Firewall Wizards mailing list archives

Re: Botnets, IRC servers and firewalls?


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 04 Feb 2004 11:47:09 -0500

Abe Singer wrote:
> Where are the numbers that show the impact of egress filtering on a router?

There are none.

> I've seen spec-sheets (and watched tests) for devices that do gigabit
> stateful firewalling (seq checking, some layer 7, etc) - at what amounts
> to wire speed for all intents and purposes.

> I have heard this same argument many times.  Several networking people have
> directly told me this, and said that there are numbers to back it up, but have
> repeatedly failed to provide those numbers.  I'm starting to wonder if this
> isn't just an urban legend.

It's not an urban legend - it's wishful thinking. What happens is that
when you crush one objection they come up with another and another
and another. What they really are trying to say is "no I don't want to
do that." You can either fight the objections in detail - in which case
you are left with pitting your creativity in debate against theirs. Back
when I used to run into this stuff (when I was doing network security
design consulting) my approach was usually to let them raise one
objection (and performance was the first) and crush it, then another, and
then I'd say, "well, obviously you're just going to come up with one
reason after another for not doing it. Let's just get your boss and your
boss' boss in a conference room and cut to the chase and stop
chasing our tails over these red herrings." Oddly, this never won
me popularity contests. ;)

> If anyone has them, I'd love to see them.  Forgive me if this has been
> discussed on fw-wiz in the past, and if so just point me at the articles
> and I'll read 'em myself.

There are none. Someone back about 5 years ago did some work
on Cisco router latency measurements, and Andrew Molitor and I
did some firewall benchmarking in 1993 (there was a paper by Molitor
and Kostick back when they were at Network Systems) and concluded
that: a) proxy firewalls are plenty fast but b) they are slower than a router
with firmware support for filtering. Duh. Nowadays, you look at something
like a Toplayer IPS switch, and the thing has tons of silicon devoted
to rules-processing - speed is NOT the problem.

Another fun area is bandwidth. I had a Network Guy once try to block
an organization's doing anything with logging because "it would hog
bandwidth" - you should have seen his face when I unrolled MRTG
stats I'd gotten from Another Network Guy at the same organization
that showed less than 2% utilization. Oops. After the first couple of
times you loudly pop their objections in their faces, they learn that it's
going to hurt, and they start playing office politics behind your back
or adopt the "we'll just wait until your contract is up and you leave"
strategy. I can't count the number of times that I convinced a CIO or
CTO to implement logging and egress filtering, only to find out a
year later that the whole thing had been shelved because of passive
resistance from the Network Guys who trotted the usual bullsh*t out
as soon as the dust settled.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards