Firewalls: RE: PIX and Firewall-1 (Thesis Length)

Firewalls
(June 1997)

Indexed By Thread: [Previous] [Next]

Subject:	RE: PIX and Firewall-1 (Thesis Length)
From:	"Daniel J Blander - Sr. Systems Engineer for ACS" <Daniel . Blander @ ACSacs . Com>
Date:	Wed, 4 Jun 1997 09:13:09 -0700
To:	Pedro Salgueiro <psalgueiro @ speedy . europe . dg . com>
Cc:	"'Mike Jones'" <newman!jonesmd @ uunet . uu . net>, "'firewalls'" <firewalls @ greatcircle . com>
In-reply-to:	<01BC70CA . 41A88880 @ pcpedro>

I disagree and agree (in that order)....

On Wed, 4 Jun 1997, Pedro Salgueiro wrote:

> I've been "watching" the discussion regarding the differences between 
> packet-filtering and application level firewalls. I believe that there
> are some:
> 1 - Packet filtering firewalls are more difficult to manage 
>     (It is very simple to mis-configure => less secure).
>     It may be very complicated establishing rules.

Most firewalls are "difficult" to configure.  One is not necessarily more
difficult to configure than another.  Even application level firewalls ask
you to list valid hosts, networks, etc - so misconfiguration can be just
as difficult.  The focus should be on the tools used to configure the
rules.  If they are lacking and poor, like anything else, it will be hard
to configure.

> 2 - Packet filter systems are always routing packets 
>     (so "fail-open" may occur). A well known contructor firewall crashed
>     with a ping attack and routed all the packets from the insecure
>     network to the secure one.

Unfortunately the conclusion that you draw from this example is not quite
accurate.  Yes, packet filtering systems and stateful-inspection firewalls
do route packets (and *yes* virginia, they are two different types of
firewalls) but that does not necessarily mean that "fail-open" occurs.
I can list at least one vendor where the failure of the firewall causes
packets *not* to be routed (good old systems that allow ip-forwarding to
be turned off and then the firewall, while up, forwards the packets
itself - failure of the firewall means forwarding has also failed since
the underlying system will so - sorry, I won't do it).

> 3 - If you are using a packet filter system and you provide SMTP, 
>     HTTP, etc. you cannot control what the users do with those
>     protocols,i.e., you open or close a port. Application level
>     firewalls provide secure  daemons of those protocols.

Here is where I agree 100%.  You can not, with a packet filter or pure
stateful-inspection firewall, filter what people do over those ports.

The best firewalls out there are those that are not really out there yet.
They are hybrids of stateful-inspection and application level firewalls.
Stateful inspection allows me to filter and manage even UDP connections
(good old NTP for example which I have customers who *must* have it) but
I need applicaiton level firewalls to control the garbage being stuffed
over http these days, or to protect the smtp port....I like
stateful-inspection firewalls because they watch the high-ports for me and
close them when a FIN is sent for a specific communications and log any
probes on these ports.

There are benefits to both technologies: stateful-inspection and
application gateways.  I will admit pure, old style ACL packet
filtering is insecure and limited in its usefulness if used alone but
only because certain protocols have unusual requirements (FTP in Active
mode) and that someone figured out how to send RST packets to still open
high ports and other fun and games with the IP protocols.  The advance of
the exploits to a given technology require new tools to counter them.
Old style ACL packet filtering was good when it first hit because it was
all we thought we needed.  Then someone figured out how to spoof packets
and work around on high ports.  Now we have countered that with
application level firewalls which control even the content but are limited
in what types of protocols can go through (which is a good thing and a bad
thing).  Stateful Inspection firewalls came along and said, lets have it
somewhere in the middle (ok, closer to packet filtering firewalls but with
communications state built in).  There will be exploits found in both of
these technologies as well - between mis-configuration, TCP sequence
attacks, man-in-the-middle attacks, etc, there are enough hacks out there
that say the real issues are begining to reach beyond whether you are
using packet filtering, stateful inspection or application level
firewalls, and beg for a new style of firewall - a new technology....

(And, No I don't think that it is Abir-Net.....;-)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Daniel Blander 	                       =8^)	                    
 Sr. Systems Engineer	 Applied Computer Solutions 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Phone: (714) 842.7800		Fax: (714) 842.8299 
 Email: Daniel .
 Blander @
 acsacs .
 com                  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
	       http://www.acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

RE: PIX and Firewall-1
From: Pedro Salgueiro <psalgueiro @ speedy . europe . dg . com>

Indexed By Date	Previous:	getting passwd file via WWW From: Stan Wnuck <swnuck @ unixpros . com>
Indexed By Date	Next:	Re: Security Crazy From: Rabid Wombat <wombat @ mcfeely . bsfs . org>
Indexed By Thread	Previous:	RE: PIX and Firewall-1 From: Pedro Salgueiro <psalgueiro @ speedy . europe . dg . com>
Indexed By Thread	Next:	Re: PIX and Firewall-1 From: Mike Jones <mike . jones @ unifiedtech . com>