On Mon, 20 Mar 2000, Michael H. Warfield wrote:

[snip]
> > Come on!
> > Stateful firewalling buys you *very* little extra security over 
> > non-stateful filtering. Most of the attacks that a firewall will stop are
> > straightforward service exploits via the internet. A simple filter will do
> > this just fine.
> 
>       Exploits yes, but there are other things, like FIN scans, and
> Christmas scans, etc, that it stops cold.  It also helps (I didn't say
> cures) with things like UDP and can stop UDP scanning.

Ohhh.. Scans. How deadly. :) I understand the benefits of stateful
firewalling, I just don't agree that they are worth it.
 
> > Most security violations happen from the inside, and unless you like
> > spending tons of money breaking all your internal communications,
> > firewalls can't help you there. Also, it's usually trivial for someone on
> > the outside to trick an insider into setting up a covert channel through
> > all but the most anal stateful devices.
> 
>       Agreed.  I don't claim they cure everything.  I merely claimed
> that they have security advantages.  Anyone who claims to have a magic
> bullet that cures all your security woes should be checked over very
> carefully and escorted to the door.

I agree with that.

> > They simply don't get you much over non-stateful devices other than a
> > false sense of security, increased complexity, and lowered reliability.
> 
>       Not true since they do very distinct things which can be enumerated,
> not true as long as they are not sold as a single sole point of security,
> somewhat true since they do involve somewhat more complexity though largely
> not as complex as proxies which provide similar capabilities, largely not
> true since they will be just as reliable or more reliable than proxies.
> For equivalent functionality, stateful filters are not that much more
> complex if at all, and are not less reliable than other equivalent solutions.
> Because they do a distinct job which static filters can not, I do not
> consider static filters "equivalent".

But is the difference worth the loss? I see your argument as equivalent to
my arguing to my SO that I need a Saturn V rocket to get to work: "A
car isn't equal!". :)
 
> > The real solution to security is to secure the damn hosts, and stop trying
> > to gloss over the problem with cure-all quick fix firewalls.
> 
>       No...
> 
>       The real "solution" is to quit looking for single point solutions
> such as firewalls and hosts, saying this is all I need to solve my
> security problems. 

Securing the systems & people seems as close as you can get. :) But you are
correct. There should be no single point of security.

> The solution is "security in depth".  You need layers
> of security.  Firewalls are a part, and not just perimeter firewalls,
> departmental firewalls 

Ugg. Firewalling breaks network level transparency. It's not so bad on the
Internet connection, but throughout a network? Eewww.

Have you looked at what companies are paying for firewalls and their
support?

> and even firewalls on single hosts with builtin
> firewall capability.

Now.. THAT is a good idea. If you implement stateful firewalls on the
hosts, you have pushed the statefulness to the end nodes. That is a good
idea. Now combine that with IPsec and a distributed firewall management
system and you've got the 'Real Solution' (tm). 

Unfortunately, all the firewalls/NATs that have been erected everywhere
have already destroyed global network level transparency and made the
widespread implementation of IPsec impossible. :(

> Stateful filters are a part.  Tools like Abacus sentry
> and snort (IDS) are a part.  Tools like log monitors and alarms are a part.
> Tools like tcpwrappers is a part.  Packages like PAM and cracklib are a
> part.  Tools like ssl, ssh, and ipsec are a part.  They're not competitive
> and they're not going to eliminate each other.  They are cooperative and
> synergistic.  With layers of security, a breach in one layer doesn't
> immediately spell doom and compromise for your entire network.  The
> intruder should have to walk a minefield of security where he has to be
> perfect in finding a hole in each layer while avoiding any and all
> detectors, traps, and alarms.

This is correct. But it does not follow that a stateful network is a
requirement of layering.

>       I'm tired of the situation where all an intruder has to do is to
> find one hole in your defenses and you're toast.  Anytime anyone says, all
> we have to do is fix our security "here" and we're safe, I get worried.
> There are no cure-all quick fixes at the host or at the network.  The
> solution has to be comprehensive and include the human factor.  You have
> to take stupid human tricks (viruses, covert channels,
> misconfigurations, accidents) into account as well.  There are no final
> solutions either.  There are just degrees of security and vigilance.

I agree.. But it still doesn't follow that you need a stateful firewall. A
simple stateless device + other layers should do the trick.

> > Any network small and simple enough not to be crippled by a stateful
> > network (i.e. one building with one internet connection, with no peering
> > to other networks, with 100% trusted insiders (who know not to run
> > dancing-baby2000.exe)) is simple enough to actually make secure.
> 
>       How does stateful filtering cripple a network????  I've got some
> networks that have multiple /21's through a /19 supporting multiple T1's
> to the main network (that still manage to saturate periodically) and
> intra-enterprise VPN's.  That's not even counting our private address
> subnets and NAT devices.  Several thousand hosts counts for a significant
> sized network.  I haven't seen any crippling.  Do you have some
> real world experience with this crippling or are you just making noise?

Yes. At work, I operate a network with well over three thousand devices on
it, covering 50 sites, and 7 separate organizations all interconnected
with single-mode and frame-relay running only IP. We have a /21 + a
/23, and are in the process of applying to upgrade to a /20. Do a whois,
I'm GFM1-ARIN.

>       Now I have seen proxy firewalls become a performance bottleneck
> and cause problems like you describe.  Are you sure that you're not mixing
> apples and oranges?

They are a bottleneck because they don't easily scale without deep voodoo.

Stateless networking devices scale easily, in both reliability and
performance.

Please, tell me how to statefully filter the Gigabit ethernet links in my
network without losing performance? Now consider that every big site on my
network has multiple separate high-speed paths, as this is required for
sufficient backhoe-proofness to serve as a sufficient medium for telephone.
Finally, add in the fact that there is a *HIGH* degree of network
interaction, such that the loss of transparency accepted for Internet
links would be intolerable on the MAN.

My opinions may be a bit colored because I deal with NAT as well as
firewalling. NAT is certainly the worse of the two evils.

I agree that security must be layered to be survivable. However, I don't
agree that any part of the network needs to be stateful. I think that the
statefulness should be kept 100% in the hosts, while the network can be
left to do some non-stateful cleanup.
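As an added illustration of the FIN/Christmas-scan point and the host-side statefulness argument made above (example code, not from either poster; the protected host, allowed port and packets are all constructed), a memoryless "block inbound SYN" rule beside a minimal connection tracker:

```python
# Added example, not from the thread: a stateless "block inbound SYN" rule beside a
# minimal connection tracker, run over constructed packets (hosts and ports constructed).
from collections import namedtuple
INSIDE = "10.0.0.10"    # constructed protected host
ALLOWED_PORTS = {80}    # constructed: only the web port is reachable from outside
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: frozenset of TCP flag names

def is_syn_only(pkt):
    return "SYN" in pkt.flags and "ACK" not in pkt.flags

def stateless_allow(pkt):
    """Memoryless rule: drop inbound bare SYNs to ports not on the allow list and pass
    everything else, assuming it belongs to a session an inside host started."""
    if pkt.dst == INSIDE and is_syn_only(pkt):
        return pkt.dport in ALLOWED_PORTS
    return True         # a bare FIN or FIN/PSH/URG probe slips through here

class StatefulFilter:
    """Passes a packet only if it opens a permitted flow or matches one already seen."""
    def __init__(self):
        self.flows = set()
    @staticmethod
    def flow_id(pkt):   # direction-independent identifier for the 4-tuple
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def allow(self, pkt):
        fid = self.flow_id(pkt)
        if fid in self.flows:
            if "RST" in pkt.flags:  # peer aborted the connection: forget the flow
                self.flows.discard(fid)
            return True
        if is_syn_only(pkt) and (pkt.src == INSIDE or pkt.dport in ALLOWED_PORTS):
            self.flows.add(fid)     # new flow: outbound, or inbound to an allowed port
            return True
        return False                # unsolicited probe: no flow to match

def run_scenario():
    """Return {label: (stateless_decision, stateful_decision)} for constructed traffic."""
    f = frozenset
    packets = [
        ("client syn out", Packet(INSIDE, 40000, "203.0.113.5", 443, f({"SYN"}))),
        ("server syn/ack back", Packet("203.0.113.5", 443, INSIDE, 40000, f({"SYN", "ACK"}))),
        ("fin probe to 22", Packet("198.51.100.7", 5555, INSIDE, 22, f({"FIN"}))),
        ("xmas probe to 23", Packet("198.51.100.7", 5556, INSIDE, 23, f({"FIN", "PSH", "URG"}))),
        ("syn to 80", Packet("198.51.100.7", 5557, INSIDE, 80, f({"SYN"}))),
        ("syn to 22", Packet("198.51.100.7", 5558, INSIDE, 22, f({"SYN"}))),
    ]
    tracker = StatefulFilter()
    return {label: (stateless_allow(p), tracker.allow(p)) for label, p in packets}
```

Both filters agree on the legitimate flow and the two SYNs; only the tracker refuses the FIN and FIN/PSH/URG probes, because no recorded flow exists for them to match.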

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]