
Thursday, July 30, 2009

firewall-wizards Digest, Vol 39, Issue 10

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewall rules order and performance (Eric Gearhart)
2. Re: Firewall rules order and performance (Behm, Jeff)
3. Re: Firewall rules order and performance (K K)
4. Re: Firewall rules order and performance (K K)
5. Re: Firewall rules order and performance (Marcus J. Ranum)


----------------------------------------------------------------------

Message: 1
Date: Wed, 29 Jul 2009 14:28:38 -0700
From: Eric Gearhart <eric@nixwizard.net>
Subject: Re: [fw-wiz] Firewall rules order and performance
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<5792267e0907291428k46eb6b2cg8042c618cc2acfea@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Wed, Jul 29, 2009 at 10:27 AM, <jdg.ieee@free.fr> wrote:
> Selon Eric Gearhart <eric@nixwizard.net>:
>> On Mon, Jul 27, 2009 at 1:21 AM, Jean-Denis Gorin<jdgorin@computer.org>
>> wrote:
>> > Who remembers that firewalls (as application gateways) were designed to solve
>> > (or to ease a lot) the patch management problem?
>> > Now, we are back to patch management as the solution for all problems
>> > because dumb people (managers, marketers, buyers, system admins, network
>> > admins, developers, or whatever fit your situation) are unable (or
>> > unwilling) to understand what a firewall is, and what it is due for...
>>
>> Part of the problem with your argument is that in order for e.g. a web
>> server to be reached, port 80 (and maybe port 443) have to be allowed
>> through the firewall. That fact alone means that the webservers have
>> to be patched, because as long as the firewall is allowing legitimate
>> traffic through, it could also be allowing malicious traffic
>> through...
>
> The problem with your argument is that you don't know what a firewall is... ;)
> (no offense intended)
>
> A firewall IS NOT a layer 3 filter (yes, I know that most of the marketing folks
> told you that a "stateful packet inspection" thing is a firewall, but that's
> WRONG in a lot of different ways...).
> A firewall is a layer 7 proxy (also known as application gateway). So, you don't
> need to patch your application, nor the underlying OS because they are
> completely concealed from the outside.

http://en.wikipedia.org/wiki/Firewall#First_generation_-_packet_filters
(I know, I know, don't cite WP... but it looks reasonably accurate)
makes it sound like the term started with "packet filter," then
evolved to stateful packet inspection, then the third generation of
the term evolved into your definition...

Isn't something that's actively looking at application traffic more of
an application-level IPS, such as OSSEC or something along those
lines?

I will sheepishly admit that the original post included the term
"application gateway" specifically though... well played

--
Eric
http://nixwizard.net


------------------------------

Message: 2
Date: Wed, 29 Jul 2009 07:44:40 -0500
From: "Behm, Jeff" <jbehm@burnsmcd.com>
Subject: Re: [fw-wiz] Firewall rules order and performance
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<1217D5F18AEF15499BF1047D8F407D56213749@kcm-exch-001.burnsmcd.com>
Content-Type: text/plain; charset="us-ascii"

On Tuesday, July 28, 2009 4:06 PM Eric Gearhart said:

>On Mon, Jul 27, 2009 at 1:21 AM, Jean-Denis Gorin<jdgorin@computer.org>
>wrote:
>> Who remembers that firewalls (as application gateways) were designed to
>> solve (or to ease a lot) the patch management problem?

>Part of the problem with your argument is that in order for e.g. a web
>server to be reached, port 80 (and maybe port 443) have to be allowed
>through the firewall. That fact alone means that the webservers have to
>be patched, because as long as the firewall is allowing legitimate
>traffic through, it could also be allowing malicious traffic through...

True, but if your firewall is stopping (I won't argue whether or not
that is actually occurring or not) traffic to all the other ports,
wouldn't that imply that your patch management *has* been eased "a lot?"

No doubt you have to patch, but "critical" patches for services not
exposed (thanks firewall) at least lend some time to have some sense of
order, rather than having to patch every time the sun rises.

Jeff


------------------------------

Message: 3
Date: Tue, 28 Jul 2009 19:19:38 -0500
From: K K <kkadow@gmail.com>
Subject: Re: [fw-wiz] Firewall rules order and performance
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<dc718edc0907281719p1bef9a96k202abbc287b2ec89@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Only if your "firewall" is a lowly stateful inspection packet filter,
and is not deeply aware of the higher level protocols...

The idea behind "deep inspection" and protocol validating proxy
firewalls was in part to filter out attacks before they reach
vulnerable servers/clients. They do make the attacker's job more
difficult.

KK

On 7/28/09, Eric Gearhart <eric@nixwizard.net> wrote:
> On Mon, Jul 27, 2009 at 1:21 AM, Jean-Denis Gorin<jdgorin@computer.org>
> wrote:
>> Who remembers that firewalls (as application gateways) were designed to
>> solve (or
>> to ease a lot) the patch management problem?
>> Now, we are back to patch management as the solution for all problems
>> because
>> dumb people (managers, marketers, buyers, system admins, network admins,
>> developers, or whatever fit your situation) are unable (or unwilling) to
>> understand what a firewall is, and what it is due for...
>
> Part of the problem with your argument is that in order for e.g. a web
> server to be reached, port 80 (and maybe port 443) have to be allowed
> through the firewall. That fact alone means that the webservers have
> to be patched, because as long as the firewall is allowing legitimate
> traffic through, it could also be allowing malicious traffic
> through...
>
> --
> Eric
> http://nixwizard.net
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

--
Sent from my mobile device


------------------------------

Message: 4
Date: Wed, 29 Jul 2009 09:36:07 -0500
From: K K <kkadow@gmail.com>
Subject: Re: [fw-wiz] Firewall rules order and performance
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<dc718edc0907290736u15f701a2r19aff049cde72400@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

A good example of this is the BIND9 bug released yesterday. A very
good firewall has a DNS proxy and denies malformed packets, or can be
set to filter out 'nsupdate' type packets.

Even "iptables" can be set to drop these packets, with a one-line rule change.

On 7/28/09, K K <kkadow@gmail.com> wrote:
> Only if your "firewall" is a lowly stateful inspection packet filter,
> and is not deeply aware of the higher level protocols...
>
> The idea behind "deep inspection" and protocol validating proxy
> firewalls was in part to filter out attacks before they reach
> vulnerable servers/clients. They do make the attacker's job more
> difficult.
>
> KK
>
> On 7/28/09, Eric Gearhart <eric@nixwizard.net> wrote:
>> On Mon, Jul 27, 2009 at 1:21 AM, Jean-Denis Gorin<jdgorin@computer.org>
>> wrote:
>>> Who remembers that firewalls (as application gateways) were designed to
>>> solve (or
>>> to ease a lot) the patch management problem?
>>> Now, we are back to patch management as the solution for all problems
>>> because
>>> dumb people (managers, marketers, buyers, system admins, network admins,
>>> developers, or whatever fit your situation) are unable (or unwilling) to
>>> understand what a firewall is, and what it is due for...
>>
>> Part of the problem with your argument is that in order for e.g. a web
>> server to be reached, port 80 (and maybe port 443) have to be allowed
>> through the firewall. That fact alone means that the webservers have
>> to be patched, because as long as the firewall is allowing legitimate
>> traffic through, it could also be allowing malicious traffic
>> through...
>>
>> --
>> Eric
>> http://nixwizard.net
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@listserv.icsalabs.com
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>>
>
> --
> Sent from my mobile device
>

--
Sent from my mobile device
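The header check a protocol-validating DNS proxy of the kind KK describes would perform, as an added example that is not part of this digest or of any firewall product named in it: it parses the fixed 12-byte DNS header of a UDP payload bound for port 53, drops truncated (malformed) headers, and, unless the source is explicitly allowed to send dynamic updates, drops anything carrying opcode 5, the UPDATE opcode that nsupdate sends. The sample payloads are constructed inline, not captured traffic.

```python
import struct

# DNS header layout and opcodes per RFC 1035 / RFC 2136
HEADER_LEN = 12
OPCODE_QUERY = 0
OPCODE_UPDATE = 5  # dynamic update, the opcode behind "nsupdate"-type packets


def dns_header(payload: bytes) -> dict:
    """Parse the fixed 12-byte DNS header; raise ValueError if it is malformed."""
    if len(payload) < HEADER_LEN:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:HEADER_LEN])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,       # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def proxy_verdict(payload: bytes, allow_update: bool = False) -> str:
    """Return "accept" or "drop:<reason>" for an inbound UDP/53 payload.

    allow_update is True only for sources (e.g. an internal DHCP server,
    an assumed deployment detail) that are permitted to send dynamic updates.
    """
    try:
        h = dns_header(payload)
    except ValueError as exc:
        return f"drop:{exc}"
    if h["qr"] != 0:
        return "drop:response where a query was expected"
    if h["opcode"] == OPCODE_UPDATE:
        return "accept" if allow_update else "drop:dynamic update (opcode 5)"
    if h["opcode"] != OPCODE_QUERY:
        return f"drop:opcode {h['opcode']} not proxied"
    if h["qdcount"] != 1:
        return "drop:standard query must carry exactly one question"
    return "accept"


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"


# Constructed sample payloads: a plain A query, a dynamic update, a runt packet
QUERY_PKT = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
             + _encode_name("example.com") + struct.pack("!HH", 1, 1))   # A, IN
UPDATE_PKT = (struct.pack("!6H", 0x5678, OPCODE_UPDATE << 11, 1, 0, 1, 0)
              + _encode_name("example.com") + struct.pack("!HH", 6, 1))  # SOA, IN
TRUNCATED_PKT = b"\x12\x34\x01"
```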


------------------------------

Message: 5
Date: Thu, 30 Jul 2009 03:49:20 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewall rules order and performance
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4A715080.10509@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Eric Gearhart wrote:
> makes it sound like the term started with "packet filter," then
> evolved to stateful packet inspection, then the third generation of
> the term evolved into your definition...

Wikipedia has it wrong. First was some packet filtering. Then,
it appears Dave Presotto at Bell Labs started at layer-7 with
circuit relays. Cisco added "established" to IOS - is that
"stateful" or not? Man in the middle layer-7 proxies came next,
then Geoff Mulligan at Sun and Bob Braden at ISI started on
"Sunscreen" and "Visas", respectively. "Stateful packet
inspection" a la Checkpoint didn't enter the scene until
relatively late. Sunscreen was already selling poorly but
in the market, and the proxy firewall vendors - DEC/Altavista,
Raptor, TIS, ANS, Milky Way, and Harris - were selling the hell
out of layer-7 solutions.

mjr.


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 39, Issue 10
************************************************
