I don't need no stinking firewall!

harbor235 harbor235 at gmail.com
Sun Jan 10 00:22:29 CST 2010


> > Other security features in an Enterprise Class firewall;
> >    -Inside source based NAT, reinforces secure traffic flow by allowing
> outside to inside flows based on
> > configured translations and allowed security policies
>
> Terrible from an availability perspective, troubleshooting perspective,
> too.  Just dumb, dumb, dumb - NATed servers fall over at the drop of a hat
> due to the NAT device choking.
>

 >>>How is that possible with inside source NATing? You must mean a
misconfigured
>>> outside source NATing

>
> >    -TCP sequence number randomization (to prevent TCP seq number
> guessing)
>


> Server IP stack does this itself just fine.
>

 >>> What server randomizes TCP sequence numbers? servers randomize
initial       >>> sequence numbers!, regardless, the FW will accept and
randomize again making
>>> sure the endpoints get the correct TCP seq numbers, again more secure


> >    -Intrusion Detection and Prevention (subset of most common signatures)
> >        recognize scanning attempts and mitigate
> >        recognize common attacks and mitigate
>
> Snake-oil.
>

>>> Preventing attacks on internal networks or servers, snake oil, LOL
>>> FWs typically offer a subset of potential IDS signatures, dedicated
appliances
>>> or systems offer a higher level of prevention

>
> >    -Deep packet inspection (application aware inspection for common
> network services)
>
> Terrible from an availability perspective, snake-oil.
>

>>> Inspecting application header and data, it will identify/prevent some
application >>>attacks? how does that reduce availability?

>
> >    - Policy based tools for custom traffic classification and filtering
>
> Can be done statelessly, no firewall required.
>

>>> True, never said this was done statefully, what device are you using to
perform >>>this function?
>>>no firewall required, but part of distributed defense in depth strategy and
can be >>>done by a firewall , again a secure architecture is the goal not
just a firewall

>
> >    -Layer 3 segmentation (creates inspection and enforcement points)
>
> Doesn't require a firewall.
>

>>> No, but segmentation and multiple security enforcements points are
essential for >>> a secure architecture,

>
> >    -Full/Partial Proxy services with authentication
>
> If needed, can be better handled by transparent reverse-proxy farms; auth
> handled on the servers themselves.
>

>>>The servers are doing everything in your model, must be quite some
servers, are >>>we talking firewalls in general of are we talking
datacenter, all companies do not >>>have access to reverse-proxy farms

>
> >    - Alarm/Logging capabilities providing info on potential attacks
> >    -etc ......
>
> NetFlow from the network infrastructure, the OS/apps/services on the server
> itself do this, etc.
>

>>> not the same thing , you will need to analyze the data, Netflow does not
perform >>> data analysis, you will need to develop/buy something else for
that

>
> >
> > Statefull inspection further enhances the security capabilities of a
> firewall.
>
> No, it doesn't, not in front of servers where there's no state to inspect,
> in the first place, given that every incoming packet is unsolicited.
>

>>>  every packet is not unsolicited, webserver to database request ? DB
synch >>>between datacenters, administration, remote services,  etc ,,,
there is no state for >>>the services you are serving, true, but what about
the rest of the  network services >>>potentially available and their
exploits?

>
> > You may choose not to use a firewall or implement a sound security
> posture utilizing the "Defense in Depth" philosophy, however you chances of
> being compromised are dramatically increased.
>
> Choosing not to make the mistake of putting a useless, counterproductive
> firewall in front of a server doesn't mean one isn't employing a sound,
> multi-faceted opsec strategy.
>

>>> didn't say it did, I stated several times that a secure architecture
should be the >>>goal not just adding a FW, did you fail to read or respond
to that part?

>
> I know that all the firewall propaganda denoted above is repeated
> endlessly, ad nauseam, in the Confused Information Systems Security
> Professional self-study comic books, but I've found that a bit of real-world
> operational experience serves as a wonderful antidote, heh.
>

>>> Again, a firewall has it's place just like any other device in the
network, defense in >>> depth is a prudent philosophy to reduce the chances
of compromise, it does not >>>eliminate it nor does any architecture you can
think of, period

>
> mike
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
>    Injustice is relatively easy to bear; what stings is justice.
>
>                        -- H.L. Mencken
>
>
>
>
>



More information about the NANOG mailing list