Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: Marcin Antkiewicz <firewallwizards () kajtek org>
Date: Sun, 25 Nov 2007 22:38:29 -0600 (CST)
> Isn't that kind of amazing? People look at these "stateful firewalls" as if they're somehow doing something IMPORTANT but they're basically a router with "established" and a kind of "synthetic established" for UDP. People, that's barely a security device at all - 99% of what you're getting is the "firewall" sticker on the front.
In practice, most people have a stateful firewall because they have to - if they did not, their vulnerability assessments/pentesting/other reports would come with a "High" in one column and "replace with a stateful firewall" in the other. Not to bash state checking (OpenBSD pf, defense in depth), but that seems to be the reason. Same with anti-spoofing, filtering bogons, and using IP stacks with cryptographically secure IP IDs/TCP sequence numbers.
> Security is such a disaster because we're fighting and losing a battle with software complexity and extravagantly stupid software specifications. Firewalls, rather than acting as bastions against the complexity, have "adapted" by succumbing to that complexity themselves.
Like using "session" and "user" authentication in place of actual access controls, allowing use of crypto tokens with no PINs (or PINs written on the devices) for the managers, inability to differentiate a corporate laptop from a vendor laptop (except for noting that a Dell is not an HP). When security went mainstream and IT Sec folks were invited into the board meeting, they showed up without a business case (not enough PowerPoint, wrong language, _something_ went wrong). Now there is another chance to fix it, this time by using lessons learned. Well, there can be no lessons without textbook materials, but good universally known security cases and security metrics are... few. The good news is that Web 2.0 mashups will take care of it all.

--
Marcin Antkiewicz

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
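An added illustration of the distinction argued over above, not code from the thread: a router-style "established" rule that matches only on the TCP ACK bit, next to a minimal state table that remembers outbound connections and keeps a synthetic, time-limited entry for UDP. The packet tuples, addresses and timeout values are constructed for this example.

```python
# Added example: stateless "established" matching versus a state table.
# Packets are plain dicts; every value below is constructed for illustration.

def established_acl(pkt):
    """Router-style rule: allow inbound TCP if the ACK flag is set.
    There is no memory of prior traffic, so any packet that merely sets
    ACK is accepted, whether or not a connection ever existed."""
    return pkt["proto"] == "tcp" and "ACK" in pkt["flags"]


class StateTable:
    """Minimal connection tracker: outbound packets create entries and
    inbound packets are allowed only if they match one. UDP has no
    handshake, so it gets a synthetic entry that expires after
    `udp_timeout` seconds (the "synthetic established" for UDP)."""

    def __init__(self, udp_timeout=30.0):
        self.udp_timeout = udp_timeout
        self.entries = {}  # 5-tuple -> expiry time (None = no timeout in this model)

    @staticmethod
    def _key(pkt):
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    def outbound(self, pkt, now):
        """Record state for traffic leaving the protected side."""
        # TCP state begins only with a bare SYN; UDP always gets synthetic state.
        if pkt["proto"] == "tcp" and pkt["flags"] != {"SYN"}:
            return
        expiry = now + self.udp_timeout if pkt["proto"] == "udp" else None
        self.entries[self._key(pkt)] = expiry

    def inbound_allowed(self, pkt, now):
        """Allow an inbound packet only as the reply to a tracked outbound one."""
        # Reverse the 5-tuple: the reply's source is our original destination.
        key = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if key not in self.entries:
            return False
        expiry = self.entries[key]
        if expiry is not None and now > expiry:
            del self.entries[key]  # UDP pseudo-state has aged out
            return False
        return True
```

The same unsolicited ACK packet passes the stateless rule but not the state table, which is the whole of the difference the thread is weighing.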