Wednesday, November 28, 2007

firewall-wizards Digest, Vol 19, Issue 28

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewalls that generate new packets.. (Tina Bird)


----------------------------------------------------------------------

Message: 1
Date: Tue, 27 Nov 2007 19:10:48 -0800
From: "Tina Bird" <tbird@precision-guesswork.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <00f801c8316c$46bb2d00$1701a8c0@lindesfarne>
Content-Type: text/plain; charset="us-ascii"


> That's really what I'm trying to get people to think
> about. What is a firewall? Is it just a router that has a
> tiny little bit of amplification to ACL+"established"?
> Or is it a device that does security at higher layers,
> including some layer-7 awareness? If it's doing layer-7
> stuff, can it be excused from worrying about fragment
> re-assembly (how could it possibly?) or re-ordering?
>
> Is it possible that a "firewall" is largely "a router
> with a sticker on it that says 'firewall'?"
>
> Unless it's doing a lot of useful "deep" stuff at
> layer-7, I'd say that might be the situation.
>
> The question I want you all to start asking is:
> "What's 'deep' about that?"
>
> You didn't ask about the "stateful inspection" stuff and
> look what happened. Now that they know you're suckers
> they're gonna hit you with another load.
>
> mjr.

back in the day, when i picked sidewinder over checkpoint, cisco, or any of
the other firewall vendors out there [due to the fact that sidewinder was
built on a mandatory-access-control based operating system, right from the
start, and that i could easily use OS tools, not firewall tools, to monitor
the traffic the firewall was allowing through], my working definition of
firewall was "device that *separates* the internal network from the
internet," where "separates" meant there was a network connection from the
internal machine to the firewall, and a separate connection from the
firewall to wherever...and in between there was something that DIDN'T ROUTE
TRAFFIC, that knew at least a little about the most dangerous protocols and
let me make access control decisions based on what the traffic contained. so
yes, in 1996 i could control who in the company got to use FTP "put" vs. FTP
"get." not a huge thing, maybe. but enough to separate sidewinder from the
competition at least at that point, especially when combined with the
OS-level security that to this day, i don't think any of the competition can
touch.

through a really ugly-but-effective architecture, sidewinder was even able
to isolate SMTP in distinct zones, years ahead of the competition.

i firmly believe that the firewall an admin finds easiest will always be the
first one she used, like most other apps and tools. i'm therefore grateful
that i picked a system that did thing like provide daily reports *out of the
box* on traffic levels, top ten dests, and that sort of thing. that let me
easily verify that the traffic going through the firewall agreed with what i
had configured in the policy.

when i finally had to pick up other brands of firewalls, i discovered that a
lot of things i'd taken for granted (like network address translation) on
the sidewinder had to be manually configured on a lot of other systems, and
that a lot of the tricks i'd developed to check my own work (or my
co-administrator's work) didn't work any more. but worst of all, i
discovered that checkpoint and the like **allowed network connections
directly between the internal and the untrusted networks** after a few rules
were applied. THEY MISSED THE WHOLE POINT!

if i can't have marcus' airgap firewall, at least give me something that
does not require routing to be enabled on the box, and gives me *some* kind
of isolation between my network and the Evil Outside.

i've never understood how *marketing* could obfuscate that *simple* fact --
direct connection vs. terminated connection -- which to me seems like *such*
an easy way to protect things...thus my, uh, attitude towards marketing
became set rather early in my career, alas...

cheers -- tbird

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 19, Issue 28
************************************************

No comments:

Post a Comment