Tuesday, November 27, 2007

firewall-wizards Digest, Vol 19, Issue 25

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewalls that generate new packets.. (Paul D. Robertson)
2. Re: Firewalls that generate new packets.. (Jim Seymour)
3. Re: Firewalls that generate new packets.. (Paul Melson)


----------------------------------------------------------------------

Message: 1
Date: Mon, 26 Nov 2007 13:58:22 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: "Marcus J. Ranum" <mjr@ranum.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0711261354160.16124-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 26 Nov 2007, Marcus J. Ranum wrote:

> Bill McGee (bam) wrote:
> [...]
>
> BINGO!!! I hit on "convergence" "interoperability" "strategy"
> "feature parity" and "positioning"
>
> What do I win?

Your choice:

1. A copy of Cisco: A Beginner's Guide by Velte & Velte (Foreward by my
favorite Firewall-Wizards moderator)

2. One fine art print of your choice (But don't expect anything else for
Christmas)

3. A bucket of marketing fluff (Out of the dryer vent)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

http://www.fluiditgroup.com/blog/pdr/

Art: http://PaulDRobertson.imagekind.com/

------------------------------

Message: 2
Date: Mon, 26 Nov 2007 14:31:47 -0500 (EST)
From: jseymour@linxnet.com (Jim Seymour)
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <20071126193147.D1C3AE158@jimsun.linxnet.com>


"Marcus J. Ranum" <mjr@ranum.com> wrote:
>
> Jim Seymour wrote:
> >What
> >you're telling me is just skip the firewall entirely, and put together
> >a comprehensive set of "firewall router" packet filtering rules.
>
> That's not what I'm saying.
[snip]

I know that's not what *you're* saying, Marcus. That's what it looks
like Paul Melson is saying, tho. That's why it was Paul Melson I
quoted :).

Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.


------------------------------

Message: 3
Date: Tue, 27 Nov 2007 09:52:19 -0500
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID: <005301c83105$1cb1c8f0$4d00300a@ad.priorityhealth.com>
Content-Type: text/plain; charset="us-ascii"

> But you can achieve that with nothing more than a "firewall router." My
good ol' Livingston
> IRX-211 can do that. Even my (relatively) inexpensive Netopia DSL routers
can do that. That
> was Marcus' point.

I took Marcus' point to be that a state table is a relatively simple
mechanism and not worth much more than router access lists (which are not
typically stateful). To be clear, I'm not talking about hardware at all
here. A stateful firewall is anything that tracks TCP sessions in
conjunction with layer-3 ACLs. So if you can do it with a router or a Linux
box instead of an expensive appliance, it's still a stateful firewall for
the purpose of this conversation.


> What you're telling me is that, if I don't want to go to the effort,
intellectually, time-wise
> and financially, to obtain and install a proxying firewall, I need not
bother with a firewall
> at all. What you're telling me is just skip the firewall entirely, and
put together a
> comprehensive set of "firewall router" packet filtering rules.
>
> Right?

Not at all. My point is that the convenience of state tracking firewalls
translates directly into savings for the companies that use them. Because
without it, you must document and enforce policy for traffic on your network
in both directions. State tables allow your firewall to have a deny-all
default inbound policy and an allow-all default outbound policy. They allow
you to assume that the Internet cannot be trusted and that your internal
network can be.

Of course these are flawed assumptions. Of course this still leaves the
network exposed in some ways and allows things like bot C&C channels to be
whatever the malware authors want because it will be allowed by most
firewalls. But, the typical stateful firewall can quickly and easily reduce
network attack surface to the Internet with relatively little design or
planning. And that is, in my opinion, more than "a placebo."


PaulM

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 19, Issue 25
************************************************

No comments:

Post a Comment