Re: I don't need no stinking firewall!

[harbor235 <harbor235 () gmail com>]

> > Other security features in an Enterprise Class firewall;
> >    -Inside source based NAT, reinforces secure traffic flow by allowing
> outside to inside flows based on
> > configured translations and allowed security policies
>
> Terrible from an availability perspective, troubleshooting perspective,
> too.  Just dumb, dumb, dumb - NATed servers fall over at the drop of a hat
> due to the NAT device choking.

> > > How is that possible with inside source NATing? You must mean a
misconfigured
> > > outside source NATing

> >    -TCP sequence number randomization (to prevent TCP seq number
> guessing)


> Server IP stack does this itself just fine.

> > > What server randomizes TCP sequence numbers? servers randomize
initial       >>> sequence numbers!, regardless, the FW will accept and
randomize again making
> > > sure the endpoints get the correct TCP seq numbers, again more secure


> >    -Intrusion Detection and Prevention (subset of most common signatures)
> >        recognize scanning attempts and mitigate
> >        recognize common attacks and mitigate
>
> Snake-oil.

> > > Preventing attacks on internal networks or servers, snake oil, LOL
> > > FWs typically offer a subset of potential IDS signatures, dedicated
appliances
> > > or systems offer a higher level of prevention

> >    -Deep packet inspection (application aware inspection for common
> network services)
>
> Terrible from an availability perspective, snake-oil.

> > > Inspecting application header and data, it will identify/prevent some
application >>>attacks? how does that reduce availability?

> >    - Policy based tools for custom traffic classification and filtering
>
> Can be done statelessly, no firewall required.

> > > True, never said this was done statefully, what device are you using to
perform >>>this function?
> > > no firewall required, but part of distributed defense in depth strategy and
can be >>>done by a firewall , again a secure architecture is the goal not
just a firewall

> >    -Layer 3 segmentation (creates inspection and enforcement points)
>
> Doesn't require a firewall.

> > > No, but segmentation and multiple security enforcements points are
essential for >>> a secure architecture,

> >    -Full/Partial Proxy services with authentication
>
> If needed, can be better handled by transparent reverse-proxy farms; auth
> handled on the servers themselves.

> > > The servers are doing everything in your model, must be quite some
servers, are >>>we talking firewalls in general of are we talking
datacenter, all companies do not >>>have access to reverse-proxy farms

> >    - Alarm/Logging capabilities providing info on potential attacks
> >    -etc ......
>
> NetFlow from the network infrastructure, the OS/apps/services on the server
> itself do this, etc.

> > > not the same thing , you will need to analyze the data, Netflow does not
perform >>> data analysis, you will need to develop/buy something else for
that

> > Statefull inspection further enhances the security capabilities of a
> firewall.
>
> No, it doesn't, not in front of servers where there's no state to inspect,
> in the first place, given that every incoming packet is unsolicited.

> > >  every packet is not unsolicited, webserver to database request ? DB
synch >>>between datacenters, administration, remote services,  etc ,,,
there is no state for >>>the services you are serving, true, but what about
the rest of the  network services >>>potentially available and their
exploits?

> > You may choose not to use a firewall or implement a sound security
> posture utilizing the "Defense in Depth" philosophy, however you chances of
> being compromised are dramatically increased.
>
> Choosing not to make the mistake of putting a useless, counterproductive
> firewall in front of a server doesn't mean one isn't employing a sound,
> multi-faceted opsec strategy.

> > > didn't say it did, I stated several times that a secure architecture
should be the >>>goal not just adding a FW, did you fail to read or respond
to that part?

> I know that all the firewall propaganda denoted above is repeated
> endlessly, ad nauseam, in the Confused Information Systems Security
> Professional self-study comic books, but I've found that a bit of real-world
> operational experience serves as a wonderful antidote, heh.

> > > Again, a firewall has it's place just like any other device in the
network, defense in >>> depth is a prudent philosophy to reduce the chances
of compromise, it does not >>>eliminate it nor does any architecture you can
think of, period

> mike
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>
>
>    Injustice is relatively easy to bear; what stings is justice.
>
>                        -- H.L. Mencken