Firewall Wizards mailing list archives
RE: Firewalls v. Router ACLs
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Sat, 13 Dec 2003 22:00:20 -0500 (EST)
This is a very inciteful and informative thread, tons of information for people to take in consideration in network design and layout. Which keeps pushing me to one of the fundemental tenants of network security, layering, the ole 'onion skin' approach. And many of the old discusions here and the old firewalls list often emphasized an approach that avoided <what is now the *in vogue* term> monoculcural 'single point of failure pathway' into the heart of the protected environment. ACL's in the routers in conjuction with a more traditional firewall layer below would be the proper approach. Perhaps the choice of Nokia's can be considered for a replacement, but one has to consider all the aspects of single vendor issues if perhaps popping pixen in there instead <a beancounters dream?>. The logging alert features alone turn this layer into a IDS as well as another layer of control and packet level refinement. Of course, as I hinted in the beginning, I'm a fundamentalist in this perspective... What I'm saying is, if a change is required here based upon costs, rather then eliminate a layer of defense, consider a vendor change at that layer that better fits the economic resources avaliable. If the internal knowledge base is open source cluefull then you can always go that route to solve this problem, or shift some costs for the short term into training to gain this, better yet, support a growing economy and hire in the expertise and better balance the understaffing most IT deptarments face. Thanks, Ron DuFresne On Fri, 12 Dec 2003, Ben Nagy wrote:
My rambling inline.-----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of WhiteHat () btclick com[...]I currently work for a department in a large company. Our department has always used firewalls (CheckPoint on Nokia) to protect our part of the network from network worms and other 'nasty stuff' on the rest of the network. [...] We are now being pressurised to remove the firewalls by the rest of the company.[...]In particular, I am concerned about: - performance - will the routers be able to manage this as they are designed to route traffic, not stop it?An appropriately sized router will not have any performance problems. If I were a betting man, I would probably back a router against a firewall to discard traffic based on simple, stateless criteria (eg drop all 135,137,138,139 entering or leaving the network).- logging - what would be the best way to consolidate the router logs for analysis etc.?Tricky. Firewalls have a big advantage here, although it's all possible in the end. Personally, however, I question the true value of those router logs. There are lots of guys on the list that know an awful lot about secure and reliable log consolidation and analysis for both routers and firewalls, so I'm not going to expound here.- incident management - if a router is being hammered by a network worm (e.g. MSBlaster/LovSan), how easy will it be to manage to make any emergency changes necessary? Won't it be so busy dropping packets it becomes impossible to make the change?Not unless it's badly configured or under-specified. I've never seen simple packet discarding or routes to null0 cause a 'decent' router any problems - keeping state excepted. YMMV if you're routing lots of gigabits of traffic. At worst, the console will probably stay alive. I've seen nice solutions using dedicated management VLANs and multi-port serial routers to manage core equipment via the console for security and reliability.- future capability - I see the AI-type technologies evolving in firewalls as providing a useful IPS-type functionality in the future.I don't. IMO the protection will move host-based - it really has to. My cracked crystal ball says that firewalls get dumber, not smarter, in the future. They're already too damn smart for their own good, IMHO. There are some REALLY interesting ideas that are lurking around here...This will allow more open rule sets but automated protection if things go wrong. Has anyone successfully implemented this yet? Can this be enough justification to keep the firewalls?Well all the firewall companies can see the recent spate of worms, and I'm sure that they understand that the model isn't working. Hell, we've been whining about it for as long as I can remember. There is still a lot of stuff that firewalls are good for, and being a real point of control between networks with different security levels is one of those things. However, if you're talking about adding a level of defence in depth by killing certain kinds of known-bad traffic in a 'coarse filter' approach at the network layer then my personal opinion is that the router is a good place to do that. The switch is better still. The NIC....well that gets trickier. Maybe we could embed some sort of ASIC in the CAT-6 RJ-45 connector.... :) Anyway, there's lots of depth here, and I look forward to seeing what people think. Cheers, ben _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior security consultant: sysinfo.com http://sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Firewalls v. Router ACLs WhiteHat (Dec 11)
- Re: Firewalls v. Router ACLs Victor B. Williams (Dec 12)
- RE: Firewalls v. Router ACLs Ben Nagy (Dec 12)
- RE: Firewalls v. Router ACLs R. DuFresne (Dec 13)
- RE: Firewalls v. Router ACLs Carric Dooley (Dec 17)
- RE: Firewalls v. Router ACLs R. DuFresne (Dec 13)
- Re: Firewalls v. Router ACLs pedski (Dec 12)
- <Possible follow-ups>
- RE: Firewalls v. Router ACLs MHawkins (Dec 13)
- Re: Firewalls v. Router ACLs WhiteHat (Dec 16)