Wednesday, April 27, 2011

firewall-wizards Digest, Vol 57, Issue 7

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Proxies, opensource and the general market: what's wrong
with us? (ArkanoiD)
2. Re: Proxies, opensource and the general market: what's wrong
with us? (Claudio Telmon)
3. How to keep firewall rules clean and up-to-date (Ilias -)
4. Re: Proxies, opensource and the general market: what's wrong
with us? (Magos?nyi ?rp?d)
5. Re: Proxies, opensource and the general market: what's wrong
with us? (Magos?nyi ?rp?d)


----------------------------------------------------------------------

Message: 1
Date: Tue, 26 Apr 2011 17:03:27 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Magos?nyi ?rp?d <mag@magwas.rulez.org>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20110426130327.GA11702@eltex.net>
Content-Type: text/plain; charset=koi8-r

On Tue, Apr 26, 2011 at 10:03:04AM +0200, Magos?nyi ?rp?d wrote:

> 3. Actually using real firewalls meaningfully needs a level of maturity
> which very few enterprises possess.
> a) As we all know, the firewall operator is the one who should chase
> down programming bugs at the end of the day simply because s/he is in
> the position to see all parts of the puzzle. It is a big burden, and
> easier just to allow anything through than make a real solution. And the
> one who should solve the problem is not the firewall operator. You need
> a very strong exception management procedure to handle only that aspect
> (ITIL as used today is just not enough for this). And we were talking
> about only simple breaches of the protocol. It happens everywhere, the
> http proxy to the outer world is being a prominent example of how
> impossible this mission could get.

There are some right things happening, though. I see many firewalls are now
capable of dealing with http based appliactions quite complex ways.
Looks like FOSS is lagging behind again (except WAF part) :-(

[...]

> b) Now let's talk about the cases when you need more than check for
> protocol compliance. The first question is: how will you identify the
> security function you have to implement in the firewall? The answer is
> easy: from the design documentation of the system protected. So you
> first need meaningful design documentation (mission impossible one), a
> security assessment of that on a meaningful level (mission impossible
> two), and a good procedure to turn the security problems of the
> protected system to requirements against the environment. This needs a
> strong enterprise architecture (mission impossible #3 because of COTS
> products), and very high procedural maturity.

Sure, thats where opensource tools could shine, but things are quite different in so-called "real world" :-(

[...]

> the GPL side. Because open source is about community, and reaching
> critical mass is very hard, especially if you come with a nich? product
> aimed at the enterprise. This is a feat neither FWTK nor Zorp have been
> able to reach.

Quite amazing, but fwtk (old TIS once) was there once. But it was 15 years ago :-(
Easy to use "firewall-oriented" Unix toolboxes like Smoothwall, Shorewall, IPCop, m0n0wall etc
have reached that quite easy, but they are not really "aimed at the enterprise",
they are aimed to be user-friendly at low end/soho. I was referring to it as "cheapo crap",
well, it sounds too rude, but it was just intended to describe this positioning.

Maybe I should start with designing simple kick-start tools for newbies? Will it help?

[...]

> have learned to live with it long ago. And they cannot afford to have a
> solution which needs much thinking: you can build a small company on a
> handful of brilliant people, but enterprises are run by Average Joes.
> So offering a product with features to the enterprise is a bad move. You
> should give them a solution to some problem that hurts, and it should be
> dead simple. We have lost at this point forever:)

I think you are right. I did force myself to read the whole CMM document and the only
conclusion I got from it was "It is pretty complicated way to get things done (even with
terrible overhead, but still done) if every person involved is either a moron, a dumbass, saboteur,
just clueless or all of the above".

> 6. The world is changing. This means that new buzzwords coming up,
> followed dutifully by the market. Fortunately new buzzwords usually mean
> the same old things. Those ideas which have been too immature 20 years
> ago, reemerge later in a different name and shape. You are looking for
> application level firewall? Look at "xml firewall" and "SOA firewall".
> They are out there. Yes, they are specialized into a very tiny subset of
> the problem space (and the rest is still uncovered), but maybe that is
> the most important part anyway.

XML/SOA firewalls were expected to have great future, but they are useless unless you
have detailed system design documents with data flow described in the tiniest details and
you are ready to spend about 10% of resources (or even more) used to implement the system
itself on security related issues.

In real world it means "almost never".

Some enterprises buy it anyways, because "XML firewall" sounds cool.

> I am also seeing labeling and
> information flow control gaining momentum. You should be very familiar
> with both TNI and the modern enterprise architecture to catch a glimpse
> of it, but it is there and growing. And our profession is changing, too.

That's amazing, because from the very beginning it was quite obvious that labeling
and information flow control is the foundation of information security.

Despite that, people ignored it for years, until they got better ad hoc labeling tools with DLP.
Better later than never :-)
Again, opensource solutions are barely visible here :-(

> In the good old days when fwtk have born, we were some kind of unix
> people. Then we became network people. Now I would say that firewalls
> are about architecture. And they never be the same again.

It was always about architecture :-)

> As a summary, open source application level firewalls have two serious
> problems. One is that open source aimed at the enterprise is not a good
> bet right now. I think it will change (there is progress), but we need
> years for that. The other that application level firewalls as you and me
> think about them are practically dead right now. No problem, it is still
> - and ever be - a nich? on which we can feed some tens of programmers,
> but if you want to get out from that dead-end, you have to have a good
> bet on where the industry will go, and play it. (I have my bet, BTW.)

I guess the first thing we do need is a good companion endpoint security solution,
capable of data discovery and classification as well..

------------------------------

Message: 2
Date: Tue, 26 Apr 2011 10:51:35 +0200
From: Claudio Telmon <claudio@telmon.org>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4DB68797.9080407@telmon.org>
Content-Type: text/plain; charset=ISO-8859-1

On 04/24/2011 07:27 PM, ArkanoiD wrote:
> In early days, proxy firewalls and opensource (or just "crystal box" :-) solutions dominated the market.

Hi,
proxy firewalls are almost dead also as closed source products. They
lack the flexibility needed for dealing with new protocols, especially
those based on UDP which are much more common now. IMHO this is exactly
why as fwtk died, not many cared about openfwtk. Currently, for what I
can see, there are almost only reverse proxies, almost nobody puts
proxies in front of the Internet.

WRT performance, I agree with Tracy that most networks don't need the
Gbps speeds in front of the Internet, but many don't feel comfortable
with 100 Mbps when dealing with local traffic, and most
security-conscious companies don't just have firewalls in front of the
Internet. But, there are solutions: ntop's PF_RING
http://www.ntop.org/PF_RING.html is an example of how much can be
achieved when a system is not general purpose.

IMHO the problem is, for many years firewalls have been "trivial" tools
that had little firewalling features, fighting on performance,
integration with e.g. VPN and load balancers etc. Vendors had to invent
the "deep packet inspection" in order to say that they actually *do*
some checks ;) But still, the recent problems with split handshake seem
to show that some/many firewalls don't even enforce proper protocol
syntax (how could they otherwise be confused on the direction of
protocol sessions, no matter how the handshake happened?) and still
nobody cares. It is "normal" that a firewall mostly enforces protocols
up to tcp, and then something else (IPS, WAF, etc) deals with "content".
And I know many companies that don't even enable the "deep packet
inspection" features of their high-end firewall, fearing to create a
bottleneck ;) So, still nobody cares about what the firewall actually
can do ;) I agree with Marcus that APT could increase the attention on
what's happening on the network, but since most companies don't really
understand security, most will happily buy some DLP product, put it
somewhere and forget it, since more effective solutions would need to
have somebody reading and understanding the reports, and that costs
money (OPEX) ;)

An OSS firewall would need to either provide something "new" and
interesting that current products don't have, or provide at least the
same "features" of current products, including integration with load
balancing, vpn, etc. Also, proxies could be used for e.g. some addresses
and some protocols, and keep the option to use packet filtering for
others. I know that this can be done, but not many have the skills
required to assemble all of these components, so all of this should be
provided as a "package", or else the project wouldn't reach the critical
mass for success.

If you look for a community, you could look at OWASP community: while
"testing" is much more funny than protecting ;), you could find some
help there. I don't agree with Marcus that you can't fight with 20
engineers, almost all OSS projects do, and their success or failure is
hardly related to this kind of competition.

Regards,

- Claudio

--

Claudio Telmon
claudio@telmon.org
http://www.telmon.org

------------------------------

Message: 3
Date: Tue, 26 Apr 2011 13:12:06 +0200
From: Ilias - <ilias_pavilion@live.nl>
Subject: [fw-wiz] How to keep firewall rules clean and up-to-date
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID: <COL105-W34074389C8810B0636FF8EEB990@phx.gbl>
Content-Type: text/plain; charset="iso-8859-1"


Hello,

What do you do to keep your firewall rules clean and up-to-date?
Procedures, for which?

Keep in mind;

-Servers that change from IP
-Server which has been discarded
etc.

Thanks in advance
Best regards,
Ilias



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20110426/63946731/attachment-0001.html>

------------------------------

Message: 4
Date: Tue, 26 Apr 2011 10:17:10 +0200
From: Magos?nyi ?rp?d <mag@magwas.rulez.org>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4DB67F86.5010608@magwas.rulez.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Dear Ark,

I am in the position that I see both the open and closed source market,
both from a vendor's and the enterprise perspective. And I see this:

1. Enterprise firewall is just an item on the checklist to be ticked,
because auditors want it. What the CIO wants that they should have a big
name, low TCO, and don't get into the way of traffic. And there is no
one who could tell him why the enterprise needs real firewalls, because

2. honestly no one have a clue.
a) Yes, they might have a faint idea about domain separation, and that's
all. Try to talk to a "firewall expert" about information flow control
policy, Bell-LaPadula and Clark-Wilson model, interdependences of
security functions in an enterprise, Trusted Network Interpretation. You
will see glassy eyes. They haven't even heard about the concept of
crystal box. The log analysis expert haven't heard about Artificial
Ignorance in his whole profession. Ridiculous. (Of course this is not
true to the readers of this list, but this is what I am seeing daily out
in the wild.)
b) An application level firewall is an inherently complex beast. We see
firewall operators struggling to catch the concepts behind Zorp. An
average firewall operator needs a week of hands-on training. Of course
fwtk is simpler, you just need a competent unix and network
administrator to use that, which is also in shortage in these days,
especially in this combination. While with a simple software it is
possible to drive marketing with the open source version, application
level firewall is not that category. (Honestly for a long time we did
not do anything with syslog-ng beyond some occasional bug fixing and
playing around with it in free time. And suddenly companies started to
ask whether they can pay us money for it. Sure:)

3. Actually using real firewalls meaningfully needs a level of maturity
which very few enterprises possess.
a) As we all know, the firewall operator is the one who should chase
down programming bugs at the end of the day simply because s/he is in
the position to see all parts of the puzzle. It is a big burden, and
easier just to allow anything through than make a real solution. And the
one who should solve the problem is not the firewall operator. You need
a very strong exception management procedure to handle only that aspect
(ITIL as used today is just not enough for this). And we were talking
about only simple breaches of the protocol. It happens everywhere, the
http proxy to the outer world is being a prominent example of how
impossible this mission could get.
b) Now let's talk about the cases when you need more than check for
protocol compliance. The first question is: how will you identify the
security function you have to implement in the firewall? The answer is
easy: from the design documentation of the system protected. So you
first need meaningful design documentation (mission impossible one), a
security assessment of that on a meaningful level (mission impossible
two), and a good procedure to turn the security problems of the
protected system to requirements against the environment. This needs a
strong enterprise architecture (mission impossible #3 because of COTS
products), and very high procedural maturity.

4. We have a IT governance model out there which most enterprises do.
The most important part of it that (licence) fees and actual work done
have nothing to do with each other. In most enterprises you cannot just
deploy an open source solution. To be able to do this, it should be
rebranded to have a "Oracle" label on it :) Seriously: open source based
IT governance is something you and me might know how should be done, but
IT managers have yet to learn. In the meantime you have two ways: you
are either a system integrator, and introduce open source as part of the
integration activities to support functionality of braindead broken COTS
software, or you create a "paying" version of the open source one.
Enterprises are very happy to buy paying syslog-ng and Zorp for heaps of
money when they use only the GPL features. They just cannot think out of
the box. Unfortunately with this governance attitude one have to be very
creative to be able to come up with a business model which is suited to
the GPL side. Because open source is about community, and reaching
critical mass is very hard, especially if you come with a nich? product
aimed at the enterprise. This is a feat neither FWTK nor Zorp have been
able to reach. You should live with the fact that people are people, and
several downloads daily are not enough to start the chain reaction. (I
am now trying to persuade my friends to go for a business model for our
Zorp product lines (pro and GPL) which is more aligned with what we are
actually doing. But they also have picked up some bad habits in the
passing years, so we will see.)

5. Complex software aimed at the enterprise is not about features, or at
least not the way one would think of it at first. Take a good look at
SAP. Honestly, I think that their software is crap from ancient times.
But they deliver it professionally, the main point is beeing procedures.
Because what enterprises are struggling with is not quality of software:
they have learned to live with bad software (this is why they need
firewalls at the first place), actually they have never had the
opportunity to use anything actually useable: there is simply no
software out there which would cover the needs of a complex enterprise.
Their main problem is how to run their procedures in a less suboptimal
way than they are doing today. And SAP is helping them in this: they are
given business procedures and IT support procedures. Those are not the
best ones, and they are paying orbital amounts for it, but at least
there is a clear recipe which the enterprise can follow. Or take a look
at Oracle AIA, the most exorbitantly priced component of the SOA suite:
it is not much more than a set of configurations, some of them directly
going against the SOA principles. But there is an enterprise data model
in it. Not a good one, again, at least not aligned with the sector I am
mostly working for. But I see enterprises dumping a lot of work to jump
on the AIA bandwagon. They got something which they can follow without
thinking much, and they don't care about some small misalignments: they
have learned to live with it long ago. And they cannot afford to have a
solution which needs much thinking: you can build a small company on a
handful of brilliant people, but enterprises are run by Average Joes.
So offering a product with features to the enterprise is a bad move. You
should give them a solution to some problem that hurts, and it should be
dead simple. We have lost at this point forever:)

6. The world is changing. This means that new buzzwords coming up,
followed dutifully by the market. Fortunately new buzzwords usually mean
the same old things. Those ideas which have been too immature 20 years
ago, reemerge later in a different name and shape. You are looking for
application level firewall? Look at "xml firewall" and "SOA firewall".
They are out there. Yes, they are specialized into a very tiny subset of
the problem space (and the rest is still uncovered), but maybe that is
the most important part anyway. I am also seeing labeling and
information flow control gaining momentum. You should be very familiar
with both TNI and the modern enterprise architecture to catch a glimpse
of it, but it is there and growing. And our profession is changing, too.
In the good old days when fwtk have born, we were some kind of unix
people. Then we became network people. Now I would say that firewalls
are about architecture. And they never be the same again.

As a summary, open source application level firewalls have two serious
problems. One is that open source aimed at the enterprise is not a good
bet right now. I think it will change (there is progress), but we need
years for that. The other that application level firewalls as you and me
think about them are practically dead right now. No problem, it is still
- and ever be - a nich? on which we can feed some tens of programmers,
but if you want to get out from that dead-end, you have to have a good
bet on where the industry will go, and play it. (I have my bet, BTW.)

On 2011-04-24 19:27, ArkanoiD wrote:
> In early days, proxy firewalls and opensource (or just "crystal box" :-) solutions dominated the market.
>
> Now both are either extinct or forced to an ulgy low end (for opensource, it usually means having no
> security-centric framework, no common API, no real code review -- just a bunch of "functionally fit"
> free things installed on a linux box with some simple web interface). For proxy firewalls the future is
> even more questionable. Multiple state-of-the-art technology leaders were merging (quite obviously being
> unable to stay competitive with cheapo crap) until there was only One left.. SC, later bought by McAfee.
> And now McAfee is owned by Intel and it seems to show no interest in high end firewall solutions at all,
> they seem to think they just bought an "antivirus company".
>
> I asked guys on LinkedIn (having to admit LinkedIn security community sucks big time, some sane people are still there :-)
> , if they still have some interest in opensource firewall solutions. The short answer
> was "NO". The long ones were:
>
> -- It is all about performance, we want as many Gbits per $ as possible, so ASIC is only way
>
> -- It is all about features and support, no free solution fits.
>
>
> And the second point seems to be pretty valid. We have *NO* product that is a match for current "market leaders".
> It does not mean it is impossible: it is quite obviously possible, but we still do not have it.
>
> You may take OpenFWTK, Prelude, Snort, ClamAV, some unix of you choice and.. still not get really the same.
> Protocol support is not that good, no common management interface and not really ready for enterprise which
> is not full of geeks at all, management overhead and TCO are going to jump up beyond any reasonable limit.
>
> OpenDLP is just a sad joke, running a bunch of regexps against your data is not the thing to be called DLP.
>
> As I am still running the OpenFWTK project, I have to admit I get little to *NO* support form Opensource community.
> The single reason the project is still alive is occasional donations and paid feature requests from *commercial* vendors who
> use some OpenFWTK components in their products. Maybe once a year or two I receive a bug report or even a patch or some half-baked
> piece of documentation. I appreciate that, but most of the times I never hear from those people again.
> Despite that, Sourceforge shows several downloads/checkouts daily, but the feedback is close to zero. Once I googled for
> OpenFWTK I found some japanese site with patches they did not bother even to send me, and there was no contact email and
> no way to send them any questions as comment form was protected with captcha in japanese!
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

Message: 5
Date: Tue, 26 Apr 2011 11:08:56 +0200
From: Magos?nyi ?rp?d <mag@magwas.rulez.org>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <4DB68BA8.3030703@magwas.rulez.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 2011-04-26 02:29, Marcus J. Ranum wrote:
> I agree with you that it's not necessarily "crap" but OSS
> generally means "free" which also means that one or two
> OSS solutions suck all the oxygen out of the bottom of the
> market - while the commercial offerings dominate the middle
> and the top. If you get into a feature war with a commercial
> product that has 20 engineers working on it, full-time, you
> are not going to win if you're a typical OSS project.

I would differ here. The OSS projects having momentum have much more
(and better) engineers working on them in full time than any commercial
venture could pay for. I especially like the "better" part. Imagine
Linux Kernel Inc., Orlando hiring 300 kernel hackers. Would they be all
up to the job? Now imagine 300 companies worldwide hiring one kernel
hacker per company. One who have to be good enough to create patches
accepted upstream, because the viability of the products (hence the
company) depends on it, and in turn gets THE dream job of anyone who
knows what open source is. High standards and high motivation.

Well, one can do a development project either professionally or
unprofessionally, and in both cases it can be open source or closed one.
The difference between OSS and closed source is whether one believes in
other things than money. (And even this is less and less true, as open
source as a business model gains momentum.)

Granted, doing an open source project professionally today is much
harder than it should be.

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 57, Issue 7
***********************************************

No comments:

Post a Comment