Firewall Wizards mailing list archives
Re: Thoughts on the new Cisco ASA 5500 firewalls
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sat, 21 May 2005 13:21:17 -0400
Chris Byrd wrote:
I respectfully disagree. Your overall assertion, that proxy firewalls are inherently more secure than stateful firewalls, is obviously correct. However, I feel that you fail to consider the realities of "real life" implementation.
I've done a hell of a lot of "real life" implementations and am intimately familiar with the realities as I understand them. As I understand them, the realities of real life implementation are widely believed to be that everything is a compromise. That there is a compromise between security and performance. That there is a compromise between security and ease of use, etc, etc. Compromise, compromise, compromise. The problem with that approach is that in order to make a wise decision about trade-offs and compromises you need to understand what you are measuring - and virtually nobody does that. They just jump to "Well, we CAN'T compromise on performance so we'll put a swiss-cheese 'stateful' firewall in because their powerpoints say they're really FAST and their competitors are really slow and we don't really even KNOW what loads our network really handles anyhow so since we're so completely ignorant we'll buy the SHINY one."
Most implementations of stateful firewalls are backed up by application proxies on the most popular protocols such as HTTP and FTP.
Yeah, because they suck. :)
The purpose of the DI firewall in this case is to remove the "low hanging fruit" of worms, network scans, etc., and let the application proxy catch the rest.
No, you're wrong. What's going on is that network managers are going to put these "deep inspection" devices in place, feel safe, and never make any effort to understand if they are effective or not. You fell for it too. Observe your comment above: "worms, network scans, etc." *WHICH* worms? Hey, some of these "deep inspection" devices know how to block 12 different worms! WOW! *WHICH* scans? Guess what? NONE of them block scans. Go find me a "deep inspection" firewall that "knows" how to block scans. They don't block scans because a lot of scans look like Chuck's 'legitimate' traffic and cannot be blocked. They don't block denial-of-service attacks - except for a few that aren't being used anymore like ping-of-death that are easy to detect. So you're already talking like this device does something useful and haven't made any assessment as to what it actually does and whether that'd be useful to you in the first place. Hey, if your internet-facing systems are vulnerable to SQL Slammer, they've already gone down. Want to protect against Slammer? Your incoming router's default deny rule should already be catching all SQL incoming anyhow.
Further, proxy firewalls have their downsides. Application proxies are implemented in general purpose processors, limiting their overall performance.
They are? *ALL* of them? Really? Why? Performance? Is that a problem? Have you measured your network utilization? Have you measured the bandwidth limitations of the proxy system? Have you measured what happens to a "deep inspection" firewall when you turn on URL screening and it's no longer going through the fast path in the switch and is being vectored instead to the general purpose processor running Web Trends? 'Cuz that's what happens. Sounds to me like you read a bunch of powerpoints and marketing fluff and believed it.
An application proxy must be written for every possible protocol.
So does a "deep inspection" module, if it's "deep" in any sense of the word. Look at something like NetScreen's documentation on their current firewall - it has "deep inspection" for 6 whole Internet application protocols! WOW! What does it do with protocols it doesn't have "deep inspection" for? Well, it lets the traffic scream right through, doesn't it? WOW! That sounds to me like 'default permit' which is idiot quality security.
Encrypted traffic often defies proxying.
Encrypted traffic always defies "deep inspection"
And, despite best intentions, sometimes applications don't always follow protocol rules.
Yes, and when they don't, they should be blocked and investigated.
I'd take a stateful firewall combined with specific application proxies and host based intrusion prevention over a proxy firewall any day.
I can tell you would. I'll take security over a feel-good truckload of shiny powerpoint-based garbage any day. mjr. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Thoughts on the new Cisco ASA 5500 firewalls Chris Byrd (May 18)
- Re: Thoughts on the new Cisco ASA 5500 firewalls Paul D. Robertson (May 19)
- RE: Thoughts on the new Cisco ASA 5500 firewalls Paul Melson (May 19)
- Re: Thoughts on the new Cisco ASA 5500 firewalls ArkanoiD (May 20)
- Message not available
- Re: Thoughts on the new Cisco ASA 5500 firewalls Chris Byrd (May 19)
- Re: Thoughts on the new Cisco ASA 5500 firewalls Tichomir Kotek (May 20)
- Re: Thoughts on the new Cisco ASA 5500 firewalls ArkanoiD (May 20)
- Re: Thoughts on the new Cisco ASA 5500 firewalls Marcus J. Ranum (May 20)
- Message not available
- Re: Thoughts on the new Cisco ASA 5500 firewalls Marcus J. Ranum (May 21)
- Re: Thoughts on the new Cisco ASA 5500 firewalls Chris Byrd (May 24)
- RE: Thoughts on the new Cisco ASA 5500 firewalls Paul Melson (May 19)
- Re: Thoughts on the new Cisco ASA 5500 firewalls Paul D. Robertson (May 19)