Firewall Wizards mailing list archives
Re: Firewall Primitives
From: Devdas Bhagat <dvb () users sourceforge net>
Date: Thu, 7 Nov 2002 11:55:05 +0530
On 06/11/02 16:31 -0500, Marcus J. Ranum wrote:
Devdas Bhagat wrote:IMHO, most organizations should not care about packet filtering firewalls dropping packets on the edge in accordance with policy.That's certainly not your policy decision to make for any network but your own. You're also implicitly assuming that the firewall is a boundary-only device - which is not (or shouldn't be) the case
A firewall is present at any boundary between networks with different security levels. /me prefers to have host based firewalls too.
with all firewalls. Additionally, the organization may wish to keep data about number and type of disallowed connections. It has always struck me as strange that many organizations deny traffic and don't log the denies - but spend lots of money on IDS.
Ummm, the above comment was in specific response to your statement about presenting a login prompt/starting an application layer proxy by the packet filtering firewall. It was not a comment on totally ignoring what the firewall does.
The only place where you want to collect information is a honeypot, which is a different kettle of fish.
I want to collect information _everywhere_ - don't assume where I do or don't want to collect information! :) Besides, the presence
Again, I don't care about nimda trying to hit my mailserver when it is not running a webserver. The SPF can just drop those packets and make a note of it. The honeypot note, again, was wrt your statement about collecting application layer data for disallowed traffic at the packet filter. I guess my statements were not clear enough on that.
of a firewall may make it IMPOSSIBLE to collect some of the info I want. That's the whole problem. The segregation between IDS/Firewalls/Honepots/VPN/AV is all a figment of your imagination!
IMHO, a honeypot is part of an IDS. A firewall is that part of a security architecture that tries to enforce security policy (SPF/ALG/AV/...). An IDS is that part of a security architecture that watches for violations of said security policy(Admins/NIDS/HIDS/Log analysis/...). Does that make sense? <snip>
<repeat rant> Older systems were not fast enough to check all network traffic for malicious behaviour. Modern systems are fast enough to do protocol validation for most speeds </repeat rant>Older systems _were_ perfectly capable of doing checks for malicious behavior. A few of them did, even the first proxy firewalls. The
The general excuse was that theyw were too slow to process all those requests. Modern CPUs are fast enough to rebuild all the packets for *most* organizations.
reason firewalls don't do exhaustive checks has more to do with market dynamics and time-to-market than it does with performance issues in doing fast checks. Simply put: most customers would rather buy something that says "gigabit" on the marketing glossies than something that says "freakin' intensely secure"
Hmmmm, and that can only be fixed by educating them. Devdas Bhagat _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Firewall Primitives, (continued)
- Message not available
- Re: Firewall Primitives Marcus J. Ranum (Nov 04)
- Re: Firewall Primitives George Capehart (Nov 04)
- Re: Firewall Primitives Victoria of Borg (Nov 05)
- Re: Firewall Primitives Magosányi Árpád (Nov 05)
- Re: Firewall Primitives Crispin Cowan (Nov 05)
- Re: Firewall Primitives George Capehart (Nov 05)
- Re: Firewall Primitives Crispin Cowan (Nov 06)
- Re: Firewall Primitives Marcus J. Ranum (Nov 06)
- Re: Firewall Primitives Devdas Bhagat (Nov 06)
- Re: Firewall Primitives Marcus J. Ranum (Nov 06)
- Re: Firewall Primitives Devdas Bhagat (Nov 07)
- Re: Firewall Primitives Adam Shostack (Nov 09)
- BS claims (was Re: Firewall Primitives) Marcus J. Ranum (Nov 09)
- Message not available
- Re: Firewall Primitives Mikael Olsson (Nov 09)
- Re: Firewall Primitives Marcus J. Ranum (Nov 09)
- Re: Firewall Primitives Christopher Hicks (Nov 10)
- Re: Firewall Primitives Predrag Zivic (Nov 10)
- Re: Firewall Primitives Stephen P. Berry (Nov 11)
- Re: Firewall Primitives Cat Okita (Nov 11)