Search This Blog

Monday, November 26, 2007

firewall-wizards Digest, Vol 19, Issue 22

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewalls that generate new packets.. (Marcus J. Ranum)
2. Re: Firewalls that generate new packets.. (Paul Melson)
3. Re: Firewalls that generate new packets.. (Cat Okita)
4. Re: Firewalls that generate new packets.. (Dave Piscitello)
5. Re: Firewalls that generate new packets.. (Chris Blask)
6. Re: Opinions wanted... (dlang@diginsite.com)


----------------------------------------------------------------------

Message: 1
Date: Sun, 25 Nov 2007 21:41:29 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <6.2.0.14.2.20071125210211.04a2a900@ranum.com>
Content-Type: text/plain; charset="us-ascii"

One of the fun questions I used to ask my firewalls tutorial
attendees (back in the day) is:
What is a stateful inspection firewall? I.e.: what does it DO?

The answers are usually illuminating. Nobody seems to
actually know. But after some hemming and hawwing you
can often converge on something like:
"A stateful firewall builds virtual session state based on its
permission tables and tracks packets back and forth."
That opens some fun questions like: "What does it apply
to do this tracking?" And the usual answer is something
like:
- source
- destination
- source port
- destination port
- and _MAYBE_ sequence number (or maybe just a 1 in stream->permit)
What about packets that are out of window? What's the size of the window?
How is the window computed? What about packets out of sequence? What
about fragments? What about overlapping packet fragments? Well, the
answers to those questions seem fairly hard to get, for virtually all of the
commercial firewalls. But, gee, the answers to those questions (which would
comfortably fit on a post-it note) are the entire "design" of a "stateful
firewall" right there.

Isn't that kind of amazing? People look at these "stateful firewalls" as
if they're somehow doing something IMPORTANT but they're basically
a router with "established" and a kind of "synthetic established" for UDP.
People, that's barely a security device at all - 99% of what you're
getting is the "firewall" sticker on the front.

The value these devices offer above and beyond router ACLs is so
ridiculously marginal that there's no justification in my mind for their
additional cost. Sure, they "do something" with UDP, but the significant
stuff you'll bump into with UDP is all layer-7 regarding DNS. In fact,
the value proposition of a "stateful firewall" is effectively zero and you
can replace it with some layer-7 hardening and a router with port-level
ACLs. Note that layer-7 hardening is already required - which is a
darned good thing because "stateful firewalls" do - well - what DO
they do - at layer-7? Layer-7 is where all the interesting attacks are,
nowadays, right?

I submit to you that the reason it's hard to find out what a "stateful
firewall" actually does is because they do so little that it is positively
embarrassing.

Not to let the proxies off the hook - most proxies are also mysterious
black boxes that work at layer-7 and "do something" - but, what?
The original value of the proxy concept was not to have a proxy
that works cleanly and easily with everything. The original value of
the proxy concept was protocol minimization. You only need
5 operations to send me an SMTP email message - so those are
the 5 operations you get, and nothing more. That whole model
started to fall apart in the mid 1990s when there was a plethora
of new bad software that implemented the existing bad protocols
in new bad ways. And, of course, there are the standards pukes,
constantly working to add new important bad options to existing
bad software, so as to make the firewalls increasingly complex.
The market reality of the firewall industry has forced the proxy
vendors (I guess it's really Secure Computing, now...) to compete
with the "stateful inspection" crap by handling more protocol
options and variant forms. Too bad.

Security is such a disaster because we're fighting and losing
a battle with software complexity and extravagantly stupid
software specifications. Firewalls, rather than acting as bastions
against the complexity, have "adapted" by succumbing to
that complexity themselves.

In another 10 years, if I'm still around, I'll probably work
up the energy for an "I told you so" posting. But I've done
that so many times I'm getting as tired of doing it as you
guys probably are of hearing it.

mjr.

------------------------------

Message: 2
Date: Sun, 25 Nov 2007 21:51:46 -0500
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<40ecb01f0711251851x1652893dj7f7de0a40a0a9150@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Nov 25, 2007 11:31 AM, Bill McGee (bam) <bam@cisco.com> wrote:
> Yes, PIX/ASA has a different OS tham IOS. That's on purpose. Lots of folks
> have policies which require that their security is different from their
> infrastructure.

Are you sure it's not just that PIX was originally BorderWare and that
IOS runs (or ran) on m68k processors while the PIX codebase is x86?
Chris Blask subscribes to this mailing list, you know.


> Of course, we also offer the IOS Firewall, which is another Enterprise-Class firewall with full
> routing functionality. The biggest advantage with these solutions, based on thousands of
> interviews with customers, is how fully they integrate with the network.

Are you sure it's not the difference in hardware platforms again?
Combining IOS and PIX OS is too complicated to be worth the effort.
That's OK. I'm not trying to start a flame war, but I'm a little
offended that you didn't think anybody here would know the real
answers.


PaulM


------------------------------

Message: 3
Date: Sun, 25 Nov 2007 23:00:27 -0500 (EST)
From: Cat Okita <cat@reptiles.org>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20071125225721.Q63953@gecko.reptiles.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Sun, 25 Nov 2007, Paul Melson wrote:
> Are you sure it's not just that PIX was originally BorderWare and that
> IOS runs (or ran) on m68k processors while the PIX codebase is x86?
> Chris Blask subscribes to this mailing list, you know.

I think I'm missing your point. If I recall correctly, the PIX had
nothing at all to do with Borderware, unless you count using x86-based
hardware.

> Are you sure it's not the difference in hardware platforms again?
> Combining IOS and PIX OS is too complicated to be worth the effort.
> That's OK. I'm not trying to start a flame war, but I'm a little
> offended that you didn't think anybody here would know the real
> answers.

I believe the same could be said of multiple posters to the list.

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."


------------------------------

Message: 4
Date: Mon, 26 Nov 2007 07:49:24 -0500
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <474AC0D4.40103@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"

I suspect that the moderator allowed this post to comment on the
revisionist part of this email.

In all other respects, this post is inappropriate. As a rule, statements
like "no other solution can even pretend to approach" and "bought by
more organizations than the next several competitors combined" are
entirely out of bounds on a technical list.

They do not help the community share expertise and improve the global
security baseline.

Please find another venue if this is what you intend to bring to the table.

Bill McGee (bam) wrote:
> Yes, PIX/ASA has a different OS tham IOS. That's on purpose. Lots of
> folks have policies which require that their security is different from
> their infrastructure. Of course, we also offer the IOS Firewall, which
> is another Enterprise-Class firewall with full routing functionality.
>
> The biggest advantage with these solutions, based on thousands of
> interviews with customers, is how fully they integrate with the network.
> The ability to collect and share information with the network, detect
> and respond to events across the entire network, and dynamically adjust
> the security of virtually every device in the network, globally, based
> on real time event information is something no other solution can even
> pretend to approach. Integration, adaptability, and collaboration with
> the network is why the Cisco firewall solutions are bought by more
> organizations than the next several competitors combined.
>
>
> Bill McGee
> Senior Marketing Manager
> Security Solutions
> Cisco Systems, Inc.
>
> -----Original Message-----
> From: Paul D. Robertson [mailto:paul@compuwar.net]
> Sent: Sunday, November 25, 2007 07:42 AM Pacific Standard Time
> To: Firewall Wizards Security Mailing List
> Subject: Re: [fw-wiz] Firewalls that generate new packets..
>
> On Mon, 19 Nov 2007, ArkanoiD wrote:
>
> > Which always made me wonder: Pix have almost nothing common with IOS
> > routers except Cisco label on it. For ASA, things chaged a bit, but the
> > "firewall" part of the device is still the same.
>
> Sure, it has plenty of things in common:
>
> It's a network device, just like the routers are.
> It's sold to the same people.
> It's sold by the same people.
>
> My pictures have nothing to do with IT or INFOSEC, but I make most of my
> sales to the same customers. Most of that is the sales opportunity- the
> last two on my list- but I'd like to think at least part of it is that
> they know the level of quality they'll get from me in anything I sell
> them.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> paul@compuwar.net which may have no basis whatsoever in fact."
>

http://www.fluiditgroup.com/blog/pdr/
> Art: http://PaulDRobertson.imagekind.com/
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dave.vcf
Type: text/x-vcard
Size: 220 bytes
Desc: not available
Url : https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20071126/6094fbad/attachment-0001.bin


------------------------------

Message: 5
Date: Sun, 25 Nov 2007 22:33:57 -0800 (PST)
From: Chris Blask <chris@blask.org>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>, Paul Melson
<pmelson@gmail.com>, bam@cisco.com, "Paul D. Robertson"
<paul@compuwar.net>
Message-ID: <979320.47681.qm@web33803.mail.mud.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1

Hi folks!

I'm about to launch into as much clarification of this as
seems possible, though I don't hold out infinite amounts of
hope that it will make anything clearer than it already is.
I've considered various caveats to place before all of
this but discarded them one by one with the painfully
learned knowledge that they are as likely to confuse things
even further.

o PIX was an acquired product by Cisco, though it was PIX
(Private Internet Exchange, by Network Translation Inc
[NTI]) not BorderWare. PIX was created by John Mayes as a
NAT gateway and originally based on Plan 9.

o BorderWare was dreamt up by myself (with Clyde Stevens
and Paul Hunt at a Chinese restaurant in Toronto), around
the same time.

o The two products to my knowledge were the first NAT
products on the market. John Mayes and myself had an
interesting lunch of chili dogs at Internet World '94 where
we eyed each other and concluded that we weren't really
competing since PIX wasn't a firewall (which John summarily
rectified... ;~).

o BorderWare was purchased by Secure Computing for its
channel strategy (which I will also claim credit for,
slings and arrows invited), which Secure summarily screwed
up.

o Cisco bought NTI in '96 as part of a paroxysm of buying
Internet product companies (they also bought the Centri
Windows NT firewall at the same time, leading to CSPM and
indirectly to MARS, which they bought again).

o I ended up at Cisco in '98 as the Centri PM, killed it
almost immediately and took over PIX - which had its own
issues at the time culminating with word that it would be
killed as well.

o Bill McGee had been the driving force behind the best
BorderWare VAR around, we had worked together in other
ventures between several of these events and become very
good friends, so I got him hired to help with the growing
PIX juggernaut.

o After PIX got straightened out I ended up responsible
for IOS FW as well, the main upshot of which that sticks
with me is that I spent a lot of time responding to "how do
we position one *vesus* the other?" with "some people want
dedicated firewalls, others like using routers, they are
usually different groups and ultimately security needs to
embed itself throughout the infrastructure so help them as
they are ready to accept help."

o PIX and IOS command line similarity has long been a goal
to make things simpler for folks, though complete codebase
assimilation is a challenge both for the reasons stated
(hardware for starters) and other reasons.

o Now, since it is simply the case that IOS and PIX began
life as different critters it is true what has been said
here about origins.

o It is also true that many people and organizations have
promoted and/or enshrined in policy that there should be
multiple layers of firewall security wrapping the company
jewels, and that these layers should specifically come from
different code bases.

o The fact that Cisco has come about having a set of
firewall products that fortuitously match a set of
desires/needs of the market - whether that was initially
intentional or not - has not been lost on the company and
people like Bill and I who had hands in directing the
technical and marketing aspects of such things. It is
therefore also quite defensibly true what Bill said: <sic>
"That is on purpose".


So, with all of this said, it is more a matter of semantics
than history that is at issue in this thread. What was the
morphology of code and intent that has resulted in PIX and
IOS FW and Cisco's messaging/direction today? If anyone
knows better than I please jump in, but in the end it
doesn't seem any more bizarre to me than any other story
(lets talk NAI, for example...).

Bill may be a marketing geek (which I have previously and
often noted is an art under-rated by engineering geeks),
but his words are not false. My biases on topic can be
perhaps extrapolated from all the preceeding but I won't
try to clarify those further (the cynical will read those
into my comments in the worst light, anyway).

-cheers!

-chris

PS - Paul R, my posts seem to again not be making the list,
so please forward this up there for me if you can't for
some reason let it go direct. Obviously it would seem
twisted for Bill to repost it since I am effectively
defending him, so Paul M, if you could be so kind, forward
it to the list for me if it doesn't otherwise make it.


--- Paul Melson <pmelson@gmail.com> wrote:

> On Nov 25, 2007 11:31 AM, Bill McGee (bam)
> <bam@cisco.com> wrote:
> > Yes, PIX/ASA has a different OS tham IOS. That's on
purpose. Lots of folks have policies which require that
their security is different from their infrastructure.
>
> Are you sure it's not just that PIX was originally
BorderWare and that IOS runs (or ran) on m68k processors
while the PIX codebase is x86? Chris Blask subscribes to
this mailing list, you know.
>
> > Of course, we also offer the IOS Firewall, which is
> another Enterprise-Class firewall with full
> > routing functionality. The biggest advantage with
> these solutions, based on thousands of
> > interviews with customers, is how fully they integrate
> with the network.

> Are you sure it's not the difference in hardware
platforms again? Combining IOS and PIX OS is too
complicated to be worth the effort.

> That's OK. I'm not trying to start a flame war, but I'm
a little offended that you didn't think anybody here would
know the real answers.

------------------------------

Message: 6
Date: Mon, 26 Nov 2007 04:05:17 -0800 (PST)
From: dlang@diginsite.com
Subject: Re: [fw-wiz] Opinions wanted...
To: firewall-wizards@listserv.icsalabs.com
Cc: firewall-wizards@listserv.cybertrust.com
Message-ID: <Pine.LNX.4.63.0711260404320.28248@qynat.qvtvafvgr.pbz>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Fri, 23 Nov 2007, Timothy Shea wrote:

> That being said - for your type of application I would lean toward
> CheckPoint Secure Platform (SPLAT) versus Sidewinder or Checkpoint
> running on Nokia and my reasoning is that I can normally use what ever
> hardware platform my server teams support versus buying an all in one
> appliance solution (checkpoint nokia, sidewinder).

for what little it's worth, the sidewinder appliances are Dell boxes, hardware
upgrades seem to be priced at commodity levels. they used to offer a software
only option, but have phased it out.

the checkpoint nokia hardware on the other hand is definantly a unique piece of
hardware, and upgrades are priced to match (even when the hardware is something
like RAM that isn't special)

David Lang

> t.s
>
> On Nov 21, 2007, at 10:40 AM, Kurt Buff wrote:
>
>> All,
>>
>> I've been working with Watchguards at my current employer for quite a
>> while, but we're looking to replace them.
>>
>> We've received a recommendation from one firm for Sidewinders (a 410
>> and a couple of 110s for the branch offices).
>>
>> We've received a recommendation against the Sidewinders from another
>> firm saying that they are too complex to manage easily, and require
>> extensive training to understand - they recommend Checkpoint instead.
>>
>> Neither seems to be completely out of our price range, so it would
>> seem to come down to concerns regarding initial implementation and
>> ongoing management.
>>
>> Are the Sidewinders that much more complex than Checkpoints?
>>
>> Is one "better" (for whatever that might mean to you) than the other -
>> that is, if you have experience with both, which would you prefer, and
>> why?
>>
>> I, of course, am excited to be learning a new platform, and want to
>> move away from some of the quirkiness of the ancient Fireboxes we
>> have, but want to make a reasonable recommendation to management.
>>
>>
>> Thanks,
>>
>> Kurt
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@listserv.icsalabs.com
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 19, Issue 22
************************************************

No comments: