Firewall Wizards mailing list archives

RE: Firewalls Compared


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 29 Jun 2004 18:51:24 -0400

Stiennon, Richard wrote:
> Am I the only one that sees a huge difference between an application proxy (a la the good old days of server based
> firewalls) and filters that are applied to payloads (a la Network Intrusion Prevention) by inline network devices?

You're probably not the only one, but that doesn't make your view
any closer to accurate. ;)

In both cases, you're intercepting traffic (by being in the routing path,
or on the wire) and doing layer 7 analysis to apply a policy or detect
and attempt to prevent abusive activity. Whether you call it a filter or
a signature or a proxy, it's all just a chunk of code that "knows"
something about the protocol and mediates/permits/denies based on
the content and protocol state.

There are differences, as you say - mostly, however, they're historical and
evolutionary differences, or implementation differences. The old server
centric proxy firewalls took advantage of the system's existing IP stack
to do reassembly; the IDS evolutionary stream evolved it from nothing,
and the "stateful multilevel packet inspection" evolutionary stream evolved
up the stack from a very minimal implementation. The firewall stream started
out being policy focused and is becoming vulnerability focused, where the
IDS stream started out being vulnerability focused and is becoming policy
focused. But, historical implementation details aside, the differences between
these technologies are largely in the heads of marketing weenies and the
industry analysts they own.

> Let's keep in mind that stateful inspection firewalls are GREAT security devices. They protect over 80% of enterprise
> networks today.

Market share doesn't say anything about quality. If market share were
a metric of quality then Windows would be the greatest operating system
that has ever been.

Stateful inspection firewalls are an adequate security device for many
purposes. They are just good enough to let most companies feel that
they have security, while still giving them good performance and not
impacting the user experience enough to get the firewall torn out as a
result of layer 8 contention. Unfortunately, as botnets, trojans, and
spyware are showing us (and it's going to get worse) unfettered
transparent access is not compatible with high security. And, we've
seen that the advanced packet screens (which is all a "stateful inspection"
firewall is) do a very poor job of protecting systems behind them against
incoming traffic. That has spawned a whole secondary market for
kludges like web-specific application gateways -- if these "stateful
inspection firewalls" were so great, they'd actually, uh, statefully
inspect, or something like that.

> However, worms can come in through infected laptops or third party connections. When they connect directly to the
> corporate LAN you are toast. It turns out IPS is great at blocking worms and it is easier to deploy IPS internally
> because policy setting is simple: MS Blaster yes/no?

Now you're back to touting IPS. We were talking about the questionable
utility of screening-only "firewalls" in a world where attacks are increasingly
Layer 7-oriented. The IPS products are doing more Layer 7 processing
than a lot of the "stateful inspection" firewalls ever will. I think that it's
great that they do that, and, behind the relentless hype, I think that IPS
makes a lot of sense - adding signatures to firewalls is a great idea. As
long as the firewall is sound, and the signature engine is reliable.

> Worms generally target Microsoft vulnerabilities. Are you going to write application proxies for Exchange? ASN 1?

No, you can only write useful proxies for services that are well-documented,
minimizable, and tolerably designed. From a security standpoint there is
probably nothing useful that can be done to Exchange other than holding
it down and putting a stake in its heart.

ASN1 is an encoding standard, not an application protocol. You can't
application proxy an encoding standard! Or are we playing buzzword
bingo?

> Does anyone other than MSFT even know how these applications communicate? Not.

Precisely; which is why only a complete wanna-be victim would allow
such a broken piece of software across an enterprise perimeter.

> But, you know what the vulnerability looks like and could look at traffic and identify malicious activity even
> without signatures. The future of network security is all about inspecting traffic. It is not about application
> proxies.

You're probably right but not for the reasons you think you are.

You're right because most organizations want low-carb low calorie
light and refreshing security. The kind that tastes great, but is less
filling. The kind that comes with a zingy hypeful perky sounding
name and the promise of "prevention" without the pain of "policy."

Of course, they'll continue to get hacked to bits.

Let's be realistic about something: we're in an industry where
expenditures on security keep going up and up and so do the
number of machines getting hacked. What does that tell me?
It tells me that low-carb security doesn't work. The problem with
IPS is that it's based on vulnerability, not policy. It's going to be
able to shoot down all the bad guys it knows about. And ONLY
the bad guys it knows about. That's very nice, but that does
not FIX anything.

You're completely right that the future of security is not application
proxies and "old school" security technologies. There's still too
much money to be made selling products that almost work, and
then selling add-ons and kludge-ons that offer the hope that
"next time we'll get it right."  Hey, why run a mailer that doesn't
suck, when you can run Exchange and buy a $60,000 box to
put next to it that TRIES REAL HARD to make it not suck.

mjr. 
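To make the vulnerability-versus-policy distinction argued in this message concrete, here is an added illustration that is not code from the thread or from any product named in it: a toy signature engine and a toy policy-enforcing proxy, both run over constructed HTTP request lines. The request samples, the signature, the allowed-method set and the path limit are all made up for the example.

```python
"""Signature (vulnerability-focused) vs. policy (proxy-style) filtering.

Added illustration only; requests, signatures and policy are constructed.
"""
import re

# Constructed request lines a perimeter device might see. KNOWN_BAD_PROBE is a
# made-up marker standing in for an attack someone has already written a rule for.
REQUESTS = {
    "normal":      "GET /index.html HTTP/1.1",
    "known_bad":   "GET /cgi-bin/KNOWN_BAD_PROBE HTTP/1.1",
    "unknown_bad": "GET /" + "A" * 600 + " HTTP/1.1",   # overlong path, no rule for it
    "odd_method":  "TRACE /index.html HTTP/1.1",         # legal HTTP, outside policy
}

# Signature engine: knows only the bad guys it has been told about.
SIGNATURES = [re.compile(r"KNOWN_BAD_PROBE")]

def signature_ips(request: str) -> str:
    """Vulnerability-focused: deny only what matches a known signature."""
    return "DENY" if any(s.search(request) for s in SIGNATURES) else "PERMIT"

# Policy engine: knows what the protocol is allowed to look like (constructed limits).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
MAX_PATH_LEN = 256

def policy_proxy(request: str) -> str:
    """Policy-focused: permit only traffic shaped as the policy allows;
    anything else is denied whether or not it is a known attack."""
    parts = request.split(" ")
    if len(parts) != 3:
        return "DENY"
    method, path, version = parts
    if method not in ALLOWED_METHODS or version not in ALLOWED_VERSIONS:
        return "DENY"
    if not path.startswith("/") or len(path) > MAX_PATH_LEN:
        return "DENY"
    return "PERMIT"

def compare(requests=REQUESTS):
    """Return {name: (ips_verdict, proxy_verdict)} for each sample request."""
    return {name: (signature_ips(r), policy_proxy(r)) for name, r in requests.items()}

if __name__ == "__main__":
    for name, (ips, proxy) in compare().items():
        print(f"{name:12s} IPS={ips:6s} proxy={proxy}")
```

The signature engine passes the unknown overlong request and the proxy blocks it, while the proxy passes the protocol-conformant known probe and also blocks the harmless TRACE, which is the "pain of policy" the message refers to.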

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
