2000-02-29-09:29:18 Mike Scudamore:
> Frederick M Avolio:
> > This is, by the way, one of the kinds of problems cited by
> > those of us who believe that stateful inspection firewalls are
> > generally insufficient for serious security.
>
> Excuse the "newbie to the list" question, but if these types of
> firewalls are "generally insufficient", what type of firewall do
> you consider to be "sufficient"?

What a fraught question:-).

I'm not Fred, and I'm sure he's quite capable of answering this one
for himself, but I wanna take a stab at it anyway.

Don't concentrate so hard on Fred's "generally insufficient". Look
closer at "for serious security".

The answer to your question "what type of firewall is sufficient"
depends entirely and solely on what assumptions you're working with.

I believe Fred's working with a pair of assumptions that are
ubiquitous to the point of universal in some industries, although
there are places where they don't apply.

  (1) You have users of all skill levels, and at least some of them
      are running desktops with OSes and applications that cannot be
      secured, and they must be given internet access.

  (2) You must make burglaries involving complete compromise of
      these desktops from the outside effectively impossible.

Now those two assumptions set up a tension that's almost impossible
to resolve, and the firewall architectures that are used in the
attempt are the most elaborate and sophisticated firewalls in
current use. Your typical firewall for this setting is a couple of
rack-fulls of boxes or more, with exterior screening routers,
interior screening routers, one or more bastion hosts, and
special-purpose servers operating on semi-secured nets between the
screening routers.

In this sort of setting, the bastion typically does not allow _any_
packets directly in or out. It has non-transparent proxies for some
protocols, typically SMTP and HTTP; they are doing some content
screening, and there are elaborate logfile analysis tools running.
You don't allow any DNS in or out at all; you run your own roots
in-house, and inside clients just pass the actual hostnames to the
non-transparent proxies where they are resolved.

Your users can't use streaming internet multimedia apps, they
can't use chat programs like ICQ or even IRC, they can't view
java/javascript/active-x from the internet, etc.

There are circles where this is the implicitly-understood flavour of
"serious security".

There are other ways to approach serious security, of course. Limit
services in use and you can do away with the firewall. So servers
like e.g. http servers don't get protected behind separate
firewalls, they are just hardened to where they are more secure than
most firewalls all by themselves. People who care about security can
harden their clients even better than the best hardened server, and
don't need any firewall protection at all.

But understanding Fred's remark requires understanding the security
environment it's based in. In that environment, a packet filter
(even a "stateful" one) doesn't have a sufficiently sophisticated
and high-level view of the traffic to do a good job. Specifically,
blocking attacks based on weirdo packet types requires
special-coding blocks for each one, which means they're always
playing catch-up as people keep inventing new bad weirdness to
commit with the low levels of IP. And a real, accurate view of the
traffic stream (for things like content editing --- or adjusting
your filtering to properly honor ftp "PORT" commands) requires
re-implementing all the arcana and subtleties of a full IP stack to
accurately reconstruct the data stream. People don't bother, they
come up with simple trivial approximations, and once they work
correctly for correct applications they think they are done. Then
someone comes up with a weirdo misuse of strangely-constructed IP
packets that violates some assumption that the filter author didn't
even realize he was making, and voila, there's another security
problem with the packet filtering firewalls that has to be fixed.

Packet filters like FW1 can be fine, superb components in security
design, although if all I want is a packet filter, I'll go for a
no-moving-parts box, or even lose the separate box altogether and
just use the packet filtering that comes with my OS. But there are
places where packet filtering is woefully inadequate to enforcing
some of the trickier parts of a complex security policy, and those
places are a daily part of life in some settings.

-Bennett
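As an added illustration of the FTP "PORT" point above (example code, not part of this post or thread), here is a per-segment approximation beside a stream-reassembling filter, both applying the check a filter needs before opening a reverse data connection; the control-channel fragments and the 10.0.0.x addresses are constructed.

```python
import re

# 'PORT h1,h2,h3,h4,p1,p2' as sent on the FTP control channel (RFC 959 syntax).
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")

def parse_port(line: bytes):
    """Decode a PORT line into (ip, port); None if it is not a well-formed PORT line."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def allowed_hole(client_ip, ip, port):
    """Only open a data connection back to the client itself, on an unprivileged port
    (a PORT naming a third host is the classic FTP bounce and is refused)."""
    return ip == client_ip and port > 1023

def per_segment_filter(client_ip, segments):
    """Naive approximation: assumes each PORT line sits whole inside one TCP segment."""
    holes = []
    for seg in segments:
        for line in seg.split(b"\r\n"):
            parsed = parse_port(line)
            if parsed and allowed_hole(client_ip, *parsed):
                holes.append(parsed)
    return holes

def stream_filter(client_ip, segments):
    """Reassemble the byte stream and act only on complete CRLF-terminated lines."""
    holes, buf = [], b""
    for seg in segments:
        buf += seg
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            parsed = parse_port(line)
            if parsed and allowed_hole(client_ip, *parsed):
                holes.append(parsed)
    return holes

# Constructed fragments: the PORT command is split across two segments.
CLIENT = "10.0.0.5"
SPLIT = [b"USER anon\r\n", b"PO", b"RT 10,0,0,5,4,1\r\nLIST\r\n"]
# Constructed bounce attempt: the client asks for a connection to another host.
BOUNCE = [b"PORT 10,0,0,9,0,25\r\n"]
```

The per-segment version never sees the split command (so the data connection it should have permitted is simply lost), while the reassembling version opens 10.0.0.5:1025 and both refuse the bounce.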
