Re: Firewall Primitives

[Devdas Bhagat <dvb () users sourceforge net>]

On 06/11/02 16:31 -0500, Marcus J. Ranum wrote:
> Devdas Bhagat wrote:
> > IMHO, most organizations should not care about packet filtering
> > firewalls dropping packets on the edge in accordance with policy.
>
> That's certainly not your policy decision to make for any network
> but your own. You're also implicitly assuming that the firewall is
> a boundary-only device - which is not (or shouldn't be) the case
A firewall is present at any boundary between networks with different
security levels. /me prefers to have host based firewalls too.

> with all firewalls. Additionally, the organization may wish to
> keep data about number and type of disallowed connections. It has
> always struck me as strange that many organizations deny traffic and
> don't log the denies - but spend lots of money on IDS.
Ummm, the above comment was in specific response to your statement about
presenting a login prompt/starting an application layer proxy by the
packet filtering firewall. It was not a comment on totally ignoring what
the firewall does.

> > The only place where you want to collect information is a honeypot,
> > which is a different kettle of fish.
 
> I want to collect information _everywhere_ - don't assume where
> I do or don't want to collect information! :) Besides, the presence
Again, I don't care about nimda trying to hit my mailserver when it is
not running a webserver. The SPF can just drop those packets and make a
note of it. The honeypot note, again, was wrt your statement about
collecting application layer data for disallowed traffic at the packet
filter.
I guess my statements were not clear enough on that.

> of a firewall may make it IMPOSSIBLE to collect some of the info
> I want. That's the whole problem. The segregation between
> IDS/Firewalls/Honepots/VPN/AV is all a figment of your imagination!
IMHO, a honeypot is part of an IDS.
A firewall is that part of a security architecture that tries to enforce
security policy (SPF/ALG/AV/...).
An IDS is that part of a security architecture that watches for
violations of said security policy(Admins/NIDS/HIDS/Log analysis/...).
Does that make sense?
<snip>
> > <repeat rant>
> > Older systems were not fast enough to check all network traffic for
> > malicious behaviour. Modern systems are fast enough to do protocol
> > validation for most speeds
> > </repeat rant>
>
> Older systems _were_ perfectly capable of doing checks for malicious
> behavior. A few of them did, even the first proxy firewalls. The
The general excuse was that theyw were too slow to process all those
requests. Modern CPUs are fast enough to rebuild all the packets for
*most* organizations.

> reason firewalls don't do exhaustive checks has more to do with
> market dynamics and time-to-market than it does with performance
> issues in doing fast checks. Simply put: most customers would rather
> buy something that says "gigabit" on the marketing glossies than
> something that says "freakin' intensely secure"
Hmmmm, and that can only be fixed by educating them.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards