Firewall Wizards mailing list archives
Re: A fun smackdown...
From: Chuck Swiger <chuck () codefab com>
Date: Thu, 19 May 2005 18:32:11 -0400
On May 19, 2005, at 5:45 PM, Paul D. Robertson wrote:
> Paul, why *don't* people run their firewalls with a single "deny all" rule?
>
> Actually, thinking about it, because it's cheaper to just not connect systems that don't need the risk, and you lose the risk of implementation errors in the firewall, configuration errors, and it then takes physical presence to bridge the gap, reducing the rate of attack (which is probably extremely low anyway.)
Right, that's better: there's no need to use a firewall at all for a truly standalone system, those can be set up and updated via CD, without being networked at all.
You only need a firewall when you need to permit some kinds of network traffic.
> Now I've got one for you; Why do some people run firewalls with a single "allow all" rule, and what can you do to make that less risky than the "deny all" example?
A firewall with allow-all is simply a router.

I've disabled the firewall on my Linksys BEFS81 broadband router I use at home because the FreeBSD box set up as my DMZ host is set up as a honeytrap. A BSD network stack seems to time out TCP connections after about 10 minutes, if no traffic goes by, but you can get a Windows worm stuck for days if you reply using a 0 window size.
I suspect that using greylisting, honeytraps, teergrubes, and similar techniques can do a lot to help slow down the spread rates of malware and spam. That's one way of making an "allow all" rule less risky than the "deny all" rule might be. Of course, you have to make sure your honeytrap software is up to the task, which is not as easy as it might seem.
Has anyone else tried setting up several honeytraps across their address space? Have you noticed a difference in connection rates between IP addresses at the far ends of your IP range, compared with honeytrap IP's in the middle?
--
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
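The zero-window trick Chuck describes above, as an added example that is not code from the post or from any of the tools named in the thread. A kernel-level tarpit answers with a zero window from the SYN/ACK onward; this userspace approximation (Python, standard library only) gets the same effect by shrinking SO_RCVBUF on the listener and never calling recv() on accepted connections, so once the peer has filled the tiny receive buffer the kernel advertises a zero window and the peer sits in persist mode, while a byte is dripped out periodically so the peer never concludes the service is dead. The class and function names, buffer sizes, intervals and the fake "worm" client in `probe_tarpit` are all assumptions for the example.

```python
import socket
import threading
import time

# Added example, not code from the original post. Names, buffer sizes and
# intervals are assumptions chosen for illustration.

DRIP = b" "          # one byte per interval keeps the peer waiting on us
CHUNK = 64 * 1024    # send size used by the constructed "worm" client below


class Tarpit:
    """Accept TCP connections, never read from them, drip a byte now and then."""

    def __init__(self, host="127.0.0.1", port=0, drip_interval=1.0, rcvbuf=1024):
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Set on the listener so accepted sockets inherit it and autotuning
        # stays off; Linux rounds this up to a floor of a few KiB, which is
        # still small enough to fill in a single send from the peer.
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
        self.srv.bind((host, port))
        self.srv.listen(128)
        self.srv.settimeout(0.1)      # lets the accept loop notice close()
        self.port = self.srv.getsockname()[1]
        self.drip_interval = drip_interval
        self.conns = []               # pinned peers; nothing is ever read from them
        self.lock = threading.Lock()
        self.stopping = threading.Event()
        self.accepted = 0
        self.threads = [threading.Thread(target=self._accept_loop, daemon=True),
                        threading.Thread(target=self._drip_loop, daemon=True)]

    def start(self):
        for t in self.threads:
            t.start()

    def _accept_loop(self):
        while not self.stopping.is_set():
            try:
                conn, _peer = self.srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.setblocking(False)   # drips must never block the loop
            with self.lock:
                self.conns.append(conn)
                self.accepted += 1

    def _drip_loop(self):
        while not self.stopping.is_set():
            time.sleep(self.drip_interval)
            with self.lock:
                alive = []
                for conn in self.conns:
                    try:
                        conn.send(DRIP)
                    except BlockingIOError:
                        pass          # peer is not reading either; still pinned
                    except OSError:
                        conn.close()  # peer gave up (RST); forget it
                        continue
                    alive.append(conn)
                self.conns = alive

    def close(self):
        self.stopping.set()
        for t in self.threads:
            t.join(timeout=1.0)
        with self.lock:
            for conn in self.conns:
                conn.close()
            self.conns = []
        self.srv.close()


def pour(sock, blob):
    """Non-blocking send until the kernel refuses (EAGAIN); returns bytes queued."""
    sent, view = 0, memoryview(blob)
    while sent < len(view):
        try:
            sent += sock.send(view[sent:sent + CHUNK])
        except BlockingIOError:
            break
    return sent


def probe_tarpit(hold_seconds=0.5, attempt=32 * 1024 * 1024):
    """Constructed self-test: a fake 'worm' connects and tries to push a payload.
    Returns how much each round queued; once the window has shut, a round queues 0."""
    tp = Tarpit(drip_interval=0.05)
    tp.start()
    worm = socket.create_connection(("127.0.0.1", tp.port))
    try:
        worm.settimeout(2.0)
        first = worm.recv(1)          # the drip arrives although we sent nothing
        worm.setblocking(False)
        blob = b"A" * attempt         # constructed payload, far larger than any buffer
        rounds = []
        for _ in range(3):            # later rounds only pick up late-ACKed space
            rounds.append(pour(worm, blob))
            time.sleep(hold_seconds)
        return {"accepted": tp.accepted, "first_drip": first, "rounds": rounds,
                "absorbed": sum(rounds), "attempted": attempt}
    finally:
        worm.close()
        tp.close()


if __name__ == "__main__":
    print(probe_tarpit())
```

The probe shows the two properties that matter for a tarpit: the peer's payload stalls after a few tens of KiB (the sender's own socket buffer plus the tiny receive buffer), and the connection stays up because the tarpit keeps dripping. On a real deployment the drip interval would be minutes, not 50 ms, and the 10-minute idle timeout Chuck mentions is exactly why the drip exists.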
Current thread:
- Re: A fun smackdown..., (continued)
- Re: A fun smackdown... Chuck Swiger (May 21)
- Re: A fun smackdown... Marcus J. Ranum (May 21)
- Re: A fun smackdown... Chuck Swiger (May 21)
- Re: A fun smackdown... Adam Shostack (May 21)
- Re: A fun smackdown... Ryan McBride (May 21)
- Re: A fun smackdown... Marcus J. Ranum (May 21)
- Re: A fun smackdown... Steven M. Bellovin (May 21)
- Re: A fun smackdown... Marcus J. Ranum (May 21)
- Re: A fun smackdown... Don Kendrick (May 24)
- Re: A fun smackdown... Paul D. Robertson (May 19)
- Re: A fun smackdown... Chuck Swiger (May 19)
- Re: A fun smackdown... Paul D. Robertson (May 19)
- Re: A fun smackdown... Chuck Swiger (May 19)
- Re: A fun smackdown... Paul D. Robertson (May 19)
- Re: A fun smackdown... Marcus J. Ranum (May 20)
- Re: A fun smackdown... Chuck Swiger (May 21)
- Re: A fun smackdown... Marcus J. Ranum (May 21)
- Re: A fun smackdown... Chuck Swiger (May 21)
- Re: A fun smackdown... Marcus J. Ranum (May 21)
- RE: A fun smackdown... Bill Royds (May 24)
- Re: A fun smackdown... Joseph S D Yao (May 20)