Dailydave mailing list archives

Re: This just in: Firewalls are obsolete


From: byte_jump <bytejump () gmail com>
Date: Tue, 12 Jul 2005 10:34:23 -0600

On 7/11/05, Florian Weimer <fw () deneb enyo de> wrote:

> But I tend to agree that hardening the hosts themselves is the way to go.
> Another approach is segregation of the internal network at the network
> device layer (using bridging IP-layer filters, packet filters which
> route between different VLANs, and so on).  But this is apparently
> very hard to implement on larger networks, at least with current
> technology.
>
> I think there's some feeling that a firewall is just a router with an
> attitude.  I'm slightly biased by my experience, but it does make
> sense to run a stateless packet filter at the perimeter, and not some
> obscure gadget which dies horribly when someone starts a quick port
> scan across your address space (or launches a 50 kpps DoS attack).


I don't much see the use of so-called "application-aware" firewalls
these days. I believe a perimeter firewall is still useful, but its
usefulness ends with two ideas: "stateful" and "hardened TCP/IP
stack". Anything beyond those two concepts is nothing but marketing
fluff. The whole HTTP smuggling issue where an attack can be launched
against an IIS server through a Check Point NG firewall is a good
example. Check Point's Malcode Protection discussed in another thread
is yet another example. "Application awareness" in firewalls and other
network-based devices is a waste of time - they are too easy to evade.

Encryption, morphing code, encoding, and other forms of obfuscation
always defeat network-based security devices, and always will. Why
bother with anything other than stateful ACL's at the perimeter and
layer 2 device ACL's within the perimeter? I'll tell you why: There is
no perimeter. Every host on your network is the perimeter. In the day
of client-based IPsec VPN's, SSL VPN's, intra-organization VPN's,
blah, blah - there isn't any sort of definable perimeter. Every host
must be hardened against attack and switch-based ACL's make a lot of
sense in implementing some sort of network filter. Is there any reason
for Jane's computer to speak NetBIOS to Mark's computer? Why should
FTP be allowed between Bob's and Steve's computers, both of which are
on the same segment?

I'm a firm believer in host-based hardening and switch-based ACL's as
a way to make one's network very hostile to intruders. Network-based
security devices such as application aware firewalls, NIPS, etc.
aren't really going to get an organization where they should be.
Chasing these concepts is a waste of time and never really buys
effective security. Internal networks are no more secure than the
Internet (okay, marginally). What prevents some vendor from plugging
into a network drop? What about that salesman's laptop that just
returned from a conference where wireless Internet access was
available? You going to let that onto your LAN?

I think that the following is pretty dang effective (feel free to
correct me if I'm wrong):
General
-----------
- Stateful firewall on "perimeter" performing TCP/IP hardening
(reassembling fragments, etc.).
- Centralized logging such as syslog with near real-time monitoring of syslog.
- IDS-like device to detect some anomalies (e.g., this subnet should
not communicate with this subnet, unauthorized DNS servers, etc.).

Desktops
--------------
- Host-based security such as Cisco Security Agent.
- Anti-virus (for what that's worth).
- 802.1x authentication to switch.

Internal Network
------------------------
- Switch-based ACL's per VLAN that desktops/laptops are dropped into
after authenticating via 802.1x.

Servers
------------
- Host-based protection such as grsecurity, W^X, ProPolice, systrace, etc.
- Application-based security where possible (e.g. mod_security).


There are more possible items to be added, but I do not see the value
of internal firewalls, NIPS, or "application-aware" firewalls in this
scenario.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
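The "IDS-like device" item in the post (this subnet should not talk to that subnet, clients using unauthorized DNS servers) and the NetBIOS/FTP-between-desktops complaint both reduce to policy checks over observed flows. The following is an added example, not code from the post or from any product it names: a small checker run over constructed flow records in a simplified "src dst proto dport" format. The zone ranges, allowed zone pairs, blocked peer ports and the authorized resolver address are all assumptions chosen for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy for the example (assumption, not the post's network).
ZONES = {
    "desktops": ipaddress.ip_network("10.1.0.0/24"),
    "servers":  ipaddress.ip_network("10.2.0.0/24"),
    "mgmt":     ipaddress.ip_network("10.9.0.0/24"),
}
# Which zone may initiate connections to which other zone (assumed policy).
ALLOWED_ZONE_PAIRS = {("desktops", "servers"), ("mgmt", "servers"), ("mgmt", "desktops")}
# Ports that peers inside the same zone have no business using with each other
# (FTP and NetBIOS/SMB between desktops, as the post asks about).
BLOCKED_PEER_PORTS = {"desktops": {21, 137, 138, 139, 445}}
# The only resolver clients are supposed to talk to (assumed address).
AUTHORIZED_DNS = {ipaddress.ip_address("10.2.0.53")}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'src dst proto dport' record (a constructed, simplified flow format)."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport))


def zone_of(addr):
    """Map an address to its zone name, or None if it is outside every known zone."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def check_flow(flow: Flow):
    """Return a list of (kind, detail) findings; an empty list means the flow is within policy."""
    findings = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone and dst_zone:
        if src_zone != dst_zone and (src_zone, dst_zone) not in ALLOWED_ZONE_PAIRS:
            findings.append(("zone-policy", f"{src_zone}->{dst_zone} is not permitted"))
        elif src_zone == dst_zone and flow.dport in BLOCKED_PEER_PORTS.get(src_zone, set()):
            findings.append(("peer-to-peer", f"{src_zone} hosts talking to each other on port {flow.dport}"))
    # DNS to anything but the sanctioned resolver, whether internal or external.
    if flow.proto in ("udp", "tcp") and flow.dport == 53 and flow.dst not in AUTHORIZED_DNS:
        findings.append(("unauthorized-dns", f"{flow.dst} is not an authorized resolver"))
    return findings


def scan(lines):
    """Run check_flow over each record and return only the records that produced findings."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        findings = check_flow(parse_flow(line))
        if findings:
            hits.append((line, findings))
    return hits


# Constructed sample records; 192.0.2.53 is from the documentation range, not a real resolver.
SAMPLE_FLOWS = [
    "10.1.0.15 10.2.0.10 tcp 443",   # desktop -> server web: allowed
    "10.1.0.15 10.2.0.53 udp 53",    # desktop -> sanctioned resolver: allowed
    "10.1.0.15 192.0.2.53 udp 53",   # desktop -> some other resolver: flagged
    "10.1.0.15 10.9.0.5 tcp 22",     # desktop -> management zone: flagged
    "10.1.0.15 10.1.0.22 tcp 21",    # FTP between two desktops: flagged
    "10.1.0.15 10.1.0.22 tcp 139",   # NetBIOS between two desktops: flagged
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_FLOWS):
        for kind, detail in findings:
            print(f"{kind:16} {line:32} {detail}")
```

The checks are deliberately protocol-agnostic: they look only at addresses, ports and transport, which is exactly the information that survives the encryption and encoding the post says defeats "application-aware" inspection. A real deployment would feed this from switch or firewall flow exports rather than a hand-written list, and alert through the centralized syslog the post lists under "General".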