Firewall opinions wanted please

Chris Brenton cbrenton at chrisbrenton.org
Fri Mar 19 02:04:04 UTC 2004


On Thu, 2004-03-18 at 15:26, Alexei Roudnev wrote:
>
> > A good firewall *should* be doing a whole lot more than that. It should
> Do not overestimate. A firewall can do a little more than just restrict
> access and inspect a few (very limited) protocols.

If this concerns you, just use a proxy instead of stateful inspection.
Even better, use both to leverage the speed of the packet filtering and
the application control of the proxy. Defense in-depth and all of that.

> It can not protect you from slow scans;

If a firewall can't stop a scan because it's slow, then the firewall is
broken. If you are talking about detecting a port scan, then it's a
matter of how you parse the data. I can easily detect port scans as slow
as 1 port/4 hours with Netfilter. I can push this out to 1 port/week if
the source IP is on my "potentially hostile" list.

> it can not protect you from SSL /
> SSH / (any other encrypted protocol) vulnerabilities,

All depends on what you need. For example if you want to inspect
payload, terminate the tunnel at the firewall or some external device
(like an SSL accelerator) and then run the payload through a reverse
proxy. If it's outright blocking you want, just inspect for the initial
handshake and drop as required. You only need to check the first couple
of ACKs to do this correctly.

> it can not protect your users from viruses in e-mail, etc etc.

I don't remember saying it would. What I do remember saying is that the
firewall could be used to help detect outbound activity if the internal
host becomes a zombie due to e-mail based viruses. 

> Very good level of details - 200 Mb of daily logs (IP, IP protocol = https).
> Any network statistics system can do it. Unfortunately, all these logs are
> 99% useless until you need forensics.

I guess it's a matter of what you do with them. I personally find my
firewall logs *very* useful and can ID a wide range of suspicious
activity, even a few that are payload based despite the fact that the
firewall does not log the payload. As for review time, 200 MB takes me
maybe 20 minutes with my parsing script unless I find something *really*
interesting that I want to drill in on. Then the time factor comes down
to when my obsessive compulsive personality will let it go. ;-)

But then again I'm one of *those* geeks that finds log review to be a
fun way to spend a week night. I expect if I found it to be more of a
chore I would also find them to be less than useful.

> > perimeter. It should also be doing some level of content checking to
> In reality, I can count all useful things firewall can do. I can not count
> (it is infinite) numbers of things it can not do.

So basically your argument is "it's good at some things but not others, so
why bother?". Given that line of thinking, why bother with IDS because
it can't detect Ethernet CRC errors? Why bother running a virus scanner
because it can't keep your system patched? Why bother patching your
systems because that does not help add the fabric softener during the
rinse cycle?

A firewall is a tool, no more, no less. The capability of that tool is
90% dependent on the person wielding the tool. If you can only find a
limited number of applications for a firewall, I'm not surprised that
you don't find it all that useful. That does not mean the same is true
for the rest of us.

HTH,
C
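As an added illustration of the slow-scan detection from Netfilter logs that Chris describes above (example code, not from the original post): it parses syslog-style LOG lines, groups probes by source, and flags a source that reaches three or more distinct destination ports with no more than 4 hours between consecutive probes, stretching that to a week for sources on a "potentially hostile" list. The log lines, addresses, ports and thresholds are constructed, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Netfilter LOG-target lines in syslog form (year is not logged; assumed 2004).
SAMPLE_LOG = """\
Mar 18 00:10:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=22 SYN
Mar 18 04:00:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4445 DPT=23 SYN
Mar 18 07:50:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4446 DPT=25 SYN
Mar 18 11:40:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4447 DPT=80 SYN
Mar 18 09:00:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=5000 DPT=80 SYN
Mar 18 09:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=5001 DPT=80 SYN
Mar 12 10:00:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=139 SYN
Mar 16 10:00:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=6001 DPT=445 SYN
Mar 18 10:00:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=6002 DPT=1433 SYN
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(\S+) .*?DPT=(\d+)")

def parse(lines, year=2004):
    """Yield (timestamp, source IP, destination port) for each LOG line that matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3))

def slow_scans(lines, hostile=frozenset(), gap=timedelta(hours=4),
               hostile_gap=timedelta(weeks=1), min_ports=3):
    """Return {source: distinct ports} for sources that reached >= min_ports distinct ports
    with consecutive probes never more than gap (hostile_gap if listed) apart; repeats of one port don't count."""
    by_src = defaultdict(list)
    for ts, src, dpt in parse(lines):
        by_src[src].append((ts, dpt))
    hits = {}
    for src, events in by_src.items():
        limit = hostile_gap if src in hostile else gap
        run, last, best = set(), None, 0
        for ts, dpt in sorted(events):       # chronological order, whatever the log order
            if last is not None and ts - last > limit:
                run = set()                  # gap too long: this probe starts a new run
            run.add(dpt)
            last, best = ts, max(best, len(run))
        if best >= min_ports:
            hits[src] = best
    return hits

if __name__ == "__main__":
    print(slow_scans(SAMPLE_LOG.splitlines()))
    print(slow_scans(SAMPLE_LOG.splitlines(), hostile={"198.51.100.9"}))
```

With the default 4-hour gap only 203.0.113.5 is reported; 198.51.100.9, probing one port every few days, only shows up once it is on the hostile list and gets the one-week gap.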
More information about the NANOG mailing list