nanog mailing list archives

Re: Firewall opinions wanted please


From: Rachael Treu <rara () navigo com>
Date: Wed, 17 Mar 2004 16:04:33 -0600


On Wed, Mar 17, 2004 at 09:48:30AM -0800, Kevin Oberman said something to the effect of:
..snip snip..
> I dislike firewalls for many applications, although I have a Sonic Wall
> on my cable modem. On the whole, they lead to the false belief that
> firewalls really make you safe. They also block many interesting
> applications. Things like H.323 conferencing are made vastly more
> complex by firewalls with no easy or canned work-arounds.

H.323 is its own complex, unwieldy mutant (though a lovely one at that),
and it is unfair to throw the baby out with the bathwater in that case.
Something like saying that it's rough to configure MPLS on your cable modem
at home so we should do away with those.

Configured properly, firewalls handle H.323 just fine.

As for false beliefs...

Seat belts aren't guaranteed to save your life if you wrap your car around
a tree, but they improve the chances that you won't pierce the windshield
with your face.

That lid on your coffee cup has a hole in it so you can drink out of it, 
but that can spill, too..  Still...which way would you rather have 
that cup--lidded or lidless-- when it goes flying out of your cupholder
and into your lap?  

A stoplight doesn't actually physically stop traffic.  Having a green
light in your direction doesn't actually guarantee that the intersecting 
traffic won't plow into you.

Sometimes parachutes don't open properly, but can you imagine if people
gave up skydiving altogether, or skydived without them, refusing to be
lulled into a false sense of safety?

Hrm.

This now becomes an issue of adequate education and precaution.  It's not 
the fault of the technology if its users are ill-informed...

> One large research site I work closely with has directly opted for IDS
> with a bad attitude (love that description) which has successfully
> blocked many intrusion and DOS attempts with no major failures. Slammer
> did overwhelm it, but it did the same for most everything.

IDS that reacts is, by classical definition, firewalling.  The IDS component
merely detects the anomaly.  To react is a firewall function.

Does IDS not smack of that false sense of security you mentioned?  If 
admins refuse to acknowledge attack conditions because the IDS didn't 
squawk, does that guarantee that the network is totally peaceful?

> The end-to-end nature of the net is really, really important, but is
> being blocked more and more by those who think the net is web browsing
> and e-mail clients and that everything else is simply an annoyance. This
> attitude is hamstringing network development already and may end up
> turning the commercial Internet into a permanently limited tool with
> fewer real capabilities than the ARPANET had before TCP/IP replaced NCP.

This is a very valid concern.  Unfortunately, aside from those in pure
academia, this is the bread and butter for most of us.  The HTML-for-the-masses
and email-happy vox populi are the ones subscribing to providers and 
buying bandwidth that we are trying to enable.

> Grandma may need a firewall. (My sister DEFINITELY needs one.)  But not
> all network connections need or will benefit from a firewall. And many
> systems will exist with significant security flaws because the owners
> believe that the firewall takes care of everything.

As do many owners that believe their Microsoft boxes do everything.
Or nothing.  Or that nothing needs to be done to their MS boxes...

*,
--ra
-- 
k. rachael treu, CISSP       rara () navigo com
..quis custodiet ipsos custodes?..

> --
> R. Kevin Oberman, Network Engineer
> Energy Sciences Network (ESnet)
> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
> E-mail: oberman () es net                     Phone: +1 510 486-8634
