John K. wrote:
>It seems to me that having firewalls as they are now means introducing
>more complexities into the system. I see today's firewalls as 'active' firewalls.
>That is -- they are visible on the net, you must pay attention to them (as a user,
>the system manager must always pay attention to them).
I disagree and pose the following definitions:
ACTIVE FIREWALL: one which is dynamically reconfigurable (hopefully in a
                 trusted/verifiable manner). I view this as an essential
                 piece of single-sign-on.
STATIC FIREWALL: one which executes according to a fixed set of rules and
                 which requires manual intervention to reconfigure.
>>What will it be if we have a 'passive' firewall? One that will not be visible, one
>>that will act like a signal processor. The idea is to have one black box which
>>will monitor every packet and perform the appropriate action if some
>>predefined condition is met. Nothing new? What is new is that neither the user nor any
>>other machine is aware of the firewall. That means that you don't have to
>>advertise the firewall to the outside world.
We do not have to advertise a firewall now, this is just the default/easy way
out. There is no reason for a firewall to respond to a PING, FINGER, or
even be listed in the DNS - this is just accepted practice. A firewall
(really a filter but you get the idea) needs to be nothing more than a
dedicated machine with two NICs that decides which packets to pass, which
to refuse, and which to log/alarum. (I have something like this controlling
the TCP/IP network in my den right now).
The reason firewalls are visible is because this is the default (they started
out as bridges/routers anyway - the security aspect is a bag on the side for
most) and it makes it easy for an administrator to check on it/make changes
remotely, not because it is necessary; a terminal physically connected to a
port would work as well (which is why SUNs allow the concept of "secure" terminals).
>However, there is one potential disadvantage in that the invisible firewall
>cannot mask the protected network. All hosts are completely visible to
Why? Only hosts that need to be visible to the outside must be, and then only
in those aspects required. All systems that I know of allow filtering by
type of access (SMTP, TELNET, Novell), local host, and remote host. It is
just a matter of programming.
Further nothing says that the firewall cannot feed a proxy host and then the
proxy is all that needs to be visible.
Finally, I think that sometimes we get caught up in the old mainframe concept
of "one box does everything". This is no longer either true or necessary. I
prefer something like this:
<--"The World"----| FIREWALL |--------------| PROXY HOST |----"INSIDE"-->
                  ------------       |      --------------
                                | LOGGER PC |
This distributes the loading for minimal performance impact. With switches
at the front and tail, one can also maintain mirrors for redundancy. Neither
the firewall nor the logger need to be visible to the world or the inside.
This is also the simplest condition. In a more complex installation, the Logger
might be able to add/modify the rules on the Firewall or Proxy based on
changing conditions, e.g. three attempts by a "world" host to access systems
improperly would cause the FIREWALL to refuse all future connections from
I suspect that the elements above may come to be considered the "minimum"
for a protected connection and may need a term. I am sure that there is an
electrical term that would fit (not a Pi filter but similar) - my Electrical
Engineering handbook is at home and it has been a while.
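As an added illustration (not code from the post or its author) of the two ideas above, a filter keyed on service, local host and remote host, and a Logger that pushes a new refuse rule back to the Firewall after three improper attempts from one "world" host, here is a small model in Python. All hosts, ports, rules and packets are constructed sample values.

```python
# Added example, not from the original post: a static packet filter keyed on
# (remote host, local host, service) plus the "logger feedback" loop that turns
# three refused attempts from one outside host into a dynamic refuse-all rule,
# i.e. an ACTIVE firewall in the poster's sense. All values are constructed.
from collections import Counter

SERVICES = {25: "SMTP", 23: "TELNET"}   # port -> service name (assumed mapping)
THRESHOLD = 3                           # improper attempts before a host is refused


class Firewall:
    def __init__(self, rules):
        # rules: (remote_host, local_host, service) triples that are PASSED.
        # "*" matches anything; a packet matching no rule is REFUSED (default deny).
        self.rules = list(rules)
        self.blocked = set()      # hosts the logger has told us to refuse outright
        self.counts = Counter()   # refusals seen per remote host
        self.log = []             # what the LOGGER PC would receive

    def _match(self, rule, remote, local, service):
        return all(r in ("*", v) for r, v in zip(rule, (remote, local, service)))

    def decide(self, remote, local, port):
        service = SERVICES.get(port, str(port))
        if remote in self.blocked:
            verdict = "REFUSE"
        elif any(self._match(r, remote, local, service) for r in self.rules):
            verdict = "PASS"
        else:
            verdict = "REFUSE"
        self.log.append(f"{verdict} {remote} -> {local}:{service}")
        if verdict == "REFUSE":
            self.logger_feedback(remote)
        return verdict

    def logger_feedback(self, remote):
        # The Logger's role: count refusals per world host and, at the
        # threshold, add a rule to the Firewall refusing that host entirely.
        self.counts[remote] += 1
        if self.counts[remote] >= THRESHOLD:
            self.blocked.add(remote)


def demo():
    fw = Firewall([("*", "proxy", "SMTP"), ("partner.example", "proxy", "TELNET")])
    verdicts = [fw.decide("203.0.113.9", "proxy", 25),        # PASS: SMTP to the proxy
                fw.decide("203.0.113.9", "fileserver", 23),   # REFUSE: inside host, no rule
                fw.decide("203.0.113.9", "fileserver", 23),   # REFUSE: second strike
                fw.decide("203.0.113.9", "proxy", 23),        # REFUSE: third strike, host blocked
                fw.decide("203.0.113.9", "proxy", 25)]        # REFUSE: previously allowed, now blocked
    return verdicts, sorted(fw.blocked)
```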