Great Circle Associates Firewalls
(October 1997)
 


Subject: Re: sex, lies, and firewall code
From: Bill Stout <stoutb @ pios . com>
Date: Mon, 20 Oct 1997 14:23:37 -0700
To: firewalls @ GreatCircle . COM

Sex:
Marketing is a necessary evil, as are lawyers.  I strongly suspect that a
survey of who chose what firewall would reveal that a greater percentage of
technically knowledgeable people choose TIS (or other proxy firewall), and a
greater percentage of non-security people choose Checkpoint (or other
enhanced packet filters).  Unfortunately, it's the same sort of thing that
made more people choose Windows 3.1 vs. MacOS.

Lies:
It is a misrepresentation to say that state-based filtering mechanisms
provide security anywhere near the superior security offered by proxy-based
firewalls.  My biggest beef with 'state-based firewalls' is that a
state-based filter cannot rewrite packets, it passes packets through,
leaving the internal network exposed to various packet attacks.  A
state-based filter also does not have the application code to intelligently
filter application commands.  A state-based filter is not necessarily faster
than a proxy firewall, and I worked with one customer who recently pulled
their Ultra2/200 running FW-1 because it became overwhelmed with traffic,
and tech support was not able to resolve the problem, where it locked up and
required a reboot a few times a day.  Caveat: Their 'service provider' box
behind the firewall was a multiprocessor DEC Alpha on 100Mb ethernet, and
tech support thinks there may have been a sizing or compatibility problem.

Fred Avolio is a well-known and well-written security expert, and certainly
does know his stuff.  I would certainly be wary of a person who claims to be
a security expert but has not known (of) Fred for a long time.  If you must
challenge his statements, it's wiser to do so privately than publicly.

Firewall code:
A question was asked about the trustability of binary code (executables)
where no one outside the company could review the source code.  Answer: You
can't.  You must blindly trust the company to secure the code up to and
through compile.  If you're a government or 'national infrastructure'
entity, it's a much deeper question of who you can trust.

The improved techniques a firewall uses can be peer reviewed, and if a
technique does not pass muster via peer review, it ain't an improvement.

Bill Stout

P.S. - Went on an interview at USWEB for a 'security consultant' position
early this year; the interview was basically over (with the Technical
Director, an ex-Novell guy) once I eventually admitted my favorite firewall at
the time was Gauntlet ("It depends on the customer's needs" didn't work).
It seems they didn't think I knew much about firewalls.  ;)  I'm curious to
know what firewall they recommend.
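The distinction the post draws under "Lies" (a state-based filter passes packets through unchanged and has no application code to filter commands, whereas a proxy terminates the session and can rebuild what it forwards) is easiest to see in code. The following is an added example, not code from Bill Stout's post or from any product he names: two toy models, a flow-tracking packet filter and a minimal SMTP command proxy, run over the same constructed traffic. The addresses (documentation ranges), ports, verb allow-list and sample commands are all assumptions made for the example.

```python
# Added example, not code from the original post or from any firewall product.
# StatefulFilter tracks flows and hands matching packets on unchanged;
# SmtpProxy terminates the session, parses each command and emits its own
# canonical bytes, so only verbs it understands reach the real server.
# All traffic below is constructed for the example.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    payload: bytes = b""


class StatefulFilter:
    """Allow-list of outbound destination ports plus a connection table."""

    def __init__(self, outbound_ports):
        self.outbound_ports = set(outbound_ports)
        # Tracked flows as (inside_ip, inside_port, outside_ip, outside_port).
        self.flows = set()

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.flows:
            return pkt
        if pkt.syn and pkt.dport in self.outbound_ports:
            self.flows.add(key)          # inside host opened a new flow
            return pkt
        return None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # A reply is accepted only if it is the mirror of a tracked flow.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # The same object is returned: the payload is neither parsed nor
        # altered, which is the limitation the post describes.
        return pkt if key in self.flows else None


SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
MAX_LINE = 512   # RFC 821 command-line limit, CRLF included
BAD_SYNTAX = b"500 Syntax error, command unrecognized\r\n"
BAD_PARAM = b"501 Syntax error in parameters or arguments\r\n"


class SmtpProxy:
    """Rebuilds each client command instead of forwarding the client's bytes."""

    def relay(self, line: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
        """Return (bytes for the real server, reply for the client)."""
        body = line.rstrip(b"\r\n")
        if (len(line) > MAX_LINE or not body.isascii()
                or any(c < 0x20 or c == 0x7F for c in body)):
            return None, BAD_SYNTAX
        parts = body.decode("ascii").split(None, 1)
        if not parts or parts[0].upper() not in SMTP_VERBS:
            return None, BAD_SYNTAX      # unknown verbs never reach the server
        verb = parts[0].upper()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if verb in ("MAIL", "RCPT"):
            keyword = "FROM:" if verb == "MAIL" else "TO:"
            if not arg.upper().startswith(keyword) or not arg.endswith(">"):
                return None, BAD_PARAM
            arg = keyword + arg[len(keyword):].lstrip()
        canonical = verb + (" " + arg if arg else "") + "\r\n"
        return canonical.encode("ascii"), None


def demo():
    """Run both models over the same constructed SMTP session."""
    fw = StatefulFilter(outbound_ports={25})
    inside, outside = "10.0.0.5", "192.0.2.10"
    opened = fw.outbound(Packet(inside, outside, 40000, 25, syn=True))
    reply = fw.inbound(Packet(outside, inside, 25, 40000, syn=True,
                              payload=b"220 ready\r\n"))
    stray = fw.inbound(Packet("198.51.100.7", inside, 1234, 25, syn=True))
    # The filter forwards this payload untouched because the flow is tracked.
    cmd = fw.outbound(Packet(inside, outside, 40000, 25,
                             payload=b"vrfy root\r\n"))
    proxy = SmtpProxy()
    return {
        "filter_opened": opened is not None,
        "filter_reply": reply is not None,
        "filter_stray": stray is None,
        "filter_payload": cmd.payload,
        "proxy_mail": proxy.relay(b"mail from: <alice@example.com>\r\n"),
        "proxy_vrfy": proxy.relay(b"vrfy root\r\n"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The filter's only decision is whether a packet belongs to a flow the inside opened; once it does, any payload rides through, including the `vrfy root` command. The proxy never forwards the client's bytes at all: it accepts a verb from a short allow-list, normalises the argument and emits its own CRLF-terminated line, so oversized lines, control characters and unknown verbs stop at the proxy. The cost is exactly the one the post acknowledges: the proxy needs protocol-specific code for every service it relays.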


