Firewall Wizards mailing list archives

RE: PIX sux? (know Stateful vs Application)

From: "Dom De Vitto" <dom () devitto com>
Date: Tue, 28 Dec 1999 19:47:11 -0000

Interesting point Shaun, mybe this has something to do with the
first 'firewalls' being commercial products (any comments Marcus?).

I think alot of the problems the opensource crew have had have been
related to the fact that the goalposts are moving too fast (Linux for
one has different kernal firewalling in v2.0, v2.2 and v2.3 !)

I was suprised and downhearted when I found out that stateful inspection
wasn't available in (v2.2) ipchains.  SI is available in IPFilters,
but they only work with the v2.0 kernel.  The new firewalling in the
v2.3 kernel is a rewrite of the IPchains (with the main author admitting
that a lot of lessons have been learnt).

Though all these variants have backwards-compatible interface commands,
these are lacking and aren't 100%.

I *do* think that opensource firewalling will 'catch up', it really
only a matter of combining the bits we already have.  The only thing
that *is* missing is a wonder-GUI that gives you everying you need
(app proxy setup and log viewing inclusive) in one blob - without exposing
the user to the details of the commands required to setup FTP to a FTP server,
traceroute, etc.

Here's hoping...
Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto
Secure Technologies Ltd.                           Mob. 07971 589 201
mailto:dom () devitto com                             Tel. 01202 738 767
http://www.devitto.com                             Fax. 08700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


-----Original Message-----
From: owner-firewall-wizards () lists nfr net
[mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Shaun Moran
Sent: Monday, December 27, 1999 4:30 AM
To: Owner-Firewall-Wizards; Predrag Zivic
Subject: RE: PIX sux? (know Stateful vs Application)


I agree that Stateful technologies (i.e.: Layer 3) will not stop against
application level attacks, but also there are serious risks with Proxy
(application Level) technologies if they do not protect the firewall itself
against Layer 3 attacks.

Application level firewalls could have the ability to stop against
application attacks (i.e.: MS RDAC) but how many of them actually do protect
against these attacks ??? Most application level Firewalls I know simply
relay the HTTP request to the Internal Servers.

Both types of Firewalls correctly designed and implemented will protect
against the majority of the attacks from the Internet BUT with the
technology available today you can't put all your eggs in one basket and
relay JUST on the Firewall. You have to  think of the whole network and
apply security to every part of it (access control, patches, design, etc)

As a footnote - both Stateful and application level firewalls are slowly
merging into the same thing. Checkpoint have their security servers which
are basically application proxies and products like Gauntlet can be
configured to only proxy the first couple of packets and then 'route' the
remainder using Stateful technologies.

I welcome the day when you can put your trust into a firewall to do it all
(and some products are getting there) but in my experience that day is still
pretty far away.

Shaun

Actually - I'm really surprised that the open source movement hasn't
produced any firewall products that even come close to commercial products.
In just about every other software area - the open source version is as good
if not better than some of the commercial products (eg: Squid)



-----Original Message-----
From: owner-firewall-wizards () lists nfr net
[mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Predrag Zivic
Sent: Friday, 24 December 1999 5:28 AM
To: Ryan Russell
Cc: firewall-wizards () nfr net
Subject: Re: PIX sux? (was Re: Start watching your logfiles folks!)


Well,
--- Ryan Russell <Ryan.Russell () sybase com> wrote:

Since PIX is a network level firewall, there are

quite

a few OSI levels that can be used to attack you...


...The PIX can't really touch layer 1, is that what
you meant?

Although your site is under attack PIX will not

report

any errors or stop the unauthorized activity.


My FW-1 firewall (which is the same basic technology
as the PIX) reports on and protects from quite
a few things.

All I am trying to say here is that both FW-1 & PIX
will not be able to catch application layer attacks. I
don't question the "firewalling" capabilities of FW-1
& PIX or would like to start a discussion on statefull
vs. proxy.
One would think about application level attacks and
bring a different type of technology to
support/compliment firewalls. Firewalls (PIX & FW-1)
will neither help in all situations nor are a total
solution for all Internet based attacks.

Pez

P.S. One would think about the mail viruses (maybe
even better, trojans) that travel over the Internet,
although we have firewalls...




_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

Attachment: Domenico De Vitto.vcf
Description:

Current thread:

PIX sux? (was Re: Start watching your logfiles folks!) Ryan Russell (Dec 24)
- <Possible follow-ups>
- Re: PIX sux? (was Re: Start watching your logfiles folks!) Predrag Zivic (Dec 26)
  - RE: PIX sux? (know Stateful vs Application) Shaun Moran (Dec 27)
    - RE: PIX sux? (know Stateful vs Application) Frederick M Avolio (Dec 28)
    - RE: PIX sux? (know Stateful vs Application) David Lang (Dec 28)
    - RE: PIX sux? (know Stateful vs Application) Dom De Vitto (Dec 28)
    - Re: PIX sux? (know Stateful vs Application) Darren Reed (Dec 30)
- Re: PIX sux? (was Re: Start watching your logfiles folks!) Ryan Russell (Dec 27)