Firewall Wizards mailing list archives
RE: Firewalls Compared
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 29 Jun 2004 18:51:24 -0400
Stiennon, Richard wrote:
> Am I the only one that sees a huge difference between an application proxy (ala the good old days of server based firewalls) and filters that are applied to payloads (ala Network Intrusion Prevention) by inline network devices?
You're probably not the only one, but that doesn't make your view any closer to accurate. ;) In both cases, you're intercepting traffic (by being in the routing path, or on the wire) and doing layer 7 analysis to apply a policy or detect and attempt to prevent abusive activity. Whether you call it a filter or a signature or a proxy, it's all just a chunk of code that "knows" something about the protocol and mediates/permits/denies based on the content and protocol state. There are differences, as you say - mostly, however, they're historical and evolutionary differences, or implementation differences. The old server centric proxy firewalls took advantage of the system's existing IP stack to do reassembly; the IDS evolutionary stream evolved it from nothing, and the "stateful multilevel packet inspection" evolutionary stream evolved up the stack from a very minimal implementation. The firewall stream started out being policy focused and is becoming vulnerability focused, where the IDS stream started out being vulnerability focused and is becoming policy focused. But, historical implementation details aside, the differences between these technologies are largely in the heads of marketing weenies and the industry analysts they own.
> Let's keep in mind that stateful inspection firewalls are GREAT security devices. They protect over 80% of enterprise networks today.
Market share doesn't say anything about quality. If market share were a metric of quality then Windows would be the greatest operating system that has ever been. Stateful inspection firewalls are an adequate security device for many purposes. They are just good enough to let most companies feel that they have security, while still giving them good performance and not impacting the user experience enough to get the firewall torn out as a result of layer 8 contention. Unfortunately, as botnets, trojans, and spyware are showing us (and it's going to get worse) unfettered transparent access is not compatible with high security. And, we've seen that the advanced packet screens (which is all a "stateful inspection" firewall is) do a very poor job of protecting systems behind them against incoming traffic. That has spawned a whole secondary market for kludges like web-specific application gateways -- if these "stateful inspection firewalls" were so great, they'd actually, uh, statefully inspect, or something like that.
> However, worms can come in through infected laptops or third party connections. When they connect directly to the corporate LAN you are toast. It turns out IPS is great at blocking worms and it is easier to deploy IPS internally because policy setting is simple: MS Blaster yes/no?
Now you're back to touting IPS. We were talking about the questionable utility of screening-only "firewalls" in a world where attacks are increasingly Layer 7-oriented. The IPS products are doing more Layer 7 processing than a lot of the "stateful inspection" firewalls ever will. I think that it's great that they do that, and, behind the relentless hype, I think that IPS makes a lot of sense - adding signatures to firewalls is a great idea. As long as the firewall is sound, and the signature engine is reliable.
> Worms generally target Microsoft vulnerabilities. Are you going to write application proxies for Exchange? ASN 1?
No, you can only write useful proxies for services that are well-documented, minimizable, and tolerably designed. From a security standpoint there is probably nothing useful that can be done to Exchange other than holding it down and putting a stake in its heart. ASN1 is an encoding standard, not an application protocol. You can't application proxy an encoding standard! Or are we playing buzzword bingo?
> Does anyone other than MSFT even know how these applications communicate? Not.
Precisely; which is why only a complete wanna-be victim would allow such a broken piece of software across an enterprise perimeter.
> But, you know what the vulnerability looks like and could look at traffic and identify malicious activity even without signatures. The future of network security is all about inspecting traffic. It is not about application proxies.
You're probably right but not for the reasons you think you are. You're right because most organizations want low-carb, low calorie, light and refreshing security. The kind that tastes great, but is less filling. The kind that comes with a zingy hypeful perky sounding name and the promise of "prevention" without the pain of "policy". Of course, they'll continue to get hacked to bits. Let's be realistic about something: we're in an industry where expenditures on security keep going up and up and so do the number of machines getting hacked. What does that tell me? It tells me that low-carb security doesn't work. The problem with IPS is that it's based on vulnerability, not policy. It's going to be able to shoot down all the bad guys it knows about. And ONLY the bad guys it knows about. That's very nice, but that does not FIX anything. You're completely right that the future of security is not application proxies and "old school" security technologies. There's still too much money to be made selling products that almost work, and then selling add-ons and kludge-ons that offer the hope that "next time we'll get it right." Hey, why run a mailer that doesn't suck, when you can run Exchange and buy a $60,000 box to put next to it that TRIES REAL HARD to make it not suck.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
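As an added illustration of the policy-versus-vulnerability distinction Ranum draws above (this is not code from the post or the list), a toy Python comparison of a signature-only engine, which denies only what it already knows, against a minimal protocol-policy check, which allows only what the policy describes. The sample requests, the signatures and the allowed request grammar are all constructed for the example.

```python
import re

# Constructed sample requests (not captured traffic): benign, known-bad, and novel.
REQUESTS = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "known_bad": b"GET /a/../b HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "novel": b"PROPFIND /docs/ HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
}

# Vulnerability-focused engine: a list of patterns it already knows are bad.
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./"),
    "oversize-request-line": re.compile(rb"^[^\r\n]{512,}", re.M),
}

def ips_verdict(req: bytes) -> str:
    """Default allow; deny only when a known signature matches."""
    return "deny" if any(s.search(req) for s in SIGNATURES.values()) else "allow"

# Policy-focused proxy: a minimal description of what the policy permits.
ALLOWED_METHODS = {b"GET", b"HEAD"}
ALLOWED_VERSIONS = {b"HTTP/1.0", b"HTTP/1.1"}
PATH_GRAMMAR = re.compile(rb"^/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]*$")

def proxy_verdict(req: bytes) -> str:
    """Default deny; allow only a request the policy fully understands."""
    head, sep, _body = req.partition(b"\r\n\r\n")
    if not sep:  # incomplete header block: the proxy does not guess
        return "deny"
    request_line, *headers = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or len(request_line) > 512:
        return "deny"
    method, path, version = parts
    if method not in ALLOWED_METHODS or version not in ALLOWED_VERSIONS:
        return "deny"
    if not PATH_GRAMMAR.match(path) or b".." in path.split(b"/"):
        return "deny"
    if not any(h.lower().startswith(b"host:") for h in headers):
        return "deny"
    return "allow"

def compare(requests: dict) -> dict:
    """Run both engines over each request; returns {name: (ips, proxy)}."""
    return {name: (ips_verdict(r), proxy_verdict(r)) for name, r in requests.items()}

if __name__ == "__main__":
    for name, (ips, proxy) in compare(REQUESTS).items():
        print(f"{name:10s} IPS={ips:5s} proxy={proxy}")
```

The "novel" request is the point: no signature describes it, so the signature engine passes it, while the policy check denies it because the method is outside what the policy permits.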