Firewall Wizards mailing list archives

Re: Botnets, IRC servers and firewalls?


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 04 Feb 2004 12:15:15 -0500

Paul Robertson wrote:
> [Darned mired lurkers with too many cool toys at work...]

I've seen (and played with) Abe's toys. It's scary... I was out there
and asked for some temp space for a process I was running and
Abe says, "uh. ok. here. I just allocated you a terabyte area that
you can have for the week." Daaaaaaamn.

> as Daniel Hartmeier pointed out here last year sometime, stateful firewalls
> are blazingly fast doing state lookups- there's no good reason that some
> portion of the routing/firewalling infrastructure shouldn't be handling
> egress traffic policy.

Yeah. Let's see here:
        get a packet, do a hash to locate the flow it's related to, and
        compare the sequence number to see if it's in window. check
        the packet and see if it's a FIN or RST. spank its bottom and
        send it along.

Speaking of which - my money says that proxy firewalls are gonna
make a big comeback as soon as we "the industry" realize
that simplistic "stateful filtering" isn't going to cut it for much
longer. There will be hardware assists and whatnot and the
"proxies" will be in-kernel modules and on-card modules but
they'll be doing TCP termination and stuff like that. (e.g.:
real proxying)

> Personally, I always preferred to have application gateways who were the
> only boxes *allowed* to speak outside the network- made my filtering rules
> so much easier.

It's not just easier, it's a whole lot more secure. You can
have a network where you have no default routes to the Internet.
That does a heck of a lot to confuse bots and makes them very
easy to detect.

mjr. 
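The per-packet state lookup Marcus sketches above (hash the flow key, check the sequence number against the window, notice FIN/RST, forward), as an added example that is not from the original post or from any firewall product. It models one direction of a TCP flow; the Packet and Flow records, the 5-tuple key and the drop/forward strings are assumptions made for the example, and the in-window test is done modulo 2^32 so it survives sequence-number wrap.

```python
from dataclasses import dataclass

SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


@dataclass
class Packet:  # constructed stand-in for a parsed TCP segment (one direction)
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    length: int   # payload bytes carried
    flags: set    # e.g. {"FIN"} or {"RST"}


@dataclass
class Flow:
    next_seq: int         # next sequence number we expect from this side
    window: int           # bytes the peer currently advertises
    closing: bool = False # set once a FIN has been seen


class FlowTable:
    """Minimal stateful table: unknown flows are dropped (egress policy)."""

    def __init__(self):
        self.flows = {}  # dict hashes the 5-tuple key for us

    @staticmethod
    def key(p):
        return (p.src, p.sport, p.dst, p.dport, "tcp")

    def open(self, p, window):
        # In a real firewall this happens on a policy-permitted SYN.
        self.flows[self.key(p)] = Flow(next_seq=p.seq, window=window)

    def process(self, p):
        f = self.flows.get(self.key(p))
        if f is None:
            return "drop: no flow"
        # Distance from the expected sequence number, modulo the wrap point.
        if (p.seq - f.next_seq) % SEQ_MOD >= f.window:
            return "drop: out of window"
        f.next_seq = (p.seq + p.length) % SEQ_MOD
        if "RST" in p.flags:
            del self.flows[self.key(p)]     # reset tears the state down at once
            return "forward: reset, flow removed"
        if "FIN" in p.flags:
            f.closing = True                # remember the half-close
        return "forward"
```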
