On Tue, 5 Jan 2010, Fred Baker wrote:
The primary value of a firewall is two-fold:
- It enables a network administrator to define his "edge", the interior of which he is responsible for. - It enables a network administrator to isolate his network from externally-originated traffic per his whims and viewpoints.
Actually, a firewall is so the "security administrator" can intervene between the network administrator and the system administrator to impose controls on both because they didn't prevent something themselves. It sounds like of beginning of a joke, a network administrator, system administrator and security administrator walk into a bar ... A statefull firewall is most useful for *outbound* traffic, inbound traffic controls usually break things that depend on maintaining state. Of course, if you want outbound traffic from your web server, its no longer just a web server. Its some mongrel type of client/server. Likewise a IDS/IPS/AV/Anti-X box is no longer just a stateful firewall, its some kind of mongrel security device. Simple ACLs can keep stuff out, or keep stuff in. Stateful things are only needed when you want to keep track of things you sent outbound, so you can let (hopefull) the same thing back inbound.
IMHO, it is not a security solution per se; it is comparable perhaps to human skin - keeping certain stuff out to limit the need to use other tools that one uses internally. That said, the tools one uses to create true security are a combination of network-based detection/analysis equipment like honeypots, router configurations, and sensors, and host-based security technologies. In the final analysis, the hosted application is responsible for its own security (if some attacker threads the needle, it had better be able to handle the attack), and uses host and network facilities as defense-in-depth (the less it has to worry about that the more effective overall security is).
Your "simple", "verifiable", "etc" security devices then become something even more complex than the systems they are supposedly are protecting. With that additional complexity comes additional risks that the security device itself has flaws. Adding NAT/PAT/state/DNS proxy creates its own problems and many protocol hacks, often requiring even more complexity to "fix" what you broke. I blame Bellovin & Cheswick for firewalls :-) There are some subtle points in their early papers I'm still learning. Yes, statefull firewalls can be usefull. But too often security professionals suffer from the I have a hammer syndrome. They break everything with a single tool, even stuff that may be better without it. Security should worry about all the letters in C-I-A.