On Thu, 2004-03-18 at 15:26, Alexei Roudnev wrote:
>> A good firewall *should* be doing a whole lot more than that. It should
> Do not overestimate. A firewall can do a little more than just restrict access and inspect a few (very limited) protocols.
If this concerns you, just use a proxy instead of stateful inspection. Even better, use both to leverage the speed of the packet filtering and the application control of the proxy. Defense in-depth and all of that.
> It cannot protect you from slow scans;
If a firewall can't stop a scan because it's slow, then the firewall is broken. If you are talking about detecting a port scan, then it's a matter of how you parse the data. I can easily detect port scans as slow as 1 port/4 hours with Netfilter. I can push this out to 1 port/week if the source IP is on my "potentially hostile" list.
> it cannot protect you from SSL / SSH / (any other encrypted protocol) vulnerabilities,
All depends on what you need. For example, if you want to inspect payload, terminate the tunnel at the firewall or some external device (like an SSL accelerator) and then run the payload through a reverse proxy. If it's outright blocking you want, just inspect for the initial handshake and drop as required. You only need to check the first couple of ACKs to do this correctly.
> it cannot protect your users from viruses in e-mail, etc., etc.
I don't remember saying it would. What I do remember saying is that the firewall could be used to help detect outbound activity if the internal host becomes a zombie due to e-mail based viruses.
> Very good level of details - 200 Mb of daily logs (IP, IP protocol = https). Any network statistics system can do it. Unfortunately, all these logs are 99% useless until you need forensics.
I guess it's a matter of what you do with them. I personally find my firewall logs *very* useful and can ID a wide range of suspicious activity, even a few that are payload based despite the fact that the firewall does not log the payload. As for review time, 200 MB takes me maybe 20 minutes with my parsing script unless I find something *really* interesting that I want to drill in on. Then the time factor comes down to when my obsessive compulsive personality will let it go. ;-) But then again I'm one of *those* geeks that finds log review to be a fun way to spend a weeknight. I expect if I found it to be more of a chore I would also find them to be less than useful.
>> perimeter. It should also be doing some level of content checking to
> In reality, I can count all the useful things a firewall can do. I cannot count (it is infinite) the number of things it cannot do.
So basically your argument is "it's good at some things but not others, so why bother?". Given that line of thinking, why bother with IDS because it can't detect Ethernet CRC errors? Why bother running a virus scanner because it can't keep your system patched? Why bother patching your systems because that does not help add the fabric softener during the rinse cycle? A firewall is a tool, no more, no less. The capability of that tool is 90% dependent on the person wielding the tool. If you can only find a limited number of applications for a firewall, I'm not surprised that you don't find it all that useful. That does not mean the same is true for the rest of us.

HTH,
C
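The slow-scan detection from Netfilter logs that this reply describes, as an added example (not code from either poster): it parses constructed syslog lines in the LOG-target layout and flags any source that touches a threshold number of distinct destination ports inside a sliding window, using a longer window for sources on a "potentially hostile" list. The log layout, thresholds, window sizes and addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields as the Netfilter LOG target writes them to syslog (layout assumed, not from the post).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)

def parse(lines, year=2004):
    """Yield (timestamp, src, dport) for TCP/UDP lines; syslog omits the year, so it is assumed."""
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("dpt"):
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
            yield ts, m.group("src"), int(m.group("dpt"))

def find_slow_scans(lines, window=timedelta(hours=24), min_ports=5,
                    hostile=frozenset(), hostile_window=timedelta(days=30)):
    """Flag sources that hit >= min_ports distinct ports inside one sliding window;
    sources on the 'potentially hostile' list are judged over the longer hostile_window."""
    events = defaultdict(list)
    for ts, src, dport in parse(lines):
        events[src].append((ts, dport))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        w = hostile_window if src in hostile else window
        for i, (ts, _) in enumerate(evs):
            ports = {p for t, p in evs[:i + 1] if ts - t <= w}
            if len(ports) >= min_ports:
                alerts[src] = sorted(ports)
                break
    return alerts

def _line(ts, src, dpt):
    # Constructed sample line in the LOG-target layout; addresses come from documentation ranges.
    return (f"{ts:%b %d %H:%M:%S} fw kernel: DROP IN=eth0 OUT= SRC={src} DST=10.0.0.10 "
            f"LEN=60 TOS=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40000 DPT={dpt} SYN URGP=0")

T0 = datetime(2004, 3, 18, 0, 0, 0)
# 198.51.100.7 probes five ports at one per 4 hours; 192.0.2.5 at one per day (caught only
# with the hostile window); 203.0.113.9 makes a single connection attempt.
SAMPLE_LOG = (
    [_line(T0 + timedelta(hours=4 * i), "198.51.100.7", p) for i, p in enumerate((22, 23, 25, 80, 443))]
    + [_line(T0 + timedelta(days=i), "192.0.2.5", p) for i, p in enumerate((21, 22, 139, 445, 3389))]
    + [_line(T0, "203.0.113.9", 80)]
)
```

With the default 24-hour window only the 4-hourly scanner is reported; listing 192.0.2.5 as hostile widens its window to 30 days and the one-port-per-day scan surfaces too.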