I don't need no stinking firewall!

Sean Donelan sean at donelan.com
Tue Jan 5 22:36:01 UTC 2010

On Tue, 5 Jan 2010, Fred Baker wrote:
> The primary value of a firewall is two-fold:
> - It enables a network administrator to define his "edge", the interior of 
> which he is responsible for.
> - It enables a network administrator to isolate his network from 
> externally-originated traffic per his whims and viewpoints.

Actually, a firewall is so the "security administrator" can intervene 
between the network administrator and the system administrator to impose 
controls on both because they didn't prevent something themselves.  It 
sounds like of beginning of a joke, a network administrator, system 
administrator and security administrator walk into a 
bar ...

A statefull firewall is most useful for *outbound* traffic, inbound 
traffic controls usually break things that depend on maintaining state. 
Of course, if you want outbound traffic from your web server, its no 
longer just a web server.  Its some mongrel type of client/server. 
Likewise a IDS/IPS/AV/Anti-X box is no longer just a stateful firewall, 
its some kind of mongrel security device.

Simple ACLs can keep stuff out, or keep stuff in.  Stateful things are 
only needed when you want to keep track of things you sent outbound, so 
you can let (hopefull) the same thing back inbound.

> IMHO, it is not a security solution per se; it is comparable perhaps to human 
> skin - keeping certain stuff out to limit the need to use other tools that 
> one uses internally. That said, the tools one uses to create true security 
> are a combination of network-based detection/analysis equipment like 
> honeypots, router configurations, and sensors, and host-based security 
> technologies. In the final analysis, the hosted application is responsible 
> for its own security (if some attacker threads the needle, it had better be 
> able to handle the attack), and uses host and network facilities as 
> defense-in-depth (the less it has to worry about that the more effective 
> overall security is).

Your "simple", "verifiable", "etc" security devices then become something 
even more complex than the systems they are supposedly are protecting. 
With that additional complexity comes additional risks that the security
device itself has flaws.  Adding NAT/PAT/state/DNS proxy creates its own 
problems and many protocol hacks, often requiring even more complexity to
"fix" what you broke.

I blame Bellovin & Cheswick for firewalls :-)  There are some subtle 
points in their early papers I'm still learning.

Yes, statefull firewalls can be usefull.  But too often security 
professionals suffer from the I have a hammer syndrome.  They break 
everything with a single tool, even stuff that may be better without it. 
Security should worry about all the letters in C-I-A.

More information about the NANOG mailing list