Firewall Wizards mailing list archives
Re: Firewall RISKS
From: "Stephen P. Berry" <spb () meshuga incyte com>
Date: Sun, 06 Jun 1999 12:04:02 -0700
-----BEGIN PGP SIGNED MESSAGE----- In message <Pine.GSO.4.02.9906041510010.24702-100000 () dimension net>, Lance Spit zner writes:
On Thu, 3 Jun 1999, Stephen P. Berry wrote:Firewalls are mechanisms for policy enforcement. Auditing information that comes out of them isn't necessarily useless, but there are many things which they will be intrinsically unable to tell you. I.e., what traffic your firewall is passing that it shouldn't be. An IDS machine configured such that it sets off an alarm whenever it sees a packet that should've been blocked by the firewall will almost invariably give you more interesting information about actual intrusions than your firewall logs will.
FW logs are just as valuable as IDS logs. As most FWs deny everything, except that which is expreselly allowed, the logs can show you what vulnerabilities people are scanning for, information your IDS will never see since the packets are blocked.
Well, the IDS sensor(s) -behind- the firewall(s) won't tell you about (unsuccessful) scans (originating outside your internal network(s)). That's what your external IDS sensor(s) are for.
This information can be critical in keeping current with latest exploits/tools. I am not say FW logs are more/less important then IDS logs, I am saying they share an equial value.
Firewall logs are best, in my opinion, for offering corroborative evidence alongside the logs generated by tools specifically designed to look for things like scans (which firewall logging mechanisms generally are not). Just as your policy enforcement should rely as little as possible on single points of failure, so should your policy auditing.
(for example) bind 8.2 . You turn off all other services on the machines, and you're using an OS you know how to harden. You configure your border router to drop all traffic directed at these two boxen that is not directed at either port 25 or port 53 (respectively). Explain where a firewall would be -essential- in such a setup.
Ahh, your router is the Firewall. Most Firewalls deny traffic, your router is now denying traffic. It does NOT matter what the platform/application is (ipchains on Linux, FW-1 on Solaris, ACL's on a router) you are now Firewalling.
While I think that in fact this does some violence to the general usage of the term `firewall' in practise (if a vendor tried to sell you, say, a Cisco 760 as a firewall, would you think that was reasonable, or would you feel like the vendor was doing something vaguely shady[1]?), for the sake of the arguement, I'll cheerfully stipulate the point[2]. Assume your router...er, your -firewall-...has no blocking rules whatsoever. Given that the machines are configured in the manner in which I described, demonstrate how a firewall (even using your definition[3]) would be -essential-. - -Steve - ----- 1 Mod getting that feeling in general from firewall (and other IT security product) vendors. 2 As a side point, since many folks set their border routers up to do things like block (obviously) spoofed traffic, block source routed traffic and suchlike even if they have a dedicated firewall machine (i.e., something running a product like Gauntlet or Firewall1), would you feel comfortable describing this as a two firewall architecture? 3 Mind you, I am not denying that many firewall products are essentially just ornery routers for which you can easily obtain a compiler. I just believe that `router with an ACL' isn't what is generally meant when the word `firewall' is used[4]. 4 And you may make the case that this is just another reason why the word `firewall' shouldn't be used without explicit definition when used in technical discussions. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBN1rGHSrw2ePTkM9BAQE+QwP9FmUdjruOXarNaamKEV8jBdmCIr5TAuq+ Z8B8qSl/jSeovsLoZoc78LkWzsL1GgKrBL8FvgIxDEo9YChXpadG1arvyoRGY5j9 z1teyQBezQn1wKWyH1/RLv7UCnpDJViHkNSOIw7QUAllLN2KEr8xeicV/TmQSJH/ qah32fcapmk= =d+Va -----END PGP SIGNATURE-----
Current thread:
- Re: Firewall RISKS, (continued)
- Re: Firewall RISKS Adam Shostack (Jun 03)
- Re: Firewall RISKS Andrew Gilbert (Jun 03)
- Re: Firewall RISKS MIKE SHAW (Jun 03)
- Re: Firewall RISKS Stephen P. Berry (Jun 04)
- Re: Firewall RISKS Lance Spitzner (Jun 04)
- Transfering off-system firewall audit trails Steven W. Engle (Jun 14)
- Re: Transfering off-system firewall audit trails Lance Spitzner (Jun 15)
- Re: Transfering off-system firewall audit trails Christoph Schneeberger (Jun 16)
- Re: Transfering off-system firewall audit trails Richard Rees (Jun 15)
- Re: Firewall RISKS Stephen P. Berry (Jun 04)
- eSafe Protect desktop experince Mark Lemmo (Jun 14)
- Re: Firewall RISKS Stephen P. Berry (Jun 14)
- Re: Firewall RISKS Stephen P. Berry (Jun 14)
- Re: Firewall RISKS Tim Kramer (Jun 16)