RE: [fw-wiz] Firewalls v. Router ACLs

From: R. DuFresne
Date: 12/14/03

    To: Ben Nagy <>
    Date: Sat, 13 Dec 2003 22:00:20 -0500 (EST)

    This is a very insightful and informative thread, tons of information for
    people to take into consideration in network design and layout. Which keeps
    pushing me to one of the fundamental tenets of network security,
    layering, the ole 'onion skin' approach. And many of the old discussions
    here and the old firewalls list often emphasized an approach that avoided
    <what is now the *in vogue* term> monocultural 'single point of failure
    pathway' into the heart of the protected environment. ACLs in the
    routers in conjunction with a more traditional firewall layer below would
    be the proper approach. Perhaps the choice of Nokias can be considered
    for a replacement, but one has to consider all the aspects of single
    vendor issues if perhaps popping pixen in there instead <a beancounter's
    dream?>. The logging alert features alone turn this layer into an IDS as
    well as another layer of control and packet level refinement. Of course,
    as I hinted in the beginning, I'm a fundamentalist in this perspective...

    What I'm saying is, if a change is required here based upon costs, rather
    than eliminate a layer of defense, consider a vendor change at that layer
    that better fits the economic resources available. If the internal
    knowledge base is open source clueful then you can always go that route
    to solve this problem, or shift some costs for the short term into
    training to gain this, better yet, support a growing economy and hire in
    the expertise and better balance the understaffing most IT departments


    Ron DuFresne

    On Fri, 12 Dec 2003, Ben Nagy wrote:

    > My rambling inline.
    > > -----Original Message-----
    > [...]
    > > I currently work for a department in a large company. Our
    > > department has always used firewalls (CheckPoint on Nokia) to
    > > protect our part of the network from network worms and other
    > > 'nasty stuff' on the rest of the network. [...]
    > >
    > > We are now being pressurised to remove the firewalls by the
    > > rest of the company.
    > [...]
    > > In particular, I am concerned about:
    > > - performance - will the routers be able to manage this as
    > > they are designed to route traffic, not stop it?
    > An appropriately sized router will not have any performance problems. If I
    > were a betting man, I would probably back a router against a firewall to
    > discard traffic based on simple, stateless criteria (eg drop all
    > 135,137,138,139 entering or leaving the network).
    > > - logging - what would be the best way to consolidate the
    > > router logs for analysis etc.?
    > Tricky. Firewalls have a big advantage here, although it's all possible in
    > the end. Personally, however, I question the true value of those router
    > logs.
    > There are lots of guys on the list that know an awful lot about secure and
    > reliable log consolidation and analysis for both routers and firewalls, so
    > I'm not going to expound here.
    > > - incident management - if a router is being hammered by a
    > > network worm (e.g.
    > > MSBlaster/LovSan), how easy will it be to manage to make any
    > > emergency changes necessary? Won't it be so busy dropping
    > > packets it becomes impossible to make the change?
    > Not unless it's badly configured or under-specified. I've never seen simple
    > packet discarding or routes to null0 cause a 'decent' router any problems -
    > keeping state excepted. YMMV if you're routing lots of gigabits of traffic.
    > At worst, the console will probably stay alive. I've seen nice solutions
    > using dedicated management VLANs and multi-port serial routers to manage
    > core equipment via the console for security and reliability.
    > > - future capability - I see the AI-type technologies evolving
    > > in firewalls as providing a useful IPS-type functionality in
    > > the future.
    > I don't. IMO the protection will move host-based - it really has to. My
    > cracked crystal ball says that firewalls get dumber, not smarter, in the
    > future. They're already too damn smart for their own good, IMHO.
    > There are some REALLY interesting ideas that are lurking around here...
    > > This will allow more open rule sets but automated
    > > protection if things go wrong. Has anyone successfully
    > > implemented this yet? Can this be enough justification to
    > > keep the firewalls?
    > Well all the firewall companies can see the recent spate of worms, and I'm
    > sure that they understand that the model isn't working. Hell, we've been
    > whining about it for as long as I can remember. There is still a lot of
    > stuff that firewalls are good for, and being a real point of control between
    > networks with different security levels is one of those things.
    > However, if you're talking about adding a level of defence in depth by
    > killing certain kinds of known-bad traffic in a 'coarse filter' approach at
    > the network layer then my personal opinion is that the router is a good
    > place to do that. The switch is better still. The NIC....well that gets
    > trickier. Maybe we could embed some sort of ASIC in the CAT-6 RJ-45
    > connector.... :)
    > Anyway, there's lots of depth here, and I look forward to seeing what people
    > think.
    > Cheers,
    > ben

            admin & senior security consultant:
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    testing, only testing, and damn good at it too!
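On Ben's point about consolidating router logs: this is an added example, not code from the thread or either poster. It parses the %SEC-6-IPACCESSLOGP deny lines a Cisco IOS router emits for ACL entries carrying the log keyword and applies a fan-out check that separates a worm-style scanner (one source hitting many hosts on one port, e.g. tcp/135) from a single chatty host. The syslog lines, hostnames and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Cisco IOS ACL-deny syslog lines (format of the real
# %SEC-6-IPACCESSLOGP message; hosts, counts and the last line are made up).
SAMPLE_LOG = """\
Dec 13 21:58:01 rtr-edge 1234: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.20.3.44(1043) -> 10.1.0.7(135), 1 packet
Dec 13 21:58:02 rtr-edge 1235: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.20.3.44(1044) -> 10.1.0.8(135), 1 packet
Dec 13 21:58:02 rtr-edge 1236: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.20.3.44(1045) -> 10.1.0.9(135), 1 packet
Dec 13 21:58:03 rtr-edge 1237: %SEC-6-IPACCESSLOGP: list 110 denied udp 10.20.7.2(137) -> 10.1.0.255(137), 3 packets
Dec 13 21:58:09 rtr-core 0451: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.20.3.44(1046) -> 10.1.0.10(135), 12 packets
Dec 13 21:58:10 rtr-core 0452: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# One regex for the deny message; "packet"/"packets" covers the summary lines
# IOS emits after the first hit within a logging interval.
ACL_DENY = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_denies(text):
    """Return one dict per ACL-deny line; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ACL_DENY.search(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            d["count"] = int(d["count"])
            events.append(d)
    return events

def scanning_sources(events, min_targets=3):
    """Sources that hit at least min_targets distinct hosts on one proto/port.
    Returns {(src, proto, dport): (distinct_targets, packets_denied)}."""
    targets = defaultdict(set)
    packets = defaultdict(int)
    for e in events:
        key = (e["src"], e["proto"], e["dport"])
        targets[key].add(e["dst"])
        packets[key] += e["count"]
    return {key: (len(t), packets[key])
            for key, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    for (src, proto, port), (n, pkts) in scanning_sources(parse_denies(SAMPLE_LOG)).items():
        print(f"{src} hit {n} hosts on {proto}/{port}, {pkts} packets denied")
```

Logging every denied packet is process-switched and rate-limited on the router, so in production the deny counts are a lower bound; the fan-out (distinct targets) is the more reliable signal.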
