Firewall Wizards mailing list archives

Re: Lucent Managed Firewall


From: Chris Calabrese <chris_calabrese () yahoo com>
Date: Thu, 7 Sep 2000 08:33:54 -0700 (PDT)

While I haven't used the LMF in a production setting,
I did have one in the lab for a while and did some pretty
extensive banging on it...

The LMF appears to be a reasonably good implementation
of a pure stateful inspection firewall.  I was
particularly impressed with how easy it was to
configure and install.  Unlike most so-called
appliances, this one actually is quite toaster-like
and requires almost no touching of anything other than
the GUI, and I really appreciated the ability to farm
out different admin tasks to different users by
role/user/zone tuples.  Also, they have a NIST Common
Criteria evaluation, which will be important for US
Government implementations (and possibly others).

However, the LMF in its current form is certainly
not without its problems.  For one thing, Lucent has
based the LMF on rather slow hardware by modern
standards.  For the most part, this works pretty well
because the software is very efficient.  But it causes
problems in places where there are inherently
compute-intensive or memory-intensive things going on,
like packet fragment reassembly (they've got a crypto
add-in card, so I won't count that).  For this reason,
it's probably not the best choice if you need very
high speed.  This is where the appliance approach
breaks down.  With non-appliance systems, I can always
throw more hardware at the problem.

Another weakness is the minimalist approach taken to
application handling.  In particular, there is no
built-in support for HTTP and FTP application-level
protections against things like long URLs and
directory names (something the proxy firewalls all
have and at least some of the other stateful
inspection firewalls have recently added).  Also,
according to the Lucent folks I talked to, the
RealAudio inspection rules open the entire RealAudio
UDP range, rather than statefully opening only the
ports actually in use.

Similarly, there are no built-in capabilities for
detecting or defending against network-level attacks
like x-mas tree packets or protecting machines with
weak TCP initial sequence number generation.  Again,
this is an area where the proxy firewalls are way
ahead, but where at least some of the other stateful
inspection firewalls have made at least some headway.
There is integrated support for RealSecure, so it is
possible to get some of this protection back by
implementing that product.

Finally, the fact that the system operates as a bridge
rather than a router is both a blessing and a curse.
A blessing because you can easily insert and remove
these things from the network without renumbering
everything.  A curse because you need to renumber
everything if you are replacing an existing firewall
that does operate as a router (virtually everything
else on the market).  This was a pain in our testing
where we needed to use one network numbering for the
LMF and another for everything else.  We cleverly
numbered everything to require only netmask changes,
but even that was painful when we wanted to run the
same test over several different firewalls and we
needed to go change all the netmasks on all the
machines in the test setup when we got to the LMF (and
then change everything back afterwards).
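The post describes two classes of protection it found missing from the LMF: application-level limits on long URLs and directory names, and network-level detection of illegal TCP flag combinations such as "x-mas tree" packets. The following is an added example (not code from the post, from Lucent, or from the LMF) of what such checks look like when implemented as a packet filter hook. The header layout follows RFC 793; the length limits, function names and the constructed sample segments are assumptions chosen for illustration.

```python
"""Constructed example of the two kinds of check the review notes are
absent from the LMF: HTTP request-line limits and TCP flag sanity."""
import struct

# TCP flag bits as laid out in the low byte of header byte 13 (RFC 793).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Assumed limits; a real deployment would tune these per zone.
MAX_URL_LEN = 2048          # whole request target
MAX_DIR_NAME_LEN = 255      # any single path component


def parse_tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("TCP header truncated")
    return segment[13] & 0x3F


def classify_tcp_flags(flags: int) -> str:
    """Name a flag combination; 'ok' means a real stack could have sent it."""
    if flags == 0:
        return "null"            # no flags at all: never legitimate
    xmas = TCP_FIN | TCP_PSH | TCP_URG
    if flags & xmas == xmas:
        return "xmas"            # FIN, PSH and URG lit up together
    if flags & TCP_SYN and flags & TCP_FIN:
        return "syn-fin"         # open and close in the same segment
    if flags & TCP_SYN and flags & TCP_RST:
        return "syn-rst"
    return "ok"


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Construct a 20-byte TCP header (checksum left zero) for testing."""
    offset_and_flags = (5 << 12) | flags   # data offset 5 words, then flag bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_and_flags, 65535, 0, 0)


def check_http_request_line(line: bytes) -> str:
    """Return 'ok', or the reason an HTTP request line should be dropped."""
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return "malformed"
    target = parts[1]
    if len(target) > MAX_URL_LEN:
        return "url-too-long"
    if any(len(component) > MAX_DIR_NAME_LEN for component in target.split(b"/")):
        return "dir-name-too-long"
    return "ok"


def audit_segments(segments):
    """Classify a list of (label, raw_tcp_header) pairs; constructed input."""
    return [(label, classify_tcp_flags(parse_tcp_flags(seg))) for label, seg in segments]


if __name__ == "__main__":
    samples = [
        ("normal-syn", build_tcp_header(40000, 80, TCP_SYN)),
        ("xmas", build_tcp_header(40001, 80, TCP_FIN | TCP_PSH | TCP_URG)),
        ("null", build_tcp_header(40002, 80, 0)),
    ]
    for label, verdict in audit_segments(samples):
        print(f"{label:12s} -> {verdict}")
    print(check_http_request_line(b"GET /index.html HTTP/1.0\r\n"))
    print(check_http_request_line(b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\n"))
```

The flag check works on the raw header so it can sit in front of any stateful engine; the request-line check assumes the firewall already reassembles the TCP stream, which is exactly the memory-intensive work the review says strains the LMF's hardware.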


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
