On Jan 10, 2010, at 5:51 AM, harbor235 wrote:

> Other security features in an Enterprise Class firewall;
> -Inside source based NAT, reinforces secure traffic flow by allowing
> outside to inside flows based on configured translations and allowed
> security policies

Terrible from an availability perspective, troubleshooting perspective, too. Just dumb, dumb, dumb - NATted servers fall over at the drop of a hat due to the NAT device choking.

> -TCP sequence number randomization (to prevent TCP seq number guessing)

Server IP stack does this itself just fine.

> -Intrusion Detection and Prevention (subset of most common signatures)
> recognize scanning attempts and mitigate
> recognize common attacks and mitigate

Snake-oil.

> -Deep packet inspection (application aware inspection for common network
> services)

Terrible from an availability perspective, snake-oil.

> - Policy based tools for custom traffic classification and filtering

Can be done statelessly, no firewall required.

> -Layer 3 segmentation (creates inspection and enforcement points)

Doesn't require a firewall.

> -Full/Partial Proxy services with authentication

If needed, can be better handled by transparent reverse-proxy farms; auth handled on the servers themselves.

> - Alarm/Logging capabilities providing info on potential attacks
> -etc ......

NetFlow from the network infrastructure, the OS/apps/services on the server itself do this, etc.

> Stateful inspection further enhances the security capabilities of a firewall.

No, it doesn't, not in front of servers where there's no state to inspect, in the first place, given that every incoming packet is unsolicited.

> You may choose not to use a firewall or implement a sound security posture
> utilizing the "Defense in Depth" philosophy, however your chances of being
> compromised are dramatically increased.

Choosing not to make the mistake of putting a useless, counterproductive firewall in front of a server doesn't mean one isn't employing a sound, multi-faceted opsec strategy.

I know that all the firewall propaganda denoted above is repeated endlessly, ad nauseam, in the Confused Information Systems Security Professional self-study comic books, but I've found that a bit of real-world operational experience serves as a wonderful antidote, heh. ;>

-----------------------------------------------------------------------
Roland Dobbins <[email protected]> // <http://www.arbornetworks.com>

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken
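As an added illustration of the "can be done statelessly" argument in the reply above (example code written for this page, not from the thread or either poster): a minimal evaluator for a router-style stateless ACL protecting a server, using the classic "established" trick (match only packets with ACK or RST set) to admit replies to server-initiated connections without any connection table. The addresses, rule set and packets are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag
    rst: bool = False   # TCP RST flag

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "any"
    dst: str                       # protected host or "any"
    dport: Optional[int] = None    # None = any destination port
    sport: Optional[int] = None    # None = any source port
    established: bool = False      # ACL 'established': ACK or RST must be set

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.established and not (p.ack or p.rst):
            return False
        return True

def evaluate(rules: List[Rule], p: Packet) -> str:
    # First match wins, implicit deny at the end; no flow state is consulted.
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed: web server 192.0.2.10 (documentation range) that also sends DNS queries.
WEB = "192.0.2.10"
SERVER_ACL = [
    Rule("permit", "tcp", WEB, dport=80),
    Rule("permit", "tcp", WEB, dport=443),
    Rule("permit", "tcp", WEB, established=True),   # replies to server-initiated TCP
    Rule("permit", "udp", WEB, sport=53),            # DNS answers to the server's queries
    Rule("deny", "any", "any"),
]
```

Because `established` only tests flag bits, a forged ACK-only packet to any port on the server passes the ACL; the host stack drops it as not belonging to a connection, which is the trade-off the reply above is making in favour of availability.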

