Dailydave mailing list archives
Re: This just in: Firewalls are obsolete
From: byte_jump <bytejump () gmail com>
Date: Tue, 12 Jul 2005 10:34:23 -0600
On 7/11/05, Florian Weimer <fw () deneb enyo de> wrote:
> But I tend to agree that hardening the hosts themselves is the way to go. Another approach is segregation of the internal network at the network device layer (using bridging IP-layer filters, packet filters which route between different VLANs, and so on). But this is apparently very hard to implement on larger networks, at least with current technology.
>
> I think there's some feeling that a firewall is just a router with an attitude. I'm slightly biased by my experience, but it does make sense to run a stateless packet filter at the perimeter, and not some obscure gadget which dies horribly when someone starts a quick port scan across your address space (or launches a 50 kpps DoS attack).
I don't much see the use of so-called "application-aware" firewalls these days. I believe a perimeter firewall is still useful, but its usefulness ends with two ideas: "stateful" and "hardened TCP/IP stack". Anything beyond those two concepts is nothing but marketing fluff. The whole HTTP smuggling issue where an attack can be launched against an IIS server through a Check Point NG firewall is a good example. Check Point's Malcode Protection discussed in another thread is yet another example. "Application awareness" in firewalls and other network-based devices is a waste of time - they are too easy to evade. Encryption, morphing code, encoding, and other forms of obfuscation always defeat network-based security devices, and always will.

Why bother with anything other than stateful ACLs at the perimeter and layer 2 device ACLs within the perimeter? I'll tell you why: There is no perimeter. Every host on your network is the perimeter. In the day of client-based IPsec VPNs, SSL VPNs, intra-organization VPNs, blah, blah - there isn't any sort of definable perimeter. Every host must be hardened against attack, and switch-based ACLs make a lot of sense in implementing some sort of network filter. Is there any reason for Jane's computer to speak NetBIOS to Mark's computer? Why should FTP be allowed between Bob's and Steve's computers, both of which are on the same segment?

I'm a firm believer in host-based hardening and switch-based ACLs as a way to make one's network very hostile to intruders. Network-based security devices such as application-aware firewalls, NIPS, etc. aren't really going to get an organization where they should be. Chasing these concepts is a waste of time and never really buys effective security. Internal networks are no more secure than the Internet (okay, marginally). What prevents some vendor from plugging into a network drop? What about that salesman's laptop that just returned from a conference where wireless Internet access was available? You going to let that onto your LAN?

I think that the following is pretty dang effective (feel free to correct me if I'm wrong):

General
-------
- Stateful firewall on "perimeter" performing TCP/IP hardening (reassembling fragments, etc.).
- Centralized logging such as syslog with near real-time monitoring of syslog.
- IDS-like device to detect some anomalies (e.g., this subnet should not communicate with this subnet, unauthorized DNS servers, etc.).

Desktops
--------
- Host-based security such as Cisco Security Agent.
- Anti-virus (for what that's worth).
- 802.1x authentication to switch.

Internal Network
----------------
- Switch-based ACLs per VLAN that desktops/laptops are dropped into after authenticating via 802.1x.

Servers
-------
- Host-based protection such as grsecurity, W^X, ProPolice, systrace, etc.
- Application-based security where possible (e.g. mod_security).

There are more possible items to be added, but I do not see the value of internal firewalls, NIPS, or "application-aware" firewalls in this scenario.
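The "IDS-like device" item in the list above (flag traffic between subnets that should never talk to each other, and DNS queries to unauthorized servers) is the one piece of the proposed setup that can be shown as working code. What follows is an added example, not code from byte_jump's post or from any product named in it: a small checker that applies a segment policy to syslog-style flow records and reports the flows that violate it. The segment plan (10.10.0.0/24 desktops, 10.20.0.0/24 servers), the authorized resolver 10.20.0.53, the allowed-flow set, the log format and every sample line are assumptions constructed for the example.

```python
"""Segment-policy anomaly check over flow logs.

Added example, not code from the Dailydave post. The segment plan, allowed
flows, authorized resolver, log format and sample lines are all constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed segment plan (assumption): desktops on one VLAN, servers on
# another; any address outside both is treated as "external".
SEGMENTS = {
    "desktops": ipaddress.ip_network("10.10.0.0/24"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
}

# Flows that conform: (source segment, destination segment, proto, dport).
# Anything not listed is reported. Desktop-to-desktop is deliberately absent:
# two desktops on the same VLAN have no business speaking NetBIOS or FTP.
ALLOWED_FLOWS = {
    ("desktops", "servers", "tcp", 80),
    ("desktops", "servers", "tcp", 443),
    ("desktops", "servers", "udp", 53),
    ("desktops", "external", "tcp", 80),
    ("desktops", "external", "tcp", 443),
}

# The only resolver clients are supposed to use (assumption).
AUTHORIZED_DNS = {ipaddress.ip_address("10.20.0.53")}

# Constructed record shape: "... flow: tcp 10.10.0.15:51022 -> 10.20.0.10:443"
LOG_RE = re.compile(
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line):
    """Parse one log line into a Flow, or return None if it is not a flow record."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return Flow(m["proto"], ipaddress.ip_address(m["src"]), int(m["sport"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]))


def segment_of(addr):
    """Name the segment an address belongs to, or "external" if it is in none."""
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def check_flow(flow):
    """Return the list of findings for one flow; an empty list means it conforms."""
    findings = []
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if (src_seg, dst_seg, flow.proto, flow.dport) not in ALLOWED_FLOWS:
        findings.append(f"segment policy: {src_seg} -> {dst_seg} {flow.proto}/{flow.dport} not permitted")
    # Checked independently of the segment rule, so a query to a rogue
    # resolver sitting on an otherwise permitted path is still reported.
    if flow.dport == 53 and flow.dst not in AUTHORIZED_DNS:
        findings.append(f"unauthorized DNS server: {flow.dst}")
    return findings


def scan_log(lines):
    """Map each offending log line to its findings; conforming lines are omitted."""
    report = {}
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # other syslog noise, not a flow record
        findings = check_flow(flow)
        if findings:
            report[line] = findings
    return report


# Constructed sample log; external hosts use documentation address ranges.
SAMPLE_LOG = [
    "Jul 12 10:34:01 fw flow: tcp 10.10.0.15:51022 -> 10.20.0.10:443",    # desktop -> server HTTPS: fine
    "Jul 12 10:34:02 fw flow: tcp 10.10.0.15:51023 -> 10.10.0.22:139",    # desktop -> desktop NetBIOS
    "Jul 12 10:34:03 fw flow: tcp 10.10.0.31:51100 -> 10.10.0.40:21",     # desktop -> desktop FTP
    "Jul 12 10:34:04 fw flow: udp 10.10.0.15:40000 -> 10.20.0.53:53",     # DNS to the authorized resolver: fine
    "Jul 12 10:34:05 fw flow: udp 10.10.0.15:40001 -> 198.51.100.53:53",  # DNS to an outside resolver
    "Jul 12 10:34:06 fw flow: tcp 10.20.0.10:33000 -> 10.10.0.15:445",    # server initiating SMB to a desktop
    "Jul 12 10:34:07 fw flow: tcp 10.10.0.15:51030 -> 203.0.113.10:443",  # desktop -> Internet HTTPS: fine
    "Jul 12 10:34:08 fw sshd[412]: Accepted publickey for admin",         # unrelated syslog line, skipped
]

if __name__ == "__main__":
    for line, findings in scan_log(SAMPLE_LOG).items():
        print(line, *("    " + f for f in findings), sep="\n")
```

Run stand-alone, it prints the four offending lines with their findings; the two desktop-to-desktop flows and the server-initiated SMB flow trip the segment rule, and the query to 198.51.100.53 trips both the segment rule and the resolver check. The same policy table is what one would push down as switch ACLs per VLAN; keeping the detection side separate catches drift when an ACL is missing or a host lands in the wrong VLAN.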