Firewall Wizards mailing list archives

Re: Firewalls Compared

From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Tue, 22 Jun 2004 23:47:09 +0530

On 22/06/04 12:28 -0400, Paul D. Robertson wrote:
<snip>

While the incidence of worms and DDoS attacks are high, the event costs
often pale in comparison to an insider abuse or critical intrusion.

The costs of worms and DDoS are spread across a very large number of
people, including those of us who actually follow best practices.

Frequency of attack with a lower cost will surpass infrequent attacks with
a higher cost in many cases.  Still, longer-term, and strategically,
intrusions and infrastructure compromise are much more worrisome than
local desktop disruption.  DDoS can be taken care of with end-to-end QoS,

The destkop disruption is potentially damaging because of the sheer
number of desktops.

an evil we may eventually have to bite the bullet on, just like voice

Except that a few thousand zombies spewing out a few kbit of traffic
will not really be QoSable.
64 kbps of traffic * 4000 zombies [1] = 256 Mbps of traffic.

Are you going to enforce QoS at that level? It need not be ICMP traffic
either. 64 kbit/sec of http traffic, or SMTP, or anything else.
It would be easy to write a program that generates a limited amount of
traffic against a site from a single host and distribute it to a large
number of hosts.

QoS will *not* work against a DDoS for most sites. The large sites have
enough bandwidth to handle the traffic, but for those people whose
servers are not in large datacenters but on T1 or equivalent lines, this
could be a nightmare.

The damamge from Blaster/Welchia/Nachi could not really have been controlled
by QoS. One 92 byte ICMP packet going out is *NOT* QoSable. It did cause 
routers to fall over and die due to the sheer number of packets being
originated to different destinations.

networks had to bite the out-of-band signaling bullet.

I don't know where I would find statistics on how many home or corporate
broadband networks have hardware firewalls or personal firewalls. If I had to
guess for home users...I would say less than 10% have hardware firewalls
and less than 20% employ personal firewalls. Fewer would employ both
together   Most users I know just ride bareback against a cable modem or


Educate those users.  Change their behavior.  This is a time-local
problem, and with Comcast's recent moves and some prodding, we can make
the time period shrink significantly.

Or as MJR had once proposed, don't give them full Turing complete
systems. Give them embedded systems (or dumbed down PCs) which do very
few things.

DSL  which is relatively amazing considering that GIAC trained
professionals now are recommending that home users consider both hardware
and software firewalls simultaneously. (See something like
http://www.giac.org/practical/GSEC/Barbara_Kupiec_GSEC.pdf).  Considering
the number of intrusions that I see break throught my hardware firewall
and get stopped by my personal firewall...I would say this is excellent if
not underwhelming advice.


Hmm, I don't see anything "break through my hardware firewall," maybe the
issue is security policy? ;)

That depends on your definition of attack as well :). I get a crapload
of spam to my small, one user home system. I do call it an attack. Since
I run my own server, that port will be open to the Internet.

Here's the rub- in corporations, way less than half of firewalls are
configured to block the attacks that corporate firewalls are perfectly
capable of blocking.  Now, let's say that means that ~75% of the people on

Most people still go by the policy of block only the bad traffic.
The whitelist only policy that should be applied to network traffic
isn't usually applied.
The cost of a mistake is too high for some people. They would rather
risk having their infrastructure attacked and broken into, because in
their estimation, the risk of being broken into is lower than the cost
of fixing it.

<snip>

A handful of providers can solve the bulk of the home user attack
"problem" with relative ease, or we can make the users do it machine by
machine- but long-term they're not as much of an issue as corporate
networks are, IMO.

If they would actually take steps to solve the issue, then yes.
So far, they haven't done too much. 

Devdas Bhagat

[1] The 4000 zombie number is what I remember from some statistics on the
number of hosts involved in a single spam run
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Firewalls Compared kashif (Jun 21)
- Re: Firewalls Compared Paul D. Robertson (Jun 21)
  - Re: Firewalls Compared Gwendolynn ferch Elydyr (Jun 21)
  - Re: Firewalls Compared Dave Piscitello (Jun 21)
    - Re: Firewalls Compared Ryan M. Ferris (Jun 22)
    - Re: Firewalls Compared Paul D. Robertson (Jun 22)
    - Re: Firewalls Compared Devdas Bhagat (Jun 22)
    - Re: Firewalls Compared Paul D. Robertson (Jun 22)
    - Re: Firewalls Compared Devdas Bhagat (Jun 22)
    - Re: Firewalls Compared Paul D. Robertson (Jun 23)
    - RE: Firewalls Compared Laura Taylor (Jun 26)
    - Re: Firewalls Compared ArkanoiD (Jun 28)
    - RE: Firewalls Compared Laura Taylor (Jun 28)
    - Re: Firewalls Compared Marcus J. Ranum (Jun 28)
    - RE: Firewalls Compared Eugene Kuznetsov (Jun 29)
    - RE: Firewalls Compared Ben Nagy (Jun 30)
    - Re: Firewalls Compared Devdas Bhagat (Jun 30)

(Thread continues...)