nanog mailing list archives
Re: Firewall opinions wanted please
From: "Alexei Roudnev" <alex () relcom net>
Date: Thu, 18 Mar 2004 12:26:27 -0800
>> Firewall protects other services from outside access.
> A good firewall *should* be doing a whole lot more than that. It should
Do not overestimate. A firewall can do little more than restrict access and inspect a few (very limited) protocols. It cannot protect you from slow scans; it cannot protect you from SSL / SSH / (any other encrypted protocol) vulnerabilities; it cannot protect your users from viruses in e-mail, etc. etc. A proxy firewall (a device which terminates _ALL_ protocols) can help in some cases (management access to your network by ssh) but cannot in others (SSL site hosting, for example).
> also be giving you a good level of detail about what crosses your
Very good level of detail - 200 MB of daily logs (IP, IP protocol = https). Any network statistics system can do it. Unfortunately, all these logs are 99% useless until you need forensics.
> perimeter. It should also be doing some level of content checking to
In reality, I can count all the useful things a firewall can do. I cannot count (it is infinite) the number of things it cannot do. In real life, protocol inspection is useful for SMTP and DNS. Sometimes for http (but not https), SIP, and a few other _open_ protocols. That's all. Sometimes it can recognize unusual behaviour of _your_ server and notify you (esp. if you maintain _default deny_ for some protocols). You are right about _checking outbound connections_ - a firewall can help, if properly configured. Unfortunately, you can spend days configuring your home firewall for outbound connections, even if you maintain a proxy. I do not think that you will do it for grandma... You are right about the possibility of weaknesses in some PNAT devices. There is a very big potential for problems / holes here. I'd like to see such tests as you are talking about (security tests for PNAT devices).
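The point above about a firewall recognising unusual behaviour of _your_ server once you keep a default deny is straightforward to turn into a check over the deny logs. The following is an added example, not code from the thread or any participant; it uses constructed iptables-style DROP lines, a hypothetical inside interface name and hypothetical per-server roles.

```python
import re
from collections import defaultdict

# Constructed sample of default-deny DROP log lines (iptables-style syslog, simplified).
# eth1 is assumed to be the inside interface; IPs are documentation-range placeholders.
SAMPLE_LOG = """\
Mar 18 12:01:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP DPT=25
Mar 18 12:01:05 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.8 PROTO=TCP DPT=25
Mar 18 12:01:09 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP DPT=25
Mar 18 12:02:00 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=203.0.113.2 PROTO=TCP DPT=443
Mar 18 12:02:30 fw kernel: DROP IN=eth0 OUT=eth1 SRC=192.0.2.4 DST=10.0.0.5 PROTO=TCP DPT=22
"""

LINE_RE = re.compile(
    r"DROP IN=(?P<in>\S+) OUT=\S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: DPT=(?P<dpt>\d+))?"
)

INTERNAL_IF = "eth1"
# Hypothetical per-server allow list of the outbound services each host is expected to use.
# Anything else hitting the default-deny rule is the "unusual behaviour" worth a notice.
EXPECTED_OUTBOUND = {
    "10.0.0.5": {"TCP/443", "UDP/53"},  # web server: HTTPS out plus DNS
    "10.0.0.9": {"TCP/443", "UDP/53"},
}

def parse_drops(log_text):
    """Yield (in_if, src, dst, 'PROTO/port') per DROP line; ignore non-matching lines."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["in"], m["src"], m["dst"], f"{m['proto']}/{m['dpt'] or '-'}"

def unusual_outbound(log_text, expected=EXPECTED_OUTBOUND, internal_if=INTERNAL_IF, min_dests=1):
    """Map src -> {service: distinct destination count} for internal servers whose
    dropped *outbound* traffic falls outside their expected set. Inbound drops and
    hosts without a declared role are skipped: they are the part of the log that only
    matters for forensics later."""
    seen = defaultdict(lambda: defaultdict(set))
    for in_if, src, dst, svc in parse_drops(log_text):
        if in_if == internal_if and src in expected and svc not in expected[src]:
            seen[src][svc].add(dst)
    report = {}
    for src, services in seen.items():
        hits = {svc: len(dsts) for svc, dsts in services.items() if len(dsts) >= min_dests}
        if hits:
            report[src] = hits
    return report

if __name__ == "__main__":
    for src, hits in unusual_outbound(SAMPLE_LOG).items():
        print(f"{src}: unexpected outbound {hits}")  # 10.0.0.5: unexpected outbound {'TCP/25': 3}
```

Raising `min_dests` turns the same data into a crude spread detector: one server suddenly trying port 25 toward several distinct hosts is what a default-deny rule makes visible, while the single inbound ssh drop stays out of the report.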