Firewall Wizards mailing list archives
Re: Time for a new FWTK?
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Mon, 24 Nov 1997 21:09:15 -0500
chuck yerkes wrote:
> Hey, Marcus, want to do the FWTK/DEC SEAL stuff AGAIN under GPL or the BSD license? Call it MRTK4FW (you figure it out) and get your net-immortality. I'll buy coffee....
I'm pretty much done with firewalls. :) The problem is that I don't know *HOW* to build the next generation of firewalls, and I don't want to build another of the previous generation. "Been there, done that" repeatedly...

Early firewalls were *EASY* to implement. You had a total of maybe 6 services to gateway, and only 1 of those 6 was seriously brain-damaged (FTP). Nowadays a firewall has to deal with maybe dozens of services, and only 5 of them are not brain-damaged. And the specs change constantly. The value of a firewall has always been *NOT* its access control but the expert analysis that the firewall's designers put (or should put!) into the services that they gateway back and forth. I remember, for me, the break-over moment was when we realized that we *HAD* to support http, even though it is a suck brain-damaged protocol and presented numerous security risks. That was the moment when security took a back seat, and we've been fighting over the steering wheel ever since.

The next generation firewall is going to have to be one of 2 things:

-> one *powerful* mother analysis engine configured by wizards who understand the plethora of protocols that are being deployed every second

-> it'll go away completely and be replaced by a mix of host software for fine-detailed control, and network level filtering (in a router, for example) for gross-level control

Maybe there's a third option -- if it's a good one you can get rich by bringing it to market. Because the current generation of firewalls is at the end of its intellectual lifespan -- even their designers don't know where to take them next (except better U/Is and VPNs). The proxy firewalls are all adding filtering and the filtering firewalls are all adding proxies. One thing we discussed recently was putting a screend(8) interface into NFR's engine. Mostly just for kicks, but to do firewalling right these days you *NEED* serious traffic analysis.
I believe (and the market will prove it if I am right) that the future will contain some kind of box that does firewalling-type access control, traffic analysis (what NFR does), and intrusion detection (rules applied atop traffic analysis). This all remains to be seen... I *believe* you could probably write all the capabilities of a proxy firewall using N-code filters, but I'd have to defer that question to The Guys, who know N-code better than I ever will... When you can track every TCP going through a box, read the RCPT To: from all SMTP sessions and store them in an array, and then apply a count to the array to decide whether or not to forward a packet, you have an interesting capability. ;) The expense, again, is the *KNOWLEDGE* of what protocols are good and what are bad, why, and how to fix them, and when.
> Really, though, I think the TIS FWTK is a good starting point for proxies- esp for the tn-gw and ftp-gw.
FTP-gw should be removed; tell your users to use an FTP client that uses PASV, and then screen FTP. That's one problem solved. TN-gw should be removed; telnet is a monster of a protocol, and shouldn't be allowed into your network. Allowing it out is easy using router screening. For incoming traffic (which was TN-gw's real purpose!) use SSH instead; it is so much better.
> http-gw is hard, because the protocol is so flexible and now carries SO much.
"Flexible" is a good word for it. "Kitchen Sink" describes it better. In a few years, if firewalls keep blocking things (i.e.: doing their jobs) everything will be tunnellable over http. Pointcast, Oilchange, etc, etc, etc, etc... They are the beginning. "Apres moi, la deluge." Use a caching web proxy server and just pray. Or put your faith in sandboxes and signed applets. They are here to stay.
> Much of the security should be back on the client (like "only run Java or Live^H^H^H^HJavaScript coming from these networks," at a minimum)
Host security is on the ascendant, yes...
> But it's a toolkit and it was put up free by a company trying to compete in a market full of charlatans with glossies and slick salesweasels that say that whatever the client wants can be done securely.
It was written in a time when firewalls were not a $400m/year industry. It was written in a time when people did research in security, not IPOs. The world has changed -- the Web did it -- nothing can inject that much money into an area of human endeavor and leave it unchanged. ALL the players have changed -- the companies, the researchers, the technology, the desktops, and the customers. FWTK was good while it lasted; time to move on.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
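The RCPT To: counting idea Marcus sketches above (track every TCP session through the box, collect the SMTP recipients into a per-session array, then apply a count to decide whether to forward), worked through as an added example that is not part of the original post and not NFR N-code: a small Python traffic-analysis sketch over a constructed set of reassembled SMTP client commands. The session ids, addresses, sample lines and the recipient threshold are all assumptions.

```python
import re

# Constructed sample: (tcp_session, SMTP client command) pairs, as a traffic
# analyser might hand them over after reassembling each TCP session through
# the box. Not a real capture; session ids and addresses are made up.
SAMPLE_SESSIONS = (
    [("10.0.0.5:40001", "EHLO laptop.example"),
     ("10.0.0.5:40001", "MAIL FROM:<alice@example>"),
     ("10.0.0.5:40001", "RCPT TO:<bob@example.net>"),
     ("10.0.0.5:40001", "DATA")]
    + [("10.0.0.9:40002", "HELO bulk.example"),
       ("10.0.0.9:40002", "MAIL FROM:<promo@example>")]
    # a mass-mailing session: lower-case command, twelve recipients
    + [("10.0.0.9:40002", f"rcpt to:<user{i}@example.net>") for i in range(12)]
    + [("10.0.0.9:40002", "DATA")]
)

# SMTP commands are case-insensitive; the forward-path is normally in <>.
RCPT_RE = re.compile(r"^\s*RCPT\s+TO\s*:\s*<?([^>\s]+)>?", re.IGNORECASE)


def count_recipients(lines):
    """Return {session: [recipients]} for every session seen in `lines`.

    Sessions that never issue RCPT TO still appear with an empty list, so
    the caller sees every TCP session the analyser tracked.
    """
    rcpts = {}
    for session, line in lines:
        rcpts.setdefault(session, [])
        m = RCPT_RE.match(line)
        if m:
            rcpts[session].append(m.group(1).lower())
    return rcpts


def forwarding_decisions(lines, max_rcpt=10):
    """Apply the count to each session's array: 'forward' or 'block'."""
    return {
        session: "block" if len(addrs) > max_rcpt else "forward"
        for session, addrs in count_recipients(lines).items()
    }


if __name__ == "__main__":
    for session, verdict in forwarding_decisions(SAMPLE_SESSIONS).items():
        print(session, verdict)
```

The threshold is deliberately a parameter: what counts as "too many recipients" is exactly the kind of protocol knowledge Marcus says is the expensive part.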