RE: [fw-wiz] Firewalls v. Router ACLs

From: Ben Nagy (ben_at_iagu.net)
Date: 12/12/03

  • Next message: Charles Swiger: "Re: [fw-wiz] Open Source Personal Firewall?" 
    To: <WhiteHat@btclick.com>, <firewall-wizards@nfr.net>
Date: Fri, 12 Dec 2003 18:12:46 +0100

    My rambling inline.

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
    > Of WhiteHat@btclick.com
    [...]
    > I currently work for a department in a large company. Our
    > department has always used firewalls (CheckPoint on Nokia) to
    > protect our part of the network from network worms and other
    > 'nasty stuff' on the rest of the network. [...]
    >
    > We are now being pressurised to remove the firewalls by the
    > rest of the company.
    [...]
    > In particular, I am concerned about:
    > - performance - will the routers be able to manage this as
    > they are designed to route traffic, not stop it?

    An appropriately sized router will not have any performance problems. If I
    were a betting man, I would probably back a router against a firewall to
    discard traffic based on simple, stateless criteria (eg drop all
    135,137,138,139 entering or leaving the network).

    > - logging - what would be the best way to consolidate the
    > router logs for analysis etc.?

    Tricky. Firewalls have a big advantage here, although it's all possible in
    the end. Personally, however, I question the true value of those router
    logs.

    There are lots of guys on the list that know an awful lot about secure and
    reliable log consolidation and analysis for both routers and firewalls, so
    I'm not going to expound here.

    > - incident management - if a router is being hammered by a
    > network worm (e.g.
    > MSBlaster/LovSan), how easy will it be to manage to make any
    > emergency changes necessary? Won't it be so busy dropping
    > packets it becomes impossible to make the change?

    Not unless it's badly configured or under-specified. I've never seen simple
    packet discarding or routes to null0 cause a 'decent' router any problems -
    keeping state excepted. YMMV if you're routing lots of gigabits of traffic.
    At worst, the console will probably stay alive. I've seen nice solutions
    using dedicated management VLANs and multi-port serial routers to manage
    core equipment via the console for security and reliability.

    > - future capability - I see the AI-type technologies evolving
    > in firewalls as providing a useful IPS-type functionality in
    > the future.

    I don't. IMO the protection will move host-based - it really has to. My
    cracked crystal ball says that firewalls get dumber, not smarter, in the
    future. They're already too damn smart for their own good, IMHO.

    There are some REALLY interesting ideas that are lurking around here...

    > This will allow more open rule sets but automated
    > protection if things go wrong. Has anyone successfully
    > implemented this yet? Can this be enough justification to
    > keep the firewalls?

    Well all the firewall companies can see the recent spate of worms, and I'm
    sure that they understand that the model isn't working. Hell, we've been
    whining about it for as long as I can remember. There is still a lot of
    stuff that firewalls are good for, and being a real point of control between
    networks with different security levels is one of those things.

    However, if you're talking about adding a level of defence in depth by
    killing certain kinds of known-bad traffic in a 'coarse filter' approach at
    the network layer then my personal opinion is that the router is a good
    place to do that. The switch is better still. The NIC....well that gets
    trickier. Maybe we could embed some sort of ASIC in the CAT-6 RJ-45
    connector.... :)

    Anyway, there's lots of depth here, and I look forward to seeing what people
    think.

    Cheers,

    ben

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  • Next message: Charles Swiger: "Re: [fw-wiz] Open Source Personal Firewall?"

    Relevant Pages

    • [fw-wiz] Firewalls v. Router ACLs
      ... used firewalls to protect our part of the network from network ... 100% successful and we have not been impacted by the numerous network-borne ... We are now being pressurised to remove the firewalls by the rest of the company. ... A secondary argument is cost - the router is seen as a one-off purchase ...
      (Firewall-Wizards)
    • RE: HSRP with load balancing on a Cisco IOS based firewall
      ... Can I implement MHSRP across IOS based firewalls on Ciso routers? ... Split the network behind the Firewall into subnets say Network A and network ... Network A has router X as its primery and router Y as its secondary. ... My prelimnary research on HSRP gives me the understanding that in an HSRP ...
      (Security-Basics)
    • RE: Cant enter 2 XP machines into a Workgroup
      ... Firewalls like NIS modify Windows own security files. ... If a comsumer level router like those of Linksys and Netgear ...
      (microsoft.public.windowsxp.network_web)
    • RE: Cant enter 2 XP machines into a Workgroup
      ... I had my XP Home machine hard ... Firewalls like NIS modify Windows own security files. ... If a comsumer level router like those of Linksys and Netgear ...
      (microsoft.public.windowsxp.network_web)
    • Re: Ask EU Technical Section: Networking questions
      ... I have just added a new lapdog to my household and so needed to set up a wireless network, so that it could share the broadband connection with the main PC. ... The router is a Belkin N Wireless Modem Router. ... You need to set the software firewalls on each PC to allow the local network to connect to them. ... If you can't Share the folder, you will need to enable File Sharing for the machine as a whole. ...
      (uk.media.radio.archers)
    • Quantcast