Security Basics mailing list archives
RE: IPTables Based Firewall Testing
From: "Steve Bremer" <steveb () nebcoinc com>
Date: Thu, 18 Dec 2003 14:40:17 -0600
Well said, I tip my hat to you.
And I to you as well. I've enjoyed reading your perspective.
In your setup you've introduced more systems handling specific functions that a good firewall appliance would do in one box.
That's very true. I believe in separating major functionality onto separate hosts to reduce the risk that the compromise of a single service would compromise everything (e.g. if our SMTP gateway is compromised, it won't affect the HTTP gateway). I prefer building a "firewall infrastructure" rather than a "firewall". I personally think it creates a more secure environment. That may not be true in every environment, however, if the expertise isn't present. By using PF and Netfilter together, it is extremely unlikely that a single vulnerability would allow an attacker to bypass both devices. Having a single type of firewall means that any one vulnerability in that firewall could potentially be devastating to your internal LAN. The other side to this argument is the increased complexity and resource requirements that using different firewalls creates. It is true that each has its own configuration syntax, but once you've learned the concepts of packet filtering, it isn't too difficult to grasp a new syntax. The resource requirements would vary depending on each situation. In our environment, I believe the benefits of using different firewalls outweigh the drawbacks by quite a bit. This may not be true everywhere, however.
supplementary equipment. If we compare that to a Checkpoint solution your ROI could easily be lower.
I'm sure our setup costs were quite a bit lower initially, but it would be interesting to see the costs over a period of 5+ years.
Now there are a plethora of tools out there that make managing a *NIX firewall and proxy solutions loads easier but the same can be said for the appliance solution. I personally think handling a netfilter firewall is far easier then handling a PIX but I'm sure our Cisco guys on the list could argue the other way.
Usually a person's familiarity with a product is a major factor in determining how easy it is to use/administer. I would agree with you about using Netfilter vs. a PIX personally, but I'm sure Cisco users would argue with us just as you stated.
All in all I'm a K.I.S.S. man, (Keep it simple stupid), especially when it comes to security. The more complicated your solution is, the easier for something to slip through the cracks or be overlooked.
I prefer the K.I.S.S. method as well. I believe our setup here is fairly easy to administer while meeting our security requirements at the same time. Complexity is quite often bad for security. However, making a modular firewall infrastructure doesn't have to be complex. In many ways, it makes it easier to administer in my opinion (e.g. I know that I don't have to worry about affecting SMTP traffic when I'm upgrading our HTTP proxy, restarting the DNS cache on our SMTP gateway can't possibly affect our HTTP proxy, permitting one more internal host to access the time server in one of our DMZs can't accidentally allow traffic from the Internet into the DMZ, etc.). All of the points you made about resources are valid as well. Six of one, half a dozen of the other, I guess...

Cheers!

Steve Bremer
NEBCO, Inc.
System & Security Administrator