Firewall Wizards mailing list archives

Re: Firewalls that generate new packets..


From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 27 Nov 2007 09:52:19 -0500

But you can achieve that with nothing more than a "firewall router." My good ol' Livingston IRX-211 can do that.  Even my (relatively) inexpensive Netopia DSL routers can do that.  That was Marcus' point.

I took Marcus' point to be that a state table is a relatively simple
mechanism and not worth much more than router access lists (which are not
typically stateful).  To be clear, I'm not talking about hardware at all
here.  A stateful firewall is anything that tracks TCP sessions in
conjunction with layer-3 ACLs.  So if you can do it with a router or a Linux
box instead of an expensive appliance, it's still a stateful firewall for
the purpose of this conversation.


What you're telling me is that, if I don't want to go to the effort, intellectually, time-wise and financially, to obtain and install a proxying firewall, I need not bother with a firewall at all.  What you're telling me is just skip the firewall entirely, and put together a comprehensive set of "firewall router" packet filtering rules.

Right?

Not at all.  My point is that the convenience of state tracking firewalls
translates directly into savings for the companies that use them.  Because
without it, you must document and enforce policy for traffic on your network
in both directions.  State tables allow your firewall to have a deny-all
default inbound policy and an allow-all default outbound policy.  They allow
you to assume that the Internet cannot be trusted and that your internal
network can be.  

Of course these are flawed assumptions.  Of course this still leaves the
network exposed in some ways and allows things like bot C&C channels to be
whatever the malware authors want because it will be allowed by most
firewalls.  But, the typical stateful firewall can quickly and easily reduce
network attack surface to the Internet with relatively little design or
planning.  And that is, in my opinion, more than "a placebo."


PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
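The deny-all-inbound / allow-all-outbound policy Paul describes, and his caveat about outbound bot C&C, modelled as an added example (not code from the thread): a router-style ACL that judges each packet on its own header next to a firewall that keeps a TCP state table, both run over the same constructed traffic. Addresses, ports, the flag notation and the packet sequence are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from the Internet, "out" = leaving the internal net
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters, e.g. "S", "SA", "A"

class StatelessAcl:
    """Router-style access list: each packet is judged on its own header.
    Inbound replies can only be admitted by a rule that trusts the ACK/RST
    bits (the 'established' keyword on many routers), so the router never
    knows whether a session was really opened from inside."""
    def allow(self, p: Packet) -> bool:
        if p.direction == "out":
            return True                               # allow-all outbound
        return "A" in p.flags or "R" in p.flags       # 'established' rule

class StatefulFirewall:
    """State table: record sessions opened from inside and admit only their
    return traffic. Deny-all inbound, allow-all outbound by default."""
    def __init__(self) -> None:
        self.table = set()                            # (src, sport, dst, dport)
    def allow(self, p: Packet) -> bool:
        if p.direction == "out":
            if p.flags == "S":                        # new session from inside
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return True
        # inbound: must match a tracked session, with the 4-tuple reversed
        return (p.dst, p.dport, p.src, p.sport) in self.table

# Constructed traffic sample (addresses taken from documentation ranges)
TRAFFIC = [
    Packet("out", "10.0.0.5", 40000, "203.0.113.10", 80, "S"),    # user opens a web page
    Packet("in", "203.0.113.10", 80, "10.0.0.5", 40000, "SA"),    # server's reply
    Packet("in", "198.51.100.7", 4444, "10.0.0.5", 22, "S"),      # unsolicited SYN to SSH
    Packet("in", "198.51.100.7", 4444, "10.0.0.5", 22, "A"),      # unsolicited ACK-only packet
    Packet("out", "10.0.0.9", 50000, "198.51.100.7", 6667, "S"),  # bot dialing out to C&C
]

def evaluate(fw, traffic=TRAFFIC) -> list:
    return [fw.allow(p) for p in traffic]

def compare() -> dict:
    return {"stateless": evaluate(StatelessAcl()),
            "stateful": evaluate(StatefulFirewall())}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, ["allow" if v else "deny" for v in verdicts])
```

Only the fourth packet separates the two: the stateless "established" rule passes any inbound packet with ACK set, while the state table rejects it because no internal host opened that session; both pass the outbound C&C connection, which is the exposure Paul concedes.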
