Firewall Wizards mailing list archives

Re: Firewalls that generate new packets..


From: Marcin Antkiewicz <firewallwizards () kajtek org>
Date: Sun, 25 Nov 2007 22:38:29 -0600 (CST)

Isn't that kind of amazing? People look at these "stateful firewalls" as
if they're somehow doing something IMPORTANT but they're basically
a router with "established" and a kind of "synthetic established" for UDP.
People, that's barely a security device at all - 99% of what you're
getting is the "firewall" sticker on the front.

In practice, most people have a stateful firewall because they have to - if 
they did not, their vulnerability assessments/pentesting/other reports 
would come with a "High" in one column, and "replace with a stateful 
firewall" in the other. Not to bash state checking (OpenBSD pf, defense in 
depth), but that seems to be the reason. Same with anti-spoofing, 
filtering bogons, and using IP stacks with cryptographically secure IP 
IDs/TCP sequence numbers.

Security is such a disaster because we're fighting and losing
a battle with software complexity and extravagantly stupid
software specifications. Firewalls, rather than acting as bastions
against the complexity, have "adapted" by succumbing to
that complexity themselves.

Like using "session" and "user" authentication in place of actual access 
controls, allowing use of crypto tokens with no PINs (or PINs written on 
the devices) for the managers, inability to differentiate a corporate laptop 
from a vendor laptop (except for noting that a Dell is not an HP).

When security went mainstream, IT Sec folks were invited into the
board meeting, but they showed up without a business case (not enough 
PowerPoint, wrong language, _something_ went wrong).

Now there is another chance to fix it, this time by using lessons 
learned. Well, there can be no lessons without textbook materials, but 
good universally known security cases and security metrics are... few.

The good news is that Web 2.0 mashups will take care of it all.

--
Marcin Antkiewicz
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
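The "established" behaviour for TCP, the "synthetic established" for UDP, and the anti-spoofing and bogon filtering mentioned in the reply, shown as an added OpenBSD pf ruleset constructed for this page (not code from the list post); the interface names em0/em1 and the short bogon list are assumptions.

```pf
# Constructed example pf.conf; interfaces and bogon list are assumptions.
ext_if = "em0"
int_if = "em1"

# Constructed, deliberately short bogon table: reserved ranges that should
# never appear as source addresses on packets arriving from the Internet.
table <bogons> persist { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, \
                         169.254.0.0/16, 172.16.0.0/12, \
                         192.168.0.0/16, 224.0.0.0/3 }

# Options must precede rules. Keep the UDP pseudo-state short-lived so
# stale entries do not linger after a one-shot exchange such as DNS.
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set skip on lo0

# Normalisation: reassemble fragments before rules see them.
scrub in all

# Default deny, logged to pflog so drops are visible for detection.
block log all

# Anti-spoofing: drop packets whose source claims to be on one of our own
# networks but that arrive on the wrong interface.
antispoof quick for { $ext_if, $int_if }

# Bogon filtering on the outside interface.
block drop in quick on $ext_if from <bogons> to any

# Let inside hosts start conversations; state is created here.
pass in quick on $int_if from $int_if:network to any keep state

# The "established" part: only an initial SYN from inside creates state,
# and only matching return traffic is let back in. modulate state also
# rewrites initial sequence numbers, which helps when hosts behind the
# firewall lack unpredictable TCP sequence numbers.
pass out quick on $ext_if proto tcp from $int_if:network to any \
    flags S/SA modulate state

# The "synthetic established" for UDP: no handshake exists, so pf simply
# remembers the 4-tuple and admits replies until the timeout above expires.
pass out quick on $ext_if proto udp from $int_if:network to any keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f`; inspect the resulting state table with `pfctl -ss` to see the TCP and UDP entries described above.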