Security Basics mailing list archives

RE: IPTables Based Firewall Testing


From: "Steve Bremer" <steveb () nebcoinc com>
Date: Thu, 18 Dec 2003 14:40:17 -0600

> Well said, I tip my hat to you.

And I to you as well.  I've enjoyed reading your perspective.

> In your setup you've introduced more systems handling specific
> functions that a good firewall appliance would do in one box.

That's very true.  I believe in separating major functionality onto 
separate hosts to reduce the risk that the compromise of a single 
service would compromise everything (e.g. if our SMTP gateway is 
compromised, it won't affect the HTTP gateway).  I prefer building a 
"firewall infrastructure" rather than a "firewall".  I personally 
think it creates a more secure environment.  That may not be true in 
every environment however if the expertise isn't present.

By using PF and Netfilter together, it is extremely unlikely that a 
single vulnerability would allow an attacker to bypass both devices.  
Having a single type of firewall means that any one vulnerability in 
that firewall could potentially be devastating to your internal LAN.

The other side to this argument is the increased complexity and 
resource requirements that using different firewalls creates.  It is 
true that each has its own configuration syntax, but once you've 
learned the concepts of packet filtering, it isn't too difficult to 
grasp a new syntax.  The resource requirements would vary depending 
on each situation.  

In our environment, I believe the benefits of using different 
firewalls outweigh the drawbacks by quite a bit.  This may not be 
true everywhere however.  

> supplementary equipment. If we compare that to a Checkpoint solution
> your ROI could easily be lower.

I'm sure our setup costs were quite a bit lower initially, but it 
would be interesting to see the costs over a period of 5+ years. 

> Now there is a plethora of tools out there that make managing a
> *NIX firewall and proxy solutions loads easier but the same can be
> said for the appliance solution. I personally think handling a
> netfilter firewall is far easier than handling a PIX but I'm sure our
> Cisco guys on the list could argue the other way.

Usually a person's familiarity with a product is a major factor in 
determining how easy it is to use/administer.  I would agree with you 
about using Netfilter vs a PIX personally, but I'm sure Cisco users 
would argue with us just as you stated.

> All in all I'm a K.I.S.S. man, (Keep it simple stupid),
> especially when it comes to security. The more complicated your
> solution is, the easier for something to slip through the cracks or be
> overlooked.

I prefer the K.I.S.S. method as well.  I believe our setup here is 
fairly easy to administer while meeting our security requirements at 
the same time.  Complexity is quite often bad for security.  However, 
making a modular firewall infrastructure doesn't have to be complex.  
In many ways, it makes it easier to administer in my opinion (e.g. I 
know that I don't have to worry about affecting SMTP traffic when I'm 
upgrading our HTTP proxy, restarting the dns cache on our SMTP 
gateway can't possibly affect our HTTP proxy, permitting one more 
internal host to access the time server in one of our DMZs can't 
accidentally allow traffic from the Internet into the DMZ, etc.)

All of the points you made about resources are valid as well.  6 of 
one, half a dozen of the other I guess...

Cheers!
Steve Bremer
NEBCO, Inc.
System & Security Administrator
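The split Steve describes (a PF box at the border, a Netfilter box between the LAN and the DMZ, each filter with its own matching semantics) modelled as an added Python example. This is not code from the thread or from NEBCO; the addresses, rule sets and topology are constructed assumptions. `allowed` passes a packet only when every box on its path permits it, `permit_ntp_client` is the "one more internal host may reach the time server" change from the post applied to the internal box alone, and the two verdict functions show why a rule list cannot be copied between pf (last matching rule wins) and netfilter (first matching rule wins) without reordering it.

```python
#!/usr/bin/env python3
"""Model of a two-box firewall infrastructure: a pf-style border filter in
front of a netfilter-style internal filter.  Constructed example; the
addresses, rules and topology are assumptions, not NEBCO's configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    accept: bool                 # True = pass/ACCEPT, False = block/DROP
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    quick: bool = False          # pf only: stop evaluating at this rule

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def pf_verdict(rules: List[Rule], pkt: Packet) -> bool:
    """pf semantics: the *last* matching rule wins unless a matching rule is
    marked quick; if nothing matches, pf passes the packet."""
    verdict = True
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.accept
            if rule.quick:
                break
    return verdict


def netfilter_verdict(rules: List[Rule], pkt: Packet, policy: bool = False) -> bool:
    """netfilter semantics: the *first* matching rule in the chain wins; if
    nothing matches, the chain policy applies (DROP here)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.accept
    return policy


# Assumed topology: LAN 10.0.0.0/8, DMZ 192.0.2.0/24, everything else Internet.
LAN, DMZ = ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")


def zone(addr: str) -> str:
    a = ip_address(addr)
    return "lan" if a in LAN else "dmz" if a in DMZ else "internet"


def path(pkt: Packet) -> List[str]:
    """Boxes a packet crosses: Internet<->DMZ via the border box, LAN<->DMZ via
    the internal box, LAN<->Internet through both."""
    zones = {zone(pkt.src), zone(pkt.dst)}
    if zones == {"internet", "dmz"}:
        return ["border"]
    if zones == {"lan", "dmz"}:
        return ["internal"]
    if zones == {"lan", "internet"}:
        return ["internal", "border"]
    return []


# Border box (pf): block all, then publish only the DMZ service; LAN egress.
BORDER = [
    Rule(False),                                          # block all
    Rule(True, dst="192.0.2.25", proto="tcp", dport=25),  # SMTP gateway
    Rule(True, src="10.0.0.0/8"),                         # LAN -> Internet, already filtered inside
]

# Internal box (netfilter, policy DROP): LAN may only reach the HTTP proxy.
INTERNAL = [
    Rule(True, src="10.0.0.0/8", dst="192.0.2.80", proto="tcp", dport=3128),
    Rule(False, src="10.0.0.0/8", dst="192.0.2.0/24"),    # any other LAN -> DMZ traffic
]


def permit_ntp_client(rules: List[Rule], host: str) -> List[Rule]:
    """The change from the post: let one more internal host reach the DMZ time
    server.  Inserted at the head of the chain because first match wins."""
    return [Rule(True, src=host, dst="192.0.2.123", proto="udp", dport=123)] + rules


def allowed(pkt: Packet, border=BORDER, internal=INTERNAL) -> bool:
    """A packet gets through only if every box on its path permits it."""
    checks = {"border": lambda p: pf_verdict(border, p),
              "internal": lambda p: netfilter_verdict(internal, p)}
    return all(checks[box](pkt) for box in path(pkt))


if __name__ == "__main__":
    ntp = Packet("10.0.0.25", "192.0.2.123", "udp", 123)
    outside_ntp = Packet("203.0.113.5", "192.0.2.123", "udp", 123)
    opened = permit_ntp_client(INTERNAL, "10.0.0.25")
    print("LAN host -> DMZ NTP before/after:", allowed(ntp), allowed(ntp, internal=opened))
    print("Internet -> DMZ NTP before/after:", allowed(outside_ntp), allowed(outside_ntp, internal=opened))
```

Opening the time server to one more LAN host changes only the internal box's chain; the border box's verdict for an Internet source is untouched, which is the separation the post argues for. The last assertions in the accompanying check also show the porting trap: the border list read with netfilter's first-match semantics would block SMTP, because "block all" sits first.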
