Re: [fw-wiz] Protecting a datacentre with a firewall
From: Mikael Olsson (mikael.olsson_at_clavister.com)
To: mag <firstname.lastname@example.org>
Date: Mon, 05 May 2003 01:31:12 +0200
> On 2003-05-04, Mikael Olsson wrote:
> > mag wrote:
> > > Also, PIXen are not just too suboptimal to be called firewalls,
> > > but also for intranet firewalling you need a level of flexibility
> > > you cannot achieve with a blackbox-style product, and with the
> > > so-called market leader firewalls.
> > You're raising a big stink here. Especially when you continue
> > by touting a firewall that you contribute to yourself.
> I was telling the truth. We have found that there are no usable
> firewalls on the market, so we had to develop one.
You know... "Everything sucks, I'm gonna build something better!"
is an OK thing to say before you've actually started.
At this point, it just reeks of self interest.
> > Those "blackbox-style products" that you so rapidly dismiss as
> > useless will in many cases prove more valuable than any kind of
> > home-grown solution. When something is too costly to maintain -
> > in terms of money or time (often the latter) - to maintain, it
> > doesn't get done. It's that simple.
> If you do not know what you are doing, then do not do that, because
> you will do more harm than good. It's that simple.
Should I take that as "if you don't know the intimate details of
every protocol that business needs dictate that you pass through
your firewall, you shouldn't be a firewall admin"?
Sorry, that just does not compute. That would exclude something
like ... well.. ALL firewall admins except a select few. Not
everyone is a programmer, and I for one wouldn't want to see the
Internet that would result from such a crazy restriction.
(I'll readily admit that I may have misinterpreted your statements
here, though reading between the lines, it just seems to me that
this is what you are implying.)
> [more of "all firewalls suck except zorp"]
> For the better ones it means that they can control up to ten percent
> of the features of the protocol. Pathetic. I would consider shameful
> if we would deliver a proxy which cannot control all aspects of its
> protocol and its documentation would not start with a warning about
> that fact.
You know... I think I see where you're coming from here.
Looking at a network layout with a choke point and doing the risk
analysis dance easily leads to the conclusion "damn, but wouldn't it
be nice if we could control _everything_ here?".
Said and done - you take every protocol that you need to push through
and implement a server AND a client for it, and then put it in the
firewall. Now you can guarantee 100% protocol compliance.
What did this buy you?
- People can't SSH or send mail through port 80. That's nice. Sort of.
Unless they run it through httptunnel, of course.
- People can't exploit a web server by talking POP3 to it.
Oops, they couldn't do that to begin with.
- You can control what aspects of a protocol that people
can use, which might be nice for some protocols.
- You still don't know how the receiving application is going
to handle this 100% compliant protocol data. You seldom
exploit things by giving them a copy of /dev/urandom.
You usually need to keep (just) within the boundaries of the
- You have now exposed that which you were trying to protect - the
protocol handlers themselves; you end up with quite a hefty kloc
count *on the firewall itself*.
Granted, it's not the full application, but all the protocol
logic is (according to you) there.
By the original reasoning, you now need another firewall outside
the firewall ... no?
I would also be curious to know what kind of security model you're
advocating here? If one assumes that one has a finite amount of
time to spend, and elects to spend it on tinkering with the firewall,
it would suggest, to me, that one ends up with a classic "hard
shell, squishy interior" setup.
(I'm assuming "lots of tinkering with the firewall" simply based
on your claims that one _needs_ a firewall and OS that can be
tinkered with a lot -- to me, that implies that one actually
needs to _do_ a lot of tinkering... ?)
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00
Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50
WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
email@example.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
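The first two items in Mikael's "what did this buy you?" list, as an added example that is not part of the original thread or of any product mentioned in it: a strict HTTP/1.x request validator of the kind a protocol-enforcing proxy would apply to port 80. It rejects an SSH banner and SMTP commands sent to port 80 outright, but a perfectly well-formed POST whose body is opaque bytes (what an HTTP tunnelling tool produces) passes, because syntactic compliance says nothing about what the body means to the application behind the proxy. The function name, the header rules and all sample messages are constructed for this example.

```python
"""Strict HTTP/1.x request head validator (constructed example).

A protocol-enforcing proxy can check the request line, header syntax
and Content-Length framing.  It cannot judge whether a compliant body
is benign: that is the receiving application's problem, as the thread
points out."""
import re

METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
# RFC 7230 "token" characters, used for methods and header field names.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rf"^({TOKEN}) (\S+) HTTP/1\.[01]$")
HEADER = re.compile(rf"^({TOKEN}):[ \t]*(.*?)[ \t]*$")


def validate_http_request(raw: bytes):
    """Return (ok, reason). ok=True means the head is syntactically valid
    HTTP/1.x and the body length is framed correctly; the body itself is
    deliberately NOT inspected, mirroring what pure protocol enforcement does."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end-of-headers marker"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"
    m = REQUEST_LINE.match(lines[0])
    if not m or m.group(1) not in METHODS:
        return False, f"bad request line: {lines[0]!r}"
    headers = {}
    for line in lines[1:]:
        h = HEADER.match(line)
        if not h:
            return False, f"bad header line: {line!r}"
        headers[h.group(1).lower()] = h.group(2)
    if "host" not in headers:
        return False, "missing Host header"
    if m.group(1) in ("POST", "PUT"):
        length = headers.get("content-length")
        if length is None or not length.isdigit():
            return False, "POST/PUT without a numeric Content-Length"
        if int(length) != len(body):
            return False, "Content-Length does not match body length"
    return True, "well-formed HTTP; body not inspected"


# Constructed sample payloads as they might arrive on TCP port 80.
SSH_BANNER = b"SSH-2.0-OpenSSH_3.6\r\n"
SMTP_ON_80 = b"EHLO mail.example.test\r\nMAIL FROM:<a@example.test>\r\n\r\n"
PLAIN_GET = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
BAD_HEADER = b"GET / HTTP/1.1\r\nHost: www.example.test\r\nnot a header\r\n\r\n"
# A well-formed POST whose body is just opaque bytes, e.g. from httptunnel.
TUNNELED_POST = (
    b"POST /tunnel HTTP/1.1\r\nHost: www.example.test\r\n"
    b"Content-Length: 8\r\n\r\n" + b"SSH-2.0-"
)


def classify_all():
    """Run the validator over every sample; returns {name: ok}."""
    samples = {
        "ssh_banner": SSH_BANNER,
        "smtp_on_80": SMTP_ON_80,
        "plain_get": PLAIN_GET,
        "bad_header": BAD_HEADER,
        "tunneled_post": TUNNELED_POST,
    }
    return {name: validate_http_request(data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in [("ssh_banner", SSH_BANNER), ("smtp_on_80", SMTP_ON_80),
                       ("plain_get", PLAIN_GET), ("bad_header", BAD_HEADER),
                       ("tunneled_post", TUNNELED_POST)]:
        print(f"{name:14s} -> {validate_http_request(data)}")
```

Running it shows the asymmetry the thread describes: the SSH banner, the SMTP dialogue and the malformed header are all refused at the proxy, while the tunnelled POST is accepted with the note "body not inspected". Enforcement at this layer raises the bar for accidental or lazy protocol misuse; anything that keeps within the grammar still reaches the server.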