I don't need no stinking firewall!
harbor235 at gmail.com
Sun Jan 10 06:22:29 UTC 2010
> > Other security features in an Enterprise Class firewall;
> > -Inside source based NAT, reinforces secure traffic flow by allowing
> > outside to inside flows based on
> > configured translations and allowed security policies
> Terrible from an availability perspective, troubleshooting perspective,
> too. Just dumb, dumb, dumb - NATed servers fall over at the drop of a hat
> due to the NAT device choking.
>>> How is that possible with inside source NATing? You must mean
>>> outside source NATing
> > -TCP sequence number randomization (to prevent TCP seq number
> Server IP stack does this itself just fine.
>>> What server randomizes TCP sequence numbers? Servers randomize initial
>>> sequence numbers! Regardless, the FW will accept and randomize again, making
>>> sure the endpoints get the correct TCP seq numbers, again more secure
> > -Intrusion Detection and Prevention (subset of most common signatures)
> > recognize scanning attempts and mitigate
> > recognize common attacks and mitigate
>>> Preventing attacks on internal networks or servers, snake oil, LOL
>>> FWs typically offer a subset of potential IDS signatures, dedicated
>>> or systems offer a higher level of prevention
> > -Deep packet inspection (application aware inspection for common
> > network services)
> Terrible from an availability perspective, snake-oil.
>>> Inspecting application header and data, it will identify/prevent some
>>> application attacks? How does that reduce availability?
> > - Policy based tools for custom traffic classification and filtering
> Can be done statelessly, no firewall required.
>>> True, never said this was done statefully, what device are you using to
>>> perform this function?
>>> No firewall required, but part of a distributed defense in depth strategy and
>>> can be done by a firewall, again a secure architecture is the goal not
>>> just a firewall
> > -Layer 3 segmentation (creates inspection and enforcement points)
> Doesn't require a firewall.
>>> No, but segmentation and multiple security enforcement points are
>>> essential for a secure architecture,
> > -Full/Partial Proxy services with authentication
> If needed, can be better handled by transparent reverse-proxy farms; auth
> handled on the servers themselves.
>>> The servers are doing everything in your model, must be quite some
>>> servers, are we talking firewalls in general or are we talking
>>> datacenter, all companies do not have access to reverse-proxy farms
> > - Alarm/Logging capabilities providing info on potential attacks
> > -etc ......
> NetFlow from the network infrastructure, the OS/apps/services on the server
> itself do this, etc.
>>> Not the same thing, you will need to analyze the data, Netflow does not
>>> perform data analysis, you will need to develop/buy something else for
> > Stateful inspection further enhances the security capabilities of a
> No, it doesn't, not in front of servers where there's no state to inspect,
> in the first place, given that every incoming packet is unsolicited.
>>> Every packet is not unsolicited, webserver to database request? DB
>>> synch between datacenters, administration, remote services, etc...
>>> there is no state for the services you are serving, true, but what about
>>> the rest of the network services potentially available and their
> > You may choose not to use a firewall or implement a sound security
> > posture utilizing the "Defense in Depth" philosophy, however your chances of
> > being compromised are dramatically increased.
> Choosing not to make the mistake of putting a useless, counterproductive
> firewall in front of a server doesn't mean one isn't employing a sound,
> multi-faceted opsec strategy.
>>> Didn't say it did, I stated several times that a secure architecture
>>> should be the goal not just adding a FW, did you fail to read or respond
>>> to that part?
> I know that all the firewall propaganda denoted above is repeated
> endlessly, ad nauseam, in the Confused Information Systems Security
> Professional self-study comic books, but I've found that a bit of real-world
> operational experience serves as a wonderful antidote, heh.
>>> Again, a firewall has its place just like any other device in the
>>> network, defense in depth is a prudent philosophy to reduce the chances
>>> of compromise, it does not eliminate it nor does any architecture you can
>>> think of, period
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
> Injustice is relatively easy to bear; what stings is justice.
> -- H.L. Mencken
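The two positions argued above (inbound packets to a listening service carry no state worth tracking, versus server-initiated flows such as webserver-to-database traffic that do) can be seen side by side in a toy filter. This is an added example, not code from either poster; the server and database addresses, ports and packets are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the connection-opening segment

SERVER, DB = "10.0.0.10", "10.0.1.20"  # constructed addresses
LISTEN = {80}                          # services the server offers
DB_PORT = 5432                         # service the server consumes

def stateless(p: Packet) -> str:
    """Static ACL: inbound to offered services, outbound from the server,
    plus anything that looks like a database reply (source port 5432)."""
    if p.dst == SERVER and p.dport in LISTEN:
        return "ACCEPT"
    if p.src == SERVER:
        return "ACCEPT"
    if p.src == DB and p.sport == DB_PORT and p.dst == SERVER:
        return "ACCEPT"
    return "DROP"

class Stateful:
    """Connection tracker: remembers flows the policy admitted and lets
    only their reply traffic back in."""
    def __init__(self):
        self.flows = set()

    def check(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            return "ESTABLISHED"
        if p.syn and p.src == SERVER:  # server-initiated, e.g. to the DB
            self.flows.add(fwd); return "NEW-OUT"
        if p.syn and p.dst == SERVER and p.dport in LISTEN:
            self.flows.add(fwd); return "NEW-IN"
        return "DROP"  # unsolicited and not a new flow the policy admits

def run_scenario():
    """Returns (stateless verdicts, stateful verdicts) for the same packets."""
    pkts = [
        Packet("203.0.113.5", 51000, SERVER, 80, syn=True),  # client hits web
        Packet(SERVER, 40000, DB, DB_PORT, syn=True),        # server opens DB
        Packet(DB, DB_PORT, SERVER, 40000),                  # genuine DB reply
        Packet(DB, DB_PORT, SERVER, 40001),                  # forged "reply"
    ]
    tracker = Stateful()
    return [stateless(p) for p in pkts], [tracker.check(p) for p in pkts]
```

For the listening service both filters reach the same verdict, which is the point about inbound traffic having no state; the difference appears only on the server's own outbound flow, where the tracker accepts the real reply and drops the forged one that a source-port-based ACL lets through.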