Firewall Wizards mailing list archives

Re: Protecting a datacentre with a firewall


From: Chuck Swiger <chuck () codefab com>
Date: Sun, 04 May 2003 11:44:21 -0400

mag wrote:
[ ... ]
> I was telling the truth.  We have found no useable firewalls
> on the market, so we had to develop one.

If you've created something that suits your needs well, congratulations. Perhaps you do indeed have the most useable product for your situation.

However, I suspect that your definition of "useable" doesn't resemble that of the majority of people who believe they've already got a useable firewall. Furthermore, generalizing from "best for your specific situation" to "best for all situations" is quite a stretch.

> Just check what you can do with Zorp -even with the GPL version-,
> and other firewalls.  I'm sorry for being ahead of the state of the art.

I thought we were talking about firewalls, not people? By any chance, does Zorp resemble the "Pick Database and Operating System"? :-)

[ ... ]
> You are successful when you are able to withstand attacks, not when
> you are able to get the traffic through. Thank you, I know how the
> average firewall admin responds to problems which cannot be solved
> with his firewall. Opens everything. I have seen lots of setups of
> this kind.

I've got two "perfect" firewall products for sale: #1, a firewall which blocks all attacks, but also drops some (or all) legitimate traffic; and #2, a firewall which permits all legitimate traffic, but may also fail to block some (or all) attacks.

Which product would you prefer, and why? Is it at all reasonable for other people to have other requirements and choose differently?

Yes, suggesting to a firewall manufacturer that their expensive product is less suitable for some situations than a pair of wirecutters (or a cat-5 cable or n-port switch, respectively) is sort of like counting slowly to your computer. On the other hand, people who talk about magic air-gap firewalls _deserve_ to have their products compared with what a client would obtain by simply cutting network cables.

And yes, I'm aware that my "perfect" firewall products have as little to do with network safety and "best firewall security practices" as replacing a fuse with a quarter-- or pulling the fuse and disconnecting the power-- does with proper electrical safety. Pity that there are more than a few firewall and security products that resemble a quarter more than they resemble a fuse.

        --

And let's raise the bar a little and see how many firewall vendors handle bogus netblocks properly. There's a nice resource here: http://www.cymru.com/Bogons/index.html, which says:

| How much does it help to filter the bogons?  In one study conducted by
| Rob Thomas of a frequently attacked site, fully 60% of the naughty
| packets were obvious bogons (e.g. 127.1.2.3, 0.5.4.3, etc.).

Does Zorp know about and filter these properly?  Does Cisco's PIX?

I've been blocking many of them already, but here's my updated set of IPFW2 rules, with RFC-1918, autoconf, and multicast addresses commented out. I'm doing NAT or divert sockets in some cases and have per-interface directional rules, but season to taste:

####
# Stop other bogus networks (often used by DDoS attacks)

add deny log all from 0.0.0.0/7 to any
add deny log all from 2.0.0.0/8 to any
add deny log all from 5.0.0.0/8 to any
add deny log all from 7.0.0.0/8 to any
#add deny log all from 10.0.0.0/8 to any
add deny log all from 23.0.0.0/8 to any
add deny log all from 27.0.0.0/8 to any
add deny log all from 31.0.0.0/8 to any
add deny log all from 36.0.0.0/7 to any
add deny log all from 39.0.0.0/8 to any
add deny log all from 41.0.0.0/8 to any
add deny log all from 42.0.0.0/8 to any
add deny log all from 49.0.0.0/8 to any
add deny log all from 50.0.0.0/8 to any
add deny log all from 58.0.0.0/7 to any
add deny log all from 70.0.0.0/7 to any
add deny log all from 72.0.0.0/5 to any
add deny log all from 83.0.0.0/8 to any
add deny log all from 84.0.0.0/6 to any
add deny log all from 88.0.0.0/5 to any
add deny log all from 96.0.0.0/3 to any
#add deny log all from 169.254.0.0/16 to any
#add deny log all from 172.16.0.0/12 to any
add deny log all from 173.0.0.0/8 to any
add deny log all from 174.0.0.0/7 to any
add deny log all from 176.0.0.0/5 to any
add deny log all from 184.0.0.0/6 to any
add deny log all from 189.0.0.0/8 to any
add deny log all from 190.0.0.0/8 to any
add deny log all from 192.0.2.0/24 to any
#add deny log all from 192.168.0.0/16 to any
add deny log all from 197.0.0.0/8 to any
add deny log all from 198.18.0.0/15 to any
add deny log all from 223.0.0.0/8 to any
#add deny log all from 224.0.0.0/3 to any

--
-Chuck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards