Firewall Wizards mailing list archives

Re: SANS Top Ten and Commercial Firewalls


From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 03 Oct 2002 19:56:22 -0400

manatworkyes moderator wrote:

> A firewall is only ONE tool in the chain of products that should be used in order to mitigate vulnerabilities.

No doubt. The reason for my question was to try to get some current
information on the capabilities of firewalls....something all consultants,
executives, and government administrators seem to think is necessary
for security.

While they no doubt provide security in the right environment, they provide
very little in others if the only service they provide is network access
controls based simply on services and ports. I'm not interested in their
VPN and authentication functionality at this point. Some folks put up
networks to communicate in a wide variety of ways with a wide variety of
people...universities for example...rather than in narrowly defined, closed
communities. Their security policy expressly says that functionality,
flexibility, and communications are a high priority. Since a firewall only
enforces security policy, in that environment, network access controls based
on services and ports don't add much to the mix over packet filters.

I understand the responses about a blended strategy being necessary but,
as I said, I was focusing solely on firewall capabilities. If my budget is tight, I want to put my dollars where I get the most bang for the buck and address the greatest
number of vulnerabilities...not satisfy a checkoff sheet for a firewall that
will be configured to pass all ports and not be able to stop malicious traffic
traveling on those ports.

I'm very interested in the inline IDS products coming to market and am
watching closely. I made my present query partially because I'm giving
a presentation soon and was hoping to catch up on the firewall market and
get some leads to do further research for comparison purposes.

I'd seen that Checkpoint, Cisco, and some others had things in place to
block Code Red and Nimda. I was wondering if these were the
exception (both vendor wise and attack wise) or if more vendors'
"firewall" products had comprehensive capabilities to prevent network
access of attacks by recognizing higher layer content.

More comments inline:


> Personally, I am a Check Point fan. I admit and take full responsibility :-) Their product line is far more than a firewall. Thus, mitigation of the problems can be achieved using their different tools, all of which are centrally managed.
>
> For example:
>
> W1, W2 are controlled with their Smart Defense.

I ran across Smart Defense last summer. It looked like they were building
inline IDS functionality into their core firewall products. True?
Do you use it? How extensive and accurate are their rulesets? Can they
keep up with traffic with a full set of stock rules?

> U2, including the Slapper worm, can also be mitigated if you only allow SSLv3 based traffic to your servers. (requires some INSPECT work over tcp/443)

So it can't block the attack signature but it can block non-SSLv3 requests? If Smart Defense is what I think it is, I assume they'll update their signature list to block the attack itself.

> You skipped W4 which can be controlled using CIFS rules. In this way, only authenticated users can access defined network shares (so here goes W5 as well)

Do you mean users authenticated to the firewall or to the share? In either
case, this wouldn't help protect anonymous shares. (Not that we allow netbios
across our border anyway but just for argument :)



> They have code to check for the BIND vulnerability as well, etc.

As part of Smart Defense or part of some type of "state and protocol aware" upper
level inspection?


> In my opinion, as a SECURITY device they are the best. (Still, they can do more.)
>
> For the client side, it is possible to use the personal firewall and SCV checks. This verifies pre-defined rules; if they are not matched, the user will not be able to get into the VPN. A check can be to look for specific registry settings, or specific IE settings, etc.
>
> So, to make this short (unlike you, I'm lazy :-) In my opinion they cover about everything.


I appreciate your and everyone else's responses. The information you provided on Checkpoint's capabilities was exactly the type of information I was looking for. Any additional input that may arise due to my explaining the reasons for my question would also be greatly
appreciated.

Thanks again.



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
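An added example, not from the thread or from any vendor's product, of the distinction Gary draws above between network access control on services and ports and recognising higher-layer content. A port-only filter passes anything destined for tcp/80 or tcp/443; a content-aware check on the same two ports matches Code Red and Nimda-style HTTP requests and refuses SSLv2 client hellos on tcp/443, which is the "allow only SSLv3 based traffic" mitigation for Slapper mentioned in the quoted reply. The Packet class, PORT_ACL, the simplified signature patterns, and the sample packets are all mine and constructed for illustration; they are not a vendor ruleset or real captures.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Packet:
    """Just enough of a packet for this illustration: destination port and payload."""
    dst_port: int
    payload: bytes


# The only question a port/service ACL can ask is "which port?" (assumed policy).
PORT_ACL = {80, 443}


def port_filter(pkt: Packet) -> bool:
    """Plain packet-filter behaviour: allow anything to a permitted port."""
    return pkt.dst_port in PORT_ACL


# Constructed, simplified request patterns for the worms named in the thread.
# Illustrative only: Code Red hit /default.ida with a long run of N (X for
# Code Red II) to overflow the ISAPI filter; Nimda probed for root.exe/cmd.exe
# with a "?/c+dir" query string.
HTTP_SIGNATURES = {
    "code-red": re.compile(rb"^GET /default\.ida\?[NX]{100,}", re.I),
    "nimda":    re.compile(rb"(?:root\.exe|cmd\.exe)\?/c\+", re.I),
}


def classify_client_hello(payload: bytes) -> str:
    """Classify the first client record on tcp/443 as sslv2, sslv3, tls or unknown."""
    if len(payload) < 3:
        return "unknown"
    # SSLv2 record: 2-byte header with the high bit set, then msg type 1 = CLIENT-HELLO.
    if payload[0] & 0x80 and payload[2] == 0x01:
        return "sslv2"
    # SSLv3/TLS record: content type 0x16 (handshake), record version 0x03 0x0N.
    if payload[0] == 0x16 and payload[1] == 0x03:
        return "sslv3" if payload[2] == 0x00 else "tls"
    return "unknown"


def content_filter(pkt: Packet) -> Tuple[bool, str]:
    """Port check first, then protocol-aware inspection of the permitted ports."""
    if pkt.dst_port not in PORT_ACL:
        return False, "port not permitted"
    if pkt.dst_port == 80:
        for name, pattern in HTTP_SIGNATURES.items():
            if pattern.search(pkt.payload):
                return False, f"matched signature: {name}"
        return True, "http: no signature match"
    # tcp/443: enforce "SSLv3 or better only" on the first client record.
    kind = classify_client_hello(pkt.payload)
    if kind == "sslv2":
        return False, "SSLv2 client hello refused (SSLv3/TLS only)"
    if kind == "unknown":
        return False, "not an SSL/TLS handshake on 443"
    return True, f"{kind} client hello"


# Constructed sample traffic (not captures); record headers are hand-built.
SAMPLES = [
    Packet(80,  b"GET /index.html HTTP/1.0\r\nHost: www.example.edu\r\n\r\n"),
    Packet(80,  b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858%ucbd3 HTTP/1.0\r\n\r\n"),
    Packet(80,  b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n"),
    Packet(443, b"\x16\x03\x00\x00\x2b\x01\x00\x00\x27\x03\x00" + b"\x00" * 39),  # SSLv3 hello
    Packet(443, b"\x16\x03\x01\x00\x2b\x01\x00\x00\x27\x03\x01" + b"\x00" * 39),  # TLS 1.0 hello
    Packet(443, b"\x80\x2e\x01\x00\x02\x00\x15\x00\x00\x00\x10" + b"\x00" * 37),  # SSLv2 hello
    Packet(23,  b"\xff\xfd\x18"),                                                  # telnet
]


def compare(samples: List[Packet]) -> List[Tuple[bool, bool, str]]:
    """Return (port-ACL verdict, content-aware verdict, reason) for each sample."""
    return [(port_filter(p), *content_filter(p)) for p in samples]


if __name__ == "__main__":
    for pkt, (port_ok, content_ok, why) in zip(SAMPLES, compare(SAMPLES)):
        print(f"port {pkt.dst_port:<3} port-ACL={'pass' if port_ok else 'drop':4} "
              f"content-aware={'pass' if content_ok else 'drop':4} ({why})")
```

Running it shows the point of the thread: the port ACL passes the Code Red, Nimda and SSLv2 samples exactly as it passes the legitimate ones, and only the content-aware path separates them. Two caveats a practitioner would want: the classifier only looks at the first client record, so it is a policy check on the handshake rather than an exploit signature, and clients of that era commonly sent SSLv2-compatible hellos to negotiate SSLv3/TLS, so refusing every v2 hello also turns those clients away.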

