Firewall Wizards mailing list archives

Re: Firewall Administration Survey


From: jdgorin () computer org
Date: Mon, 10 Dec 2007 10:41:39 +0100


Lihua Yuan [lihua.yuan () gmail com] wrote:

Jean-Denis Gorin [jdgorin () computer org] wrote:

To connect this message to the rolling other threads:
consequences of rule configuration error in a packet
filter (stateful or not) can be more dreadful than
configuration error in a proxy.

I'm curious what kind of configuration errors for
stateful firewalls you have in mind?

Hi Lihua,

You can mess up quite a lot of things in a stateful firewall configuration.
Mistyping errors are the most common. Other errors are misunderstandings of how
things work (that means how the FW rules engine deals with rules).

The problem is complexity: in a stateful firewall configuration, you get one
rule set for all services and hosts. In a proxy configuration, you get one
rule set for each service.
So, in a stateful FW configuration, the impact of an error is broader than the
impact of an error in a proxy configuration.

Some examples:
 1/ the rule parsing order is *very* important
Example: you want to open access to a range of hosts in your DMZ except some.
You have a first "closing" rule for the "except some" followed by an "opening"
rule for the hosts' range.
If you put those 2 rules in the other order, you open access to the "except some"
hosts.
Same for port numbers instead of host addresses.
NB: some stateful FW use "optimization" for their rules engine. You don't know
which rules will be run prior to another one.

 2/ default implicit rules
Depending on the FW, some authorize default flows like DNS or ICMP.
I count these as errors in the "misunderstanding of how things work" category.

 3/ number of rules
Some stateful FW configurations are over 1000 rules. You can't manage that
number of rules without making errors (even if you use a GUI or automatic rule
management tools).


JDG
"Reality is that which, when you stop believing in it, doesn't go away."
Philipp K. Dick
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
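The rule-order problem from point 1/ above, as an added illustration that is not part of the original message: a minimal first-match packet-filter evaluator with the "closing" and "opening" rules in both orders, plus a shadowing audit that flags a rule an earlier, broader rule makes unreachable. Addresses (TEST-NET 192.0.2.0/24, excluded block 192.0.2.8/29) and the first-match semantics are assumptions for the example; a real engine that reorders rules, as the NB warns, would need the audit run against its effective order.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    dst_net: ipaddress.IPv4Network     # destination hosts the rule covers
    dst_port: Optional[int] = None     # None matches any destination port

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        return (ipaddress.ip_address(dst_ip) in self.dst_net
                and (self.dst_port is None or self.dst_port == dst_port))


def evaluate(rules: List[Rule], dst_ip: str, dst_port: int, default: str = "deny") -> str:
    """First-match evaluation (assumed semantics): the first fitting rule decides."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.action
    return default


def audit_shadowed(rules: List[Rule]) -> List[Rule]:
    """Return rules that can never fire because an earlier rule already covers
    every packet they would match (the swapped-order mistake from the post)."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.dst_net.subnet_of(earlier.dst_net)
                    and (earlier.dst_port is None or earlier.dst_port == later.dst_port)):
                shadowed.append(later)
                break
    return shadowed


# Constructed data: whole DMZ range, with a few hosts that must stay closed.
DMZ = ipaddress.ip_network("192.0.2.0/24")
EXCLUDED = ipaddress.ip_network("192.0.2.8/29")

CORRECT = [Rule("deny", EXCLUDED), Rule("allow", DMZ)]   # closing rule first
SWAPPED = [Rule("allow", DMZ), Rule("deny", EXCLUDED)]   # opening rule first: deny is dead

if __name__ == "__main__":
    for name, rules in (("correct", CORRECT), ("swapped", SWAPPED)):
        print(name, "192.0.2.9:80 ->", evaluate(rules, "192.0.2.9", 80),
              "| shadowed:", audit_shadowed(rules))
```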

