Re: Thoughts on the new Cisco ASA 5500 firewalls

["Marcus J. Ranum" <mjr () ranum com>]

Chris Byrd wrote:
> I respectfully disagree.  Your overall assertion, that proxy firewalls are inherently more secure than stateful 
> firewalls, is obviously correct.  However, I feel that you fail to consider the realities of "real life" 
> implementation.

I've done a hell of a lot of "real life" implementations and am intimately
familiar with the realities as I understand them. As I understand them,
the realities of real life implementation are widely believed to be
that everything is a compromise. That there is a compromise between
security and performance. That there is a compromise between security
and ease of use, etc, etc. Compromise, compromise, compromise.

The problem with that approach is that in order to make a wise decision
about trade-offs and compromises you need to understand what you
are measuring - and virtually nobody does that. They just jump to
"Well, we CAN'T compromise on performance so we'll put a
swiss-cheese 'stateful' firewall in because their powerpoints say
they're really FAST and their competitors are really slow and we
don't really even KNOW what loads our network really handles anyhow
so since we're so completely ignorant we'll buy the SHINY one."

> Most implementations of stateful firewalls are backed up by application proxies on the most popular protocols such as 
> HTTP and FTP.

Yeah, because they suck. :)

> The purpose of the DI firewall in this case is to remove the "low hanging fruit" of worms, network scans, etc., and 
> let the application proxy catch the rest.

No, you're wrong.

What's going on is that network managers are going to put these
"deep inspection" devices in place, feel safe, and never make any
effort to understand if they are effective or not.

You fell for it too. Observe your comment above:
"worms, network scans, etc."
*WHICH* worms? Hey, some of these "deep inspection" devices
know how to block 12 different worms! WOW!  *WHICH* scans?
Guess what? NONE of them block scans. Go find me a "deep
inspection" firewall that "knows" how to block scans. They don't
block scans because a lot of scans look like Chuck's 'legitimate'
traffic and cannot be blocked. They don't block denial-of-service
attacks - except for a few that aren't being used anymore like
ping-of-death that are easy to detect.

So you're already talking like this device does something useful
and haven't made any assessment as to what it actually does
and whether that'd be useful to you in the first place. Hey, if
your internet-facing systems are vulnerable to SQL Slammer,
they've already gone down. Want to protect against Slammer?
Your incoming router's default deny rule should already be
catching all SQL incoming anyhow.

> Further, proxy firewalls have their downsides.  Application proxies are implemented in general purpose processors, 
> limiting their overall performance.

They are? *ALL* of them? Really? Why?

Performance? Is that a problem? Have you measured your network
utilization? Have you measured the bandwidth limitations of the
proxy system? Have you measured what happens to a "deep inspection"
firewall when you turn on URL screening and it's no longer going through
the fast path in the switch and is being vectored instead to the
general purpose processor running Web Trends? 'Cuz that's what
happens.

Sounds to me like you read a bunch of powerpoints and marketing
fluff and believed it.

>  An application proxy must be written for every possible protocol.

So does a "deep inspection" module, if it's "deep" in any sense
of the word. Look at something like NetScreen's documentation
on their current firewall - it has "deep inspection" for 6 whole
Internet application protocols! WOW!  What does it do with
protocols it doesn't have "deep inspection" for? Well, it lets
the traffic scream right through, doesn't it? WOW! That sounds
to me like 'default permit' which is idiot quality security.

> Encrypted traffic often defies proxying.

Encrypted traffic always defies "deep inspection"

>  And, despite best intentions, sometimes applications don't always follow protocol rules.

Yes, and when they don't, they should be blocked and
investigated.

> I'd take a stateful firewall combined with specific application proxies and host based intrusion prevention over a 
> proxy firewall any day.

I can tell you would.

I'll take security over a feel-good truckload of shiny powerpoint-based
garbage any day.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards