RE: [fw-wiz] Firewalls v. Router ACLs

From: Ben Nagy (ben_at_iagu.net)
Date: 12/12/03

    To: <WhiteHat@btclick.com>, <firewall-wizards@nfr.net>
    Date: Fri, 12 Dec 2003 18:12:46 +0100

    My rambling inline.

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
    > Of WhiteHat@btclick.com
    [...]
    > I currently work for a department in a large company. Our
    > department has always used firewalls (CheckPoint on Nokia) to
    > protect our part of the network from network worms and other
    > 'nasty stuff' on the rest of the network. [...]
    >
    > We are now being pressurised to remove the firewalls by the
    > rest of the company.
    [...]
    > In particular, I am concerned about:
    > - performance - will the routers be able to manage this as
    > they are designed to route traffic, not stop it?

    An appropriately sized router will not have any performance problems. If I
    were a betting man, I would probably back a router against a firewall to
    discard traffic based on simple, stateless criteria (e.g. drop all
    135,137,138,139 entering or leaving the network).

    > - logging - what would be the best way to consolidate the
    > router logs for analysis etc.?

    Tricky. Firewalls have a big advantage here, although it's all possible in
    the end. Personally, however, I question the true value of those router
    logs.

    There are lots of guys on the list that know an awful lot about secure and
    reliable log consolidation and analysis for both routers and firewalls, so
    I'm not going to expound here.

    > - incident management - if a router is being hammered by a
    > network worm (e.g.
    > MSBlaster/LovSan), how easy will it be to manage to make any
    > emergency changes necessary? Won't it be so busy dropping
    > packets it becomes impossible to make the change?

    Not unless it's badly configured or under-specified. I've never seen simple
    packet discarding or routes to null0 cause a 'decent' router any problems -
    keeping state excepted. YMMV if you're routing lots of gigabits of traffic.
    At worst, the console will probably stay alive. I've seen nice solutions
    using dedicated management VLANs and multi-port serial routers to manage
    core equipment via the console for security and reliability.

    > - future capability - I see the AI-type technologies evolving
    > in firewalls as providing a useful IPS-type functionality in
    > the future.

    I don't. IMO the protection will move host-based - it really has to. My
    cracked crystal ball says that firewalls get dumber, not smarter, in the
    future. They're already too damn smart for their own good, IMHO.

    There are some REALLY interesting ideas that are lurking around here...

    > This will allow more open rule sets but automated
    > protection if things go wrong. Has anyone successfully
    > implemented this yet? Can this be enough justification to
    > keep the firewalls?

    Well all the firewall companies can see the recent spate of worms, and I'm
    sure that they understand that the model isn't working. Hell, we've been
    whining about it for as long as I can remember. There is still a lot of
    stuff that firewalls are good for, and being a real point of control between
    networks with different security levels is one of those things.

    However, if you're talking about adding a level of defence in depth by
    killing certain kinds of known-bad traffic in a 'coarse filter' approach at
    the network layer then my personal opinion is that the router is a good
    place to do that. The switch is better still. The NIC....well that gets
    trickier. Maybe we could embed some sort of ASIC in the CAT-6 RJ-45
    connector.... :)

    Anyway, there's lots of depth here, and I look forward to seeing what people
    think.

    Cheers,

    ben

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
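The 'coarse filter' that the reply above describes (stateless drops of the Windows RPC/NetBIOS ports in both directions, routes to null0, and getting the logs off the box) can be expressed as a short Cisco IOS configuration. The fragment below is an added illustration and not part of Ben's message or of the list thread; the interface name, the syslog collector address and the blackholed prefix are hypothetical placeholders taken from the RFC 5737 documentation ranges.

```cisco
! Coarse, stateless worm filter at the router, as described in the reply above.
! Interface names and addresses are hypothetical (RFC 5737 documentation ranges).
!
! Packets ENTERING the department network from the rest of the company.
ip access-list extended DEPT-IN
 remark Drop Windows RPC / NetBIOS ports used for worm propagation (MSBlaster etc.)
 deny   tcp any any eq 135 log
 deny   udp any any eq 135 log
 deny   tcp any any range 137 139 log
 deny   udp any any range 137 139 log
 permit ip any any
!
! Packets LEAVING the department network (so an infected host inside
! cannot spread to the rest of the company either).
ip access-list extended DEPT-OUT
 remark Same ports, opposite direction
 deny   tcp any any eq 135 log
 deny   udp any any eq 135 log
 deny   tcp any any range 137 139 log
 deny   udp any any range 137 139 log
 permit ip any any
!
interface GigabitEthernet0/0
 description Uplink to the corporate backbone (hypothetical interface)
 ip access-group DEPT-IN in
 ip access-group DEPT-OUT out
!
! Ship ACL hit messages to a central syslog host so the router logs
! can be consolidated with everything else (hypothetical collector).
logging host 192.0.2.10
logging trap informational
!
! Blackhole a known-bad destination block. A route to Null0 is handled
! in the forwarding path and costs the router essentially nothing, which
! is why it stays responsive under a worm storm.
ip route 198.51.100.0 255.255.255.0 Null0
```

Two caveats a practitioner would add: the filter keeps no state, so it has none of the state-table pressure the reply warns about, but it also cannot distinguish a reply from a fresh connection, which is fine for these ports because neither direction is wanted. And the `log` keyword on many IOS platforms punts matched packets to the CPU; under a real worm outbreak it is worth rate-limiting log generation (for example with `logging rate-limit`) or removing `log` from the busiest lines, otherwise the logging itself becomes the performance problem.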
