Firewall opinions wanted please

Alexei Roudnev alex at relcom.net
Thu Mar 18 20:26:27 UTC 2004


>
> > Firewall protects other services from outside access.
>
> A good firewall *should* be doing a whole lot more than that. It should
Do not overestimate. A firewall can do a little more than just restrict
access and inspect a few (very limited) protocols.
It can not protect you from slow scans; it can not protect you from SSL /
SSH / (any other encrypted protocol) vulnerabilities,
it can not protect your users from viruses in e-mail, etc etc. A proxy
firewall (a device which terminates _ALL_ protocols) can
help in some cases (management access to your network by ssh) but can not
with others (SSL site hosting, for example).

> also be giving you a good level of detail about what crosses your
A very good level of detail - 200 Mb of daily logs (IP, IP protocol = https).
Any network statistics system can do it. Unfortunately, all these logs are
99% useless until you need forensics.

> perimeter. It should also be doing some level of content checking to
In reality, I can count all the useful things a firewall can do. I can not count
(it is infinite) the number of things it can not do.

In real life, protocol inspection is useful for SMTP and DNS. Sometimes, for
http (but not https), SIP, and a few other _open_ protocols. That's all.
Sometimes, it can recognize unusual behaviour of _your_ server and notify
you (esp. if you maintain _default deny_ for some protocols).

You are right about _checking outbound connections_ - a firewall can help, if
properly configured. Unfortunately, you can spend days configuring your
home firewall for outbound connections, even if you maintain a proxy. I do
not think that you will do it for grandma...

You are right about the possibility of weaknesses in some PNAT devices. There is
a very big potential for problems / holes here. I'd like to see the tests
you are talking about (security tests for PNAT devices).
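The "recognize unusual behaviour of _your_ server" point above, as an added example that is not from the poster: a small Python check that reads iptables-style LOG lines (the sample lines are constructed, and the rule names OUT-ACCEPT/OUT-DROP and the per-server allow-list POLICY are assumptions) and reports outbound connection attempts that fall outside a default-deny allow-list.

```python
import re
from collections import Counter

# Constructed sample of iptables-style LOG lines for traffic leaving the server
# segment (not real logs). Rule names OUT-ACCEPT / OUT-DROP are assumed.
SAMPLE_LOG = """\
Mar 18 20:26:27 fw kernel: OUT-ACCEPT IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=44123 DPT=25
Mar 18 20:26:28 fw kernel: OUT-ACCEPT IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.53 PROTO=UDP SPT=51000 DPT=53
Mar 18 20:26:29 fw kernel: OUT-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=44124 DPT=6667
Mar 18 20:26:30 fw kernel: OUT-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=44125 DPT=6667
Mar 18 20:26:31 fw kernel: OUT-ACCEPT IN= OUT=eth0 SRC=10.0.0.8 DST=198.51.100.7 PROTO=TCP SPT=50001 DPT=443
Mar 18 20:26:32 fw kernel: OUT-ACCEPT IN= OUT=eth0 SRC=10.0.0.8 DST=198.51.100.7 PROTO=TCP SPT=50002 DPT=80
"""

# Hypothetical outbound allow-list per server: the (protocol, destination port)
# pairs each host is expected to initiate. Anything else is "unusual behaviour".
POLICY = {
    "10.0.0.5": {("TCP", 25), ("UDP", 53)},   # mail relay: SMTP and DNS out
    "10.0.0.8": {("TCP", 443)},               # web server: HTTPS out only
}

LINE_RE = re.compile(
    r"(?P<action>OUT-ACCEPT|OUT-DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return (action, src, dst, proto, dport), or None for non-outbound lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (m["action"], m["src"], m["dst"], m["proto"], int(m["dpt"]))

def find_anomalies(log_text, policy):
    """Count outbound attempts outside each server's allow-list.
    DROP hits show default deny working; ACCEPT hits show the ruleset is looser
    than the policy. Returns (src, dst, proto, dport, action, count), most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        action, src, dst, proto, dport = hit
        if (proto, dport) not in policy.get(src, set()):
            counts[(src, dst, proto, dport, action)] += 1
    return [key + (n,) for key, n in counts.most_common()]
```

Both the dropped IRC-port attempts from the mail relay and the accepted plain-http connection from the web server are reported, so the output is also a check on whether the ruleset really matches the intended policy.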
