Firewall Wizards mailing list archives
Re: Firewall Administration Survey
From: jdgorin () computer org
Date: Mon, 10 Dec 2007 10:41:39 +0100
Lihua Yuan [lihua.yuan () gmail com] wrote:
> Jean-Denis Gorin [jdgorin () computer org] wrote:
> > To connect this message to the rolling other threads: consequences of rule configuration error in a packet filter (stateful or not) can be more dreadful than configuration error in a proxy.
>
> I'm curious on what kind of configuration errors for stateful firewalls you have in mind?
Hi Lihua,

You can mess up quite a lot of things in a stateful firewall configuration. Mistyping errors are the most common. Other errors are misunderstanding of how things work (that means how the FW rules engine deals with rules).

The problem is complexity: in a stateful firewall configuration, you get one rule set for all services and hosts. In a proxy configuration, you get one rule set for each service. So, in a stateful FW configuration, the impact of an error is broader than the error in a proxy configuration.

Some examples:

1/ the rules parsing order is *very* important
Example: you want to open access to a range of hosts in your DMZ except some. You have a first "closing" rule for the "except some" followed by an "opening" rule to the hosts' range. If you put those 2 rules in the other order, you open access to the "except some" hosts. Same for port numbers instead of host addresses.
NB: some stateful FW use "optimization" for their rules engine. You don't know what rules will be run prior to another one.

2/ default implicit rules
Depending on the FW, some authorize default flows like DNS or ICMP. I count these as errors in the "misunderstanding of how things work" category.

3/ number of rules
Some stateful FW configurations are over 1000 rules. You can't manage that number of rules without making errors (even if you use a GUI, or automatic rule management tools).

JDG

"Reality is that which, when you stop believing in it, doesn't go away." Philip K. Dick

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
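The rule-ordering error and the implicit-default point from the message above, as an added example that is not part of the original post or of any firewall product's code. It models a first-match packet filter, constructs the "open a DMZ range except one host" rule pair in both orders, and adds the check an administrator would want: a shadowed-rule detector that flags a rule that can never fire because an earlier rule with the opposite action already covers it. All addresses (RFC 5737 documentation ranges), ports and rule names are constructed sample data, and the `Rule` structure is an assumption of this example, not any vendor's format.

```python
"""First-match rule evaluation and shadowed-rule check for an ordered
packet-filter rule set.  Addresses, ports and rule names below are
constructed sample data (RFC 5737 ranges), not real configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport_lo: int
    dport_hi: int
    name: str = ""

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in self.src and ip_address(dst) in self.dst
                and self.dport_lo <= dport <= self.dport_hi)

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and self.dport_lo <= other.dport_lo
                and other.dport_hi <= self.dport_hi)


def first_match(rules, src, dst, dport, default="deny"):
    """First-match evaluation: the first rule that matches decides.
    `default` models the engine's implicit rule for packets no explicit
    rule matches (point 2 in the message: on some products it is not deny)."""
    for r in rules:
        if r.matches(src, dst, dport):
            return r.action, r.name
    return default, "implicit-default"


def shadowed_rules(rules):
    """Return (shadowed, by) name pairs: rules that can never fire because a
    single earlier rule with a different action covers every packet they
    match.  Coverage by a *union* of several earlier rules is not detected
    here; that needs a full rule-set analysis."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action != later.action and earlier.covers(later):
                out.append((later.name, earlier.name))
                break
    return out


# Constructed scenario: open HTTPS to the DMZ range except one host.
DMZ = ip_network("192.0.2.0/24")
EXCLUDED = ip_network("192.0.2.10/32")
DENY_SOME = Rule("deny", ANY, EXCLUDED, 443, 443, "deny-excluded-host")
ALLOW_RANGE = Rule("allow", ANY, DMZ, 443, 443, "allow-dmz-https")

CORRECT_ORDER = [DENY_SOME, ALLOW_RANGE]   # closing rule first, then opening rule
WRONG_ORDER = [ALLOW_RANGE, DENY_SOME]     # swapped: the deny is now unreachable


def decision(rules, dst, dport=443, src="198.51.100.7", default="deny"):
    """Convenience wrapper returning only the action for one packet."""
    return first_match(rules, src, dst, dport, default)[0]


if __name__ == "__main__":
    for label, rs in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(f"{label}: excluded host -> {decision(rs, '192.0.2.10')}, "
              f"other DMZ host -> {decision(rs, '192.0.2.20')}, "
              f"shadowed rules: {shadowed_rules(rs)}")
    # An implicit default that permits traffic changes the answer for
    # packets no explicit rule matches (e.g. DNS to a host outside the DMZ).
    print("DNS with implicit allow:", first_match(CORRECT_ORDER, "198.51.100.7",
                                                  "203.0.113.5", 53, default="allow"))
```

Running `shadowed_rules` over a rule set before pushing it is a cheap way to catch the swapped-order mistake: in the wrong order the deny rule is reported as shadowed by the allow rule, while the correct order reports nothing. The default parameter makes the implicit rule explicit, so a review can see what happens to flows like DNS that no written rule mentions.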