Other security features in an Enterprise Class firewall:
-Inside source based NAT, reinforces secure traffic flow by allowing outside to inside flows based on configured translations and allowed security policies
Terrible from an availability perspective, troubleshooting perspective, too. Just dumb, dumb, dumb - NATed servers fall over at the drop of a hat due to the NAT device choking.
How is that possible with inside source NATing? You must mean a misconfigured outside source NATing.
-TCP sequence number randomization (to prevent TCP seq number guessing)
Server IP stack does this itself just fine.
What server randomizes TCP sequence numbers? Servers randomize initial sequence numbers! Regardless, the FW will accept and randomize again, making sure the endpoints get the correct TCP seq numbers; again, more secure.
-Intrusion Detection and Prevention (subset of most common signatures): recognize scanning attempts and mitigate; recognize common attacks and mitigate
Snake-oil.
Preventing attacks on internal networks or servers, snake oil? LOL. FWs typically offer a subset of potential IDS signatures; dedicated appliances or systems offer a higher level of prevention.
-Deep packet inspection (application aware inspection for common network services)
Terrible from an availability perspective, snake-oil.
Inspecting application header and data, it will identify/prevent some application attacks? How does that reduce availability?
-Policy based tools for custom traffic classification and filtering
Can be done statelessly, no firewall required.
True, never said this was done statefully. What device are you using to perform this function?
No firewall required, but part of a distributed defense in depth strategy and can be done by a firewall; again, a secure architecture is the goal, not just a firewall.
-Layer 3 segmentation (creates inspection and enforcement points)
Doesn't require a firewall.
No, but segmentation and multiple security enforcement points are essential for a secure architecture.
-Full/Partial Proxy services with authentication
If needed, can be better handled by transparent reverse-proxy farms; auth handled on the servers themselves.
The servers are doing everything in your model; must be quite some servers. Are we talking firewalls in general or are we talking datacenter? All companies do not have access to reverse-proxy farms.
-Alarm/Logging capabilities providing info on potential attacks
-etc.
NetFlow from the network infrastructure, the OS/apps/services on the server itself do this, etc.
Not the same thing; you will need to analyze the data. NetFlow does not perform data analysis; you will need to develop/buy something else for that.
Stateful inspection further enhances the security capabilities of a firewall.
No, it doesn't, not in front of servers where there's no state to inspect, in the first place, given that every incoming packet is unsolicited.
Every packet is not unsolicited: webserver to database request? DB synch between datacenters, administration, remote services, etc.
There is no state for the services you are serving, true, but what about the rest of the network services potentially available and their exploits?
You may choose not to use a firewall or implement a sound security posture utilizing the "Defense in Depth" philosophy; however, your chances of being compromised are dramatically increased.
Choosing not to make the mistake of putting a useless, counterproductive firewall in front of a server doesn't mean one isn't employing a sound, multi-faceted opsec strategy.
Didn't say it did. I stated several times that a secure architecture should be the goal, not just adding a FW. Did you fail to read or respond to that part?
I know that all the firewall propaganda denoted above is repeated endlessly, ad nauseam, in the Confused Information Systems Security Professional self-study comic books, but I've found that a bit of real-world operational experience serves as a wonderful antidote, heh.
Again, a firewall has its place just like any other device in the network. Defense in depth is a prudent philosophy to reduce the chances of compromise; it does not eliminate it, nor does any architecture you can think of, period.
mike
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
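As an added example that is not part of this thread and not either poster's words: a toy stateful filter in Python modelling the point they argue over, that a server segment still carries state for flows the servers themselves open (web to DB, replication, administration) even though inbound to the published service is always unsolicited. The topology, addresses and ports are constructed for the demo; a real firewall tracks far more (TCP flags, timeouts, UDP/ICMP pseudo-state).

```python
from collections import namedtuple

# Constructed packet model: only the fields this toy filter keys on.
Pkt = namedtuple("Pkt", "src sport dst dport syn")


class StatefulFilter:
    """Toy stateful filter in front of a server segment (assumed topology)."""

    def __init__(self, inside_prefix, published):
        self.inside = inside_prefix   # e.g. "10.0.0." marks the server segment
        self.published = published    # {(server_ip, port)} reachable from outside
        self.flows = set()            # (src, sport, dst, dport) of tracked flows

    def _inside(self, ip):
        return ip.startswith(self.inside)

    def decide(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # Packets belonging to an already-tracked flow pass in both directions.
        if fwd in self.flows or rev in self.flows:
            return "allow-state"
        if not p.syn:
            return "deny-no-state"    # mid-stream packet with no flow: drop it
        # New flow: unsolicited only from outside to a published service;
        # inside hosts (web -> DB, admin, replication) may open new flows.
        if self._inside(p.src) or (p.dst, p.dport) in self.published:
            self.flows.add(fwd)
            return "allow-new"
        return "deny-policy"


def demo():
    """Run five constructed packets through the filter; returns the verdicts."""
    fw = StatefulFilter("10.0.0.", published={("10.0.0.10", 80)})
    web, db, client = "10.0.0.10", "10.0.0.20", "203.0.113.5"
    return [
        fw.decide(Pkt(client, 40000, web, 80, True)),    # unsolicited, published
        fw.decide(Pkt(client, 40001, db, 3306, True)),   # unsolicited, not published
        fw.decide(Pkt(web, 50000, db, 3306, True)),      # web opens a DB query
        fw.decide(Pkt(db, 3306, web, 50000, False)),     # DB reply matches state
        fw.decide(Pkt(client, 40002, web, 80, False)),   # stray ACK, no state
    ]


if __name__ == "__main__":
    print(demo())
```

The second and fifth verdicts are the ones a stateless ACL could not distinguish from the first: the DB port is closed to unsolicited outside traffic, and a mid-stream packet with no tracked flow is dropped even though port 80 is published.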