RE: Firewalls v. Router ACLs

["Ben Nagy" <ben () iagu net>]

My rambling inline. 

> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com 
> [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
> Of WhiteHat () btclick com
[...]
> I currently work for a department in a large company. Our 
> department has always used firewalls (CheckPoint on Nokia) to 
> protect our part of the network from network worms and other 
> 'nasty stuff' on the rest of the network. [...]
>
> We are now being pressurised to remove the firewalls by the 
> rest of the company. 
[...]
> In particular, I am concerned about:
> - performance - will the routers be able to manage this as 
> they are designed to route traffic, not stop it?

An appropriately sized router will not have any performance problems. If I
were a betting man, I would probably back a router against a firewall to
discard traffic based on simple, stateless criteria (eg drop all
135,137,138,139 entering or leaving the network).

> - logging - what would be the best way to consolidate the 
> router logs for analysis etc.?

Tricky. Firewalls have a big advantage here, although it's all possible in
the end. Personally, however, I question the true value of those router
logs.

There are lots of guys on the list that know an awful lot about secure and
reliable log consolidation and analysis for both routers and firewalls, so
I'm not going to expound here.

> - incident management - if a router is being hammered by a 
> network worm (e.g. 
> MSBlaster/LovSan), how easy will it be to manage to make any 
> emergency changes necessary? Won't it be so busy dropping 
> packets it becomes impossible to make the change?

Not unless it's badly configured or under-specified. I've never seen simple
packet discarding or routes to null0 cause a 'decent' router any problems -
keeping state excepted. YMMV if you're routing lots of gigabits of traffic.
At worst, the console will probably stay alive. I've seen nice solutions
using dedicated management VLANs and multi-port serial routers to manage
core equipment via the console for security and reliability.

> - future capability - I see the AI-type technologies evolving 
> in firewalls as providing a useful IPS-type functionality in 
> the future.

I don't. IMO the protection will move host-based - it really has to. My
cracked crystal ball says that firewalls get dumber, not smarter, in the
future. They're already too damn smart for their own good, IMHO.

There are some REALLY interesting ideas that are lurking around here...

> This will allow more open rule sets but automated 
> protection if things go wrong. Has anyone successfully 
> implemented this yet? Can this be enough justification to 
> keep the firewalls?

Well all the firewall companies can see the recent spate of worms, and I'm
sure that they understand that the model isn't working. Hell, we've been
whining about it for as long as I can remember. There is still a lot of
stuff that firewalls are good for, and being a real point of control between
networks with different security levels is one of those things.

However, if you're talking about adding a level of defence in depth by
killing certain kinds of known-bad traffic in a 'coarse filter' approach at
the network layer then my personal opinion is that the router is a good
place to do that. The switch is better still. The NIC....well that gets
trickier. Maybe we could embed some sort of ASIC in the CAT-6 RJ-45
connector.... :)

Anyway, there's lots of depth here, and I look forward to seeing what people
think.

Cheers,

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards