Firewall Wizards mailing list archives

Re: Facts, not Fiction


From: Bennett Todd <bet () rahul net>
Date: Fri, 14 Nov 1997 03:46:46 -0800

1997-11-13-06:12:01 Chris Brenton wrote:
> Andreas Siegert wrote:
> > Unless the customer is on an extreme low budget, I always use a
> > multistage design. Anything else would be irresponsible in my
> > opinion.
> I guess I have a bit of a problem with blanket statements like this
> one. It insinuates that there is a "one size fits all" solution to
> protecting a network which is clearly not the case. A risk analysis
> should be performed in order to determine what level of security is
> actually required.

I hadn't really thought about it in as many words before, but now that
you rub my nose in it, I guess I have come to endorse a bit of a ``one
size fits all'' approach to firewalls. Really, it's more like a few
sizes fit all, though. My decision tree looks like:

- If it's a tiny shop with a trivial security policy and a near-zero
  budget, set 'em up with a trivial little firewall based on my OS of
  choice (Red Hat Linux), stripped of all standard daemons, running
  ipfw+fwtk. Give them the standard off-the-shelf security stance,
  something along the lines of ``inbound&outbound proxied email, and
  access to proxied WWW _only_, proxied through a cascade of squid (for
  performance) feeding from http-gw (for applet stripping)''. Then
  discuss the limitations of this stance with them, and why those limits
  are often good, and see what needs changing.

- If there's enough more money around to be able to afford it, toss a
  Cisco 2500-series router just outside the above fw configured as a
  screening router.

- If we're still awash in money explain alternative commercial
  offerings, with their tradeoffs of support -vs- cost.

- As the site gets bigger and its demands grow, increase performance if
  necessary by adding additional proxy hosts; accommodate more complex
  requests for frobbing the security policy by implementing more complex
  configurations of the proxying software, possibly assisted with
  additional hosts.

My feeling is that a risk analysis is valuable, but that you only really
get the benefit of it when you have a nearly-infinite budget; when funds
are tight the cost of the detailed analysis comes out of the
implementation budget, and you're better off giving them a known-good
firewall setup, initially set for a quite conservative stance, that can
be easily tweaked for minor changes from that stance.

-Bennett
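The ``cascade of squid feeding from http-gw'' stance described in the message above, sketched as an added example (not taken from Bennett's post or from the fwtk/Squid documentation) in present-day Squid configuration syntax; the host name httpgw.internal, port 8080 and the 192.168.1.0/24 client range are assumed placeholders.

```conf
# Added example: Squid as the performance tier in front of fwtk's http-gw.
# Clients talk only to Squid; Squid talks only to http-gw; nothing on the
# LAN reaches the outside web directly.
http_port 3128

# Only the protected LAN may use the proxy (placeholder range).
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all

# One parent peer: the http-gw content filter (placeholder host/port).
# no-query: no ICP between the two; default: send it everything.
cache_peer httpgw.internal parent 8080 0 no-query default

# never_direct forces every request through the parent, so the Squid host
# needs no route to the Internet and cannot bypass the applet-stripping gw.
never_direct allow all
```

Because never_direct is unconditional, an outage of the http-gw host fails closed (clients get errors) rather than silently opening a direct path, which is the conservative default this stance calls for.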
