Thursday, April 28, 2011

firewall-wizards Digest, Vol 57, Issue 13

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Proxies, opensource and the general market: what's wrong
with us? (david@lang.hm)
2. Re: Proxies, opensource and the general market: what's wrong
with us? (Tracy Reed)
3. Re: Proxies, opensource and the general market: what's wrong
with us? (ArkanoiD)
4. Re: Proxies, opensource and the general market: what's wrong
with us? (ArkanoiD)
5. Re: proxy firewalls -vs- packet filters (Marcus J. Ranum)
6. Re: Proxies, opensource and the general market: what's wrong
with us? (david@lang.hm)
7. Re: Proxies, opensource and the general market: what's wrong
with us? (david@lang.hm)


----------------------------------------------------------------------

Message: 1
Date: Thu, 28 Apr 2011 13:13:19 -0700 (PDT)
From: david@lang.hm
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.2.00.1104281308450.940@asgard.lang.hm>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Tue, 26 Apr 2011, ArkanoiD wrote:

>>
>>> As I am still running the OpenFWTK project, I have to admit I get
>>> little to *NO* support from the Opensource community.
>>
>> I very rarely hear about openfwtk and I'm in the business. I know of
>> very few companies who have deployed or want to run proxies. Most just
>> stick with stateful packet filtering and maybe a squid/varnish proxy for
>> http and call it a day. In order to have community support you have to
>> have a community. There are 30 people in #shorewall on freenode.net and
>> for nearly 10 years now there has always been someone to help out
>> whenever I had an issue. The mailing list is quite active also. Tom
>> Eastep does a fantastic job of running the project working with the
>> community. openfwtk-devel at
>> http://sourceforge.net/mail/?group_id=192764 has 7 subscribers and 10
>> emails in the archive over years. And no IRC channel. It is barely
>> visible at all on the net. You don't get community support if you have
>> no community.
>
> Exactly how am I expected to get the community?

for one thing, release early, release often

the last release showing up on sourceforge under files is 2.0 in 2007,
with a snapshot release dated Aug 2010 and short of diving into CVS, no
other snapshots appear to be available. From the discussions we've been
having, you have been doing more work on this in the meantime, but you
need to do releases, even if they are small ones, showing progress and
fixes.

David Lang


------------------------------

Message: 2
Date: Thu, 28 Apr 2011 12:35:58 -0700
From: Tracy Reed <treed@ultraviolet.org>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20110428193558.GD3737@tracyreed.org>
Content-Type: text/plain; charset="iso-8859-1"

On Thu, Apr 28, 2011 at 08:05:20AM +0200, Magosányi Árpád spake thusly:
> But it is not. Network perimeter defence is an industry seriously
> hit by marketing bullshit from some vendors, who could not come out
> with a decent firewall, so redefined the term to be applicable to
> their products.

The proliferation of BS is a serious problem. Buzzwords are everywhere.
It is hard to know what really provides value/security and what is just
buzzwords and lengthening the bullet list of features to make the
product more attractive.

> Doing this they came out with a definition which goes against basic
> security principles and empties the meaning of the word to the
> extent which makes nearly pointless to have "firewalls".

I think it would be hard to make the argument that it is pointless to
have packet filters. How would defining a firewall as a packet filter go
against basic security principles? You could then simply say you need a
firewall (packet filter) AND these various other proxies and tools to
secure your network. Perhaps we are not really doing ourselves a favor
by overloading the word "firewall" to such an extent?

Just for fun I googled for the word "firewall" to find some sort of
definition and the first link is wikipedia:

http://en.wikipedia.org/wiki/Firewall_%28computing%29

Curiously, they list three generations of "firewall": packet filters,
application layer, stateful filters.

Pretty much every packet filter these days is stateful. But many
firewall implementations skipped the application layer functionality.

> This led to a state of affairs where there is practically no
> discussion about a lot of important questions of network perimeter
> defense, because the majority of the "firewall" people are kept in a
> darkness about the issue to the extent that they do not have the
> background even to ask the right questions.

What are some of the questions that you feel get overlooked?

> This means that even though those same vendors now would be in the
> position to implement actually meaningful features, they do not do
> it because they have conditioned their consumers to not think about
> such things.

I think they have simply failed to educate the customer of the value of
those features. The vendors are constantly looking for ways to
differentiate themselves in what has fast become a commodity market.
Why doesn't the customer care? If I see two boxes on the shelf with the
same price but one seems to offer more security than the other I'm going
to buy that one. But the additional perceived security just isn't there
for the customer.

> When you see someone trying to correct this "firewall = packet
> filter" nonsense, you actually see a vain attempt to correct these
> mistakes. Because the first step is to meaningfully discuss
> something is to have meaningful definitions.

I understand and appreciate that a firewall can be more than just a
packet filter. But to insist that a packet filter is not a firewall does
not seem to accomplish anything because then you have to define exactly
what a firewall really does require to be called a firewall which can
get quite complicated.

The idea that all of that functionality should be in one box or provided
by one vendor bothers me also. It seems to violate the UNIX philosophy
of do one thing and do it well.

--
Tracy Reed

------------------------------

Message: 3
Date: Fri, 29 Apr 2011 03:46:35 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20110428234635.GA13015@eltex.net>
Content-Type: text/plain; charset=koi8-r

On Thu, Apr 28, 2011 at 11:01:45AM -0700, david@lang.hm wrote:
>
> Ok, I'll take a look at that.
>
Please use CVS snapshot, the current one should be ok (I will probably mark it
with some tag), tarballs and rpms are too old.

> for an ssh proxy, what I minimally need is the ability to be a direct
> replacement for tn-gw and ftp-gw without it enabling tunneling.

That might be relatively easy if we are not going to dive deep into key management.
I hope I will make some hack (at least a better one than the patched openssh I used before) soon.

> something like tn-gw where the user connects to the firewall then
> specifies where to go from there for an interactive terminal session, with
> port forwarding
> disabled

Yes, it was the only thing it did provide.

> something like ftp-gw where an authenticated user is able to transfer
> files through the connection and log what's moved
>
> both of these authenticated to authsrv
>
> future enhancements:
>
> optionally allow port forwarding
>
> add the ability to do firewalling for the ports forwarded through ssh
>
> add the ability to specify what commands can be executed to a destination
> through the proxy (as opposed to the default login)
>
> add key management (for incoming, support using the ssh identity as the
> userid, with or without additional authentication with authsrv, for
> outbound, support different client certs for different userids, possibly
> for different userid/destination pairs) potentially doing the keyserver
> relay back to the client. This is the lowest priority item for me.

Sounds reasonable.

> >>I actually don't have an objection to the firewall being a collection of
> >>different tools gathered together (that's just good code re-use in the
> >>best opensource tradition), it may require some tweaks to code, or some
> >>scripts to create the appropriate config files for some of the tools, but
> >>that is far better than having to completely re-write the tools.
> >
> >That's why I was talking about "kickstart" -- a set of configuration
> >templates that eases this task.
>
> actually, I was not thinking in terms of templates, but rather something
> that would let you define access in terms of groups like the traditional
> authsrv entries in netperm-table and have a script that would create the
> corresponding config for squid (picking an example). I actually have
> something along these lines today that is a script running out of
> cron that checks the timestamp on netperm-table and anytime it
> changes it looks for authsrv lines with http or https types and creates
> files for the groups allowing those groups to go to the destinations
> specified and then kicks squid with a reconfigure (I have other processes
> to do authentication for IPs to populate what the sources for each group
> are). This allows the use of a fairly mature tool without the people
> implementing the permissions having to worry about learning a different
> config file format. They just make authsrv entries and everything else is
> taken care of for them.

There is a tool like that to configure djbdns forwarder service (dnsctl).
Maybe other companion tools might be useful, to configure, say, packet filtering
(or VPN, or whatever else).
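
The netperm-table-to-squid translation David Lang describes in the quoted text above, written out as an added example that is not part of the original thread or of the fwtk/OpenFWTK code. The `permit-group <group> <type> <destinations>` layout of the authsrv lines is an assumed format for this example (the real netperm-table grammar is not reproduced), the `/etc/squid/groups/<group>.src` membership files are assumed to be maintained by the separate IP-authentication process he mentions, and the script returns the `squid -k reconfigure` command for the caller to run rather than running it itself.

```python
"""Generate a squid access-control fragment from fwtk-style authsrv group grants."""
import os
import re
from collections import OrderedDict

# Constructed sample netperm-table fragment. The "permit-group" keyword and the
# "<group> <type> <destinations>" field layout are assumptions for this example.
SAMPLE_NETPERM_TABLE = """\
# netperm-table (constructed sample)
authsrv:    database /usr/local/etc/fw-authdb
authsrv:    permit-hosts 127.0.0.1
authsrv:    permit-group ops   http   .example.com .intranet.example.net
authsrv:    permit-group ops   https  .example.com
authsrv:    permit-group devs  http   .github.com
authsrv:    permit-group devs  telnet 10.0.0.5
tn-gw:      permit-hosts 10.0.0.* -auth
"""

WEB_TYPES = ("http", "https")
# Tokens are copied verbatim into squid.conf, so refuse anything outside a
# conservative character set rather than risk injecting directives.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_web_grants(text):
    """Return an ordered {group: [destinations]} built from the http/https
    permit-group lines; other applications and proxy types are ignored."""
    grants = OrderedDict()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("authsrv:"):
            continue
        fields = line.split(":", 1)[1].split()
        if len(fields) < 4 or fields[0] != "permit-group":
            continue
        group, ptype, dests = fields[1], fields[2], fields[3:]
        if ptype not in WEB_TYPES:
            continue
        if not SAFE_TOKEN.match(group) or not all(SAFE_TOKEN.match(d) for d in dests):
            raise ValueError("refusing unsafe token on line: %r" % raw)
        bucket = grants.setdefault(group, [])
        for dest in dests:
            if dest not in bucket:
                bucket.append(dest)
    return grants


def render_squid_acls(grants, src_dir="/etc/squid/groups"):
    """Emit a squid.conf fragment: per group, a src ACL read from the group's
    membership file and a dstdomain ACL, then one allow rule tying them
    together. A final deny-all keeps anything unmatched blocked."""
    out = ["# generated from netperm-table; do not edit by hand"]
    for group, dests in grants.items():
        out.append('acl grp_%s_src src "%s/%s.src"' % (group, src_dir, group))
        out.append("acl grp_%s_dst dstdomain %s" % (group, " ".join(dests)))
        out.append("http_access allow grp_%s_src grp_%s_dst" % (group, group))
    out.append("http_access deny all")
    return "\n".join(out) + "\n"


def plan_refresh(table_path, last_mtime):
    """The cron-driven step: only when the table's mtime has moved is the
    config re-rendered and a reload requested. Returns
    (current_mtime, config_text_or_None, reload_command_or_None)."""
    mtime = os.stat(table_path).st_mtime
    if mtime == last_mtime:
        return mtime, None, None
    with open(table_path) as fh:
        config = render_squid_acls(parse_web_grants(fh.read()))
    return mtime, config, ["squid", "-k", "reconfigure"]


if __name__ == "__main__":
    print(render_squid_acls(parse_web_grants(SAMPLE_NETPERM_TABLE)))
```

Writing the fragment to a file that squid.conf pulls in with `include`, and then invoking the returned reload command, keeps the generated rules separate from hand-maintained squid configuration.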

------------------------------

Message: 4
Date: Fri, 29 Apr 2011 03:50:30 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20110428235030.GB13015@eltex.net>
Content-Type: text/plain; charset=koi8-r

I think you are right. I guess I should make new snapshots once code passes functional
and regression testing (which in turn needs major improvement).

On Thu, Apr 28, 2011 at 01:13:19PM -0700, david@lang.hm wrote:
> >
> >Exactly how am I expected to get the community?
>
> for one thing, release early, release often
>
> the last release showing up on sourceforge under files is 2.0 in 2007,
> with a snapshot release dated Aug 2010 and short of diving into CVS, no
> other snapshots appear to be available. From the discussions we've been
> having, you have been doing more work on this in the meantime, but you
> need to do releases, even if they are small ones, showing progress and
> fixes.

------------------------------

Message: 5
Date: Thu, 28 Apr 2011 19:36:31 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] proxy firewalls -vs- packet filters
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4DB9F9FF.20105@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Bennett Todd wrote:
> Probably a naive question, but is there any possibility ipv6 might
> tear open a gap in the range of available firewall products that
> user-space application layer proxy firewalls could fill faster than
> the heuristics for packet filtering can run over enough toes to
> discover the necessary subtleties?

Probably a snarky answer, but I thought that when the switchover
to IPv6 happens, nobody'll need firewalls anymore.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenable.com


------------------------------

Message: 6
Date: Thu, 28 Apr 2011 18:21:35 -0700 (PDT)
From: david@lang.hm
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.2.00.1104281816580.7120@asgard.lang.hm>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

the fact that you need to direct me to use a CVS snapshot because all the
tarballs are too old is a really good indicator of the problem.

I looked at openfwtk when it was first announced, and at that time it
wasn't ready to replace all the parts of fwtk that I use, so I didn't move
to it. I've checked back once in a while, but without seeing new releases
it hasn't seemed like there was anything new to test.

I would suggest moving to git or similar DVCS so that you can create a
fork for developing each new feature and then as each one gets done, merge
it in to the main trunk rather than having to either keep development out
of the main repository, or have each snapshot get a fairly random state of
functionality between all the development.

David Lang

On Fri, 29 Apr 2011,
ArkanoiD wrote:

> I think you are right. I guess I should make new snapshots once code passes functional
> and regression testing (which in turn needs major improvement).
>
> On Thu, Apr 28, 2011 at 01:13:19PM -0700, david@lang.hm wrote:
>>>
>>> Exactly how am I expected to get the community?
>>
>> for one thing, release early, release often
>>
>> the last release showing up on sourceforge under files is 2.0 in 2007,
>> with a snapshot release dated Aug 2010 and short of diving into CVS, no
>> other snapshots appear to be available. From the discussions we've been
>> having, you have been doing more work on this in the meantime, but you
>> need to do releases, even if they are small ones, showing progress and
>> fixes.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>


------------------------------

Message: 7
Date: Thu, 28 Apr 2011 18:27:16 -0700 (PDT)
From: david@lang.hm
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.2.00.1104281821440.7120@asgard.lang.hm>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

one other SSH related thing, a SSH enabled version of cmd-gw

I hacked in support for simple authentication (validating the user with
authsrv) and then added the ability to do some tests and simple work
through it (do a ps to see what proxies are running, show what the rules
are for a given proxy, execute hping2 to see if you can get to the
destination on a given port, etc) and it has proven to be a wonderful tool
by allowing other teams to execute commands from the firewalls without
having to give them local logins. One thing that I have found is that I
need the ability to set permissions per command, not just allowing or
disallowing users (similar to how ftp-gw could be configured to allow get
but not put)

David Lang


On Fri, 29 Apr 2011, ArkanoiD wrote:

> On Thu, Apr 28, 2011 at 11:01:45AM -0700, david@lang.hm wrote:
>>
>> Ok, I'll take a look at that.
>>
> Please use CVS snapshot, the current one should be ok (I will probably mark it
> with some tag), tarballs and rpms are too old.
>
>> for an ssh proxy, what I minimally need is the ability to be a direct
>> replacement for tn-gw and ftp-gw without it enabling tunneling.
>
> That might be relatively easy if we are not going to dive deep into key management.
> I hope I will make some hack (at least a better one than the patched openssh I used before) soon.
>
>> something like tn-gw where the user connects to the firewall then
>> specifies where to go from there for an interactive terminal session, with
>> port forwarding
>> disabled
>
> Yes, it was the only thing it did provide.
>
>> something like ftp-gw where an authenticated user is able to transfer
>> files through the connection and log what's moved
>>
>> both of these authenticated to authsrv
>>
>> future enhancements:
>>
>> optionally allow port forwarding
>>
>> add the ability to do firewalling for the ports forwarded through ssh
>>
>> add the ability to specify what commands can be executed to a destination
>> through the proxy (as opposed to the default login)
>>
>> add key management (for incoming, support using the ssh identity as the
>> userid, with or without additional authentication with authsrv, for
>> outbound, support different client certs for different userids, possibly
>> for different userid/destination pairs) potentially doing the keyserver
>> relay back to the client. This is the lowest priority item for me.
>
> Sounds reasonable.
>
>>>> I actually don't have an objection to the firewall being a collection of
>>>> different tools gathered together (that's just good code re-use in the
>>>> best opensource tradition), it may require some tweaks to code, or some
>>>> scripts to create the appropriate config files for some of the tools, but
>>>> that is far better than having to completely re-write the tools.
>>>
>>> That's why I was talking about "kickstart" -- a set of configuration
>>> templates that eases this task.
>>
>> actually, I was not thinking in terms of templates, but rather something
>> that would let you define access in terms of groups like the traditional
>> authsrv entries in netperm-table and have a script that would create the
>> corresponding config for squid (picking an example). I actually have
>> something along these lines today that is a script running out of
>> cron that checks the timestamp on netperm-table and anytime it
>> changes it looks for authsrv lines with http or https types and creates
>> files for the groups allowing those groups to go to the destinations
>> specified and then kicks squid with a reconfigure (I have other processes
>> to do authentication for IPs to populate what the sources for each group
>> are). This allows the use of a fairly mature tool without the people
>> implementing the permissions having to worry about learning a different
>> config file format. They just make authsrv entries and everything else is
>> taken care of for them.
>
> There is a tool like that to configure djbdns forwarder service (dnsctl).
> Maybe other companion tools might be useful, to configure, say, packet filtering
> (or VPN, or whatever else).
>
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

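Per-command permissions for the cmd-gw-style gateway David Lang describes at the top of this message (allowing or denying each command for a user, the way ftp-gw could allow get but not put), as an added example that is not part of the original post or of the fwtk code. The command names (`ps`, `rules`, `reach`, `put`), the group names and the argument patterns are a constructed policy; `authorize` only decides and `audit_record` only formats a log line, leaving the actual execution to the gateway.

```python
"""Per-command authorization for a cmd-gw-style command gateway."""
import re
import shlex
from collections import namedtuple

# One policy row per gateway command: which authsrv groups may run it and what
# its arguments may look like. Commands, groups and patterns are constructed
# for this example; they are not fwtk's.
Rule = namedtuple("Rule", "command groups arg_pattern")
POLICY = (
    Rule("ps",    frozenset({"ops", "netops", "helpdesk"}), re.compile(r"^$")),
    Rule("rules", frozenset({"ops", "netops"}),             re.compile(r"^[a-z0-9-]+$")),
    Rule("reach", frozenset({"ops", "netops"}),             re.compile(r"^[A-Za-z0-9.-]+ [0-9]{1,5}$")),
    Rule("put",   frozenset({"ops"}),                       re.compile(r"^[A-Za-z0-9./_-]+$")),
)

Decision = namedtuple("Decision", "allowed reason")


def authorize(user, groups, line):
    """Return a Decision for an authsrv-authenticated `user` in `groups` asking
    to run `line`. Default deny: an unknown command, a group without a grant,
    or arguments outside the pattern all refuse."""
    try:
        parts = shlex.split(line)
    except ValueError as exc:  # unbalanced quotes and similar
        return Decision(False, "unparsable input: %s" % exc)
    if not parts:
        return Decision(False, "empty command")
    name, args = parts[0], " ".join(parts[1:])
    for rule in POLICY:
        if rule.command != name:
            continue
        if not frozenset(groups) & rule.groups:
            return Decision(False, "%s is not in a group permitted to run %s" % (user, name))
        if not rule.arg_pattern.match(args):
            return Decision(False, "arguments for %s do not match policy" % name)
        if name == "reach":
            # The pattern only bounds the digit count; check the port range too.
            port = int(args.split()[1])
            if not 1 <= port <= 65535:
                return Decision(False, "port out of range")
        return Decision(True, "ok")
    return Decision(False, "unknown command %s" % name)


def audit_record(user, groups, line):
    """One log line per request, allowed or not, so gateway use is reviewable."""
    decision = authorize(user, groups, line)
    return "cmd-gw user=%s groups=%s cmd=%r allowed=%s reason=%s" % (
        user, ",".join(sorted(groups)), line, decision.allowed, decision.reason)


if __name__ == "__main__":
    for who, grp, cmd in (("alice", ["helpdesk"], "ps"),
                          ("alice", ["helpdesk"], "rules http-gw"),
                          ("bob", ["netops"], "reach 10.0.0.5 443"),
                          ("bob", ["netops"], "reach 10.0.0.5; id")):
        print(audit_record(who, grp, cmd))
```

Matching arguments against a per-command pattern, rather than only checking the command name, is what keeps a gateway that runs real tools from turning into a general shell for the teams it serves.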

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 57, Issue 13
************************************************
