Firewall Wizards mailing list archives

Re: Botnets, IRC servers and firewalls?


From: Paul Robertson <proberts () patriot net>
Date: Tue, 3 Feb 2004 18:49:26 -0500 (EST)

On Tue, 3 Feb 2004, Abe Singer wrote:

> [ And Abe arises from the mire where he has been silently lurking to say: ]

[Darned mired lurkers with too many cool toys at work...]


> Where are the numbers that show the impact of egress filtering on a router?
> I have heard this same argument many times.  Several networking people have
> directly told me this, and said that there are numbers to back it up, but have
> repeatedly failed to provide those numbers.  I'm starting to wonder if this
> isn't just an urban legend.

It is- especially if you do permits for the "approved" and voluminous
traffic first in the list.  We got the same arguments for ingress
filtering, but it seems most folks are over that hurdle now (you should
have seen when we made it a requirement for our risk management customers
initially!)  The legend must die- IOS is much better than it ever was, and
as Daniel Hartmeier pointed out here last year sometime, stateful firewalls
are blazingly fast doing state lookups- there's no good reason that some
portion of the routing/firewalling infrastructure shouldn't be handling
egress traffic policy.

Personally, I always preferred to have application gateways who were the
only boxes *allowed* to speak outside the network- made my filtering rules
so much easier.  If you're not talking HTTP to the HTTP proxy, or your
proprietary gateway isn't talking SMTP to the SMTP proxy, it's not going
out unless it's my internal nameserver talking to my external
nameserver...

> If anyone has them, I'd love to see them.  Forgive me if this has been
> discussed on fw-wiz in the past, and if so just point me at the articles
> and I'll read 'em myself.

> [ And Abe sinks back down into the mire to ponder more trivial things ]

Router and firewall performance stats are a blackhole- it's easy to skew
the numbers.  IOS has come a long way in fast switching in the last few
years though- and I think that was lost on a lot of people.

If you start with permits for traffic to the default Web port and SSL
port, and your internal nameservers, you're 90% of the way there, and the
router's going to do just fine.  Spread the load back to earlier routers,
or between the router and the firewall, and you'll do even better...

</soapbox>

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
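The ordering argument made above (permit the approved, voluminous gateway traffic first; explicit denies and the catch-all afterwards) as an added example, not code from the thread: a small first-match ACL model with a constructed gateway-only egress policy and a constructed traffic mix, showing that both orderings reach the same decisions while permits-first touches far fewer entries per packet. All addresses, ports in the deny list and packet counts are constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

def matches(rule, pkt):
    """rule = (action, proto, src_net, dst_net, dport or None); pkt = (proto, src, dst, dport)."""
    _, proto, src, dst, dport = rule
    return (proto in ("ip", pkt[0]) and ip_address(pkt[1]) in src
            and ip_address(pkt[2]) in dst and dport in (None, pkt[3]))

ANY, INSIDE = ip_network("0.0.0.0/0"), ip_network("10.0.0.0/24")  # constructed
PROXY, SMTP_GW = ip_network("10.0.0.10/32"), ip_network("10.0.0.25/32")
INT_NS, EXT_NS = ip_network("10.0.0.53/32"), ip_network("192.0.2.53/32")

PERMITS = [  # the approved, voluminous traffic: only the gateways may leave
    ("permit", "tcp", PROXY, ANY, 80),
    ("permit", "tcp", PROXY, ANY, 443),
    ("permit", "tcp", SMTP_GW, ANY, 25),
    ("permit", "udp", INT_NS, EXT_NS, 53),
]
DENIES = [  # explicit denies worth logging; each is disjoint from every permit
    ("deny", "tcp", INSIDE, ANY, 6667),
    ("deny", "udp", INSIDE, ANY, 137),
]
CATCH_ALL = ("deny", "ip", INSIDE, ANY, None)
PERMITS_FIRST = PERMITS + DENIES + [CATCH_ALL]
DENIES_FIRST = DENIES + PERMITS + [CATCH_ALL]

def evaluate(rules, pkt):
    """First match wins, as in a router ACL; returns (action, entries examined)."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule[0], n
    return "deny", len(rules)  # implicit deny when nothing matched

# Constructed traffic mix as (packet, count), dominated by the proxy's web traffic.
TRAFFIC = [
    (("tcp", "10.0.0.10", "203.0.113.8", 80), 700),
    (("tcp", "10.0.0.10", "203.0.113.8", 443), 250),
    (("udp", "10.0.0.53", "192.0.2.53", 53), 30),
    (("tcp", "10.0.0.25", "203.0.113.25", 25), 15),
    (("tcp", "10.0.0.77", "203.0.113.9", 6667), 3),  # workstation going out direct
    (("tcp", "10.0.0.77", "203.0.113.8", 80), 2),    # workstation bypassing the proxy
]
def mean_rules_examined(rules):
    """Average ACL entries touched per packet; lower means less router work."""
    return sum(evaluate(rules, p)[1] * c for p, c in TRAFFIC) / sum(c for _, c in TRAFFIC)

def same_policy(a, b):
    """True when both orderings reach the same decision for every flow in the mix."""
    return all(evaluate(a, p)[0] == evaluate(b, p)[0] for p, _ in TRAFFIC)
```

With this mix the permits-first list averages about 1.4 entries per packet against about 3.4 for denies-first, with identical accept/deny outcomes.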

