Firewall Wizards mailing list archives

Re: Protecting a datacentre with a firewall


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Mon, 05 May 2003 01:31:12 +0200


mag wrote:

> On 2003-05-04, Mikael Olsson wrote:
>> mag wrote:
>>> Also, PIXen are not just too suboptimal to be called firewalls,
>>> but also for intranet firewalling you need a level of flexibility
>>> you cannot achieve with a blackbox-style product, and with the
>>> so-called market leader firewalls.
>>
>> You're raising a big stink here. Especially when you continue
>> by touting a firewall that you contribute to yourself.
>
> I was telling the truth. We have found that there are no usable
> firewalls on the market, so we had to develop one.

You know... "Everything sucks, I'm gonna build something better!"
is an OK thing to say before you've actually started.
At this point, it just reeks of self interest.


>> Those "blackbox-style products" that you so rapidly dismiss as
>> useless will in many cases prove more valuable than any kind of
>> home-grown solution.  When something is too costly to maintain -
>> in terms of money or time (often the latter) - it
>> doesn't get done.  It's that simple.
>
> If you do not know what you are doing, then do not do that, because
> you will do more harm than good. It's that simple.

Should I take that as "if you don't know the intimate details of
every protocol that business needs dictate that you pass through
your firewall, you shouldn't be a firewall admin"?

Sorry, that just does not compute.  That would exclude something
like ... well.. ALL firewall admins except a select few.  Not
everyone is a programmer, and I for one wouldn't want to see the
Internet that would result from such a crazy restriction.

(I'll readily admit that I may have misinterpreted your statements
 here, though reading between the lines, it just seems to me that
 this is what you are implying.)


[more of "all firewalls suck except zorp"]
> For the better ones it means that they can control up to ten percent
> of the features of the protocol. Pathetic. I would consider it shameful
> if we were to deliver a proxy which cannot control all aspects of its
> protocol and whose documentation did not start with a warning about
> that fact.

You know... I think I see where you're coming from here.
Looking at a network layout with a choke point and doing the risk
analysis dance easily leads to the conclusion "damn, but wouldn't it
be nice if we could control _everything_ here?".

Said and done - you take every protocol that you need to push through
and implement a server AND a client for it, and then put it in the 
firewall.  Now you can guarantee 100% protocol compliance.

What did this buy you?

- People can't SSH or send mail through port 80. That's nice. Sort of.
  Unless they run it through httptunnel, of course.

- People can't exploit a web server by talking POP3 to it.
  Oops, they couldn't do that to begin with.

- You can control what aspects of a protocol that people 
  can use, which might be nice for some protocols.

However:

- You still don't know how the receiving application is going
  to handle this 100% compliant protocol data.  You seldom
  exploit things by giving them a copy of /dev/urandom.  
  You usually need to keep (just) within the boundaries of the
  protocol.

- You have now exposed that which you were trying to protect - the
  protocol handlers themselves; you end up with quite a hefty kloc 
  count *on the firewall itself*. 
  Granted, it's not the full application, but all the protocol 
  logic is (according to you) there.

  By the original reasoning, you now need another firewall outside 
  the firewall ... no?


I would also be curious to know what kind of security model you're
advocating here?  If one assumes that one has a finite amount of
time to spend, and elects to spend it on tinkering with the firewall,
it would suggest, to me, that one ends up with a classic "hard 
shell, squishy interior" setup.

(I'm assuming "lots of tinkering with the firewall" simply based 
 on your claims that one _needs_ a firewall and OS that can be
 tinkered with a lot -- to me, that implies that one actually
 needs to _do_ a lot of tinkering... ?)


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards