering...
Also consider the efficacy and reward of firewall logs, application layer
filtering, and IDS integration (in a budget-friendly, open source flavor
of free...) down the road.

ymmv,
--ra

-- 
k. rachael treu, CISSP   [EMAIL PROTECTED]
..quis costodiet ipsos custodes?..





Re: Firewall opinions wanted please

2004-03-17 Thread bill

> > The best option I guess is to figure out how important it is for you to have a 
> > firewall, 
> 
> _Everyone_ (network connected) should have a firewall.  My grandma should 
> have a firewall.  Nicole, holding dominion over this business network and 
> its critical infrastructure, should _definitely_ have a firewall.  ;)
> 
Why?  When did the end2end nature of the Internet suddenly
sprout these mutant bits of extra complexity that reduce
the overall security of the 'net?  

Two questions asked, two answers are sufficient.

--bill


Re: Firewall opinions wanted please

2004-03-17 Thread Rachael Treu

On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
> > > The best option I guess is to figure out how important it is for you to have a 
> > > firewall, 
> > 
> > _Everyone_ (network connected) should have a firewall.  My grandma should 
> > have a firewall.  Nicole, holding dominion over this business network and 
> > its critical infrastructure, should _definitely_ have a firewall.  ;)
> > 
>   Why?  When did the end2end nature of the Internet suddenly
>   sprout these mutant bits of extra complexity that reduce
>   the overall security of the 'net?  
> 
>   Two questions asked, two answers are sufficient.

Nope.  One will do it.  The day the first remote exploit or condition, 
in protocol or application, that could potentially have given rise to such
an exploit made it possible for a user not in your control to gain control 
of your box(en), firewalling became necessary.  The Internet is not exactly 
end-to-end beyond pure fundamentals; it's more end-to-many-ends.  And the 
notion of "end-to-end" requires preservation of a connection between 2 
consenting hosts, and preservation includes securement of that connection 
against destructive mechanisms, which includes the subversive techniques and 
interceptions commonly associated with network security.  

Denial of Service is as much a threat to availability and network 
functionality as is power outage if it occurs.  Before this turns to a "you 
security freaks want to screw around with my network and don't care about 
availability..."

Firewalls are logical interventions, costing as little as some processor
overhead.  Dedicated appliances are only one deployment.  Filters on 
routers also qualify as firewalls.  Am I correct in understanding that you
feel edge filtering is mutant lunacy and unnecessary complexity?

Regarding dedicated firewalls, please see Mr. Bellovin's previous post 
regarding appropriate and competent administration.  The lack thereof 
presents the complication, not the countermeasure itself.

As for your assertion that firewalls "reduce the overall security of the 
'net."...can you please elaborate on that, as well?  Other factions might/do
argue that it's the other team refusing to lock their doors at night that
are perpetuating the flux of bad behavior as a close second to the ignorant
and infected.

--ra

-- 
k. rachael treu, CISSP   [EMAIL PROTECTED]
..quis costodiet ipsos custodes?..
> 
> --bill




Re: Firewall opinions wanted please

2004-03-17 Thread Michael Dillon

>> _Everyone_ (network connected) should have a firewall. 

>Why? 

Every network-connected device should have a security layer.
Firewalls provide a nice modular security layer and they
are cheap compared to the devices/networks that they protect.

> When did the end2end nature of the Internet suddenly
>sprout these mutant bits of extra complexity that reduce
>the overall security of the 'net? 

The security issue has always been there. You can either
build security into the network or into the endpoints.
Given that the Internet model is to keep complexity
out of the network and in the endpoints, the next
question is for site administrators to ask themselves,
do I manage *MY* network, like the Internet, or do
I manage it like an endpoint? If the answer is to
treat it as an endpoint, then it is quite appropriate
to install a firewall as a gateway between the network
and the Internet.

Consider that many endpoints in today's world now
encapsulate networks within a single physical
device. Routers, switches, cellphones, cars and
any embedded device using I2C. Just as the distinction
between a router and a switch has been blurred by
the advance of technology, so too has the distinction
between an endpoint and a network.

--Michael Dillon






Re: Firewall opinions wanted please

2004-03-17 Thread Eric Gauthier

> > _Everyone_ (network connected) should have a firewall.  My grandma should 
> > have a firewall.  Nicole, holding dominion over this business network and 
> > its critical infrastructure, should _definitely_ have a firewall.  ;)

By "firewall", do you mean "dedicated unit that does stateful filtering"
or just "something that will block packets"?  We've successfully argued
to just about every group here at our University who came to us asking for a 
"firewall" that, given what they wanted to achieve, they could accomplish the 
same thing with simple ACLs...  

I'm sure that the cost of the ACL's (i.e. $0.00) versus the cost of a firewall 
also helped them in their decision...

Eric :)

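An added example, not Eric's code or anything else from the thread: a Python model of the distinction his question turns on, a stateless router ACL versus a stateful filter, run over the kind of traffic Nicole described (http/https in, replies out). The ACL is modelled on the semantics of a Cisco-style extended access list, where the `established` keyword matches any TCP segment with the ACK or RST bit set and knows nothing about whether a session exists; the server address is a constructed documentation address and the packet sequence is made up for the comparison.

```python
"""Stateless ACL versus stateful filtering, as a model.

Added example, not code from the thread.  The ACL mirrors the semantics of a
Cisco-style extended access list applied inbound on the router:
    permit tcp any host <web> eq 80
    permit tcp any host <web> eq 443
    permit tcp any any established      <- matches ACK or RST bit, no state
    deny   ip  any any
The server address is a constructed documentation address.
"""
from dataclasses import dataclass

SERVERS = {"198.51.100.10"}     # constructed: the public web server
SERVICE_PORTS = {80, 443}       # what should be reachable from outside


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = from the Internet, "out" = from our servers
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}


def stateless_acl(pkt):
    """Router ACL verdict.  Only inbound traffic is filtered."""
    if pkt.direction == "out":
        return True
    if pkt.dst in SERVERS and pkt.dport in SERVICE_PORTS:
        return True
    # 'established': the router cannot know whether a session exists, so it
    # trusts the flag bits.  Any ACK- or RST-bearing segment gets through,
    # including a bare ACK probe at a port the ACL is supposed to close.
    return "ACK" in pkt.flags or "RST" in pkt.flags


class StatefulFilter:
    """Minimal connection tracker: a segment is allowed only if it opens a
    permitted session (inbound SYN to a service port, or any outbound SYN)
    or belongs to a session already seen.  Sessions are keyed on the
    initiator's (src, sport, dst, dport)."""

    def __init__(self):
        self.sessions = set()

    def _known(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return fwd in self.sessions or rev in self.sessions

    def allow(self, pkt):
        opens = "SYN" in pkt.flags and "ACK" not in pkt.flags
        if opens:
            if pkt.direction == "out" or (pkt.dst in SERVERS and pkt.dport in SERVICE_PORTS):
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return False
        ok = self._known(pkt)
        if ok and "RST" in pkt.flags:          # teardown: forget the session
            self.sessions.discard((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            self.sessions.discard((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return ok


def compare(packets):
    """Run one packet sequence through both filters, in order.
    Returns {label: (acl_verdict, stateful_verdict)}."""
    sf = StatefulFilter()
    return {label: (stateless_acl(p), sf.allow(p)) for label, p in packets}


F = frozenset
WEB = "198.51.100.10"
# Constructed sequence: a normal web session, an outbound mail connection
# and its reply, then two probes at port 22 (a SYN and a bare ACK).
SCENARIO = [
    ("client SYN to web:80",        Packet("in",  "203.0.113.5", 40000, WEB, 80, F({"SYN"}))),
    ("web SYN/ACK back to client",  Packet("out", WEB, 80, "203.0.113.5", 40000, F({"SYN", "ACK"}))),
    ("client data ACK to web:80",   Packet("in",  "203.0.113.5", 40000, WEB, 80, F({"ACK"}))),
    ("web SYN out to mail relay",   Packet("out", WEB, 51000, "203.0.113.200", 25, F({"SYN"}))),
    ("relay SYN/ACK back to web",   Packet("in",  "203.0.113.200", 25, WEB, 51000, F({"SYN", "ACK"}))),
    ("stranger SYN to web:22",      Packet("in",  "203.0.113.66", 55555, WEB, 22, F({"SYN"}))),
    ("stranger bare ACK to web:22", Packet("in",  "203.0.113.66", 55556, WEB, 22, F({"ACK"}))),
]

if __name__ == "__main__":
    for label, (acl, st) in compare(SCENARIO).items():
        print(f"{label:30s} ACL={'permit' if acl else 'deny':6s} stateful={'permit' if st else 'deny'}")
```

The two filters agree on everything except the last packet: the ACL's `established` clause lets a bare ACK to port 22 reach the server, which is enough to learn whether the host is up and what it answers with, while the stateful filter drops it because no session exists. For Eric's "simple ACLs" to be the same thing as a firewall, that is the case the group asking has to be comfortable with.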

Re: Firewall opinions wanted please

2004-03-17 Thread Kevin Oberman

> Date: Wed, 17 Mar 2004 11:57:33 -0600
> From: Rachael Treu <[EMAIL PROTECTED]>
> Sender: [EMAIL PROTECTED]
> 
> 
> On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
> > > > The best option I guess is to figure out how important it is for you to have a 
> > > > firewall, 
> > > 
> > > _Everyone_ (network connected) should have a firewall.  My grandma should 
> > > have a firewall.  Nicole, holding dominion over this business network and 
> > > its critical infrastructure, should _definitely_ have a firewall.  ;)
> > > 
> > Why?  When did the end2end nature of the Internet suddenly
> > sprout these mutant bits of extra complexity that reduce
> > the overall security of the 'net?  
> > 
> > Two questions asked, two answers are sufficient.
> 
> Nope.  One will do it.  The day the first remote exploit or condition, 
> in protocol or application, that could potentially have given rise to such
> an exploit made it possible for a user not in your control to gain control 
> of your box(en), firewalling became necessary.  The Internet is not exactly 
> end-to-end beyond pure fundamentals; it's more end-to-many-ends.  And the 
> notion of "end-to-end" requires preservation of a connection between 2 
> consenting hosts, and preservation includes securement of that connection 
> against destructive mechanisms, which includes the subversive techniques and 
> interceptions commonly associated with network security.  
> 
> Denial of Service is as much a threat to availability and network 
> functionality as is power outage if it occurs.  Before this turns to a "you 
> security freaks want to screw around with my network and don't care about 
> availability..."
> 
> Firewalls are logical interventions, costing as little as some processor
> overhead.  Dedicated appliances are only one deployment.  Filters on 
> routers also qualify as firewalls.  Am I correct in understanding that you
> feel edge filtering is mutant lunacy and unnecessary complexity?
> 
> Regarding dedicated firewalls, please see Mr. Bellovin's previous post 
> regarding appropriate and competent administration.  The lack thereof 
> presents the complication, not the countermeasure itself.
> 
> As for your assertion that firewalls "reduce the overall security of the 
> 'net."...can you please elaborate on that, as well?  Other factions might/do
> argue that it's the other team refusing to lock their doors at night that
> are perpetuating the flux of bad behavior as a close second to the ignorant
> and infected.

I dislike firewalls for many applications, although I have a Sonic Wall
on my cable modem. On the whole, they lead to a false belief that
firewalls really make you safe. They also block many interesting
applications. Things like H.323 conferencing are made vastly more
complex by firewalls with no easy or canned work-arounds.

One large research site I work closely with has directly opted for IDS
with a bad attitude (love that description) which has successfully
blocked many intrusion and DOS attempts with no major failures. Slammer
did overwhelm it, but it did the same for most everything.

The end-to-end nature of the net is really, really important, but is
being blocked more and more by those who think the net is web browsing
and e-mail clients and that everything else is simply an annoyance. This
attitude is hamstringing network development already and may end up
turning the commercial Internet into a permanently limited tool with
fewer real capabilities than the ARPANET had before TCP/IP replaced NCP.

Grandma may need a firewall. (My sister DEFINITELY needs one.)  But not
all network connections need or will benefit from a firewall. And many
systems will exist with significant security flaws because the owners
believe that the firewall takes care of everything.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [EMAIL PROTECTED]   Phone: +1 510 486-8634


Re: Firewall opinions wanted please

2004-03-17 Thread bill

> 
> 
> On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
> > > > The best option I guess is to figure out how important it is for you to have a 
> > > > firewall, 
> > > 
> > > _Everyone_ (network connected) should have a firewall.  My grandma should 
> > > have a firewall.  Nicole, holding dominion over this business network and 
> > > its critical infrastructure, should _definitely_ have a firewall.  ;)
> > > 
> > Why?  When did the end2end nature of the Internet suddenly
> > sprout these mutant bits of extra complexity that reduce
> > the overall security of the 'net?  
> > 
> > Two questions asked, two answers are sufficient.
> 
> Nope.  One will do it.  The day the first remote exploit or condition, 
> in protocol or application, that could potentially have given rise to such
> an exploit made it possible for a user not in your control to gain control 
> of your box(en), firewalling became necessary.  

Ah, so back in 1979.  Three (well, two and a half, roughly)
decades between making fundamental design choices on how 
protocols vs folks trying to do the right thing in the wrong
place.

> The Internet is not exactly 
> end-to-end beyond pure fundamentals; it's more end-to-many-ends.  And the 
> notion of "end-to-end" requires preservation of a connection between 2 
> consenting hosts, and preservation includes securement of that connection 
> against destructive mechanisms, which includes the subversive techniques and 
> interceptions commonly associated with network security.  

Here we have some disagreement.  Network Security is protecting
the infrastructures ability to deliver bits and has nothing to
do w/ end systems per se.

> Firewalls are logical interventions, costing as little as some processor
> overhead.  Dedicated appliances are only one deployment.  Filters on 
> routers also qualify as firewalls.  Am I correct in understanding that you
> feel edge filtering is mutant lunacy and unnecessary complexity?

Please include the OPEX costs. And you have ignored the 
IAB plea for having filtering done as a temporary expedient
as a way to encourage new application/feature development.
And yes, the need to perform edge filtering is symptomatic of
a cultural problem. We have sociopaths in the community that
drive normally sane people to do perverse things.

So yes, mutant lunacy and unDESIRABLE complexity.

> Regarding dedicated firewalls, please see Mr. Bellovin's previous post 
> regarding appropriate and competent administration.  The lack thereof 
> presents the complication, not the countermeasure itself.

Amen.  See above.  From a systems perspective, adding yet
one more level of management/administration decreases the
efficiency and robustness of the overall system.  From a
"security" perspective, another attack point!

> As for your assertion that firewalls "reduce the overall security of the 
> 'net."...can you please elaborate on that, as well?  Other factions might/do
> argue that it's the other team refusing to lock their doors at night that
> are perpetuating the flux of bad behavior as a close second to the ignorant
> and infected.

See above.
> 
> --ra
> 
> -- 
> k. rachael treu, CISSP   [EMAIL PROTECTED]
> ..quis costodiet ipsos custodes?..
> > 
> > --bill
> 
> 



RE: Firewall opinions wanted please

2004-03-17 Thread Matt Ryan

Depending on your chosen vendor the ACL cost is unlikely to be $0 - if you
steal CPU cycles from packet forwarding then you incur earlier router
upgrade costs and that has a NPV cost increase associated with it. It's just
not as obvious as an invoice for a firewall.


Matt.




Re: Firewall opinions wanted please

2004-03-17 Thread Alexei Roudnev

Not _firewalling_, but access limitation. Grandma can live with a PNAT
router; she does not need any firewall if she does not grant external access
to anything. She can live with the Windows _default deny_ setting.  If grandma
has extra money, it is better to purchase anti-virus.

Moreover, just for _grandma_, it can be cheaper to do nothing than to invest
in security (a bad thing for us, I know!), because she loses '$0' in case
of intrusion... It explains the wide spread of modern viruses, spam-trojans etc.
(they cost '$0' to infected households in many cases).

It is as with wireless access: my friend has a secured access point, but when I
tried, I could use the unsecured access points of two of his neighbours.
They know about the insecurity, but they do not lose anything, so they do not
want to spend $0.01 to improve it. And unfortunately, I cannot blame them.





Re: Firewall opinions wanted please

2004-03-17 Thread Rachael Treu

On Wed, Mar 17, 2004 at 02:01:59PM -0500, Matthew Silvey said something to the effect 
of:
> On Wed, Mar 17, 2004 at 11:57:33AM -0600, Rachael Treu wrote:
> > 
> > As for your assertion that firewalls "reduce the overall security of the 
> > 'net."...can you please elaborate on that, as well?  Other factions might/do
> > argue that it's the other team refusing to lock their doors at night that
> > are perpetuating the flux of bad behavior as a close second to the ignorant
> > and infected.
> > 
> 
> 
> to extend an abstraction:
> 
> these factions are arguing about the lock on the door, but it is the door
> that is important. it is a feature of the house, a means of entering and   
> exiting. if you argue that all doors must have a lock then you can no longer
> have the freedom of design and creation to decide whether your house will
> have a door for pigeons, hamster, cats, or humans without deciding how each
> specific door can be accessed by each specific creature.

By that rationale, why must any houses have doors at all?  

Further, your analogy doesn't, I feel, hold water in this case.
Let's reverse that portion of said abstraction.  I said all doors must
have locks and all edges filters.  I did not expound upon to what extent
those edges are filtered.  Saying that the doors must be locked does not
have anything to do with whether the doors are for pigeons, hamster, cats, 
or humans...  Access control balances this equation.  You can lock a 
pigeon door with a key that the pigeon can bear and the hamster...

Okay...this is getting absurd.  Let's revert to netspeak.  :)

Access control. 

"if you argue that all doors must have a lock then you can no longer
have the freedom of design and creation to decide whether your house will
have a door for pigeons, hamster, cats, or humans without deciding how each
specific door can be accessed by each specific creature."
  
Exactly.  Absolutely!  What is wrong with that?  That is my point.  

This is not an "information wants to be free" argument, guys.  You have a 
network connection, you have a responsibility to ensure that you manage
your risks and also that you do not enable it to be used to harm others.

You build a corporate intranet server and I want to get into it.  Are you 
going to let me?  Or are you going to design it with the intent that only 
corporate hamsters...er...employees can access that specific door.  How 
about your home network?  Mind if I do a little recon and raid your personal 
systems for password and personal info harvesting?  Do you _use_ passwords, 
for that matter?  If the argument is really about a means of entering and 
exiting and not locking or restricting access, then why bother?  Do you
lock the front door to your house?

These wide-swinging doors of which you speak are not practical in terms
of government intelligence.  Or physical border control.  If your doors--
which given what you are describing are actually doorless doorways and more 
closely resemble gaping maws--were appropriate edge deployments, then guards 
should drop from perimeter and border walls, passwords should come off 
machines, encryption should die, ATM PINs should be decommissioned, and so 
on and so forth.  Inarguably people complain that passwords are annoying to
maintain and enter and that firewalls are in the way a lot of the time.  
Thankfully, many of those complaining are outsiders and intruders that 
shouldn't be getting in, too.  I imagine that vehicle thieves find door locks
to be a bit of an impairment to their livelihood, too.

This is about access control.  Not everything out there is meant to be
collected and used by everyone else.  Why do you have doors?  So that 
people can get in.  Why do you lock them?  So that only the appropriate
people can.  The tenet of effective network security is to make the 
holes punched into a network small enough to prevent unauthorized access,
but not so small that functionality is impaired.  

It is the goal of security engineers (the decent ones at least) to 
determine how things like access controls can best serve and protect, 
interoperate with, and withstand the rigors of the network, not the other 
way around.  Now...how is it that a firewall deployed to protect the 
deployer's network is crushing the fundamental network purism or kills 
our inner rogue or pens in our data (free range packets, anyone?)  These
methodologies are not conjured up in order to irritate those managing
the movement of traffic (legitimately).  This is about flow control of 
payload, as are stoplights and turnstiles and credit card companies asking
for your mother's maiden name and photo IDs and taking a number at the 
butcher or DMV...

> if you're selling services that consist of pushing http/dns/smtp/pop3 traffic 
> then you have a much easier time inserting and using any kind of filtering
> system. but if your preventative system stifles the development of new 
> applications then you have a losing situation. any kind of f

Re: Firewall opinions wanted please

2004-03-17 Thread Petri Helenius
Rachael Treu wrote:

> _Everyone_ (network connected) should have a firewall. My grandma should
> have a firewall.  Nicole, holding dominion over this business network and 
> its critical infrastructure, should _definitely_ have a firewall.  ;)

No, the applications should accept only authorized connections. If that 
would be the case, there would be no need to filter at packet level.

Pete



Re: Firewall opinions wanted please

2004-03-17 Thread Rachael Treu

Guys...firewall is as generic a term as any.  Saying grandma needs a 
router does not mean that an M20 is interchangeable with her Linksys.

The definition of firewall[1]:
1. A fireproof wall used as a barrier to prevent the spread of fire. 
2. Computer Science. Any of a number of security schemes that prevent unauthorized 
users from gaining access to a computer network or that monitor transfers of 
information to and from the network. 

By that rationale, firewall includes ACLs, filtering, and the umpteen
built-in apps that ship standard with home CPE/routers that _call
themselves_ firewall software.

I am absolutely talking access control.  Not about an HA Netscreen500
pair with VRRP off redundant switch fabric and H.323 support. 

As for your cost commentary, you are absolutely right.  I said grandma
needs a firewall, not that she has one or will buy one.  That is the
unfortunate disparity between prudence and practical application.

--ra

[1]http://dictionary.reference.com/search?q=firewall

-- 
k. rachael treu, CISSP   [EMAIL PROTECTED]
..quis costodiet ipsos custodes?..

On Wed, Mar 17, 2004 at 11:19:54AM -0800, Alexei Roudnev said something to the effect 
of:
> Not _firewalling_, but access limitation. Grandma can live with PNAT
> router - she do not need any firewall, if she do not grant external access
> to anything. She can live with Windows  _default deny_ setting.  If grandma
> have extra money, it is better to purchase anty-virus.
> 
> Moreover. Just for _ghrandma_, it can be cheaper do nothing than to invest
> into security (bad  thing for us, I know!) - because she lost '$0' in case
> of intrusion... It explains shidespread of modern viruses, spam-trojans etc
> (they cost '$0' to infected households in many cases).
> 
> It is as Wireless access - my friend have secured access point, but when I
> tried, I could use unsecured access points of 2 his neighbourths.
> They know abouth insecurity - but they do not lost anything, so they do not
> want to spend $0.01 to improve it. And unfortunately, I can not blame them.
> 
> 
> >
> > On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the
> effect of:
> > > > > The best option I guess is to figure out how important it is for you
> to have a firewall,
> > > >
> > > > _Everyone_ (network connected) should have a firewall.  My grandma
> should
> > > > have a firewall.  Nicole, holding dominion over this business network
> and
> > > > its critical infrastructure, should _definitely_ have a firewall.  ;)
> > > >
> > > Why?  When did the end2end nature of the Internet suddenly
> > > sprout these mutant bits of extra complexity that reduce
> > > the overall security of the 'net?
> > >
> > > Two questions asked, Two answers are sufficent.
> >
> > Nope.  One will do it.  The day the first remote exploit or condition,
> > in protocol or application, that could potentially have given rise to such
> > and exploit made it possible for a user not in your control to gain
> control
> > of your box(en), firewalling became necessary.  Then Internet is not
> exactly
> > end-to-end beyond pure fundamentals; it's more end-to-many-ends.  And the
> > notion of "end-to-end" requires preservation of a connection between 2
> > consenting hosts, and preservation includes securement of that connection
> > against destructive mechanisms, which includes the subversive techniques
> and
> > intercetptions commonly associated with network security.
> >
> > Denial of Service is as much a threat to availability and network
> > functionality as is power outage if it occurs.  Before this turns to a
> "you
> > security freaks want to screw around with my network and don't care about
> > availability..."
> >
> > Firewalls are logical interventions, costing as little as some processor
> > overhead.  Dedicated appliances are only one deployment.  Filters on
> > routers also qualify as firewalls.  Am I correct in understanding that you
> > feel edge filtering is mutant lunacy and unnecessary complexity?
> >
> > Regarding dedicated firewalls, please see Mr. Bellovin's previous post
> > regarding appropriate and competent administration.  The lack thereof
> > presents the complication, not the countermeasure itself.
> >
> > As for your assertion that firewalls "reduce the overall security of the
> > 'net."...can you please elaborate on that, as well?  Other factions
> might/do
> > argue that it's the other team refusing to lock their doors at night that
> > are perpetuating the flux of bad behavior as a close second to the
> ignorant
> > and infected.
> >
> > --ra
> >
> > -- 
> > k. rachael treu, CISSP   [EMAIL PROTECTED]
> > ..quis costodiet ipsos custodes?..
> > >
> > > --bill
> >
> >




Re: Firewall opinions wanted please

2004-03-17 Thread Rachael Treu


"Firewall" refers to access control.  Firewall appliances are dedicated
machines that perform firewall functions.

ACLs on many router platforms are called firewalls.  Juniper calls them
"firewall filters."

My personal context was covered in a reply I sent earlier in this thread
that read:

"Firewalls are logical interventions, costing as little as some processor
overhead.  Dedicated appliances are only one deployment.  Filters on
routers also qualify as firewalls."  

So...I don't disagree with you at all...

--ra

On Wed, Mar 17, 2004 at 06:33:54PM -, Matt Ryan said something to the effect of:
> 
> Depending on your chosen vendor the ACL cost is unlikely to be $0 - if you
> steal CPU cycles from packet forwarding then you incur earlier router
> upgrade costs and that has a NPV cost increase associated with it. It's just
> not as obvious as a invoice for a firewall.
> 
> 
> Matt.
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Eric Gauthier
> Sent: 17 March 2004 17:20
> To: [EMAIL PROTECTED]
> Subject: Re: Firewall opinions wanted please
> 
> 
> 
> > > _Everyone_ (network connected) should have a firewall.  My grandma
> should 
> > > have a firewall.  Nicole, holding dominion over this business network
> and 
> > > its critical infrastructure, should _definitely_ have a firewall.  ;)
> 
> By "firewall", do you mean "dedicated unit that does statefull filtering"
> or just "something that will block packets"?  We've successfully argued
> to just about every group here at our University who came to us asking for a
> 
> "firewall" that, given what they wanted to achieve, they could accomplish
> the 
> same thing with simple ACLs...  
> 
> I'm sure that the cost of the ACL's (i.e. $0.00) versus the cost of a
> firewall 
> also helped them in their decision...
> 
> Eric :)
> 

-- 
rachael treu   [EMAIL PROTECTED]
..quis costodiet ipsos custodes?..



Re: Firewall opinions wanted please

2004-03-17 Thread Erik Haagsman

On Wed, 2004-03-17 at 21:02, Petri Helenius wrote:
> No, the applications should accept only authorized connections. If that 
> would be the case, there would be no need to filter at packet level.

No, since this would be assuming that each application is perfect and
there's no such thing as buffer overflows and other software bugs
(including those in authentication routines). A firewall is an extra
line of defence in preventing malicious packets from reaching the
destination app and the more people have one the better (although I'm
not sure whether grandma would be too bothered)
It's not bulletproof (and could potentially contain a bug itself) but it
provides additional security, regardless of authentication of
connections.



-- 
---
Erik Haagsman
Network Architect
We Dare BV
tel: +31.10.7507008
fax: +31.10.7507005
http://www.we-dare.nl






Re: Firewall opinions wanted please

2004-03-17 Thread Rachael Treu

On Wed, Mar 17, 2004 at 12:19:53PM -0500, Eric Gauthier said something to the effect 
of:
> 
> > > _Everyone_ (network connected) should have a firewall.  My grandma should 
> > > have a firewall.  Nicole, holding dominion over this business network and 
> > > its critical infrastructure, should _definitely_ have a firewall.  ;)
> 
> By "firewall", do you mean "dedicated unit that does statefull filtering"

No.

> or just "something that will block packets"?  We've successfully argued
> to just about every group here at our University who came to us asking for a 
> "firewall" that, given what they wanted to achieve, they could accomplish the 
> same thing with simple ACLs...  

  fire'wall
1. A fireproof wall used as a barrier to prevent the spread of fire. 
2. Computer Science. Any of a number of security schemes that prevent unauthorized 
users from gaining access to a computer network or that monitor transfers of 
information to and from the network. 
> 
> I'm sure that the cost of the ACL's (i.e. $0.00) versus the cost of a firewall 
> also helped them in their decision...

This is just a semantic issue.  I am putting any packet-level inspection
engine deployed as an access control means into the category of "firewall."
The confusion here would be akin to my retorting with "how on earth are 
deploying lists of system object access rights going to protect a network
edge?"  ;)  ACL has alternate meanings, as well[1].

A sample of what some vendors call some things:

Cisco: router packet-level access control = ACL
Microsoft: OS object permissioning schema = ACL
Linksys: router packet-level access control = firewall
Juniper: router packet-level access control = firewall filter

:)

*,
--ra
[1]http://whatis.techtarget.com/definition/0,289893,sid9_gci213757,00.html

-- 
k. rachael treu, CISSP   [EMAIL PROTECTED]
..quis costodiet ipsos custodes?..

> 
> Eric :)




Re: Firewall opinions wanted please

2004-03-17 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, Petri Helenius writes:
>No, the applications should accept only authorized connections. If that 
>would be the case, there would be no need to filter at packet level.

No.  Quite apart from the fact that you mean "authorized", not 
"authenticated", the primary purpose of a firewall is to keep the bad 
guys away from the buggy code.  Firewalls are the networks' response to 
the host security problem.

Put in a NANOG-friendly way, they're a scalable security mechanism 
that can *help* defend you.  Think of the endorsement on most tubes of 
(American) toothpaste:

   ... has been shown to be an effective decay-preventive
   dentifrice that can be of significant value when used as directed
   in a conscientiously applied program of oral hygiene and
   regular professional care.

If all you want to do is say "no" to all incoming connections on a 
single machine, you don't need a separate box labeled "firewall" 
-- assuming, of course, that your host is properly configured.  Most 
systems aren't configured that way; worse yet, it takes a lot of 
knowledge to understand how to block things, and when it's ok to do so.
(It's an amusing exercise to run ZoneAlarm on a new, out-of-the box 
Windows machine and see how many different programs think they need to 
talk to the network, or (worse yet) act as servers.)  But it's a lot of 
work to configure a machine to be that safe, and if you have a hundred 
or a thousand of them you can't do it; entropy will open up new holes 
-- that is, open up new sockets for buggy applications -- faster than 
you can close them down.  Add to that that you don't really know what's 
safe or unsafe, and that you have some services that are convenient for 
insiders but don't have adequate, scalable authentication on which you 
can build an authorization mechanism, and you see why firewalls are 
useful.

Perfect?   No, of course not.  A good idea?  Absolutely.  

--Steve Bellovin, http://www.research.att.com/~smb
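Bellovin's point that entropy opens new sockets for buggy applications faster than an administrator can close them is something a host can be audited for. The following is an added example, not code from Bellovin or from the list: it parses constructed output in the shape `ss -ltnp` prints on Linux, compares every listener with a hypothetical allow-list of the ports the host is meant to expose, and separates externally reachable listeners from loopback-only ones. The sample output, the process names and the allow-list are all constructed.

```python
"""Listening-socket audit against an allow-list (added example).

Constructed `ss -ltnp`-style output is parsed, every listener is compared with
the ports the host is meant to expose, and anything else is reported,
separating externally reachable listeners from loopback-only ones.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Listener:
    addr: str      # bind address as printed by ss ("0.0.0.0", "::", "127.0.0.1", "*")
    port: int
    process: str   # process name from the users:(...) column, "?" if absent


# Constructed sample shaped like `ss -ltnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1044,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1044,fd=7))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=901,fd=5))
LISTEN  0       128     0.0.0.0:6000         0.0.0.0:*          users:(("Xorg",pid=1500,fd=4))
LISTEN  0       128     [::]:8080            [::]:*             users:(("java",pid=2201,fd=12))
"""

# The services this host is supposed to offer (hypothetical allow-list).
ALLOWED_PORTS = frozenset({22, 80, 443})


def parse_ss(text):
    """Parse the LISTEN rows of ss -ltnp output into Listener records."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles "[::]:8080" too
        addr = addr.strip("[]")
        process = "?"
        if len(fields) > 5 and '"' in fields[5]:
            process = fields[5].split('"')[1]       # users:(("sshd",...)) -> sshd
        listeners.append(Listener(addr, int(port), process))
    return listeners


def is_loopback(addr):
    """True only for an explicit loopback bind; wildcards are reachable from outside."""
    if addr in ("*", "0.0.0.0", "::"):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit(listeners, allowed_ports=ALLOWED_PORTS):
    """Return (exposed, local_only): listeners outside the allow-list, split by reach."""
    exposed, local_only = [], []
    for lst in listeners:
        if lst.port in allowed_ports:
            continue
        (local_only if is_loopback(lst.addr) else exposed).append(lst)
    return exposed, local_only


def report(text=SAMPLE_SS_OUTPUT):
    """Human-readable findings; returns the list of lines it prints."""
    exposed, local_only = audit(parse_ss(text))
    lines = [f"EXPOSED  {l.addr}:{l.port}  ({l.process}) not in allow-list"
             for l in exposed]
    lines += [f"local    {l.addr}:{l.port}  ({l.process}) loopback only"
              for l in local_only]
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    report()
```

Run against a real host by feeding it the output of `ss -ltnp` instead of the constructed sample; the loopback split matters because a listener bound to 127.0.0.1 is not what a perimeter filter protects against, while a wildcard bind on an unexpected port is exactly the hole Bellovin describes.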




Re: Firewall opinions wanted please

2004-03-17 Thread Bruce Pinsky
Erik Haagsman wrote:

| On Wed, 2004-03-17 at 21:02, Petri Helenius wrote:
|
|>No, the applications should accept only authorized connections. If that
|>would be the case, there would be no need to filter at packet level.
|
|
| No, since this would be assuming that each application is perfect and
| there's no such thing as buffer overflows and other software bugs
| (including those in authentication routines). A firewall is an extra
| line of defence in preventing malicious packets from reaching the
| destination app and the more people have one the better (although I'm
| not sure whether grandma would be too bothered)
| It's not bulletproof (and could potentially contain a gut itself) but it
| provides additional security, regardless of authenticaion of
| connections.
|
|
|
And I think you have hit it right on the head...another line of defense.
Everything I've ever read about security (network or otherwise) suggests
that a layered approach increases effectiveness.  I certainly don't trust a
firewall appliance as my only security device, so I also do prudent things
like disable ports and applications that are not in use on my network and
enforce authentication and authorization for access to legitimate services.
-- 
bep


Re: Firewall opinions wanted please

2004-03-17 Thread Erik Haagsman

On Wed, 2004-03-17 at 21:44, Bruce Pinsky wrote:
> Everything I've ever read about security (network or otherwise) suggests
> that a layered approach increases effectiveness.  I certainly don't trust a
> firewall appliance as my only security device, so I also do prudent things
> like disable ports and applications that are not in use on my network and
> enforce authentication and authorization for access to legitimate services.

Good point...and that's exactly why in some cases, especially in SOHO
and SMB oriented products, both hardware as well as software vendors can
be part of the security problem by advertising their products as the
definite solution to all security holes. Truely securing even a single
server or host connected to the Internet entails a lot more than just
blocking a few ports, let alone securing a network. By marketing "the
perfect solution" to no-too-clueful admins the actual security holes
only get bigger and harder to track.

-- 
---
Erik Haagsman
Network Architect
We Dare BV
tel: +31.10.7507008
fax: +31.10.7507005
http://www.we-dare.nl






Re: Firewall opinions wanted please

2004-03-17 Thread Rachael Treu

On Wed, Mar 17, 2004 at 09:48:30AM -0800, Kevin Oberman said something to the effect 
of:
..snip snip..
> I dislike firewalls for many applications, although I have a Sonic Wall
> on my cable modem. On the whole, they lead to false belief that
> firewalls really make you safe. They also block many interesting
> applications. Things like H.323 conferencing are made vastly more
> complex by firewalls with no easy or canned work-arounds.

H.323 is its own complex, unwieldy mutant (though a lovely one at that),
and it is unfair to throw the baby out with the bathwater in that case.
Something like saying that it's rough to configure MPLS on your cable modem
at home so we should do away with those.

Configured properly, firewalls handle H.323 just fine.

As for false beliefs...

Seat belts aren't guaranteed to save your life if you wrap your car around
a tree, but they improve the chances that you won't pierce the windshield
with your face.

That lid on your coffee cup has a hole in it so you can drink out of it, 
but that can spill, too..  Still...which way would you rather have 
that cup--lidded or lidless-- when it goes flying out of your cupholder
and into your lap?  

A stoplight doesn't actually physically stop traffic.  Having a green
light in your direction doesn't actually guarantee that the intersecting 
traffic won't plow into you.

Sometimes parachutes don't open properly, 
but can you imagine if people gave up skydiving altogether, or skydived 
without them, refusing to be lulled into a false sense of safety?  

Hrm.

This now becomes an issue of adequate education and precaution.  It's not 
the fault of the technology if its users are ill-informed...
> 
> One large research site I work closely with has directly opted for IDS
> with a bad attitude (love that description) which has successfully
> blocked many intrusion and DOS attempts with no major failures. Slammer
> did overwhelm it, but it did the same for most everything.

IDS that reacts is, by classical definition, firewalling.  The IDS component
merely detects the anomaly.  To react is a firewall function.

Does IDS not smack of that false sense of security you mentioned?  If 
admins refuse to acknowledge attack conditions because the IDS didn't 
squawk, does that guarantee that the network is totally peaceful?
> 
> The end-to-end nature of the net is really, really important, but is
> being blocked more and more by those who thing the net is web browsing
> and e-mail clients and that everything else is simply an annoyance. This
> attitude is hamstringing network development already and may end up
> turning the commercial Internet into a permanently limited tool with
> fewer real capabilities that the ARPANET had before TCP/IP replaced NCP.

This is a very valid concern.  Unfortunately, aside from those in pure
academia, this is the bread and butter for most of us.  The HTML-for-the-masses
and email-happy vox populi are the ones subscribing to providers and 
buying bandwidth that we are trying to enable.
> 
> Grandma may need a firewall. (My sister DEFINITELY needs one.)  But not
> all network connections need or will benefit from a firewall. And many
> system will exist with significant security flaws because the owners
> believe that the firewall takes care of everything.

As do many owners that believe their Microsoft boxes do everything.  
Or nothing.  Or that nothing needs to be done to their MS boxes...

*,
--ra
-- 
k. rachael treu, CISSP   [EMAIL PROTECTED]
..quis costodiet ipsos custodes?..

> -- 
> R. Kevin Oberman, Network Engineer
> Energy Sciences Network (ESnet)
> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
> E-mail: [EMAIL PROTECTED] Phone: +1 510 486-8634




Re: Firewall opinions wanted please

2004-03-17 Thread bill

> "the primary purpose of a firewall is to keep the bad 
> guys away from the buggy code.  Firewalls are the networks' response to 
> the host security problem."

a pretty good sound bite. :)

> Add to that that you don't really know what's 
> safe or unsafe, and that you have some services that are convenient for 
> insiders but don't have adequate, scalable authentication on which you 
> can build an authorization mechanism, and you see why firewalls are 
> useful.
> 
> Perfect?   No, of course not.  A good idea?  Absolutely.  

Er... perhaps.

Who is configuring the "firewall"? What are its capabilities?
How easy will it be to deploy new services?  I, as an enduser,
am abdicating most of my responsibility to or it is being hijacked
by one or more network service providers.   Ken is right.

Firewalls, in general, seem to be a great place for blackhats
to focus on.  DoS is trivial, the degenerate case is encaps
of everything into stuff that passes through the firewall
(IP over port 80), and then we've just pushed the problem
elsewhere, adding more complexity to the system for little
if any improvement in the overall integrity.  Sounds like
the result is a system that is more fragile. 

>   --Steve Bellovin, http://www.research.att.com/~smb

--bill (cynic)

Noting that the nanog thread of the day has changed, but 
not n'cessly for the better. :)



Re: Firewall opinions wanted please

2004-03-17 Thread Rachael Treu

On Wed, Mar 17, 2004 at 03:01:50PM -0800, bill said something to the effect of:
> > "the primary purpose of a firewall is to keep the bad 
> > guys away from the buggy code.  Firewalls are the networks' response to 
> > the host security problem."
> 
>   a pretty good sound bite. :)
> 
> > Add to that that you don't really know what's 
> > safe or unsafe, and that you have some services that are convenient for 
> > insiders but don't have adequate, scalable authentication on which you 
> > can build an authorization mechanism, and you see why firewalls are 
> > useful.
> > 
> > Perfect?   No, of course not.  A good idea?  Absolutely.  
> 
>   Er... perhaps.
> 
>   Who is configuring the "firewall"? What are its capabilities?

You are.  Your network engineer is.  The needs of your network and staff
dictate the demands and deploy a mechanism suitable enough to satisfy
them.  This is not a question others can answer for you in the 
hypothetical.

>   How easy will it be to deploy new services?  I, as an enduser,

That will depend on the services.  If you ask most to stream Kazaa into
your cube at work, they'll laugh at you.  If you want to route 
jellybeans-over-IP, you'll likely not be considered.  If you're at the
helm at the office or at home, then it's as easy as you make it and you
can do what you want within the scope of your provider's AUP..

Again...competent security engineer...comes to mind...

>   am abdicating most of my responsibility to or it is being hijacked
>   by one or more network service providers.   Ken is right.

This is the job of the edge/customer/network administrator, or a 3rd party 
agent contracted to provide managed security services.  Most NSPs do not
do this (granular filtering) unless engaged (and paid) directly by the 
customer.  Is that what has your dander up?  This is the 
job/responsibility/whim of the subscriber, for the most part.
> 
>   Firewalls, in general, seem to be a great place for blackhats
>   to focus on.  

What?  No...unprotected systems are the great places for blackhats to
focus on.  Where are you getting this?  I apologize for sounding 
potentially antagonistic, but I am having a difficult time discerning
between devil's advocacy and counterintuition in your opinions regarding
secure network praxes.

Single points of failure are prime targets for attack, too, by the way.
As are unchecked portals and ingress vectors.  Eschewing security mechanisms
(physical, logical, DR, etc) contributes to both.

> DoS is trivial, 

Please tell me you did not just go there...

Network outage is not trivial.  Not ever.

One more time...where are you getting your information?  That clause is
patently incorrect.  Please remember virii and node subversion when you
head in that direction, as well, as granular security is not just about
DoS...

> the degenerate case is encaps
>   of everything into stuff that passes through the firewall
>   (IP over port 80), and then we've just pushed the problem

What kind of firewall are you talking about?  Who does this?

>   elsewhere, adding more complexity to the system for little
>   if any improvment in the overall integrity.  Sounds like
>   the result is a system that is more fragile. 

Broken record...from where did you derive this information?

And how better do you propose to restrict access to a network than
filtering/firewalling or somesuch similar level of access control?  Or is 
it (as you have not yet answered this) your position that a network should 
remain open and unsecured?  Not your service provider's network...but 
networks in general.  What, in no uncertain terms, do you believe belongs
keeping watch over your network perimeter?  Also, what constitutes 
acceptable loss and/or outage in your organization?  It is entirely 
possible and I am increasingly hopeful that you and I are simply talking 
about 2 totally separate things.

For the record...the top 2 Achilles' heels  to network security are improperly-
protected edge devices (i.e., web servers, unpatched desktops, unsecured
routers, etc), and protocol-related vulnerabilities (i.e., SNMP, DNS/BIND). 
Your concern for thwarted network application development leads me to
enlist you and yours to fix inherently weak protocols (SMTP, for example)
to make networking itself again more robust before I agree to see a 
security layer as superfluous.  And then there are software purveyors to 
visit.

--ra

-- 
k. rachael treu, CISSP   [EMAIL PROTECTED]
..quis costodiet ipsos custodes?..
> 
> > --Steve Bellovin, http://www.research.att.com/~smb
> 
> --bill (cynic)
> 
>   Noting that the nanog thread of the day has changed, but 
>   not n'cessly for the better. :)




Re: Firewall opinions wanted please

2004-03-17 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, bill writes:
>> "the primary purpose of a firewall is to keep the bad 
>> guys away from the buggy code.  Firewalls are the networks' response to 
>> the host security problem."
>
>   a pretty good sound bite. :)

Thanks -- I've been using that line for about 10 years, and I haven't gotten 
tired of it yet
>
>> Add to that that you don't really know what's 
>> safe or unsafe, and that you have some services that are convenient for 
>> insiders but don't have adequate, scalable authentication on which you 
>> can build an authorization mechanism, and you see why firewalls are 
>> useful.
>> 
>> Perfect?   No, of course not.  A good idea?  Absolutely.  
>
>   Er... perhaps.
>
>   Who is configuring the "firewall"? What are its capabilities?
>   How easy will it be to deploy new services?  I, as an enduser,
>   am abdicating most of my responsibility to or it is being hijacked
>   by one or more network service providers.   Ken is right.

I don't have time to participate in this thread any more tonight -- 
tomorrow is the biweekly IESG call, and I still have several documents 
to review -- but I never said that ISPs should implement firewalls.  In 
fact, in general that's a bad idea.  Firewalls are the instantiation of 
a security policy; I don't want my ISP telling me what my security policy
is or should be.  

To be sure, there is a market for a value-added ISP service that 
provides assorted types of filtering.  But that's the sort of thing 
that's best done by consenting adults.  More later


--Steve Bellovin, http://www.research.att.com/~smb




Re: Firewall opinions wanted please

2004-03-17 Thread Alexei Roudnev


>
> No.  Quite apart from the fact that you mean "authorized", not
> "authenticated", the primary purpose of a firewall is to keep the bad
> guys away from the buggy code.  Firewalls are the networks' response to
> the host security problem.
No. Let's imagine that I have 4 hosts, without ANY security problems in
software, and I'd like to provide a WEB service. A firewall
protects other services from outside access. Without it, you can slogin to
me, if you know my password, even if the host has no bugs. (Of course,
SecureID, hand scan etc... decreases the need for this.)

Second. Not ANY network requires a FireWall. If a network (grandma) does not allow
any ACCESS from the Internet (grandma's network does not allow access because it
does not expose any IP device to the outside network, using NAT for outgoing
connections), it can live without any ACL and any firewall attributes - and
be as secure as a production network with expensive firewall(s).

Key word is _ACCESS_. No ACCESS - no FireWall (cut wires). One Way Access -
many different devices play the role of a firewall (a PNAT translator, for example,
does 99.9% of the work). More ACCESS required - more COMPLICATED firewalls
are required.

So, the key word is not PROTECTION but ACCESS.
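Alexei's framing above, that the real question is which ACCESS a network grants, can be written down as an ordered policy and checked against traffic. The following is an added example, not code from the list or from any poster: it assumes a hypothetical web tier in a documentation address range, uses the http/https/ftp/ssh services from Nicole's original question as the inbound allow-list (ssh restricted to a hypothetical management network), and evaluates constructed flows with first-match semantics and an implicit deny that logs. It also covers the egress side, since a network that permits no inbound access still originates outbound connections, and a policy can constrain and log those as well (the web host calling out over TFTP is the constructed case here).

```python
"""First-match access policy evaluated over constructed flows (added example).

The policy lists which ACCESS a hypothetical web tier grants inbound and
outbound; anything not listed falls through to an implicit deny that logs.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" (toward the protected tier) or "out" (from it)
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str                     # "tcp", "udp" or "any"
    src: str                       # CIDR
    dst: str                       # CIDR
    dports: frozenset              # empty set = any destination port
    action: str                    # "allow" or "deny"
    log: bool = False
    name: str = ""

    def matches(self, f):
        return (self.direction == f.direction
                and self.proto in ("any", f.proto)
                and ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst)
                and (not self.dports or f.dport in self.dports))


# Hypothetical address plan (documentation ranges, not real networks).
WEB_TIER = "203.0.113.0/28"
MGMT_NET = "198.51.100.0/24"
ANY = "0.0.0.0/0"

# Ordered policy; the first matching rule decides.
POLICY = [
    # inbound: only the public services from the original question, ssh from management
    Rule("in", "tcp", ANY, WEB_TIER, frozenset({80, 443}), "allow", name="public web"),
    # ftp control channel only: data connections need a stateful helper or a passive-mode range
    Rule("in", "tcp", ANY, WEB_TIER, frozenset({21}), "allow", name="ftp control"),
    Rule("in", "tcp", MGMT_NET, WEB_TIER, frozenset({22}), "allow", name="ssh from mgmt"),
    # outbound: what a web server legitimately initiates; everything else is denied and logged
    Rule("out", "udp", WEB_TIER, ANY, frozenset({53}), "allow", name="dns"),
    Rule("out", "tcp", WEB_TIER, ANY, frozenset({80, 443}), "allow", name="updates"),
    Rule("out", "any", WEB_TIER, ANY, frozenset(), "deny", log=True, name="egress catch-all"),
]


def evaluate(flow, policy=POLICY):
    """Return (action, rule_name, logged) for a flow; unmatched flows hit the implicit deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name, rule.log
    return "deny", "implicit deny", True


# Constructed flows: one legitimate visitor, one ssh probe from the Internet, one
# admin session, a direct database probe, the web host calling out over TFTP,
# and a DNS lookup.
SAMPLE_FLOWS = [
    Flow("in", "tcp", "192.0.2.10", "203.0.113.5", 80),
    Flow("in", "tcp", "192.0.2.10", "203.0.113.5", 22),
    Flow("in", "tcp", "198.51.100.7", "203.0.113.5", 22),
    Flow("in", "tcp", "192.0.2.10", "203.0.113.5", 5432),
    Flow("out", "udp", "203.0.113.5", "192.0.2.44", 69),
    Flow("out", "udp", "203.0.113.5", "198.51.100.53", 53),
]


def alerts(flows=SAMPLE_FLOWS, policy=POLICY):
    """Flows that were denied *and* logged: the ones an operator should look at."""
    return [(f, name) for f in flows
            for action, name, logged in [evaluate(f, policy)]
            if action == "deny" and logged]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, name, logged = evaluate(f)
        flag = "  [LOG]" if logged else ""
        print(f"{f.direction:3} {f.proto} {f.src}->{f.dst}:{f.dport}  {action:5} ({name}){flag}")
```

The evaluator is deliberately stateless, which is why the ftp rule carries a caveat: a real filter needs connection tracking (or a fixed passive-mode port range) for the data channel, and the same tracking is what lets replies to the permitted outbound flows back in without an explicit inbound rule. The denied-and-logged list is the detection half of the argument: the web host's TFTP attempt is refused, but it is also recorded, which is the heads-up the thread's "extra line of defence" posts are after.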



Re: Firewall opinions wanted please

2004-03-17 Thread Alexei Roudnev

>
> And I think you have hit it right on the head...another line of defense.
> Everything I've ever read about security (network or otherwise) suggests
> that a layered approach increases effectiveness.  I certainly don't trust
a
> firewall appliance as my only security device, so I also do prudent things
> like disable ports and applications that are not in use on my network and
> enforce authentication and authorization for access to legitimate
services.

Unfortunately, it decreases it.

If I turn off file sharing on a Windows server, I'll increase security but
complicate support (in some cases).
If I run an IDS system, I spend time verifying and approving changes done by
maintainers. And so on.

So, it is very important to have a strong FIRST line of defense (inbound
firewalls) and last line (host IDS); it allows you to bring a little more
efficiency by keeping convenient (but not very secure) protocols inside your
internal network. Else, you end up in full paranoia.




Re: Firewall opinions wanted please

2004-03-18 Thread Peter Galbavy

Rachael Treu wrote:
> Guys...firewall is as generic a term as any.  Saying grandma needs a
> router does not mean that an M20 is interchangeable with her Linksys.

You're preaching to a list with people on it who invented the terms you are
using *and* wrote the books. Stop lecturing and *listen*.

Peter



Re: Firewall opinions wanted please

2004-03-18 Thread Chris Brenton

OK, I've tried to stay out of this, but...

On Thu, 2004-03-18 at 01:17, Alexei Roudnev wrote:
>
> No. let's imagine, that I have 4 hosts, without ANY security problems in
> software,

Exactly how do you *prove* there are zero security problems with any of
this software? I hate to say it, but a lot of the security issues we are
faced with today is because people thought they could build secure
software without worrying about a secure architecture. That's exactly
what you are doing here.

> Firewall protects other services from outside access.

A good firewall *should* be doing a whole lot more than that. It should
also be giving you a good level of detail about what crosses your
perimeter. It should also be doing some level of content checking to
protect the servers behind it. It should also be stopping and alerting
you if that Web server one day tries to TFTP out to the Internet. Etc.
etc. etc.

> Second. Not ANY network require FireWall. If network (grandma) do not allow
> any ACCESS from Internet (grandma's network do not allow access because it
> does not expose any IP device to outside network, using NAT for outgoing
> connections), it can live without any ACL and any firewall attributes 

 
Absolutely, because who cares if someone drops a call home Trojan on
Grandma's system (via e-mail or nasty URL) which turns the system into a
spam relay or a DDoS zombie. That would *never* happen, right?
 

Oh wait, I seem to remember that both of these problems are discussed on
at least a weekly basis in this forum. A firewall can't prevent the
above attacks, but it can give you a heads up that they happened.

> - and
> be as secure as production network with expansive firewall(s).

Dude, *please* don't take this as a slam, but you really need to come
more up to speed on this technology. 

> Key word is _ACCESS_. No ACCESS - no FireWall (cut wires).

Agreed, but in both of your examples where you say a firewall is not
needed, you include some level of access. 

Now if you are going to cut the wires and ensure there are no 802.11 or
dial-in access points, I'll agree so long as physical security is up to
snuff.

> One Way Access -
> many different devices plays role of firewall (PNAT translator, for example,
> makes 99.9% of the work).

Hey has anyone tested this lately? I beat up on a number of NAT only
firewalls about 3 years ago and found that approximately half could be
defeated by simply using loose source routing. Has anyone tested the
latest round up of products for this "functionality"?

HTH,
Chris
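
The loose-source-routing check Chris mentions, as an added example (not code from the thread or from any product tested in it): a packet filter in front of a NAT-only box should refuse IPv4 packets carrying the LSRR (131) or SSRR (137) option, since a gateway that honours the option can be steered to an inside address named in it. The addresses 203.0.113.9, 192.0.2.1 and 10.0.0.5 are constructed, and the header builder exists only to produce test input for the parser.

```python
"""Flag IPv4 packets carrying source-route options.

Added example; not from the thread. A NAT-only gateway that honours
loose source routing can be talked into forwarding a packet to an inside
address named in the option, so a filter in front of it should drop
packets with option type 131 (LSRR) or 137 (SSRR). Addresses below are
constructed.
"""
import struct
from socket import inet_aton

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137          # RFC 791 option codes 0x83 / 0x89
SOURCE_ROUTE_OPTIONS = {IPOPT_LSRR, IPOPT_SSRR}
IPV4_FMT = "!BBHHHBBH4s4s"                  # 20-byte fixed header


def ip_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def lsrr_option(hops) -> bytes:
    """LSRR option: type, length, pointer (4 = first hop), then 4-byte hops."""
    body = b"".join(inet_aton(h) for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(body), 4]) + body


def build_ipv4_header(src: str, dst: str, options: bytes = b"", proto: int = 6) -> bytes:
    """Minimal IPv4 header (no payload) with options padded to a 32-bit boundary."""
    options += b"\x00" * ((-len(options)) % 4)     # pad with EOL bytes
    ihl = 5 + len(options) // 4
    fields = [(4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, proto, 0,
              inet_aton(src), inet_aton(dst)]
    fields[7] = ip_checksum(struct.pack(IPV4_FMT, *fields) + options)
    return struct.pack(IPV4_FMT, *fields) + options


def parse_ip_options(packet: bytes) -> list:
    """Option type codes present in an IPv4 header; ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, found, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:              # single-byte option, no length
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option length byte missing")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found.append(kind)
        i += length
    return found


def has_source_route(packet: bytes) -> bool:
    return any(k in SOURCE_ROUTE_OPTIONS for k in parse_ip_options(packet))


def should_drop(packet: bytes) -> bool:
    """Filter policy: drop source-routed packets and anything we cannot parse."""
    try:
        return has_source_route(packet)
    except ValueError:
        return True


# Constructed test input: an ordinary header, and one addressed to the
# gateway's public side (192.0.2.1) with an inside hop (10.0.0.5) in LSRR.
PLAIN = build_ipv4_header("203.0.113.9", "192.0.2.1")
SOURCE_ROUTED = build_ipv4_header("203.0.113.9", "192.0.2.1", lsrr_option(["10.0.0.5"]))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("source-routed", SOURCE_ROUTED)):
        print(name, parse_ip_options(pkt), "drop" if should_drop(pkt) else "pass")
```

The policy is deliberately fail-closed: a header the parser cannot make sense of is dropped along with anything source-routed, since an attacker probing a NAT box has every incentive to send odd option layouts.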




Re: Firewall opinions wanted please

2004-03-18 Thread Alexei Roudnev

>
> > Firewall protects other services from outside access.
>
> A good firewall *should* be doing a whole lot more than that. It should
Do not overestimate. A firewall can do a little more than just restrict
access and inspect a few (very limited) protocols.
It can not protect you from slow scans; it can not protect you from SSL /
SSH / (any other encrypted protocol) vulnerabilities,
it can not protect your users from viruses in e-mail, etc. etc. A proxy
firewall (device which terminates _ALL_ protocols) can
help in some cases (management access to your network by ssh) but can not
with others (SSL site hosting, for example).

> also be giving you a good level of detail about what crosses your
Very good level of details - 200 Mb of daily logs (IP, IP protocol = https).
Any network statistics system can do it. Unfortunately, all these logs are
99% useless until you need forensics.

> perimeter. It should also be doing some level of content checking to
In reality, I can count all useful things firewall can do. I can not count
(it is infinite) numbers of things it can not do.

In real life, protocol inspection is useful for SMTP and DNS. Sometimes, for
http (but not https), SIP, few other _open_ protocols. That's all.
Sometimes, it can recognize unusual behaviour of _your_ server and notify
you (esp. if you maintain _default deny_ for some protocols).

You are right about _checking outbound connections_ - firewall can help, if
properly configured. Unfortunately, you can spend days configuring your
home firewall for outbound connections, even if you maintain a proxy. I do
not think that you will do it for grandma...

You are right about the possibility of weaknesses in some PNAT devices. There is
a very big potential for a problem / holes here. I'd like to see such tests
you are talking about (security tests for PNAT devices).




Re: Firewall opinions wanted please

2004-03-18 Thread Chris Brenton

On Thu, 2004-03-18 at 15:26, Alexei Roudnev wrote:
>
> > A good firewall *should* be doing a whole lot more than that. It should
> Do not overestimate. Firewall can make a little more than just restrict
> access and inspect few (very  limited) protocols.

If this concerns you, just use a proxy instead of stateful inspection.
Even better, use both to leverage the speed of the packet filtering and
the application control of the proxy. Defense in-depth and all of that.

> It can not protect you from slow scans;

If a firewall can't stop a scan because it's slow, then the firewall is
broken. If you are talking about detecting a port scan, then it's a
matter of how you parse the data. I can easily detect port scans as slow
as 1 port/4 hours with Netfilter. I can push this out to 1 port/week if
the source IP is on my "potentially hostile" list.

> it can not protect you from SSL /
> SSH / (any other encrypted protocol) vulnerabilities,

All depends on what you need. For example if you want to inspect
payload, terminate the tunnel at the firewall or some external device
(like an SSL accelerator) and then run the payload through a reverse
proxy. If it's outright blocking you want, just inspect for the initial
handshake and drop as required. You only need to check the first couple
of ACKs to do this correctly.

> it can not protect your users from viruses in e-mail, etc etc.

I don't remember saying it would. What I do remember saying is that the
firewall could be used to help detect outbound activity if the internal
host becomes a zombie due to e-mail based viruses. 

> Very good level of details - 200 Mb of daily logs (IP, IP protocol = https).
> Any network statistics system can do it. Unfortunately, all these logs are
> 99% useless until you need forensics.

I guess it's a matter of what you do with them. I personally find my
firewall logs *very* useful and can ID a wide range of suspicious
activity, even a few that are payload based despite the fact that the
firewall does not log the payload. As for review time, 200 MB takes me
maybe 20 minutes with my parsing script unless I find something *really*
interesting that I want to drill in on. Then the time factor comes down
to when my obsessive compulsive personality will let it go. ;-)

But then again I'm one of *those* geeks that finds log review to be a
fun way to spend a week night. I expect if I found it to be more of a
chore I would also find them to be less than useful.

> > perimeter. It should also be doing some level of content checking to
> In reality, I can count all useful things firewall can do. I can not count
> (it is infinite) numbers of things it can not do.

So basically your argument is "it's good at some things but not others so
why bother?". Given that line of thinking, why bother with IDS because
it can't detect Ethernet CRC errors? Why bother running a virus scanner
because it can't keep your system patched. Why bother patching your
systems because that does not help add the fabric softener during the
rinse cycle.

A firewall is a tool, no more no less. The capability of that tool is
90% dependent on the person wielding the tool. If you can only find a
limited number of applications for a firewall, I'm not surprised that
you don't find it all that useful. That does not mean the same is true
for the rest of us.

HTH,
C
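
As an added example (not Chris's parsing script, which is not on the page), the two pieces of log review he describes, run over netfilter LOG output: spotting a slow scan by counting distinct destination ports per source over a long window, with a looser threshold for sources on a "potentially hostile" list, and catching an internal web server that suddenly makes an outbound connection its allow list does not cover (the TFTP case from his earlier reply). The log lines, the --log-prefix values FW-IN:/FW-OUT:, the interface names, the addresses and the year are constructed assumptions.

```python
"""Slow-scan and unexpected-egress detection over netfilter LOG lines.

Added example, not from the thread. SAMPLE_LOG is constructed; the
--log-prefix values FW-IN: (inbound SYNs logged on the outside interface)
and FW-OUT: (connections initiated from inside) are assumed, as is the
year, which classic syslog timestamps do not carry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2004  # assumption: syslog timestamps have no year
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # netfilter LOG is KEY=VALUE tokens

SAMPLE_LOG = """\
Mar 18 00:05:11 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=52 ID=0 PROTO=TCP SPT=4402 DPT=21 WINDOW=5840 SYN URGP=0
Mar 18 04:05:40 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=52 ID=0 PROTO=TCP SPT=4403 DPT=22 WINDOW=5840 SYN URGP=0
Mar 18 08:10:02 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=52 ID=0 PROTO=TCP SPT=4404 DPT=23 WINDOW=5840 SYN URGP=0
Mar 18 12:15:33 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=52 ID=0 PROTO=TCP SPT=4405 DPT=25 WINDOW=5840 SYN URGP=0
Mar 18 16:20:09 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=52 ID=0 PROTO=TCP SPT=4406 DPT=110 WINDOW=5840 SYN URGP=0
Mar 18 09:00:00 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=40 TTL=60 ID=0 PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 SYN URGP=0
Mar 18 09:30:00 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=40 TTL=60 ID=0 PROTO=TCP SPT=51001 DPT=80 WINDOW=5840 SYN URGP=0
Mar 15 03:00:00 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.200 DST=192.0.2.10 LEN=40 TTL=48 ID=0 PROTO=TCP SPT=3000 DPT=1433 WINDOW=5840 SYN URGP=0
Mar 18 03:00:00 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.200 DST=192.0.2.10 LEN=40 TTL=48 ID=0 PROTO=TCP SPT=3001 DPT=3306 WINDOW=5840 SYN URGP=0
Mar 18 10:00:00 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.53 LEN=60 TTL=63 ID=0 PROTO=UDP SPT=32768 DPT=53 LEN=40
Mar 18 10:00:05 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.66 LEN=60 TTL=63 ID=0 PROTO=UDP SPT=32769 DPT=69 LEN=40
"""

# Per-server egress allow list (assumed): the web server may only resolve DNS.
ALLOWED = {"192.0.2.10": {("UDP", 53), ("TCP", 53)}}


def parse_line(line: str):
    """One LOG line -> dict of fields plus 'ts' and 'prefix'; None if not a LOG line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    prefix, _, body = m.group(2).partition("IN=")
    fields = dict(FIELD_RE.findall("IN=" + body))
    return {"ts": ts, "prefix": prefix.strip(), **fields}


def parse_log(text: str) -> list:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def detect_slow_scans(records, min_ports=5, window=timedelta(days=1),
                      hostile=frozenset(), hostile_min_ports=2,
                      hostile_window=timedelta(days=7)) -> dict:
    """{src: sorted ports} for sources touching >= min_ports distinct destination
    ports within any window-long span. Listed-hostile sources get looser limits."""
    hits = defaultdict(list)
    for r in records:
        if r["prefix"] == "FW-IN:" and r.get("PROTO") in ("TCP", "UDP") and "DPT" in r:
            hits[r["SRC"]].append((r["ts"], int(r["DPT"])))
    flagged = {}
    for src, events in hits.items():
        need, span = ((hostile_min_ports, hostile_window) if src in hostile
                      else (min_ports, window))
        events.sort()
        for i, (start, _) in enumerate(events):      # sliding window from each hit
            ports = {p for t, p in events[i:] if t - start <= span}
            if len(ports) >= need:
                flagged[src] = sorted(ports)
                break
    return flagged


def unexpected_egress(records, allowed) -> list:
    """Outbound connections from an inside host that its allow list does not cover."""
    return [r for r in records
            if r["prefix"] == "FW-OUT:" and "DPT" in r
            and (r.get("PROTO"), int(r["DPT"])) not in allowed.get(r["SRC"], set())]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("slow scans:", detect_slow_scans(recs, hostile={"203.0.113.200"}))
    for r in unexpected_egress(recs, ALLOWED):
        print("unexpected egress:", r["SRC"], "->", r["DST"], r["PROTO"], r["DPT"])
```

With the defaults, 203.0.113.9 (five ports in sixteen hours) is reported and 203.0.113.200 (two ports three days apart) is not; putting the latter on the hostile list drops its threshold to two ports in a week and it is reported too. The egress check is a plain allow list keyed by server, which is what "default deny for some protocols" looks like once the firewall logs what it drops.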




RE: Firewall opinions wanted please - clarification

2004-03-16 Thread Nicole


 As much as I hate to follow up my own post, I suppose I was a bit too vague
for my own good =]

 We do not run any cisco gear and we are in a Class A data facility.
 
 By proxy I did not mean to imply NAT. I cannot remember the proper term but
what I mean is full packet handling as opposed to packet inspection. 

 Security is important but the budget limit is only up to about 3K. I have been
trying to get the client a firewall for some time and am just now getting the
go ahead.  



 Sorry for any vagueness but I usually like to not say too much as to sway
opinions one way or another and to learn more as any knowledge I have may be
wrong or out of date.



  Nicole



On 16-Mar-04 Unnamed Administration sources reported Nicole said :
> 
> 
> 
>  Hi
>  I am looking for a good but reasonably priced firewall for a 40 or so server
>  site. Some people swear by Pix, others swear at it a lot. Also I have heard
> good things about Netscreen. Or any others you would recommend for protecting
> servers on a busy network. Don't really need anything with VPN just the
> standard http, ftp, ssh, https, type traffic up to 100mb throughput.
>  From what I have heard a proxy firewall would be best? 
> 
>  
> 
>  Thanks in advance!!
> 
> 
>   Nicole
> 
>
 




Re: Firewall opinions wanted please - clarification

2004-03-16 Thread Brandon Shiers
Sonicwall makes a great product that can run in STANDARD (Proxy) mode. 

Their prices are pretty good as well, especially if you buy them 
through a reseller.  We deploy many of these firewalls every year and 
they are great!

Thanks,

Brandon





Re: Firewall opinions wanted please - clarification

2004-03-16 Thread Alexei Roudnev

You mean _PROTOCOL HANDLING_, I believe.

I do not know why people are paying so much attention to it.  Important
questions are:

- which services are you providing for the public?
- who will handle all your SSL sessions, if any (may be, Load Balancers?
Then you do not bother about FW proxy for them);
- who will handle all http requests (yes, proxy can help here, but it is not
the only way);
- who will inspect mail content (not SMTP protocol, but attachments etc)?
- who will handle your ssh sessions, if you have inbound ssh?
- who will handle your inbound VPN or PPTP, if you use it?
- are DDOS attacks dangerous for you (you host SCO, for example) or not (you
provide a specific service for 100 companies, not for the wide public);
- do you use host level IDS / change control?

PIX is an excellent firewall... for many purposes, but not for others (and not
as a proxy, of course). It is impossible to select anything without knowing
the answers to these questions...

Alexei Roudnev






Re: Firewall opinions wanted please - clarification

2004-03-16 Thread Richard Cox

On Tue, 16 Mar 2004 17:18:38 -0700
"Brandon Shiers" <[EMAIL PROTECTED]> wrote:

> Sonicwall makes a great product that can run in STANDARD (Proxy) mode.

As with any product, it's only as good as the support channel behind it
*in your locality* ... we have just removed Sonicwall from the list of
approved suppliers here because of a series of failures that left two
parts of our network unprotected for several weeks (and, if any other
Firewall vendors with _good_  European support are reading this thread,
you're welcome to contact us by mail if you feel you can do better than
Sonicwall's local representatives did ;-) )

-- 
Richard Cox



Re: [NANOG-LIST] RE: Firewall opinions wanted please - clarification

2004-03-16 Thread Brent Van Dussen
Another important question is who is going to be managing the firewall once 
it gets purchased and installed?  Buying a PIX is great but not if you 
don't have anyone that knows how to use it.  This applies to any vendor's 
solution be it Checkpoint, IPTables, PIX, netscreen, etc..

Also by proxy do you mean stateful packet inspection?

-Brent


