Firewall opinions wanted please

PIX firewalls are great if you configure them correctly for the application. 40 or fewer servers may not require something as complex, however if the data you are protecting is super-critical, I think a PIX might be your best solution.

Proxy firewalls (i.e. Linux, BSD or variant gateways) are good if you're into doing an internal IP network with a NAT access point. But remember dealing with proxies, there is no such thing as a 'TRUE' transparent proxy, and having to go through all of the complexities of port forwarding, packet mangling, etc. might be too much if you are simply trying to firewall your web servers and whatnot.

As discussed in a previous thread, I spoke about transparent bridging used for packet filtering and mangling. On a small application, that might be a good idea, because you get all of the true internet access (i.e. legit IPs, no proxying etc.) with the same ability to filter TCP, ICMP, UDP, IGMP etc. traffic.

Disadvantages to dealing with transparent bridging are that you run into the whole MAC address collision and excess overhead announcements being made from the bridge itself every time it sends a packet through.

The best option I guess is to figure out how important it is for you to have a firewall, what is the reason you need one and how important the data is on your servers. That will help you decide the best choice for a firewall or proxy application.

Greg

On Tue, Mar 16, 2004 at 05:01:22PM -0600, Gregory Taylor said something to the effect of:
..snip snip..

> As discussed in a previous thread, I spoke about transparent bridging used for packet filtering and mangling. On a small application, that might be a good idea, because you get all of the true internet access (i.e. legit IPs, no proxying etc.) with the same ability to filter TCP, ICMP, UDP, IGMP etc. traffic.
>
> Disadvantages to dealing with transparent bridging are that you run into the whole MAC address collision and excess overhead announcements being made from the bridge itself every time it sends a packet through.
>
> The best option I guess is to figure out how important it is for you to have a firewall,

_Everyone_ (network connected) should have a firewall. My grandma should
have a firewall. Nicole, holding dominion over this business network and
its critical infrastructure, should _definitely_ have a firewall. :wink:

Curses. Budget constraints. Bah.

> what is the reason you need one and how important the data is on your servers. That will help you decide the best choice for a firewall or proxy application.

See above. :wink:

The importance of the data is often more an issue of calculating things
like redundancy and storage. A firewall in this case should likely be
regarded as non-negotiable.

Be careful with transparent bridging in lieu of stricter edge filtering...
Also consider the efficacy and reward of firewall logs, application layer
filtering, and IDS integration (in a budget-friendly, open source flavor
of free...) down the road.

ymmv,
--ra

> _Everyone_ (network connected) should have a firewall. My grandma should
> have a firewall. Nicole, holding dominion over this business network and
> its critical infrastructure, should _definitely_ have a firewall. :wink:

By "firewall", do you mean "dedicated unit that does stateful filtering"
or just "something that will block packets"? We've successfully argued
to just about every group here at our University who came to us asking for a
"firewall" that, given what they wanted to achieve, they could accomplish the
same thing with simple ACLs...

I'm sure that the cost of the ACLs (i.e. $0.00) versus the cost of a firewall
also helped them in their decision...

Eric :slight_smile:
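The distinction Eric is drawing, "something that blocks packets" versus a stateful unit, is the one place where a plain ACL and a connection-tracking filter give different answers. The following is an added illustration, not code or configuration from anyone in this thread: a stateless ACL with the usual "permit the service port, permit anything carrying ACK" shape beside a minimal connection tracker, both run over a constructed packet trace (addresses, ports and the protected host are made up).

```python
"""Stateless ACL versus stateful filtering over a constructed packet trace.

Everything here is constructed for illustration: the protected host,
the client and the trace are not taken from any real network.
"""
from dataclasses import dataclass

PROTECTED = "192.0.2.10"  # constructed server sitting behind the filter
WEB_PORT = 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. {"SYN"}, {"ACK"}, {"SYN", "ACK"}

    @property
    def inbound(self) -> bool:
        return self.dst == PROTECTED


def stateless_acl(pkt: Packet) -> bool:
    """Router-style ACL on inbound traffic only, evaluated top to bottom:
    1. permit TCP to the web port
    2. permit any segment with ACK set (the classic 'established' match)
    3. implicit deny everything else
    Outbound traffic is not inspected by this ACL at all."""
    if not pkt.inbound:
        return True
    if pkt.dport == WEB_PORT:
        return True
    if "ACK" in pkt.flags:
        return True
    return False


class StatefulFilter:
    """Connection tracker: inbound is allowed only as a new web connection or
    as part of a flow that was opened earlier from either side."""

    def __init__(self) -> None:
        self.flows: set = set()  # 4-tuples (src, sport, dst, dport) of open flows

    def allow(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if not pkt.inbound:
            if pkt.flags == frozenset({"SYN"}):
                self.flows.add(fwd)  # the host opened an outbound connection
            return True
        if pkt.flags == frozenset({"SYN"}) and pkt.dport == WEB_PORT:
            self.flows.add(fwd)  # a new, permitted inbound web connection
            return True
        # anything else inbound must belong to a flow we have already seen
        return fwd in self.flows or rev in self.flows


def run_trace(trace):
    """Return (label, stateless_verdict, stateful_verdict) per packet."""
    fw = StatefulFilter()
    return [(label, stateless_acl(p), fw.allow(p)) for label, p in trace]


CLIENT = "198.51.100.7"  # constructed outside host


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


TRACE = [
    ("client SYN to web port", pkt(CLIENT, 40001, PROTECTED, 80, "SYN")),
    ("client ACK inside that web flow", pkt(CLIENT, 40001, PROTECTED, 80, "ACK")),
    ("host opens outbound SMTP", pkt(PROTECTED, 50000, "203.0.113.5", 25, "SYN")),
    ("SYN/ACK reply to that outbound flow", pkt("203.0.113.5", 25, PROTECTED, 50000, "SYN", "ACK")),
    ("SYN to port 22 (not permitted)", pkt(CLIENT, 40002, PROTECTED, 22, "SYN")),
    ("lone ACK to port 22, no prior flow", pkt(CLIENT, 40003, PROTECTED, 22, "ACK")),
]

if __name__ == "__main__":
    for label, acl, tracked in run_trace(TRACE):
        print(f"{label:40} stateless={acl!s:5} stateful={tracked}")
```

The verdicts agree on every packet except the last: the ACL's 'established' rule passes any segment with ACK set, while the tracker drops it because no flow exists, which is the practical gap behind the "stateful unit or just blocking packets" question.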

On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:

> > The best option I guess is to figure out how important it is for you to have a firewall,
>
> _Everyone_ (network connected) should have a firewall. My grandma should
> have a firewall. Nicole, holding dominion over this business network and
> its critical infrastructure, should _definitely_ have a firewall. :wink:
>
> Why? When did the end2end nature of the Internet suddenly
> sprout these mutant bits of extra complexity that reduce
> the overall security of the 'net?
>
> Two questions asked, Two answers are sufficient.

Nope. One will do it. The day the first remote exploit or condition,
in protocol or application, that could potentially have given rise to such
an exploit made it possible for a user not in your control to gain control
of your box(en), firewalling became necessary. The Internet is not exactly
end-to-end beyond pure fundamentals; it's more end-to-many-ends. And the
notion of "end-to-end" requires preservation of a connection between 2
consenting hosts, and preservation includes securement of that connection
against destructive mechanisms, which includes the subversive techniques and
interceptions commonly associated with network security.

Denial of Service is as much a threat to availability and network
functionality as is power outage if it occurs. Before this turns to a "you
security freaks want to screw around with my network and don't care about
availability..."

Firewalls are logical interventions, costing as little as some processor
overhead. Dedicated appliances are only one deployment. Filters on
routers also qualify as firewalls. Am I correct in understanding that you
feel edge filtering is mutant lunacy and unnecessary complexity?

Regarding dedicated firewalls, please see Mr. Bellovin's previous post
regarding appropriate and competent administration. The lack thereof
presents the complication, not the countermeasure itself.

As for your assertion that firewalls "reduce the overall security of the
'net."...can you please elaborate on that, as well? Other factions might/do
argue that it's the other team refusing to lock their doors at night that
are perpetuating the flux of bad behavior as a close second to the ignorant
and infected.

--ra

Not _firewalling_, but access limitation. Grandma can live with a PNAT
router - she does not need any firewall, if she does not grant external access
to anything. She can live with the Windows _default deny_ setting. If grandma
has extra money, it is better to purchase anti-virus.

Moreover. Just for _grandma_, it can be cheaper to do nothing than to invest
into security (bad thing for us, I know!) - because she loses '$0' in case
of intrusion... It explains the widespread of modern viruses, spam-trojans etc
(they cost '$0' to infected households in many cases).

It is like wireless access - my friend has a secured access point, but when I
tried, I could use the unsecured access points of 2 of his neighbours.
They know about the insecurity - but they do not lose anything, so they do not
want to spend $0.01 to improve it. And unfortunately, I can not blame them.


Rachael Treu wrote:

> _Everyone_ (network connected) should have a firewall. My grandma should
> have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. :wink:

No, the applications should accept only authorized connections. If that would be the case, there would be no need to filter at packet level.

Pete

No, since this would be assuming that each application is perfect and
there's no such thing as buffer overflows and other software bugs
(including those in authentication routines). A firewall is an extra
line of defence in preventing malicious packets from reaching the
destination app and the more people have one the better (although I'm
not sure whether grandma would be too bothered).
It's not bulletproof (and could potentially contain a bug itself) but it
provides additional security, regardless of authentication of
connections.

On Wed, Mar 17, 2004 at 02:01:59PM -0500, Matthew Silvey said something to the effect of:

>
> As for your assertion that firewalls "reduce the overall security of the
> 'net."...can you please elaborate on that, as well? Other factions might/do
> argue that it's the other team refusing to lock their doors at night that
> are perpetuating the flux of bad behavior as a close second to the ignorant
> and infected.
>

> to extend an abstraction:
>
> these factions are arguing about the lock on the door, but it is the door
> that is important. it is a feature of the house, a means of entering and
> exiting. if you argue that all doors must have a lock then you can no longer
> have the freedom of design and creation to decide whether your house will
> have a door for pigeons, hamsters, cats, or humans without deciding how each
> specific door can be accessed by each specific creature.

By that rationale, why must any houses have doors at all?

Further, your analogy doesn't, I feel, hold water in this case.
Let's reverse that portion of said abstraction. I said all doors must
have locks and all edges filters. I did not expound upon to what extent
those edges are filtered. Saying that the doors must be locked does not
have anything to do with whether the doors are for pigeons, hamsters, cats,
or humans... Access control balances this equation. You can lock a
pigeon door with a key that the pigeon can bear and the hamster...

Okay...this is getting absurd. Let's revert to netspeak. :slight_smile:

Access control.

"if you argue that all doors must have a lock then you can no longer
have the freedom of design and creation to decide whether your house will
have a door for pigeons, hamsters, cats, or humans without deciding how each
specific door can be accessed by each specific creature."
  
Exactly. Absolutely! What is wrong with that? That is my point.

This is not an "information wants to be free" argument, guys. You have a
network connection, you have a responsibility to ensure that you manage
your risks and also that you do not enable it to be used to harm others.

You build a corporate intranet server and I want to get into it. Are you
going to let me? Or are you going to design it with the intent that only
corporate hamsters...er...employees can access that specific door. How
about your home network? Mind if I do a little recon and raid your personal
systems for password and personal info harvesting? Do you _use_ passwords,
for that matter? If the argument is really about a means of entering and
exiting and not locking or restricting access, then why bother? Do you
lock the front door to your house?

These wide-swinging doors of which you speak are not practical in terms
of government intelligence. Or physical border control. If your doors--
which given what you are describing are actually doorless doorways and more
closely resemble gaping maws--were appropriate edge deployments, then guards
should drop from perimeter and border walls, passwords should come off
machines, encryption should die, ATM PINs should be decommissioned, and so
on and so forth. Inarguably people complain that passwords are annoying to
maintain and enter and that firewalls are in the way a lot of the time.
Thankfully, many of those complaining are outsiders and intruders that
shouldn't be getting in, too. I imagine that vehicle thieves find door locks
to be a bit of an impairment to their livelihood, too.

This is about access control. Not everything out there is meant to be
collected and used by everyone else. Why do you have doors? So that
people can get in. Why do you lock them? So that only the appropriate
people can. The tenet of effective network security is to make the
holes punched into a network small enough to prevent unauthorized access,
but not so small that functionality is impaired.

It is the goal of security engineers (the decent ones at least) to
determine how things like access controls can best serve and protect,
interoperate with, and withstand the rigors of the network, not the other
way around. Now...how is it that a firewall deployed to protect the
deployer's network is crushing the fundamental network purism or kills
our inner rogue or pens in our data (free range packets, anyone?) These
methodologies are not conjured up in order to irritate those managing
the movement of traffic (legitimately). This is about flow control of
payload, as are stoplights and turnstiles and credit card companies asking
for your mother's maiden name and photo IDs and taking a number at the
butcher or DMV...

> if you're selling services that consist of pushing http/dns/smtp/pop3 traffic
> then you have a much easier time inserting and using any kind of filtering
> system. but if your preventative system stifles the development of new
> applications then you have a losing situation. any kind of filtering
> automatically creates a roadblock for network application development.

If there is no network, there is no netapp development. Denial of
Service then presents something other than a roadblock? Or the hijacking or
prevention of development details and trade secrets? The owning of a
device or deletion of throngs of data to make room for warez...? Bandwidth
consumption due to other security violations...?

Develop in-house, behind edge filters. The only development that edge
filtering gets in the way of is rootkits that the nefarious are testing.
Make use of a competent security professional who knows how to tweak
filters properly for the task at hand and you won't have any "roadblocks"
except for those trying to roadblock the criminal element...

> all in all the cost of the IT staff is probably less than the cost of lost
> development time. it sucks, but any delays on a development schedule can
> translate to potential revenue lost.

And what kind of cost do you think is realized by your providers who are
required by contract and law to maintain security teams and respond to
security incidents? You are merely passing the buck here and shifting
collateral damage.

I'm going to try to climb down from this soapbox now. Remember...we're
all friends here. Neither side wants to halt innovation or network
utilization.

--ra

Erik Haagsman wrote:

> No, the applications should accept only authorized connections. If that
> would be the case, there would be no need to filter at packet level.
>
> No, since this would be assuming that each application is perfect and
> there's no such thing as buffer overflows and other software bugs
> (including those in authentication routines). A firewall is an extra
> line of defence in preventing malicious packets from reaching the
> destination app and the more people have one the better (although I'm
> not sure whether grandma would be too bothered).
> It's not bulletproof (and could potentially contain a bug itself) but it
> provides additional security, regardless of authentication of
> connections.

And I think you have hit it right on the head...another line of defense.
Everything I've ever read about security (network or otherwise) suggests
that a layered approach increases effectiveness. I certainly don't trust a
firewall appliance as my only security device, so I also do prudent things
like disable ports and applications that are not in use on my network and
enforce authentication and authorization for access to legitimate services.

Guys...firewall is as generic a term as any. Saying grandma needs a
router does not mean that an M20 is interchangeable with her Linksys.

The definition of firewall[1]:
1. A fireproof wall used as a barrier to prevent the spread of fire.
2. Computer Science. Any of a number of security schemes that prevent unauthorized users from gaining access to a computer network or that monitor transfers of information to and from the network.

By that rationale, firewall includes ACLs, filtering, and the umpteen
built-in apps that ship standard with home CPE/routers that _call
themselves_ firewall software.

I am absolutely talking access control. Not about an HA Netscreen500
pair with VRRP off redundant switch fabric and H.323 support.

As for your cost commentary, you are absolutely right. I said grandma
needs a firewall, not that she has one or will buy one. That is the
unfortunate disparity between prudence and practical application.

--ra

[1]http://dictionary.reference.com/search?q=firewall

Good point...and that's exactly why in some cases, especially in SOHO
and SMB oriented products, both hardware as well as software vendors can
be part of the security problem by advertising their products as the
definite solution to all security holes. Truly securing even a single
server or host connected to the Internet entails a lot more than just
blocking a few ports, let alone securing a network. By marketing "the
perfect solution" to not-too-clueful admins the actual security holes
only get bigger and harder to track.

On Wed, Mar 17, 2004 at 12:19:53PM -0500, Eric Gauthier said something to the effect of:

> > _Everyone_ (network connected) should have a firewall. My grandma should
> > have a firewall. Nicole, holding dominion over this business network and
> > its critical infrastructure, should _definitely_ have a firewall. :wink:

> By "firewall", do you mean "dedicated unit that does stateful filtering"

No.

> or just "something that will block packets"? We've successfully argued
> to just about every group here at our University who came to us asking for a
> "firewall" that, given what they wanted to achieve, they could accomplish the
> same thing with simple ACLs...

  fire'wall
1. A fireproof wall used as a barrier to prevent the spread of fire.
2. Computer Science. Any of a number of security schemes that prevent unauthorized users from gaining access to a computer network or that monitor transfers of information to and from the network.

> I'm sure that the cost of the ACLs (i.e. $0.00) versus the cost of a firewall
> also helped them in their decision...

This is just a semantic issue. I am putting any packet-level inspection
engine deployed as an access control means into the category of "firewall."
The confusion here would be akin to my retorting with "how on earth is
deploying lists of system object access rights going to protect a network
edge?" :wink: ACL has alternate meanings, as well[1].

A sample of what some vendors call some things:

Cisco: router packet-level access control = ACL
Microsoft: OS object permissioning schema = ACL
Linksys: router packet-level access control = firewall
Juniper: router packet-level access control = firewall filter

:slight_smile:

On Wed, Mar 17, 2004 at 09:48:30AM -0800, Kevin Oberman said something to the effect of:
..snip snip..

> I dislike firewalls for many applications, although I have a Sonic Wall
> on my cable modem. On the whole, they lead to false belief that
> firewalls really make you safe. They also block many interesting
> applications. Things like H.323 conferencing are made vastly more
> complex by firewalls with no easy or canned work-arounds.

H.323 is its own complex, unwieldy mutant (though a lovely one at that),
and it is unfair to throw the baby out with the bathwater in that case.
Something like saying that it's rough to configure MPLS on your cable modem
at home so we should do away with those.

Configured properly, firewalls handle H.323 just fine.

As for false beliefs...

Seat belts aren't guaranteed to save your life if you wrap your car around
a tree, but they improve the chances that you won't pierce the windshield
with your face.

That lid on your coffee cup has a hole in it so you can drink out of it,
but that can spill, too.. Still...which way would you rather have
that cup--lidded or lidless-- when it goes flying out of your cupholder
and into your lap?

A stoplight doesn't actually physically stop traffic. Having a green
light in your direction doesn't actually guarantee that the intersecting
traffic won't plow into you.

Sometimes parachutes don't open properly,
but can you imagine if people gave up skydiving altogether, or skydived
without them, refusing to be lulled into a false sense of safety?

Hrm.

This now becomes an issue of adequate education and precaution. It's not
the fault of the technology if its users are ill-informed...

> One large research site I work closely with has directly opted for IDS
> with a bad attitude (love that description) which has successfully
> blocked many intrusion and DOS attempts with no major failures. Slammer
> did overwhelm it, but it did the same for most everything.

IDS that reacts is, by classical definition, firewalling. The IDS component
merely detects the anomaly. To react is a firewall function.

Does IDS not smack of that false sense of security you mentioned? If
admins refuse to acknowledge attack conditions because the IDS didn't
squawk, does that guarantee that the network is totally peaceful?

> The end-to-end nature of the net is really, really important, but is
> being blocked more and more by those who think the net is web browsing
> and e-mail clients and that everything else is simply an annoyance. This
> attitude is hamstringing network development already and may end up
> turning the commercial Internet into a permanently limited tool with
> fewer real capabilities than the ARPANET had before TCP/IP replaced NCP.

This is a very valid concern. Unfortunately, aside from those in pure
academia, this is the bread and butter for most of us. The HTML-for-the-masses
and email-happy vox populi are the ones subscribing to providers and
buying bandwidth that we are trying to enable.

> Grandma may need a firewall. (My sister DEFINITELY needs one.) But not
> all network connections need or will benefit from a firewall. And many
> systems will exist with significant security flaws because the owners
> believe that the firewall takes care of everything.

As do many owners that believe their Microsoft boxes do everything.
Or nothing. Or that nothing needs to be done to their MS boxes...

> And I think you have hit it right on the head...another line of defense.
> Everything I've ever read about security (network or otherwise) suggests
> that a layered approach increases effectiveness. I certainly don't trust a
> firewall appliance as my only security device, so I also do prudent things
> like disable ports and applications that are not in use on my network and
> enforce authentication and authorization for access to legitimate services.

Unfortunately, it decreases it.

If I turn off file sharing on a Windows server, I'll increase security but
complicate support (in some cases).
If I run an IDS system, I spend time verifying and approving changes done by
maintainers. And so on.

So, it is very important to have a strong FIRST line of defense (inbound
firewalls) and last line (host IDS); it allows you to bring a little more
efficiency by keeping convenient (but not very secure) protocols inside your
internal network. Else, you end up in full paranoia.

Rachael Treu wrote:

> Guys...firewall is as generic a term as any. Saying grandma needs a
> router does not mean that an M20 is interchangeable with her Linksys.

You're preaching to a list with people on it who invented the terms you are
using *and* wrote the books. Stop lecturing and *listen*.

Peter