PIX firewalls are great if you configure them correctly for the application. 40 or less servers may not require something as complex, however if the data you are protecting is super-critical, I think a PIX might be your best solution.

Proxy firewalls (i.e. Linux, BSD or variant gateways) are good if you're into doing an internal IP network with a NAT access point. But remember dealing with proxies, there is no such thing as a 'TRUE' transparent proxy, and having to go through all of the complexities of port forwarding, packet mangling, etc. might be too much if you are simply trying to firewall your web servers and whatnot.

As discussed in a previous thread, I spoke about transparent bridging used for packet filtering and mangling. On a small application, that might be a good idea, because you get all of the true internet access (i.e. legit IPs, no proxying etc.) with the same ability to filter TCP, ICMP, UDP, IGMP etc. traffic. Disadvantages to dealing with transparent bridging are that you run into the whole MAC address collision and excess over-head announcements being made from the bridge itself every time it sends a packet through.

The best option I guess is to figure out how important it is for you to have a firewall, what is the reason you need one and how important the data is on your servers. That will help you decide the best choice for a firewall or proxy application.

Greg

---------- Original Message ----------------------------------
From: Nicole <nmh@daemontech.com>
Date: Tue, 16 Mar 2004 14:27:16 -0800 (PST)
Hi I am looking for a good but reasonably priced firewall for a 40 or so server site. Some people swear by Pix, others swear at it a lot. Also I have heard good things about Netscreen. Or any others you would recommend for protecting servers on a busy network. Don't really need anything with VPN just the standard http, ftp, ssh, https, type traffic up to 100mb throughput. From what I have heard a proxy firewall would be best?
Thanks in advance!!
Nicole
-- nmh@daemontech.com - Powered by FreeBSD - "Daemons" will now be known as "spiritual guides" -Politically Correct UNIX Page
On Tue, Mar 16, 2004 at 05:01:22PM -0600, Gregory Taylor said something to the effect of: ..snip snip..
As discussed in a previous thread, I spoke about transparent bridging used for packet filtering and mangling. On a small application, that might be a good idea, because you get all of the true internet access (i.e. legit IPs, no proxying etc.) with the same ability to filter TCP, ICMP, UDP, IGMP etc. traffic.
Disadvantages to dealing with transparent bridging are that you run into the whole MAC address collision and excess over-head announcements being made from the bridge itself every time it sends a packet through.
The best option I guess is to figure out how important it is for you to have a firewall,
_Everyone_ (network connected) should have a firewall. My grandma should have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;) Curses. Budget constraints. Bah.
what is the reason you need one and how important the data is on your servers. That will help you decide the best choice for a firewall or proxy application.
See above. ;) The importance of the data is often more an issue of calculating things like redundancy and storage. A firewall in this case should likely be regarded as non-negotiable. Be careful with transparent bridging in lieu of stricter edge filtering... Also consider the efficacy and reward of firewall logs, application layer filtering, and IDS integration (in a budget-friendly, open source flavor of free...) down the road.

ymmv,
--ra

-- k. rachael treu, CISSP rara@navigo.com ..quis costodiet ipsos custodes?..
The best option I guess is to figure out how important it is for you to have a firewall,
_Everyone_ (network connected) should have a firewall. My grandma should have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;)
Why? When did the end2end nature of the Internet suddenly sprout these mutant bits of extra complexity that reduce the overall security of the 'net? Two questions asked, Two answers are sufficent. --bill
_Everyone_ (network connected) should have a firewall. My grandma should have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;)
By "firewall", do you mean "dedicated unit that does stateful filtering" or just "something that will block packets"? We've successfully argued to just about every group here at our University who came to us asking for a "firewall" that, given what they wanted to achieve, they could accomplish the same thing with simple ACLs... I'm sure that the cost of the ACL's (i.e. $0.00) versus the cost of a firewall also helped them in their decision...

Eric :)
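The distinction Eric draws, modelled as an added example that is not code from the thread or from any participant: a router-style stateless ACL must permit inbound TCP with ACK set so the servers' own outgoing connections get replies, whereas a stateful filter admits only packets belonging to a flow it has seen. Addresses are RFC 5737 documentation prefixes, the packets are constructed, and the port set is the one from Nicole's question (ftp, ssh, http, https).

```python
from dataclasses import dataclass

INSIDE_PREFIX = "192.0.2."        # constructed: RFC 5737 prefix standing in for the server site
SERVER_PORTS = {21, 22, 80, 443}  # ftp, ssh, http, https: the services Nicole listed


@dataclass(frozen=True)
class Packet:
    """Only the header fields the two filters look at; no real traffic involved."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

    def inbound(self) -> bool:
        return self.dst.startswith(INSIDE_PREFIX) and not self.src.startswith(INSIDE_PREFIX)

    def outbound(self) -> bool:
        return self.src.startswith(INSIDE_PREFIX) and not self.dst.startswith(INSIDE_PREFIX)


def stateless_acl(pkt: Packet) -> bool:
    """Router-style ACL: every packet is judged on its own header.

    So that the servers' outgoing connections get their replies back, the ACL
    must permit inbound TCP with ACK set (Cisco calls this "established").
    It has no way to tell a genuine reply from an unsolicited ACK-flagged packet.
    """
    if pkt.outbound():
        return True
    if pkt.inbound():
        if pkt.dport in SERVER_PORTS:
            return True
        if pkt.ack:
            return True  # "established": trusts a flag the sender chose
    return False


class StatefulFilter:
    """Keeps a table of flows; a packet neither opening nor continuing a known flow is dropped."""

    def __init__(self) -> None:
        # flows keyed by (initiator_ip, initiator_port, responder_ip, responder_port)
        self.table: set[tuple[str, int, str, int]] = set()

    def _known(self, pkt: Packet) -> bool:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return forward in self.table or reverse in self.table

    def filter(self, pkt: Packet) -> bool:
        opening = pkt.syn and not pkt.ack
        if pkt.outbound() and opening:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))  # inside host initiates
            return True
        if pkt.inbound() and opening and pkt.dport in SERVER_PORTS:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))  # client opens a service
            return True
        # everything else must belong to a flow already in the table
        if pkt.inbound() or pkt.outbound():
            return self._known(pkt)
        return False


def compare() -> dict[str, tuple[bool, bool]]:
    """Run the same constructed packets through both filters: (acl_verdict, stateful_verdict)."""
    sf = StatefulFilter()
    packets = {
        # a web client opens a connection to one of the servers
        "client_syn": Packet("203.0.113.9", 40001, "192.0.2.10", 80, syn=True),
        # a server opens an outgoing HTTPS connection (e.g. fetching updates)
        "server_out": Packet("192.0.2.10", 51000, "203.0.113.70", 443, syn=True),
        # the SYN/ACK coming back for that connection
        "reply": Packet("203.0.113.70", 443, "192.0.2.10", 51000, syn=True, ack=True),
        # an unsolicited ACK-flagged packet to a port no rule ever opened
        "ack_probe": Packet("203.0.113.99", 6000, "192.0.2.10", 3306, ack=True),
    }
    return {name: (stateless_acl(p), sf.filter(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (acl_ok, state_ok) in compare().items():
        verdict = lambda ok: "pass" if ok else "drop"
        print(f"{name:11s} acl={verdict(acl_ok):4s} stateful={verdict(state_ok)}")
```

The only disagreement between the two is the last packet: the ACL passes it on the strength of the ACK flag, the state table drops it because no inside host ever opened that flow.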
On Wed, Mar 17, 2004 at 12:19:53PM -0500, Eric Gauthier said something to the effect of:
_Everyone_ (network connected) should have a firewall. My grandma should have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;)
By "firewall", do you mean "dedicated unit that does stateful filtering"
No.
or just "something that will block packets"? We've successfully argued to just about every group here at our University who came to us asking for a "firewall" that, given what they wanted to achieve, they could accomplish the same thing with simple ACLs...
fire'wall
1. A fireproof wall used as a barrier to prevent the spread of fire.
2. Computer Science. Any of a number of security schemes that prevent unauthorized users from gaining access to a computer network or that monitor transfers of information to and from the network.
I'm sure that the cost of the ACL's (i.e. $0.00) versus the cost of a firewall also helped them in their decision...
This is just a semantic issue. I am putting any packet-level inspection engine deployed as an access control means into the category of "firewall." The confusion here would be akin to my retorting with "how on earth are deploying lists of system object access rights going to protect a network edge?" ;) ACL has alternate meanings, as well[1].

A sample of what some vendors call some things:

Cisco: router packet-level access control = ACL
Microsoft: OS object permissioning schema = ACL
Linksys: router packet-level access control = firewall
Juniper: router packet-level access control = firewall filter

:) *,
--ra

[1]http://whatis.techtarget.com/definition/0,289893,sid9_gci213757,00.html

-- k. rachael treu, CISSP rara@navigo.com ..quis costodiet ipsos custodes?..
On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
The best option I guess is to figure out how important it is for you to have a firewall,
_Everyone_ (network connected) should have a firewall. My grandma should have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;)
Why? When did the end2end nature of the Internet suddenly sprout these mutant bits of extra complexity that reduce the overall security of the 'net?
Two questions asked, Two answers are sufficient.
Nope. One will do it. The day the first remote exploit or condition, in protocol or application, that could potentially have given rise to such an exploit made it possible for a user not in your control to gain control of your box(en), firewalling became necessary. The Internet is not exactly end-to-end beyond pure fundamentals; it's more end-to-many-ends. And the notion of "end-to-end" requires preservation of a connection between 2 consenting hosts, and preservation includes securement of that connection against destructive mechanisms, which includes the subversive techniques and interceptions commonly associated with network security.

Denial of Service is as much a threat to availability and network functionality as is power outage if it occurs. Before this turns to a "you security freaks want to screw around with my network and don't care about availability..."

Firewalls are logical interventions, costing as little as some processor overhead. Dedicated appliances are only one deployment. Filters on routers also qualify as firewalls. Am I correct in understanding that you feel edge filtering is mutant lunacy and unnecessary complexity?

Regarding dedicated firewalls, please see Mr. Bellovin's previous post regarding appropriate and competent administration. The lack thereof presents the complication, not the countermeasure itself.

As for your assertion that firewalls "reduce the overall security of the 'net."...can you please elaborate on that, as well? Other factions might/do argue that it's the other team refusing to lock their doors at night that are perpetuating the flux of bad behavior as a close second to the ignorant and infected.

--ra

-- k. rachael treu, CISSP rara@navigo.com ..quis costodiet ipsos custodes?..
Date: Wed, 17 Mar 2004 11:57:33 -0600
From: Rachael Treu <rara@navigo.com>
I dislike firewalls for many applications, although I have a Sonic Wall on my cable modem. On the whole, they lead to false belief that firewalls really make you safe. They also block many interesting applications. Things like H.323 conferencing are made vastly more complex by firewalls with no easy or canned work-arounds.

One large research site I work closely with has directly opted for IDS with a bad attitude (love that description) which has successfully blocked many intrusion and DOS attempts with no major failures. Slammer did overwhelm it, but it did the same for most everything.

The end-to-end nature of the net is really, really important, but is being blocked more and more by those who think the net is web browsing and e-mail clients and that everything else is simply an annoyance. This attitude is hamstringing network development already and may end up turning the commercial Internet into a permanently limited tool with fewer real capabilities than the ARPANET had before TCP/IP replaced NCP.

Grandma may need a firewall. (My sister DEFINITELY needs one.) But not all network connections need or will benefit from a firewall. And many systems will exist with significant security flaws because the owners believe that the firewall takes care of everything.

-- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: oberman@es.net Phone: +1 510 486-8634
On Wed, Mar 17, 2004 at 09:48:30AM -0800, Kevin Oberman said something to the effect of: ..snip snip..
I dislike firewalls for many applications, although I have a Sonic Wall on my cable modem. On the whole, they lead to false belief that firewalls really make you safe. They also block many interesting applications. Things like H.323 conferencing are made vastly more complex by firewalls with no easy or canned work-arounds.
H.323 is its own complex, unwieldy mutant (though a lovely one at that), and it is unfair to throw the baby out with the bathwater in that case. Something like saying that it's rough to configure MPLS on your cable modem at home so we should do away with those. Configured properly, firewalls handle H.323 just fine.

As for false beliefs... Seat belts aren't guaranteed to save your life if you wrap your car around a tree, but they improve the chances that you won't pierce the windshield with your face. That lid on your coffee cup has a hole in it so you can drink out of it, but that can spill, too.. Still...which way would you rather have that cup--lidded or lidless-- when it goes flying out of your cupholder and into your lap? A stoplight doesn't actually physically stop traffic. Having a green light in your direction doesn't actually guarantee that the intersecting traffic won't plow into you. Sometimes parachutes don't open properly, but can you imagine if people gave up skydiving altogether, or skydived without them, refusing to be lulled into a false sense of safety?

Hrm. This now becomes an issue of adequate education and precaution. It's not the fault of the technology if its users are ill-informed...
One large research site I work closely with has directly opted for IDS with a bad attitude (love that description) which has successfully blocked many intrusion and DOS attempts with no major failures. Slammer did overwhelm it, but it did the same for most everything.
IDS that reacts is, by classical definition, firewalling. The IDS component merely detects the anomaly. To react is a firewall function. Does IDS not smack of that false sense of security you mentioned? If admins refuse to acknowledge attack conditions because the IDS didn't squawk, does that guarantee that the network is totally peaceful?
The end-to-end nature of the net is really, really important, but is being blocked more and more by those who think the net is web browsing and e-mail clients and that everything else is simply an annoyance. This attitude is hamstringing network development already and may end up turning the commercial Internet into a permanently limited tool with fewer real capabilities than the ARPANET had before TCP/IP replaced NCP.
This is a very valid concern. Unfortunately, aside from those in pure academia, this is the bread and butter for most of us. The HTML-for-the-masses and email-happy vox populi are the ones subscribing to providers and buying bandwidth that we are trying to enable.
Grandma may need a firewall. (My sister DEFINITELY needs one.) But not all network connections need or will benefit from a firewall. And many systems will exist with significant security flaws because the owners believe that the firewall takes care of everything.
As do many owners that believe their Microsoft boxes do everything. Or nothing. Or that nothing needs to be done to their MS boxes...

*,
--ra

-- k. rachael treu, CISSP rara@navigo.com ..quis costodiet ipsos custodes?..
On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
The best option I guess is to figure out how important it is for you to have a firewall,
_Everyone_ (network connected) should have a firewall. My grandma should have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;)
Why? When did the end2end nature of the Internet suddenly sprout these mutant bits of extra complexity that reduce the overall security of the 'net?
Two questions asked, Two answers are sufficient.
Nope. One will do it. The day the first remote exploit or condition, in protocol or application, that could potentially have given rise to such an exploit made it possible for a user not in your control to gain control of your box(en), firewalling became necessary.
Ah, so back in 1979. Three (well two and a half, roughly) decades between making fundamental design choices on how protocols vs folks trying to do the right thing in the wrong place.
The Internet is not exactly end-to-end beyond pure fundamentals; it's more end-to-many-ends. And the notion of "end-to-end" requires preservation of a connection between 2 consenting hosts, and preservation includes securement of that connection against destructive mechanisms, which includes the subversive techniques and interceptions commonly associated with network security.
Here we have some disagreement. Network Security is protecting the infrastructure's ability to deliver bits and has nothing to do w/ end systems per se.
Firewalls are logical interventions, costing as little as some processor overhead. Dedicated appliances are only one deployment. Filters on routers also qualify as firewalls. Am I correct in understanding that you feel edge filtering is mutant lunacy and unnecessary complexity?
Please include the OPEX costs. And you have ignored the IAB plea for having filtering done as a temporary expedient as a way to encourage new application/feature development. And yes, the need to perform edge filtering is symptomatic of a cultural problem. We have sociopaths in the community that drive normally sane people to do perverse things. So yes, mutant lunacy and unDESIRABLE complexity.
Regarding dedicated firewalls, please see Mr. Bellovin's previous post regarding appropriate and competent administration. The lack thereof presents the complication, not the countermeasure itself.
Amen. See above. From a systems perspective, adding yet one more level of management/administration decreases the efficiency and robustness of the overall system. From a "security" perspective, another attack point!
As for your assertion that firewalls "reduce the overall security of the 'net."...can you please elaborate on that, as well? Other factions might/do argue that it's the other team refusing to lock their doors at night that are perpetuating the flux of bad behavior as a close second to the ignorant and infected.
See above.
--bill
Not _firewalling_, but access limitation. Grandma can live with a PNAT router - she does not need any firewall, if she does not grant external access to anything. She can live with the Windows _default deny_ setting. If grandma has extra money, it is better to purchase anti-virus.

Moreover. Just for _grandma_, it can be cheaper to do nothing than to invest into security (bad thing for us, I know!) - because she lost '$0' in case of intrusion... It explains the widespread of modern viruses, spam-trojans etc (they cost '$0' to infected households in many cases).

It is as with Wireless access - my friend has a secured access point, but when I tried, I could use unsecured access points of 2 of his neighbours. They know about the insecurity - but they do not lose anything, so they do not want to spend $0.01 to improve it. And unfortunately, I can not blame them.
On Wed, Mar 17, 2004 at 11:19:54AM -0800, Alexei Roudnev said something to the effect of:

Guys...firewall is as generic a term as any. Saying grandma needs a router does not mean that an M20 is interchangeable with her Linksys.

The definition of firewall[1]:

1. A fireproof wall used as a barrier to prevent the spread of fire.
2. Computer Science. Any of a number of security schemes that prevent unauthorized users from gaining access to a computer network or that monitor transfers of information to and from the network.

By that rationale, firewall includes ACLs, filtering, and the umpteen built-in apps that ship standard with home CPE/routers that _call themselves_ firewall software. I am absolutely talking access control. Not about an HA Netscreen500 pair with VRRP off redundant switch fabric and H.323 support.

As for your cost commentary, you are absolutely right. I said grandma needs a firewall, not that she has one or will buy one. That is the unfortunate disparity between prudence and practical application.

--ra

[1]http://dictionary.reference.com/search?q=firewall

-- k. rachael treu, CISSP rara@navigo.com ..quis costodiet ipsos custodes?..
Rachael Treu wrote:
Guys...firewall is as generic a term as any. Saying grandma needs a router does not mean that an M20 is interchangeable with her Linksys.
You're preaching to a list with people on it who invented the terms you are using *and* wrote the books. Stop lecturing and *listen*. Peter
Rachael Treu wrote:
_Everyone_ (network connected) should have a firewall. My grandma should
have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;)
No, the applications should accept only authorized connections. If that would be the case, there would be no need to filter at packet level. Pete
On Wed, 2004-03-17 at 21:02, Petri Helenius wrote:
No, the applications should accept only authorized connections. If that would be the case, there would be no need to filter at packet level.
No, since this would be assuming that each application is perfect and there's no such thing as buffer overflows and other software bugs (including those in authentication routines). A firewall is an extra line of defence in preventing malicious packets from reaching the destination app and the more people have one the better (although I'm not sure whether grandma would be too bothered). It's not bulletproof (and could potentially contain a bug itself) but it provides additional security, regardless of authentication of connections.

-- Erik Haagsman Network Architect We Dare BV tel: +31.10.7507008 fax: +31.10.7507005 http://www.we-dare.nl
Erik Haagsman wrote:

And I think you have hit it right on the head...another line of defense. Everything I've ever read about security (network or otherwise) suggests that a layered approach increases effectiveness. I certainly don't trust a firewall appliance as my only security device, so I also do prudent things like disable ports and applications that are not in use on my network and enforce authentication and authorization for access to legitimate services.

-- bep
On Wed, 2004-03-17 at 21:44, Bruce Pinsky wrote:
Everything I've ever read about security (network or otherwise) suggests that a layered approach increases effectiveness. I certainly don't trust a firewall appliance as my only security device, so I also do prudent things like disable ports and applications that are not in use on my network and enforce authentication and authorization for access to legitimate services.
Good point...and that's exactly why in some cases, especially in SOHO and SMB oriented products, both hardware as well as software vendors can be part of the security problem by advertising their products as the definite solution to all security holes. Truly securing even a single server or host connected to the Internet entails a lot more than just blocking a few ports, let alone securing a network. By marketing "the perfect solution" to not-too-clueful admins the actual security holes only get bigger and harder to track.

-- Erik Haagsman Network Architect We Dare BV tel: +31.10.7507008 fax: +31.10.7507005 http://www.we-dare.nl
And I think you have hit it right on the head...another line of defense. Everything I've ever read about security (network or otherwise) suggests that a layered approach increases effectiveness. I certainly don't trust a firewall appliance as my only security device, so I also do prudent things like disable ports and applications that are not in use on my network and enforce authentication and authorization for access to legitimate services.
Unfortunately, it decreases it. If I turn off file sharing on a Windows server, I'll increase security but complicate support (in some cases). If I run an IDS system, I spend time verifying and approving changes done by maintainers. And so on. So, it is very important to have a strong FIRST line of defense (inbound firewalls) and last line (host IDS); it allows you to gain a little more efficiency by keeping convenient (but not very secure) protocols inside your internal network. Otherwise, you end up in full paranoia.
In message <4058AEF2.2060109@he.iki.fi>, Petri Helenius writes:
No, the applications should accept only authorized connections. If that would be the case, there would be no need to filter at packet level.
No. Quite apart from the fact that you mean "authorized", not "authenticated", the primary purpose of a firewall is to keep the bad guys away from the buggy code. Firewalls are the networks' response to the host security problem. Put in a NANOG-friendly way, they're a scalable security mechanism that can *help* defend you. Think of the endorsement on most tubes of (American) toothpaste:

... has been shown to be an effective decay-preventive dentifrice that can be of significant value when used as directed in a conscientiously applied program of oral hygiene and regular professional care.

If all you want to do is say "no" to all incoming connections on a single machine, you don't need a separate box labeled "firewall" -- assuming, of course, that your host is properly configured. Most systems aren't configured that way; worse yet, it takes a lot of knowledge to understand how to block things, and when it's ok to do so. (It's an amusing exercise to run ZoneAlarm on a new, out-of-the-box Windows machine and see how many different programs think they need to talk to the network, or (worse yet) act as servers.) But it's a lot of work to configure a machine to be that safe, and if you have a hundred or a thousand of them you can't do it; entropy will open up new holes -- that is, open up new sockets for buggy applications -- faster than you can close them down.

Add to that that you don't really know what's safe or unsafe, and that you have some services that are convenient for insiders but don't have adequate, scalable authentication on which you can build an authorization mechanism, and you see why firewalls are useful.

Perfect? No, of course not. A good idea? Absolutely.

--Steve Bellovin, http://www.research.att.com/~smb
"the primary purpose of a firewall is to keep the bad guys away from the buggy code. Firewalls are the networks' response to the host security problem."
a pretty good sound bite. :)
Add to that that you don't really know what's safe or unsafe, and that you have some services that are convenient for insiders but don't have adequate, scalable authentication on which you can build an authorization mechanism, and you see why firewalls are useful.
Perfect? No, of course not. A good idea? Absolutely.
Er... perhaps. Who is configuring the "firewall"? What are its capabilities? How easy will it be to deploy new services? I, as an enduser, am abdicating most of my responsibility to or it is being hijacked by one or more network service providers. Ken is right. Firewalls, in general, seem to be a great place for blackhats to focus on. DoS is trivial, the degenerate case is encaps of everything into stuff that passes through the firewall (IP over port 80), and then we've just pushed the problem elsewhere, adding more complexity to the system for little if any improvement in the overall integrity. Sounds like the result is a system that is more fragile.
--Steve Bellovin, http://www.research.att.com/~smb
--bill (cynic) Noting that the nanog thread of the day has changed, but not n'cessly for the better. :)
On Wed, Mar 17, 2004 at 03:01:50PM -0800, bill said something to the effect of:
"the primary purpose of a firewall is to keep the bad guys away from the buggy code. Firewalls are the networks' response to the host security problem."
a pretty good sound bite. :)
Add to that that you don't really know what's safe or unsafe, and that you have some services that are convenient for insiders but don't have adequate, scalable authentication on which you can build an authorization mechanism, and you see why firewalls are useful.
Perfect? No, of course not. A good idea? Absolutely.
Er... perhaps.
Who is configuring the "firewall"? What are its capabilities?
You are. Your network engineer is. The needs of your network and staff dictate the demands and deploy a mechanism suitable enough to satisfy them. This is not a question others can answer for you in the hypothetical.
How easy will it be to deploy new services? I, as an enduser,
That will depend on the services. If you ask most to stream Kazaa into your cube at work, they'll laugh at you. If you want to route jellybeans-over-IP, you'll likely not be considered. If you're at the helm at the office or at home, then it's as easy as you make it and you can do what you want within the scope of your provider's AUP.. Again...competent security engineer...comes to mind...
am abdicating most of my responsibility to or it is being hijacked by one or more network service providers. Ken is right.
This is the job of the edge/customer/network administrator, or a 3rd party agent contracted to provide managed security services. Most NSPs do not do this (granular filtering) unless engaged (and paid) directly by the customer. Is that what has your dander up? This is the job/responsibility/whim of the subscriber, for the most part.
Firewalls, in general, seem to be a great place for blackhats to focus on.
What? No...unprotected systems are the great places for blackhats to focus on. Where are you getting this? I apologize for sounding potentially antagonistic, but I am having a difficult time discerning between devil's advocacy and counterintuition in your opinions regarding secure network praxes. Single points of failure are prime targets for attack, too, by the way. As are unchecked portals and ingress vectors. Eschewing security mechanisms (physical, logical, DR, etc) contributes to both.
DoS is trivial,
Please tell me you did not just go there... Network outage is not trivial. Not ever. One more time...where are you getting your information? That clause is patently incorrect. Please remember virii and node subversion when you head in that direction, as well, as granular security is not just about DoS...
the degenerate case is encaps of everything into stuff that passes through the firewall (IP over port 80), and then we've just pushed the problem
What kind of firewall are you talking about? Who does this?
elsewhere, adding more complexity to the system for little if any improvement in the overall integrity. Sounds like the result is a system that is more fragile.
Broken record...from where did you derive this information? And how better do you propose to restrict access to a network than filtering/firewalling or somesuch similar level of access control? Or is it (as you have not yet answered this) your position that a network should remain open and unsecured? Not your service provider's network...but networks in general. What, in no uncertain terms, do you believe belongs keeping watch over your network perimeter? Also, what constitutes acceptable loss and/or outage in your organization? It is entirely possible and I am increasingly hopeful that you and I are simply talking about 2 totally separate things. For the record...the top 2 Achilles' heels to network security are improperly-protected edge devices (i.e., web servers, unpatched desktops, unsecured routers, etc), and protocol-related vulnerabilities (i.e., SNMP, DNS/BIND). Your concern for thwarted network application development leads me to enlist you and yours to fix inherently weak protocols (SMTP, for example) to make networking itself again more robust before I agree to see a security layer as superfluous. And then there are software purveyors to visit.

--ra

--
k. rachael treu, CISSP
rara@navigo.com
..quis custodiet ipsos custodes?..
--Steve Bellovin, http://www.research.att.com/~smb
--bill (cynic)
Noting that the nanog thread of the day has changed, but not n'cessly for the better. :)
In message <200403172301.i2HN1o920765@karoshi.com>, bill writes:
"the primary purpose of a firewall is to keep the bad guys away from the buggy code. Firewalls are the networks' response to the host security problem."
a pretty good sound bite. :)
Thanks -- I've been using that line for about 10 years, and I haven't gotten tired of it yet....
Add to that that you don't really know what's safe or unsafe, and that you have some services that are convenient for insiders but don't have adequate, scalable authentication on which you can build an authorization mechanism, and you see why firewalls are useful.
Perfect? No, of course not. A good idea? Absolutely.
Er... perhaps.
Who is configuring the "firewall"? What are its capabilities? How easy will it be to deploy new services? I, as an enduser, am abdicating most of my responsibility to or it is being hijacked by one or more network service providers. Ken is right.
I don't have time to participate in this thread any more tonight -- tomorrow is the biweekly IESG call, and I still have several documents to review -- but I never said that ISPs should implement firewalls. In fact, in general that's a bad idea. Firewalls are the instantiation of a security policy; I don't want my ISP telling me what my security policy is or should be. To be sure, there is a market for a value-added ISP service that provides assorted types of filtering. But that's the sort of thing that's best done by consenting adults. More later.... --Steve Bellovin, http://www.research.att.com/~smb
No. Quite apart from the fact that you mean "authorized", not "authenticated", the primary purpose of a firewall is to keep the bad guys away from the buggy code. Firewalls are the networks' response to the host security problem.
No. Let's imagine that I have 4 hosts, without ANY security problems in software, and I'd like to provide WEB service. Firewall protects other services from outside access. Without it, you can slogin to me if you know my password, even if the host has no bugs. (Of course, SecureID, hand scan etc... decreases a need for this.) Second. Not EVERY network requires a FireWall. If a network (grandma) does not allow any ACCESS from the Internet (grandma's network does not allow access because it does not expose any IP device to the outside network, using NAT for outgoing connections), it can live without any ACL and any firewall attributes - and be as secure as a production network with expensive firewall(s). Key word is _ACCESS_. No ACCESS - no FireWall (cut wires). One Way Access - many different devices play the role of firewall (PNAT translator, for example, does 99.9% of the work). More ACCESS required - more COMPLICATED firewalls are required. So, key word is not PROTECTION but ACCESS.
OK, I've tried to stay out of this, but... On Thu, 2004-03-18 at 01:17, Alexei Roudnev wrote:
No. let's imagine, that I have 4 hosts, without ANY security problems in software,
Exactly how do you *prove* there are zero security problems with any of this software? I hate to say it, but a lot of the security issues we are faced with today is because people thought they could build secure software without worrying about a secure architecture. That's exactly what you are doing here.
Firewall protects other services from outside access.
A good firewall *should* be doing a whole lot more than that. It should also be giving you a good level of detail about what crosses your perimeter. It should also be doing some level of content checking to protect the servers behind it. It should also be stopping and alerting you if that Web server one day tries to TFTP out to the Internet. Etc. etc. etc.
Second. Not EVERY network requires a FireWall. If a network (grandma) does not allow any ACCESS from the Internet (grandma's network does not allow access because it does not expose any IP device to the outside network, using NAT for outgoing connections), it can live without any ACL and any firewall attributes
<sarcasm> Absolutely, because who cares if someone drops a call home Trojan on Grandma's system (via e-mail or nasty URL) which turns the system into a spam relay or a DDoS zombie. That would *never* happen, right? </sarcasm> Oh wait, I seem to remember that both of these problems are discussed on at least a weekly basis in this forum. A firewall can't prevent the above attacks, but it can give you a heads up that they happened.
- and be as secure as a production network with expensive firewall(s).
Dude, *please* don't take this as a slam, but you really need to come more up to speed on this technology.
Key word is _ACCESS_. No ACCESS - no FireWall (cut wires).
Agreed, but in both of your examples where you say a firewall is not needed, you include some level of access. Now if you are going to cut the wires and ensure there are no 802.11 or dial-in access points, I'll agree so long as physical security is up to snuff.
One Way Access - many different devices play the role of firewall (PNAT translator, for example, does 99.9% of the work).
Hey, has anyone tested this lately? I beat up on a number of NAT-only firewalls about 3 years ago and found that approximately half could be defeated by simply using loose source routing. Has anyone tested the latest roundup of products for this "functionality"? HTH, Chris
Firewall protects other services from outside access.
A good firewall *should* be doing a whole lot more than that. It should
Do not overestimate. A firewall can do little more than just restrict access and inspect a few (very limited) protocols. It can not protect you from slow scans; it can not protect you from SSL / SSH / (any other encrypted protocol) vulnerabilities; it can not protect your users from viruses in e-mail, etc etc. A proxy firewall (a device which terminates _ALL_ protocols) can help in some cases (management access to your network by ssh) but can not with others (SSL site hosting, for example).
also be giving you a good level of detail about what crosses your
Very good level of detail - 200 Mb of daily logs (IP, IP protocol = https). Any network statistics system can do it. Unfortunately, all these logs are 99% useless until you need forensics.
perimeter. It should also be doing some level of content checking to
In reality, I can count all the useful things a firewall can do. I can not count (it is infinite) the number of things it can not do.
In real life, protocol inspection is useful for SMTP and DNS. Sometimes for http (but not https), SIP, and a few other _open_ protocols. That's all. Sometimes it can recognize unusual behaviour of _your_ server and notify you (esp. if you maintain _default deny_ for some protocols). You are right about _checking outbound connections_ - a firewall can help, if properly configured. Unfortunately, you can spend days configuring your home firewall for outbound connections, even if you maintain a proxy. I do not think that you will do it for grandma... You are right about the possibility of weaknesses in some PNAT devices. There is a very big potential for problems / holes here. I'd like to see such tests as you are talking about (security tests for PNAT devices).
On Thu, 2004-03-18 at 15:26, Alexei Roudnev wrote:
A good firewall *should* be doing a whole lot more than that. It should
Do not overestimate. A firewall can do little more than just restrict access and inspect a few (very limited) protocols.
If this concerns you, just use a proxy instead of stateful inspection. Even better, use both to leverage the speed of the packet filtering and the application control of the proxy. Defense in-depth and all of that.
It can not protect you from slow scans;
If a firewall can't stop a scan because it's slow, then the firewall is broken. If you are talking about detecting a port scan, then it's a matter of how you parse the data. I can easily detect port scans as slow as 1 port/4 hours with Netfilter. I can push this out to 1 port/week if the source IP is on my "potentially hostile" list.
it can not protect you from SSL / SSH / (any other encrypted protocol) volnurabilities,
All depends on what you need. For example if you want to inspect payload, terminate the tunnel at the firewall or some external device (like an SSL accelerator) and then run the payload through a reverse proxy. If it's outright blocking you want, just inspect for the initial handshake and drop as required. You only need to check the first couple of ACKs to do this correctly.
it can not protect your users from viruses in e-mail, etc etc.
I don't remember saying it would. What I do remember saying is that the firewall could be used to help detect outbound activity if the internal host becomes a zombie due to e-mail based viruses.
Very good level of details - 200 Mb of daily logs (IP, IP protocol = https). Any network statistics system can do it. Unfortunately, all this logs are 99% useless until you need forensics.
I guess it's a matter of what you do with them. I personally find my firewall logs *very* useful and can ID a wide range of suspicious activity, even a few that are payload based despite the fact that the firewall does not log the payload. As for review time, 200 MB takes me maybe 20 minutes with my parsing script unless I find something *really* interesting that I want to drill in on. Then the time factor comes down to when my obsessive compulsive personality will let it go. ;-) But then again I'm one of *those* geeks that finds log review to be a fun way to spend a week night. I expect if I found it to be more of a chore I would also find them to be less than useful.
perimeter. It should also be doing some level of content checking to
In reality, I can count all the useful things a firewall can do. I can not count (it is infinite) the number of things it can not do.
So basically your argument is "it's good at some things but not others so why bother?". Given that line of thinking, why bother with IDS because it can't detect Ethernet CRC errors? Why bother running a virus scanner because it can't keep your system patched. Why bother patching your systems because that does not help add the fabric softener during the rinse cycle. A firewall is a tool, no more no less. The capability of that tool is 90% dependent on the person wielding the tool. If you can only find a limited number of applications for a firewall, I'm not surprised that you don't find it all that useful. That does not mean the same is true for the rest of us. HTH, C
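Two of Chris's claims in this exchange are concrete enough to show in code: that a slow port scan (one port every few hours) is a log-parsing problem rather than a packet-filtering one, and that firewall logs earn their keep by flagging a protected server that suddenly makes an outbound connection it never should (the web server that one day tries to TFTP out, or an internal host turned zombie). What follows is an added example and not code from Chris, Alexei or anyone else on the thread. It assumes the standard Netfilter/iptables LOG target line shape (a syslog timestamp, then `IN= OUT= SRC= DST= PROTO= ... SPT= DPT=` fields after whatever log prefix the rule used); the sample log lines, the 2004 year used to complete the timestamps, the detection thresholds and the per-server egress allowlist are all constructed for the illustration.

```python
"""Added example: slow-scan and unexpected-egress detection over Netfilter
LOG lines.  Not code from the NANOG thread; the log lines, thresholds and
the EGRESS_POLICY allowlist below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic).  203.0.113.7 probes one port
# every ~4 hours; 198.51.100.4 is an ordinary client; the protected web
# server 192.0.2.10 does a legitimate DNS lookup and then a TFTP connection
# it has no business making.
SAMPLE_LOG = """\
Mar 17 00:05:10 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
Mar 17 04:12:33 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
Mar 17 08:40:01 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25
Mar 17 09:00:00 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
Mar 17 09:00:02 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443
Mar 17 11:11:11 fw kernel: FW-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.99 PROTO=UDP SPT=33000 DPT=69
Mar 17 11:11:12 fw kernel: FW-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.53 PROTO=UDP SPT=33001 DPT=53
Mar 17 13:02:45 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80
Mar 17 17:55:19 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=110
Mar 17 22:30:07 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=143
"""

# Per-server egress allowlist of (proto, dport) pairs: an illustrative
# policy, not one from the thread.  The web server may only resolve names.
EGRESS_POLICY = {"192.0.2.10": {("UDP", 53)}}

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})")
# Pick the KEY=value fields we need wherever they sit on the line, so real
# LOG lines with extra fields (MAC=, LEN=, TTL=, ...) parse the same way.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_netfilter_log(text, year=2004):
    """Turn LOG lines into event dicts; lines without a port (ICMP, noise)
    are skipped.  Syslog timestamps carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        ts = TS_RE.match(line)
        fields = dict(FIELD_RE.findall(line))
        if not ts or not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
            continue
        events.append({
            "time": datetime.strptime(f"{year} {ts.group(1)}", "%Y %b %d %H:%M:%S"),
            "direction": "in" if fields.get("IN") else "out",  # IN= set => arrived on an interface
            "src": fields["SRC"],
            "dst": fields["DST"],
            "proto": fields["PROTO"],
            "dport": int(fields["DPT"]),
        })
    return events


def find_slow_scans(events, window=timedelta(hours=24), min_ports=5):
    """Flag inbound sources touching >= min_ports distinct destination ports
    inside any window-long span.  Widening the window is what makes a
    one-port-every-four-hours scan visible; nothing here cares about rate."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["direction"] == "in":
            by_src[ev["src"]].append((ev["time"], ev["dport"]))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners


def find_unexpected_egress(events, policy):
    """Report outbound connections from servers in `policy` whose
    (proto, dport) is not on that server's allowlist."""
    findings = []
    for ev in events:
        if ev["direction"] != "out" or ev["src"] not in policy:
            continue
        if (ev["proto"], ev["dport"]) not in policy[ev["src"]]:
            findings.append((ev["src"], ev["dst"], ev["proto"], ev["dport"]))
    return findings


if __name__ == "__main__":
    evs = parse_netfilter_log(SAMPLE_LOG)
    print("slow scans:", find_slow_scans(evs))
    print("unexpected egress:", find_unexpected_egress(evs, EGRESS_POLICY))
```

Run as-is it reports 203.0.113.7 as having walked six ports in under a day and the web server's UDP/69 connection as off-policy, while the two-port client and the DNS lookup stay quiet. The window and port-count knobs trade sensitivity for false positives from busy legitimate clients, which is the reason to key a looser threshold to a list of already-suspect sources rather than apply it to everyone, as Chris describes.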
participants (12): Alexei Roudnev, bill, Bruce Pinsky, Chris Brenton, Eric Gauthier, Erik Haagsman, Gregory Taylor, Kevin Oberman, Peter Galbavy, Petri Helenius, Rachael Treu, Steven M. Bellovin