RE: Firewalls v. Router ACLs

["R. DuFresne" <dufresne () sysinfo com>]

This is a very inciteful and informative thread, tons of information for
people to take in consideration in network design and layout.  Which keeps
pushing me to one of the fundemental tenants of network security,
layering, the ole 'onion skin' approach.  And many of the old discusions
here and the old firewalls list often emphasized an approach that avoided
<what is now the *in vogue* term> monoculcural 'single point of failure
pathway' into the heart of the protected environment.  ACL's in the
routers in conjuction with a more traditional firewall layer below would
be the proper approach.  Perhaps the choice of Nokia's can be considered
for a replacement, but one has to consider all the aspects of single
vendor issues if perhaps popping pixen in there instead <a beancounters
dream?>.  The logging alert features alone turn this layer into a IDS as
well as another layer of control and packet level refinement.  Of course,
as I hinted in the beginning, I'm a fundamentalist in this perspective...


What I'm saying is, if a change is required here based upon costs, rather
then eliminate a layer of defense, consider a vendor change at that layer
that better fits the economic resources avaliable.  If the internal
knowledge base is open source cluefull then you can always go that route
to solve this problem, or shift some costs for the short term into
training to gain this, better yet, support a growing economy and hire in
the expertise and better balance the understaffing most IT deptarments
face.


Thanks,

Ron DuFresne


On Fri, 12 Dec 2003, Ben Nagy wrote:

> My rambling inline. 
>
> > -----Original Message-----
> > From: firewall-wizards-admin () honor icsalabs com 
> > [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
> > Of WhiteHat () btclick com
> [...]
> > I currently work for a department in a large company. Our 
> > department has always used firewalls (CheckPoint on Nokia) to 
> > protect our part of the network from network worms and other 
> > 'nasty stuff' on the rest of the network. [...]
> >
> > We are now being pressurised to remove the firewalls by the 
> > rest of the company. 
> [...]
> > In particular, I am concerned about:
> > - performance - will the routers be able to manage this as 
> > they are designed to route traffic, not stop it?
>
> An appropriately sized router will not have any performance problems. If I
> were a betting man, I would probably back a router against a firewall to
> discard traffic based on simple, stateless criteria (eg drop all
> 135,137,138,139 entering or leaving the network).
>
> > - logging - what would be the best way to consolidate the 
> > router logs for analysis etc.?
>
> Tricky. Firewalls have a big advantage here, although it's all possible in
> the end. Personally, however, I question the true value of those router
> logs.
>
> There are lots of guys on the list that know an awful lot about secure and
> reliable log consolidation and analysis for both routers and firewalls, so
> I'm not going to expound here.
>
> > - incident management - if a router is being hammered by a 
> > network worm (e.g. 
> > MSBlaster/LovSan), how easy will it be to manage to make any 
> > emergency changes necessary? Won't it be so busy dropping 
> > packets it becomes impossible to make the change?
>
> Not unless it's badly configured or under-specified. I've never seen simple
> packet discarding or routes to null0 cause a 'decent' router any problems -
> keeping state excepted. YMMV if you're routing lots of gigabits of traffic.
> At worst, the console will probably stay alive. I've seen nice solutions
> using dedicated management VLANs and multi-port serial routers to manage
> core equipment via the console for security and reliability.
>
> > - future capability - I see the AI-type technologies evolving 
> > in firewalls as providing a useful IPS-type functionality in 
> > the future.
>
> I don't. IMO the protection will move host-based - it really has to. My
> cracked crystal ball says that firewalls get dumber, not smarter, in the
> future. They're already too damn smart for their own good, IMHO.
>
> There are some REALLY interesting ideas that are lurking around here...
>
> > This will allow more open rule sets but automated 
> > protection if things go wrong. Has anyone successfully 
> > implemented this yet? Can this be enough justification to 
> > keep the firewalls?
>
> Well all the firewall companies can see the recent spate of worms, and I'm
> sure that they understand that the model isn't working. Hell, we've been
> whining about it for as long as I can remember. There is still a lot of
> stuff that firewalls are good for, and being a real point of control between
> networks with different security levels is one of those things.
>
> However, if you're talking about adding a level of defence in depth by
> killing certain kinds of known-bad traffic in a 'coarse filter' approach at
> the network layer then my personal opinion is that the router is a good
> place to do that. The switch is better still. The NIC....well that gets
> trickier. Maybe we could embed some sort of ASIC in the CAT-6 RJ-45
> connector.... :)
>
> Anyway, there's lots of depth here, and I look forward to seeing what people
> think.
>
> Cheers,
>
> ben
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards