Firewall Wizards mailing list archives

Re: Evolution of Firewalls


From: Chris Blask <blask () protegonetworks com>
Date: Mon, 08 Mar 2004 18:48:22 -0800

At 08:48 PM 3/7/2004 -0500, Frederick M Avolio wrote:
> At 11:56 PM 3/4/2004 +0800, skpoo () pacific net sg wrote:
>> ... Our team is currently debating if Stateful Deep Inspection firewall is going be the new technology to replace the Application Proxies firewall which deem to be most secure currently. ...
>
> At the risk of being obvious -- or worse, being called a dinosaur :-), it depends. Do you care more about usability or security? When push comes to shove is it more important to never stop a connection at the risk of the possibility of something bad slipping through? It really is as simple as that. I tell people in one of my classes, you hear about it if you misconfigure your firewall to reject a required action, but will rarely hear about it if you allow too much through. (I stated it as "You always hear about conservative errors but rarely about liberal ones," but that could be taken wrong nowadays.)

You just can't go there without bringing up the whole soup-to-nuts usability debate, really (or maybe that's just me... ;-).

Sure, it is in fact the balance between usability and security. Some situations are so sensitive that Draconian security measures are the only reasonable course. But Draconian by definition is what people will put up with only under the clearest and most pressing threat and won't put up with in normal daily life. Firewalls that stop too many connections incorrectly are Bad Firewalls ("lay down! Bad Firewall!") outside the Draconian dictionary. Form must follow Function, and any potential Form whose pointy bits don't fit inside the silhouette of needs thrown by the Function of the user community will rightly have those bits lopped off.

In a perfect world there are today firewalls that sit on wires like the ultimate polyglots and fluently speak all the languages of the net - from the chittering of the lowliest schoolkid's applet to the oceanic baritone moans of the Great Legacy Apps lurking in the murky canyons of New York and Hong Kong - and reassemble the variant conversations in all their mosaic splendor, in realtime, while keeping perfect notes. In this world there are also fully integrated policy implementation and management tools, and most surprising of all there are humans who thoughtfully create, maintain and use those policies.

Here on Earth we struggle to attain those heights. A firewall should be developed to be as aware of the world around it as possible given the technical restraints of the hardware and software (read, "developer-hours") it's built out of and that are available to install and use it, but at the end of the day there are almost always more things being said than there is hardware and software to decode it all in full context as it passes a single point on a network.

You can look at network security as a purely defensive military problem. In this model, Firewalls are essentially your Border Stations. To really follow the analogy, road crossings inside your borders (routers, switches) are also similar points (latent firewalls?), where you choose to enforce a level of security or not, based on the process of your community.

Were you to be in charge of designing a Border Station, you should take your job so (*&^ing seriously that the mere idea of anything being able to penetrate that process and cause damage to the members of your community is offensive to you on a personal level. Border Station designers will have a natural tendency towards suggesting that an ideal Border Station should cover 500 acres and consume all material and manpower in a thousand-mile radius to build and support. For people who build firewalls, that is a healthy attitude to take to work every day.

Networks, however, are communities. In a community, if the method of defense does not fit the behavior patterns of the community, the community will either not have effective defense or the community will change (not often for the good, imo) to fit the defense structure. The choice the entire network-using community makes every day is that we will not dedicate the resources necessary to have absolutely perfect Border Stations (if, in fact, the task was truly achievable at any cost). Border security simply has to excel at its task given the circumstances and work with the rest of the security process and infrastructure to keep the community safe and whole. Kinda maps onto the choices we make in physical defense as well, oddly enough (anyone want to pay the taxes to support opening every container that enters your national boundaries?).

Survey says, so far, that while you can and should apply all of the Application Awareness possible at the Edge, your resources will run out before you finish. I recall hacking a doc with the R.H. Mr. Avolio at TIS Before the Fall, explaining why Proxies were so much better than Stateful Packet Filters, and even as we typed TIS was adding "Adaptive Proxies" (was that the name?) to Gauntlet - Stateful gates for apps TIS couldn't write proxies fast enough to support. I don't see how it's gotten any easier since to track all possible apps, versions and implementations and write custom proxies for each one, whether those proxies Deeply reassemble messages or not.

To achieve relative Security Nirvana (from the perspective of where we stand now), we need each defense component to excel at its task in the context of its real operating environment; aggregate solutions to end-point weakness need to reduce the size of the endpoint problem; and the old rant of policy and coordination needs to be made executable.

So, Kang...

For my opinion, Deep Inspection sounds neat, but at least read the label and Use As Recommended. I'm sure there are bright folks developing code for those products and they are trying to address a real concern, so maybe there is benefit for your situation. While firewalls are and will continue to evolve, I doubt we'll ever have fully application aware firewalls for everything - and firewalls are only so much of the solution, anyway - so I'd suggest you spend at least as much time and effort securing your hosts and coordinating your network devices to support your policy regardless of what you do at the edge.

Enough mixed metaphors for one night.

-woof

-chris


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards