Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: "Tina Bird" <tbird () precision-guesswork com>
Date: Tue, 27 Nov 2007 19:10:48 -0800
> That's really what I'm trying to get people to think about. What is a firewall? Is it just a router that has a tiny little bit of amplification to ACL+"established"? Or is it a device that does security at higher layers, including some layer-7 awareness? If it's doing layer-7 stuff, can it be excused from worrying about fragment re-assembly (how could it possibly?) or re-ordering? Is it possible that a "firewall" is largely "a router with a sticker on it that says 'firewall'?" Unless it's doing a lot of useful "deep" stuff at layer-7, I'd say that might be the situation. The question I want you all to start asking is: "What's 'deep' about that?" You didn't ask about the "stateful inspection" stuff and look what happened. Now that they know you're suckers they're gonna hit you with another load.
>
> mjr.
back in the day, when i picked sidewinder over checkpoint, cisco, or any of the other firewall vendors out there [due to the fact that sidewinder was built on a mandatory-access-control based operating system, right from the start, and that i could easily use OS tools, not firewall tools, to monitor the traffic the firewall was allowing through], my working definition of firewall was "device that *separates* the internal network from the internet," where "separates" meant there was a network connection from the internal machine to the firewall, and a separate connection from the firewall to wherever...and in between there was something that DIDN'T ROUTE TRAFFIC, that knew at least a little about the most dangerous protocols and let me make access control decisions based on what the traffic contained. so yes, in 1996 i could control who in the company got to use FTP "put" vs. FTP "get." not a huge thing, maybe. but enough to separate sidewinder from the competition at least at that point, especially when combined with the OS-level security that to this day, i don't think any of the competition can touch. through a really ugly-but-effective architecture, sidewinder was even able to isolate SMTP in distinct zones, years ahead of the competition.

i firmly believe that the firewall an admin finds easiest will always be the first one she used, like most other apps and tools. i'm therefore grateful that i picked a system that did things like provide daily reports *out of the box* on traffic levels, top ten dests, and that sort of thing. that let me easily verify that the traffic going through the firewall agreed with what i had configured in the policy.

when i finally had to pick up other brands of firewalls, i discovered that a lot of things i'd taken for granted (like network address translation) on the sidewinder had to be manually configured on a lot of other systems, and that a lot of the tricks i'd developed to check my own work (or my co-administrator's work) didn't work any more. but worst of all, i discovered that checkpoint and the like **allowed network connections directly between the internal and the untrusted networks** after a few rules were applied. THEY MISSED THE WHOLE POINT! if i can't have marcus' airgap firewall, at least give me something that does not require routing to be enabled on the box, and gives me *some* kind of isolation between my network and the Evil Outside. i've never understood how *marketing* could obfuscate that *simple* fact -- direct connection vs. terminated connection -- which to me seems like *such* an easy way to protect things...thus my, uh, attitude towards marketing became set rather early in my career, alas...

cheers -- tbird
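Added example, not from the original post or from any Sidewinder code: a minimal model of the per-command decision an application-layer FTP proxy makes once it has terminated the client's control connection, so it can allow a user FTP "get" while refusing FTP "put". The user names, the policy table and the session transcript are constructed for illustration; the socket relay loop that would call `decide()` for each line is assumed and not shown.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# FTP control-channel verbs that write to the server ("put") vs. read from it ("get").
# STOU and APPE are "put" variants a policy that only checks STOR would miss.
PUT_COMMANDS = {"STOR", "STOU", "APPE"}
GET_COMMANDS = {"RETR"}


@dataclass
class FtpProxyPolicy:
    """Per-login allow list of transfer directions, enforced on the proxy side.

    Because the proxy terminates the client connection, it sees every command
    before deciding whether to relay it on its own, separate server connection.
    """
    allowed: Dict[str, Set[str]] = field(default_factory=dict)  # user -> {"get", "put"}
    user: Optional[str] = None  # login announced on this session, if any

    def decide(self, line: str) -> Tuple[str, str]:
        """Return ("forward", line) to relay the command to the server,
        or ("reject", reply) to answer the client locally and relay nothing."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()  # FTP verbs are case-insensitive (RFC 959)
        if verb == "USER":
            self.user = arg.strip()  # remember who this session claims to be
            return ("forward", line)
        if verb in PUT_COMMANDS or verb in GET_COMMANDS:
            direction = "put" if verb in PUT_COMMANDS else "get"
            permitted = self.allowed.get(self.user or "", set())
            # Unauthenticated transfers and disallowed directions never reach the server.
            if direction not in permitted:
                return ("reject", f"550 {verb} not permitted by firewall policy")
        return ("forward", line)


def run_session(policy: FtpProxyPolicy, client_lines: List[str]) -> List[Tuple[str, str]]:
    """Apply the policy to a whole client transcript, in order."""
    return [policy.decide(line) for line in client_lines]


# Constructed policy: alice may only download, bob may download and upload.
POLICY = {"alice": {"get"}, "bob": {"get", "put"}}
# Constructed client transcript for one session.
SESSION = ["USER alice", "PASS secret", "RETR report.txt", "stor upload.bin", "APPE log.txt", "QUIT"]

if __name__ == "__main__":
    for cmd, (action, text) in zip(SESSION, run_session(FtpProxyPolicy(dict(POLICY)), SESSION)):
        print(f"{cmd:18} -> {action}: {text}")
```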