On Jan 10, 2010, at 5:51 AM, harbor235 wrote:
> Other security features in an Enterprise Class firewall:
>
> - Inside source-based NAT, reinforces secure traffic flow by allowing outside-to-inside flows based on configured translations and allowed security policies
Terrible from an availability perspective, troubleshooting perspective, too. Just dumb, dumb, dumb - NATted servers fall over at the drop of a hat due to the NAT device choking.
> - TCP sequence number randomization (to prevent TCP seq number guessing)
Server IP stack does this itself just fine.
> - Intrusion Detection and Prevention (subset of most common signatures): recognize scanning attempts and mitigate; recognize common attacks and mitigate
Snake-oil.
> - Deep packet inspection (application-aware inspection for common network services)
Terrible from an availability perspective, snake-oil.
> - Policy-based tools for custom traffic classification and filtering
Can be done statelessly, no firewall required.
> - Layer 3 segmentation (creates inspection and enforcement points)
Doesn't require a firewall.
> - Full/partial proxy services with authentication
If needed, can be better handled by transparent reverse-proxy farms; auth handled on the servers themselves.
> - Alarm/logging capabilities providing info on potential attacks
> - etc. ...
NetFlow from the network infrastructure, the OS/apps/services on the server itself do this, etc.
> Stateful inspection further enhances the security capabilities of a firewall.
No, it doesn't, not in front of servers where there's no state to inspect, in the first place, given that every incoming packet is unsolicited.
> You may choose not to use a firewall or implement a sound security posture utilizing the "Defense in Depth" philosophy; however, your chances of being compromised are dramatically increased.
Choosing not to make the mistake of putting a useless, counterproductive firewall in front of a server doesn't mean one isn't employing a sound, multi-faceted opsec strategy. I know that all the firewall propaganda denoted above is repeated endlessly, ad nauseam, in the Confused Information Systems Security Professional self-study comic books, but I've found that a bit of real-world operational experience serves as a wonderful antidote, heh. ;>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken
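The stateless filtering Dobbins refers to in the exchange above (matching on header fields and TCP flag bits, with no connection table) as an added example that is not code from either poster: a small Python evaluator in the style of a router ACL with an IOS-style 'established' keyword. The server address, rule set and sample packets are constructed for illustration, and the 'established' semantics (ACK or RST bit set) are the classic router ACL definition, not a vendor-specific one.

```python
"""Stateless ACL evaluation: decide per packet from headers alone.

Added example; the server, rules and packets below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# TCP flag bits as carried in the TCP header.
SYN = 0x02
RST = 0x04
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    """Header fields a stateless filter can see. No connection table exists."""
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: int = 0        # TCP flag bits; 0 for UDP


@dataclass(frozen=True)
class Rule:
    """One ACL entry. Unset fields match anything, as on a router ACL."""
    action: str                   # "permit" or "deny"
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False     # 'established': ACK or RST bit must be set

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.flags & (ACK | RST)):
            return False
        return True


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First-match evaluation; an implicit deny closes the list."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed example: a web server in an RFC 5737 documentation prefix.
SERVER = "192.0.2.10"

# Inbound ACL facing the server. Unsolicited SYNs to the published services
# are permitted outright; any other inbound TCP is permitted only if it carries
# ACK/RST, i.e. it is (or claims to be) a reply to a connection the server
# itself opened. Nothing here keeps state to decide that.
INBOUND_ACL = [
    Rule("permit", proto="tcp", dst=SERVER, dport=80),
    Rule("permit", proto="tcp", dst=SERVER, dport=443),
    Rule("permit", proto="tcp", dst=SERVER, established=True),
    Rule("deny"),
]

# Constructed sample traffic, not a capture.
SAMPLES = [
    Packet("tcp", "198.51.100.7", SERVER, 40001, 80, SYN),        # client opening HTTP
    Packet("tcp", "198.51.100.7", SERVER, 40001, 80, ACK),        # mid-connection segment
    Packet("tcp", "198.51.100.9", SERVER, 40002, 22, SYN),        # SSH probe from outside
    Packet("tcp", "203.0.113.53", SERVER, 53, 51515, SYN | ACK),  # resolver answering the server's TCP DNS query
    Packet("tcp", "198.51.100.9", SERVER, 40003, 22, ACK),        # ACK scan: passes the ACL, host stack answers RST
    Packet("udp", "198.51.100.9", SERVER, 40004, 161),            # SNMP probe
]


def verdicts(acl: List[Rule] = INBOUND_ACL, packets: List[Packet] = SAMPLES) -> List[str]:
    """Verdict for each sample packet, in order."""
    return [evaluate(acl, p) for p in packets]


if __name__ == "__main__":
    for p, v in zip(SAMPLES, verdicts()):
        print(f"{v:6} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} flags=0x{p.flags:02x}")
```

The fifth sample shows the known limit of flag-based 'established' matching: an unsolicited segment with ACK set passes the ACL, and it is the server's own TCP stack that rejects it with RST because no socket matches. That is the trade the stateless approach makes: the filter never tracks connections, so it cannot fall over from a full state table, but the host stack does the final rejection.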