
Wednesday, April 27, 2011

firewall-wizards Digest, Vol 57, Issue 9

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Proxies, opensource and the general market: what's wrong
with us? (david@lang.hm)
2. Re: Proxies, opensource and the general market: what's wrong
with us? (david@lang.hm)
3. Re: Proxies, opensource and the general market: what's wrong
with us? (David Lang)
4. Re: Proxies, opensource and the general market: what's wrong
with us? (ArkanoiD)
5. Re: Proxies, opensource and the general market: what's wrong
with us? (Claudio Telmon)
6. Re: Proxies, opensource and the general market: what's wrong
with us? (David Lang)
7. Re: How to keep firewall rules clean and up-to-date (TAS)


----------------------------------------------------------------------

Message: 1
Date: Wed, 27 Apr 2011 11:15:14 -0700 (PDT)
From: david@lang.hm
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.2.00.1104271110360.4482@asgard.lang.hm>
Content-Type: text/plain; charset="us-ascii"; Format="flowed"

On Tue, 26 Apr 2011, Timothy Shea wrote:

> On Mon, Apr 25, 2011 at 4:24 PM, Tracy Reed <treed@ultraviolet.org> wrote:
>
>> On Sun, Apr 24, 2011 at 09:27:34PM +0400, ArkanoiD spake thusly:
>>
>> I don't know what "functionally fit" means either.
>>
>> As for web interfaces, most of the Linux firewalls I've used (especially
>> Shorewall, my favorite) have no web interface. I really don't want
>> someone managing my firewall who requires a web interface. I also like
>> to version control my firewall configs and back them up within my normal
>> backup infrastructure which most web interfaces cannot handle.
>>
>> This comment makes me think you are the only 'security person' in your
> organization. I work for a security team. I'm just one part of that team
> and we run lots of firewalls. And the biggest issue with having a large
> number of firewalls with a big team is management. I care that I can manage
> them all from a central interface, that I can manage who does changes, that
> I can audit changes, and back out changes when needed. Also - passing
> audits is easier (not that's a security concern - but it is a time saver).
> We have a lot of different people playing in this environment and need tools
> robust enough to deal with that.

I work in a company where there are a lot of people involved. I also
strongly prefer having config files and command line tools rather than web
interfaces.

config files and command line tools are _far_ easier to automate, and
automation does far more to reduce errors than having a web interface.

>
>>> I asked guys on LinkedIn (having to admit LinkedIn security community
>>> sucks big time, some sane people are still there :-) , if they still
>>> have some interest in opensource firewall solutions. The short answer
>>> was "NO". The long ones were:
>>>
>>> -- It is all about performance, we want as many Gbits per $ as
>>> possible, so ASIC is only way
>>
>> The number of infrastructures that need firewalls which are transferring
>> < 100Mb/s are far greater in number than those pulling > 1Gb/s. Do all
>> your LinkedIn pals work for Google, Facebook, etc? I have deployed lots
>> of firewalls and only a few ever handled more than a few hundred
>> megabits. The vast majority transfer at most on the order of single
>> megabits. Yet some of these single-digit-Mb/s firewalls protect large
>> numbers of credit card data and have serious security requirements.
>>
>
> Anyone who internally segments their network has high bandwidth
> requirements. I'm replacing a firewall right now that has gig interfaces
> because it's dropping packets. And I have never worked for a 'google'.

I have a network that is highly segmented internally. I also do most of
the segmentation with proxies (including a few of the old FWTK proxies), I
very seldom find that there are really problems with bandwidth on the
network. I've had many cases where people argued that we couldn't put the
proxies in place because they would cause unacceptable performance
problems, and every time that I have challenged them to measure before and
after performance of their application, the difference has been in the
noise.

David Lang
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

------------------------------

Message: 2
Date: Wed, 27 Apr 2011 11:28:19 -0700 (PDT)
From: david@lang.hm
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.2.00.1104271122250.4482@asgard.lang.hm>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Tue, 26 Apr 2011, ArkanoiD wrote:

> On Tue, Apr 26, 2011 at 10:03:04AM +0200, Magosányi Árpád wrote:
>
>> 3. Actually using real firewalls meaningfully needs a level of maturity
>> which very few enterprises possess.
>> a) As we all know, the firewall operator is the one who should chase
>> down programming bugs at the end of the day simply because s/he is in
>> the position to see all parts of the puzzle. It is a big burden, and
>> easier just to allow anything through than make a real solution. And the
>> one who should solve the problem is not the firewall operator. You need
>> a very strong exception management procedure to handle only that aspect
>> (ITIL as used today is just not enough for this). And we were talking
>> about only simple breaches of the protocol. It happens everywhere, the
>> http proxy to the outer world is being a prominent example of how
>> impossible this mission could get.
>
> There are some right things happening, though. I see many firewalls are now
> capable of dealing with http based applications in quite complex ways.
> Looks like FOSS is lagging behind again (except WAF part) :-(
>
> [...]
>
>> the GPL side. Because open source is about community, and reaching
>> critical mass is very hard, especially if you come with a niche product
>> aimed at the enterprise. This is a feat neither FWTK nor Zorp have been
>> able to reach.
>
> Quite amazing, but fwtk (old TIS once) was there once. But it was 15 years ago :-(
> Easy to use "firewall-oriented" Unix toolboxes like Smoothwall, Shorewall, IPCop, m0n0wall etc
> have reached that quite easy, but they are not really "aimed at the enterprise",
> they are aimed to be user-friendly at low end/soho. I was referring to it as "cheapo crap",
> well, it sounds too rude, but it was just intended to describe this positioning.
>
> Maybe I should start with designing simple kick-start tools for newbies? Will it help?

the biggest problem is that newbies don't realize they need this sort of
thing. they keep hearing the mantra that a firewall is just a packet
filter (possibly with 'deep packet inspection') and that the firewall
should _not_ be doing anything else; anything else is the job of a
separate box, be it a WAF (which they don't think is a firewall, even
though the F stands for firewall), IPS, or XML filter.

> [...]
>
>> 6. The world is changing. This means that new buzzwords coming up,
>> followed dutifully by the market. Fortunately new buzzwords usually mean
>> the same old things. Those ideas which have been too immature 20 years
>> ago, reemerge later in a different name and shape. You are looking for
>> application level firewall? Look at "xml firewall" and "SOA firewall".
>> They are out there. Yes, they are specialized into a very tiny subset of
>> the problem space (and the rest is still uncovered), but maybe that is
>> the most important part anyway.
>
> XML/SOA firewalls were expected to have great future, but they are useless unless you
> have detailed system design documents with data flow described in the tiniest details and
> you are ready to spend about 10% of resources (or even more) used to implement the system
> itself on security related issues.
>
> In real world it means "almost never".
>
> Some enterprises buy it anyways, because "XML firewall" sounds cool.

even for WAF, IPS, and XML filters, there is the huge problem of figuring
out what to configure them to allow. What's needed is tools that can
look at samples of 'good' traffic and create the rules to match (and do it
in such a way that the rules learned from dev/QA can be easily used in
production rather than having to learn what's 'normal' in an environment
where hostile traffic is common).

David Lang
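The learning-mode tool David describes above, sketched as an added example that is not code from the thread or from any of the projects mentioned in it: it takes a sample of known-good HTTP request lines (constructed here, standing in for a dev/QA capture), learns which methods, path shapes and query parameters occur and what each parameter's values look like, and then reports requests that fall outside that model. The request-line format, the value classes, the numeric path-segment generalisation and the `slack` length factor are my assumptions, not anything the thread specifies.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of "good" requests, e.g. captured from dev/QA before
# hostile traffic has a chance to pollute the learned model.
GOOD_SAMPLES = [
    "GET /search?q=firewall&page=1",
    "GET /search?q=proxy&page=12",
    "GET /item/42",
    "GET /item/1007",
    "GET /item/7?format=json",
]

# Ordered from narrowest to widest; a learned parameter gets the narrowest
# class that still matches every value seen in the training sample.
VALUE_CLASSES = [
    ("int",   re.compile(r"^[0-9]+$")),
    ("alpha", re.compile(r"^[A-Za-z]+$")),
    ("token", re.compile(r"^[A-Za-z0-9_.-]+$")),
    ("any",   re.compile(r"^.*$", re.S)),
]
CLASS_ORDER = [name for name, _ in VALUE_CLASSES]

def classify(value):
    for name, rx in VALUE_CLASSES:
        if rx.match(value):
            return name
    return "any"

def widen(a, b):
    """Return the wider of two value classes."""
    return a if CLASS_ORDER.index(a) >= CLASS_ORDER.index(b) else b

def path_template(path):
    # Generalise purely numeric segments so /item/42 and /item/1007 share one rule.
    return "/".join("{int}" if seg.isdigit() else seg for seg in path.split("/"))

def parse(line):
    method, _, target = line.strip().partition(" ")
    parts = urlsplit(target)
    return method, path_template(parts.path), dict(parse_qsl(parts.query, keep_blank_values=True))

def learn(samples):
    """Build {(method, path_template): {param: {"class", "max_len"}}} from good traffic."""
    model = {}
    for line in samples:
        method, tmpl, params = parse(line)
        rule = model.setdefault((method, tmpl), {})
        for name, value in params.items():
            cls = classify(value)
            prev = rule.get(name)
            rule[name] = {
                "class": cls if prev is None else widen(prev["class"], cls),
                "max_len": max(len(value), prev["max_len"] if prev else 0),
            }
    return model

def check(model, line, slack=1.5):
    """Return a list of violations for one request line; empty means it fits the model."""
    method, tmpl, params = parse(line)
    rule = model.get((method, tmpl))
    if rule is None:
        return [f"no rule for {method} {tmpl}"]
    problems = []
    for name, value in params.items():
        spec = rule.get(name)
        if spec is None:
            problems.append(f"unknown parameter {name!r}")
            continue
        if widen(spec["class"], classify(value)) != spec["class"]:
            problems.append(f"{name!r} value {value!r} is not {spec['class']}")
        if len(value) > spec["max_len"] * slack:
            problems.append(f"{name!r} longer than learned maximum")
    return problems

if __name__ == "__main__":
    model = learn(GOOD_SAMPLES)
    for req in ["GET /search?q=proxies&page=3", "GET /search?q=proxy&debug=1",
                "GET /search?q=proxy&page=abc", "DELETE /item/42"]:
        print(req, "->", check(model, req) or "ok")
```

Because the model is built from a clean sample rather than from production, the learned rules can be carried into production as-is, which is the property the paragraph asks for; the cost is that any legitimate request shape missing from the sample is reported as a violation until the sample is extended.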


------------------------------

Message: 3
Date: Wed, 27 Apr 2011 13:52:48 -0700
From: David Lang <david@lang.hm>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: <firewall-wizards@listserv.cybertrust.com>
Message-ID: <0339bdc2b5298df0208d679c09790356@lang.hm>
Content-Type: text/plain; charset=UTF-8; format=flowed

On Tue, 26 Apr 2011 10:51:35 +0200, Claudio Telmon wrote:
> On 04/24/2011 07:27 PM, ArkanoiD wrote:
>> In early days, proxy firewalls and opensource (or just "crystal box"
>> :-) solutions dominated the market.
>
> Hi,
> proxy firewalls are almost dead also as closed source products. They
> lack the flexibility needed for dealing with new protocols,
> especially
> those based on UDP which are much more common now. IMHO this is
> exactly
> why as fwtk died, not many cared about openfwtk. Currently, for what
> I
> can see, there are almost only reverse proxies, almost nobody puts
> proxies in front of the Internet.

however, as proxy firewalls are dying, new devices with the type of
checking that proxies do are becoming more common.

doing the checking with a proxy listening to a specific port should be
significantly easier than checking for all protocols on all connections
passing through the devices.

unfortunately maintaining this sort of checking requires a _lot_ of
work.

opensource projects work when they hit the point of becoming 'good
enough' for people to use, at which point they really start to gain
momentum as all the different people start to work to add the 'one extra
feature that I want' to the base.

open projects implementing proxies have a really hard time here,
because most people have bought into the marketing that all a firewall
should be is a packet filter, so proxies aren't going to be used by
anyone who can just use a packet filter, and the available proxies don't
do a lot of things that the commercial tools do, so the gap where
someone has decided that packet filters are not good enough, and where
they need features that only the commercial tools offer is pretty
narrow.

I think there is some room for a HTTP or XML firewall checker to be
implemented and satisfy a lot of needs (technical needs that is, when
management makes a decision that "all firewalls are going to be Cisco"
or even "all firewalls must be commercial appliances" that trumps all
technical issues), but right now I am not aware of any free tools in
these spaces, completely ignoring the 'learning modes' of many of the
commercial offerings.

When a new project is supposed to be a replacement for an existing
tool, it needs to be able to do, if not everything that the old project
could do, at least the subset of features that the old project did that
users need.

openfwtk hasn't hit this yet for me as the key thing that I use FWTK
for is the authenticated proxies and the last I checked it doesn't have
an authsrv equivalent (or the ability for its proxies to tie in to an
authentication source). openfwtk also isn't the complete solution that
ArkanoiD painted it to be, for many things it just says 'use tool X',
which is a good thing to avoid re-inventing the wheel, but it doesn't
result in the firewall API that he is looking for.

David Lang

------------------------------

Message: 4
Date: Thu, 28 Apr 2011 01:12:59 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20110427211259.GA30410@eltex.net>
Content-Type: text/plain; charset=koi8-r

On Wed, Apr 27, 2011 at 01:52:48PM -0700, David Lang wrote:
>
> I think there is some room for a HTTP or XML firewall checker to be
> implemented and satisfy a lot of needs (technical needs that is, when
> management makes a decision that "all firewalls are going to be Cisco"
> or even "all firewalls must be commercial appliances" that trumps all
> technical issues), but right now I am not aware of any free tools in
> these spaces, completely ignoring the 'learning modes' of many of the
> commercial offerings.

At the moment I am trying to offload non protocol-related http checks to external
ICAP filters. For XML, I have some raw prototype, but I do not like the fact it
is based on libxml2 and inherits all potential vulnerabilities (as it is a huge
piece of code), and still there is a lack of an automated tool that can be used to
"formalize" "normal" xml flow to check for anomalies later. For several well-documented
protocols it is not needed, but aiming at SOA it is probably a must :-(
>
> openfwtk hasn't hit this yet for me as the key thing that I use FWTK
> for is the authenticated proxies and the last I checked it doesn't have
> an authsrv equivalent (or the ability for it's proxies to tie in to an
> authentication source).

You must be missing something; authsrv is the part that required several fixes, so it
is there for sure, for a few years at least, and it is really much improved. Multiple groups
per user are allowed, authentication sources may be checked against netperm-table (you may
write rules that restrict authentication to a given proxy, or a given host), a unix local
socket is supported as transport to avoid writing complicated "loopback prevention" rules,
etc. etc.

I am thinking about adding radius and/or pam backend support, but still have had no time to implement that.

> openfwtk also isn't the complete solution that
> Arknoid painted it to be, for many things it just says 'use tool X',
> which is a good thing to avoid re-inventing the wheel, but it doesn't
> result in the firewall API that he is looking for.

Unfortunately it still is not :-( Lack of resources, that is. Reimplementing full IMSpector, GreenSQL and privoxy
functionality is not non-trivial, it is just time consuming. Until then you need extra tools.

There is nothing wrong in the fact that you need other tools that are outside OpenFWTK scope, though, like Prelude, log analyzers,
etc.

------------------------------

Message: 5
Date: Wed, 27 Apr 2011 23:59:52 +0200
From: Claudio Telmon <claudio@telmon.org>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4DB891D8.5030905@telmon.org>
Content-Type: text/plain; charset=ISO-8859-1

On 04/27/2011 10:52 PM, David Lang wrote:

> however, as proxy firewalls are dying, new devices with the type of
> checking that proxies do are becoming more common.
>

I don't think so. No product that I'm aware of has the same "default
deny" on the low level attacks that a proxy has. Again, the recent
"split handshake" problems are a clear example: packet filters "try to
guess" the proper session state, while there is no way to cheat a proxy
into letting a connection in if it's not permitted (up to TCP/UDP, I
mean). Packet-handling tools, be it filters, IDS or something else,
however, are probably "good enough" for the market.

> doing the checking with a proxy listening to a specific port should be
> significantly easier than checking for all protocols on all connections
> passing through the devices.
>

It is, actually, if it's TCP. From what I remember, as I wrote some code
in this area, UDP is much more of a nightmare. This is why I say that
proxies are good for some protocols (e.g. http) where you can benefit
from tight controls, but you still need a packet filter underneath for
other protocols: you can't punch a hole in a proxy for a new, unknown
and "essential" protocol.

ciao

- Claudio

--

Claudio Telmon
claudio@telmon.org
http://www.telmon.org
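To make Claudio's "default deny" point concrete, here is an added example that is not code from the thread or from fwtk/openfwtk: a minimal HTTP forwarding proxy in Python that terminates the client's TCP connection itself, parses the request head, and re-serializes only the fields it understood before opening its own connection to the origin. Bytes it cannot parse as HTTP never reach the upstream, and, as Claudio notes, that is also the limitation: a new protocol cannot be "punched through" without teaching the proxy to parse it. The listen and upstream addresses, the allowed-method set (GET and HEAD, so no request body handling is needed) and the forwarded-header set are assumptions.

```python
import re
import socket
import threading

LISTEN = ("127.0.0.1", 8080)     # assumed: where the proxy accepts clients
UPSTREAM = ("127.0.0.1", 8000)   # assumed: the origin server behind the proxy
MAX_HEAD = 8192                  # assumed cap on request-head size

# Only request lines and header lines of this exact shape are accepted.
REQUEST_LINE = re.compile(rb"^(GET|HEAD) (/[^ \r\n]*) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^([A-Za-z0-9-]+):[ \t]*([^\r\n]*)$")
FORWARD_HEADERS = {b"host", b"accept", b"user-agent", b"accept-encoding"}

def parse_head(raw):
    """Return (method, target, headers) for a well-formed request head, else None."""
    if len(raw) > MAX_HEAD:
        return None
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        return None                          # incomplete, or not HTTP at all
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None                          # unknown method / malformed request line
    headers = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            return None                      # one malformed header rejects the request
        headers[h.group(1).lower()] = h.group(2)
    if b"host" not in headers:
        return None
    return m.group(1).decode(), m.group(2).decode(), headers

def rebuild_head(method, target, headers):
    """Serialize a fresh request from parsed fields; unknown headers are dropped."""
    out = [f"{method} {target} HTTP/1.1".encode()]
    for name in sorted(n for n in headers if n in FORWARD_HEADERS):
        out.append(name + b": " + headers[name])
    out.append(b"connection: close")
    return b"\r\n".join(out) + b"\r\n\r\n"

def handle(client):
    raw = b""
    try:
        while b"\r\n\r\n" not in raw and len(raw) <= MAX_HEAD:
            chunk = client.recv(4096)
            if not chunk:
                break
            raw += chunk
        parsed = parse_head(raw)
        if parsed is None:
            return                           # default deny: nothing reaches upstream
        with socket.create_connection(UPSTREAM, timeout=10) as up:
            up.sendall(rebuild_head(*parsed))
            while True:                      # relay the origin's response verbatim
                data = up.recv(4096)
                if not data:
                    break
                client.sendall(data)
    except OSError:
        pass
    finally:
        client.close()

def main():
    with socket.create_server(LISTEN) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

if __name__ == "__main__":
    main()
```

The relevant design point is in `handle`: the origin never sees the client's bytes, only what `rebuild_head` produced from a successful parse, so anything that is not a recognisable HTTP request (or uses a method or header the proxy does not know) ends at the proxy. A packet filter on the same port would have to pass the stream and guess.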

------------------------------

Message: 6
Date: Wed, 27 Apr 2011 13:59:11 -0700
From: David Lang <david@lang.hm>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: <firewall-wizards@listserv.cybertrust.com>
Message-ID: <6b68d4def3b74e1a8f865e9193773af0@lang.hm>
Content-Type: text/plain; charset=UTF-8; format=flowed

On Tue, 26 Apr 2011 00:25:37 -0700, Tracy Reed wrote:
>
> I understand packet filters and proxies to be firewalls. A lot of the
> rest of
> the stuff (DLP, endpoint discovery, OCR, etc. etc.) seem like
> separate pieces
> of software. Security related, sure, but not firewalls.
>
>> > Depends on what you mean by "real". I know tons of people look at
>> the
>> > Linux firewall code.
>>
>> You mean packet filter code? :-)
>
> Yes. Here we have a problem somewhat like the classical meaning of
> "hacker" vs
> the common meaning of "hacker". And this firewall vs packet filter
> debate may
> not even have that much legitimacy. I can find a number of people who
> still
> subscribe to the classical idea of a hacker but a few of the denizens
> of this
> mailing list are the only ones I know of who insist on issuing a
> correction
> when someone calls a packet filter a firewall. It just seems like
> pointless
> snobbery.

however, this issue is key to the problem

I don't object to a packet filter being defined as a firewall.

however I do object when people define packet filter == firewall and
say that anything other than packet filters is not a firewall (and
doesn't belong as part of a firewall), but is instead something else.

A firewall is a device that controls access through it.

or

A firewall is a device or software that you use to implement your
security policy.

this can be via packet filters, proxies, IPS, or anything else.

don't try to define it more narrowly. a few of the big vendors have
done the industry a HUGE disservice by redefining the term 'firewall' to
mean a packet filter, and nothing but a packet filter.

David Lang

------------------------------

Message: 7
Date: Thu, 28 Apr 2011 03:36:38 +0530
From: TAS <p0wnsauc3@gmail.com>
Subject: Re: [fw-wiz] How to keep firewall rules clean and up-to-date
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <BANLkTikLuqZrE-VS+YMG89oTeW2tOzHJFQ@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

A disciplined process around the movement of infrastructure should be
of immense help.

-
TAS
http://twitter.com/p0wnsauc3


On 26 April 2011 16:42, Ilias - <ilias_pavilion@live.nl> wrote:
> Hello,
>
> What do you do to keep your firewall rules clean and up-to-date?
> Procedures, for which?
>
> Keep in mind;
>
> -Servers that change IP
> -Servers which have been discarded
> etc.
>
> Thanks in advance
> Best regards,
> Ilias
>
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 57, Issue 9
***********************************************
