Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 27 Nov 2007 09:52:19 -0500
> But you can achieve that with nothing more than a "firewall router." My good ol' Livingston IRX-211 can do that. Even my (relatively) inexpensive Netopia DSL routers can do that. That was Marcus' point.
I took Marcus' point to be that a state table is a relatively simple mechanism and not worth much more than router access lists (which are not typically stateful). To be clear, I'm not talking about hardware at all here. A stateful firewall is anything that tracks TCP sessions in conjunction with layer-3 ACLs. So if you can do it with a router or a Linux box instead of an expensive appliance, it's still a stateful firewall for the purpose of this conversation.
> What you're telling me is that, if I don't want to go to the effort, intellectually, time-wise and financially, to obtain and install a proxying firewall, I need not bother with a firewall at all. What you're telling me is just skip the firewall entirely, and put together a comprehensive set of "firewall router" packet filtering rules. Right?
Not at all. My point is that the convenience of state tracking firewalls translates directly into savings for the companies that use them. Because without it, you must document and enforce policy for traffic on your network in both directions. State tables allow your firewall to have a deny-all default inbound policy and an allow-all default outbound policy. They allow you to assume that the Internet cannot be trusted and that your internal network can be. Of course these are flawed assumptions. Of course this still leaves the network exposed in some ways and allows things like bot C&C channels to be whatever the malware authors want because it will be allowed by most firewalls. But, the typical stateful firewall can quickly and easily reduce network attack surface to the Internet with relatively little design or planning. And that is, in my opinion, more than "a placebo."

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Firewalls that generate new packets.., (continued)
- Re: Firewalls that generate new packets.. Bill McGee (bam) (Nov 25)
- Re: Firewalls that generate new packets.. Paul D. Robertson (Nov 25)
- Re: Firewalls that generate new packets.. Marcus J. Ranum (Nov 25)
- Re: Firewalls that generate new packets.. Marcin Antkiewicz (Nov 26)
- Re: Firewalls that generate new packets.. Paul Melson (Nov 26)
- Re: Firewalls that generate new packets.. Jim Seymour (Nov 26)
- Re: Firewalls that generate new packets.. Marcus J. Ranum (Nov 26)
- Re: Firewalls that generate new packets.. Jim Seymour (Nov 26)
- Re: Firewalls that generate new packets.. Darren Reed (Nov 28)
- Re: Firewalls that generate new packets.. Marcus J. Ranum (Nov 28)
- Re: Firewalls that generate new packets.. Paul D. Robertson (Nov 25)
- Re: Firewalls that generate new packets.. Paul Melson (Nov 27)
- Re: Firewalls that generate new packets.. Marcus J. Ranum (Nov 27)
- Re: Firewalls that generate new packets.. Darden, Patrick S. (Nov 27)
- Re: Firewalls that generate new packets.. Marcus J. Ranum (Nov 27)
- Re: Firewalls that generate new packets.. Darren Reed (Nov 27)
- Re: Firewalls that generate new packets.. Darden, Patrick S. (Nov 28)
- Re: Firewalls that generate new packets.. Jerry B. Altzman (Nov 28)
- Re: Firewalls that generate new packets.. Marcus J. Ranum (Nov 28)
- Re: Firewalls that generate new packets.. Darren Reed (Nov 28)
- ***SPAM*** Re: Firewalls that generate new packets.. Dave Piscitello (Nov 28)
- Re: Firewalls that generate new packets.. Darden, Patrick S. (Nov 29)
- Re: Firewalls that generate new packets.. Bill McGee (bam) (Nov 25)