Re: [fw-wiz] Protecting a datacentre with a firewall

From: Mikael Olsson
Date: 05/05/03

    To: mag
    Date: Mon, 05 May 2003 01:31:12 +0200

    mag wrote:
    > On 2003-05-04 (Sunday), Mikael Olsson wrote:
    > > mag wrote:
    > > > Also, PIXen are not just too suboptimal to be called firewalls,
    > > > but also for intranet firewalling you need a level of flexibility
    > > > you cannot achieve with a blackbox-style product, and with the
    > > > so-called market leader firewalls.
    > >
    > > You're raising a big stink here. Especially when you continue
    > > by touting a firewall that you contribute to yourself.
    > I was telling the truth. We have found that there are no usable
    > firewalls on the market, so we had to develop one.

    You know... "Everything sucks, I'm gonna build something better!"
    is an OK thing to say before you've actually started.
    At this point, it just reeks of self interest.

    > > Those "blackbox-style products" that you so rapidly dismiss as
    > > useless will in many cases prove more valuable than any kind of
    > > home-grown solution. When something is too costly to maintain -
    > > in terms of money or time (often the latter) - it
    > > doesn't get done. It's that simple.
    > If you do not know what you are doing, then do not do that, because
    > you will do more harm than good. It's that simple.

    Should I take that as "if you don't know the intimate details of
    every protocol that business needs dictate that you pass through
    your firewall, you shouldn't be a firewall admin"?

    Sorry, that just does not compute. That would exclude something
    like ... well.. ALL firewall admins except a select few. Not
    everyone is a programmer, and I for one wouldn't want to see the
    Internet that would result from such a crazy restriction.

    (I'll readily admit that I may have misinterpreted your statements
     here, though reading between the lines, it just seems to me that
     this is what you are implying.)

    > [more of "all firewalls suck except zorp"]
    > For the better ones it means that they can control up to ten percent
    > of the features of the protocol. Pathetic. I would consider shameful
    > if we would deliver a proxy which cannot control all aspects of its
    > protocol and its documentation would not start with a warning about
    > that fact.

    You know... I think I see where you're coming from here.
    Looking at a network layout with a choke point and doing the risk
    analysis dance easily leads to the conclusion "damn, but wouldn't it
    be nice if we could control _everything_ here?".

    Said and done - you take every protocol that you need to push through
    and implement a server AND a client for it, and then put it in the
    firewall. Now you can guarantee 100% protocol compliance.

    What did this buy you?

    - People can't SSH or send mail through port 80. That's nice. Sort of.
      Unless they run it through httptunnel, of course.

    - People can't exploit a web server by talking POP3 to it.
      Oops, they couldn't do that to begin with.

    - You can control what aspects of a protocol that people
      can use, which might be nice for some protocols.

    - You still don't know how the receiving application is going
      to handle this 100% compliant protocol data. You seldom
      exploit things by giving them a copy of /dev/urandom.
      You usually need to keep (just) within the boundaries of the

    - You have now exposed that which you were trying to protect - the
      protocol handlers themselves; you end up with quite a hefty kloc
      count *on the firewall itself*.
      Granted, it's not the full application, but all the protocol
      logic is (according to you) there.

      By the original reasoning, you now need another firewall outside
      the firewall ... no?

    I would also be curious to know what kind of security model you're
    advocating here? If one assumes that one has a finite amount of
    time to spend, and elects to spend it on tinkering with the firewall,
    it would suggest, to me, that one ends up with a classic "hard
    shell, squishy interior" setup.

    (I'm assuming "lots of tinkering with the firewall" simply based
     on your claims that one _needs_ a firewall and OS that can be
     tinkered with a lot -- to me, that implies that one actually
     needs to _do_ a lot of tinkering... ?)

    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50
    firewall-wizards mailing list
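As an added illustration of the httptunnel point in the message above (example code, not from the original thread or from any product named in it): a toy strict HTTP/1.x validator stands in for the "100% protocol compliance" proxy. It rejects a malformed request but passes a perfectly compliant POST whose body is an SSH banner, which is all a tunnelling client needs. The request grammar is simplified and every sample message is constructed for this example.

```python
import re

# Toy "full protocol" check for an HTTP/1.x request (assumed, simplified grammar).
REQUEST_LINE = re.compile(r"^(GET|HEAD|POST) (/[^ ]*) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^([A-Za-z0-9-]+):[ \t]*(.*?)[ \t]*$")


def validate_http_request(raw: bytes) -> tuple:
    """Return (ok, reason, body). Strict structural check only; the body is opaque."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of headers", b""
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII in headers", b""
    if not REQUEST_LINE.match(lines[0]):
        return False, "bad request line", b""
    headers = {}
    for line in lines[1:]:
        m = HEADER_LINE.match(line)
        if not m:
            return False, "bad header line", b""
        headers[m.group(1).lower()] = m.group(2)
    if "host" not in headers:
        return False, "missing Host header", b""
    length = headers.get("content-length", "0")
    if not length.isdigit() or int(length) != len(body):
        return False, "Content-Length does not match body", b""
    return True, "compliant", body


# Constructed samples: one broken request, and one fully valid POST whose
# body is an SSH banner (the kind of payload an httptunnel-style client carries).
MALFORMED = b"GET /index.html HTTP/9.9\r\nHost: example.test\r\n\r\n"
TUNNEL_BODY = b"SSH-2.0-OpenSSH_x.y\r\n"
TUNNELED = (b"POST /sync HTTP/1.1\r\nHost: example.test\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(TUNNEL_BODY) + TUNNEL_BODY)

if __name__ == "__main__":
    for name, req in (("malformed", MALFORMED), ("tunneled", TUNNELED)):
        ok, reason, body = validate_http_request(req)
        print(f"{name}: ok={ok} reason={reason!r} body={body[:8]!r}")
```

The validator's verdict says nothing about what the body is, which is why controls on tunnelling have to live in who may talk to what and in the receiving application, not in protocol compliance alone.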
