Firewall Wizards mailing list archives
Re: Protecting a datacentre with a firewall
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Mon, 05 May 2003 01:31:12 +0200
mag wrote:
> On 2003-05-04 (Sun), Mikael Olsson wrote:
>> mag wrote:
>>> Also, PIXen are not just too suboptimal to be called firewalls, but also for intranet firewalling you need a level of flexibility you cannot achieve with a blackbox-style product, and with the so-called market leader firewalls.
>> You're raising a big stink here. Especially when you continue by touting a firewall that you contribute to yourself.
> I was telling the truth. We found that there were no usable firewalls on the market, so we had to develop one.
You know... "Everything sucks, I'm gonna build something better!" is an OK thing to say before you've actually started. At this point, it just reeks of self interest.
>> Those "blackbox-style products" that you so rapidly dismiss as useless will in many cases prove more valuable than any kind of home-grown solution. When something is too costly to maintain - in terms of money or time (often the latter) - it doesn't get done. It's that simple.
> If you do not know what you are doing, then do not do that, because you will do more harm than good. It's that simple.
Should I take that as "if you don't know the intimate details of every protocol that business needs dictate that you pass through your firewall, you shouldn't be a firewall admin"? Sorry, that just does not compute. That would exclude something like ... well.. ALL firewall admins except a select few. Not everyone is a programmer, and I for one wouldn't want to see the Internet that would result from such a crazy restriction. (I'll readily admit that I may have misinterpreted your statements here, though reading between the lines, it just seems to me that this is what you are implying.)
[more of "all firewalls suck except zorp"]
> For the better ones it means that they can control up to ten percent of the features of the protocol. Pathetic. I would consider it shameful if we delivered a proxy which could not control all aspects of its protocol and whose documentation did not start with a warning about that fact.
You know... I think I see where you're coming from here. Looking at a network layout with a choke point and doing the risk analysis dance easily leads to the conclusion "damn, but wouldn't it be nice if we could control _everything_ here?". Said and done - you take every protocol that you need to push through and implement a server AND a client for it, and then put it in the firewall. Now you can guarantee 100% protocol compliance.

What did this buy you?

- People can't SSH or send mail through port 80. That's nice. Sort of. Unless they run it through httptunnel, of course.
- People can't exploit a web server by talking POP3 to it. Oops, they couldn't do that to begin with.
- You can control what aspects of a protocol people can use, which might be nice for some protocols.

However:

- You still don't know how the receiving application is going to handle this 100% compliant protocol data. You seldom exploit things by giving them a copy of /dev/urandom. You usually need to keep (just) within the boundaries of the protocol.
- You have now exposed that which you were trying to protect - the protocol handlers themselves; you end up with quite a hefty kloc count *on the firewall itself*. Granted, it's not the full application, but all the protocol logic is (according to you) there. By the original reasoning, you now need another firewall outside the firewall ... no?

I would also be curious to know what kind of security model you're advocating here? If one assumes that one has a finite amount of time to spend, and elects to spend it on tinkering with the firewall, it would suggest, to me, that one ends up with a classic "hard shell, squishy interior" setup. (I'm assuming "lots of tinkering with the firewall" simply based on your claims that one _needs_ a firewall and OS that can be tinkered with a lot -- to me, that implies that one actually needs to _do_ a lot of tinkering... ?)
-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
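The "you can control what aspects of a protocol people can use" point, and its httptunnel caveat, can be made concrete with a small protocol-aware filter. The following is example code added to this archive page; it is not from the thread, from Clavister or from the Zorp project. It checks one buffered HTTP/1.x request the way an application proxy would before relaying it: request-line syntax, a method allow-list, header syntax, a Host header, and a Content-Length that matches the bytes actually received. The simplified grammar, the function name `inspect_http_request`, and the sample traffic are all assumptions constructed for the illustration.

```python
import re

# Added illustration (not from the thread): a minimal protocol-aware
# filter for HTTP/1.x requests, of the kind a proxy firewall would run
# before relaying to the real web server. Names and the simplified
# grammar below are assumptions made for this example.

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # policy: which "aspects" of HTTP are permitted
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>[^ ]+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def inspect_http_request(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one buffered request.

    Enforces request-line syntax, the method allow-list, header syntax,
    presence of Host, and that Content-Length matches the body received.
    It deliberately does NOT interpret the body: to HTTP the body is opaque
    octets, so data that is compliant at this layer passes regardless of
    what the receiving application will make of it.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of headers"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method = m.group("method").decode("ascii")
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    headers: dict[bytes, bytes] = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            return False, "malformed header line"
        headers[h.group(1).lower()] = h.group(2)
    if b"host" not in headers:
        return False, "missing Host header"
    declared = headers.get(b"content-length")
    if declared is None:
        if body:
            return False, "body without Content-Length"
    elif not declared.isdigit() or int(declared) != len(body):
        return False, "Content-Length mismatch"
    return True, "compliant"


# Constructed sample traffic for the demonstration (not captured data).
SAMPLE_SSH_BANNER = b"SSH-2.0-ExampleClient\r\n"   # raw SSH at port 80: no HTTP framing, rejected
SAMPLE_CONNECT = b"CONNECT mail.example.test:25 HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"
SAMPLE_BAD_LENGTH = b"POST /x HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 99\r\n\r\nabc"
# A syntactically perfect POST whose opaque body happens to be the same
# SSH banner: the filter accepts it, which is the caveat raised in the thread.
SAMPLE_POST = (b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n"
               b"Content-Length: 21\r\n\r\n" + b"SSH-2.0-ExampleClient")

if __name__ == "__main__":
    for name, req in [("ssh banner", SAMPLE_SSH_BANNER), ("CONNECT", SAMPLE_CONNECT),
                      ("bad length", SAMPLE_BAD_LENGTH), ("tunnelled POST", SAMPLE_POST)]:
        print(f"{name:15} -> {inspect_http_request(req)}")
```

The first three samples show what such a filter does buy: anything that is not HTTP, any method outside policy, and any framing inconsistency is stopped at the choke point. The last sample shows the limit the reply describes: once a request is fully compliant, the filter has no basis for a decision, and what happens next depends entirely on how the server behind it handles that compliant input.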