Re: [fw-wiz] Evolution of Firewalls
From: Chris Blask (blask_at_protegonetworks.com)
Date: 03/09/04
- Previous message: Scott C. Kennedy: "Re: [fw-wiz] Problems logging deny's on Cisco Routers?"
- In reply to: Frederick M Avolio: "Re: [fw-wiz] Evolution of Firewalls"
- Next in thread: Chunduru Rama Krishna Prasad: "Re: [fw-wiz] Evolution of Firewalls"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Frederick M Avolio <fred@avolio.com>, <skpoo@pacific.net.sg>, <firewall-wizards@honor.icsalabs.com>
Date: Mon, 08 Mar 2004 18:48:22 -0800
At 08:48 PM 3/7/2004 -0500, Frederick M Avolio wrote:
>At 11:56 PM 3/4/2004 +0800, skpoo@pacific.net.sg wrote:
>>... Our team is currently debating if Stateful Deep Inspection firewall
>>is going to be the new technology to replace the Application Proxies
>>firewall which is deemed to be most secure currently. ...
>
>At the risk of being obvious -- or worse, being called a dinosaur :-), it
>depends. Do you care more about usability or security? When push comes to
>shove is it more important to never stop a connection at the risk of the
>possibility of something bad slipping through? It really is as simple as
>that. I tell people in one of my classes, you hear about it if you
>misconfigure your firewall to reject a required action, but will rarely
>hear about it if you allow too much through. (I stated it as "You always
>hear about conservative errors but rarely about liberal ones," but that
>could be taken wrong now-a-days.)
You just can't go there without bringing up the whole soup-to-nuts
usability debate, really (or maybe that's just me... ;-).
Sure, it is in fact the balance between usability and security. Some
situations are so sensitive that Draconian security measures are the only
reasonable course. But Draconian by definition is what people will put up
with only under the clearest and most pressing threat and won't put up with
in normal daily life. Firewalls that stop too many connections incorrectly
are Bad Firewalls ("lay down! Bad Firewall!") outside the Draconian
dictionary. Form must follow Function, and any potential Form whose pointy
bits don't fit inside the silhouette of needs thrown by the Function of the
user community will rightly have those bits lopped off.
In a perfect world there are today firewalls that sit on wires like the
ultimate polyglots and fluently speak all the languages of the net - from
the chittering of the lowliest schoolkid's applet to the oceanic baritone
moans of the Great Legacy Apps lurking in the murky canyons of New York and
Hong Kong - and reassemble the variant conversations in all their mosaic
splendor, in realtime, while keeping perfect notes. In this world there
are also fully integrated policy implementation and management tools, and
most surprising of all there are humans who thoughtfully create, maintain
and use those policies.
Here on Earth we struggle to attain those heights. A firewall should be
developed to be as aware of the world around it as possible given the
technical restraints of the hardware and software (read, "developer-hours")
it's built out of and that are available to install and use it, but at the
end of the day there are almost always more things being said than there is
hardware and software to decode it all in full context as it passes a
single point on a network.
You can look at network security as a purely defensive military
problem. In this model, Firewalls are essentially your Border
Stations. To really follow the analogy, road crossings inside your borders
(routers, switches) are also similar points (latent firewalls?), where you
choose to enforce a level of security or not, based on the process of your
community.
Were you to be in charge of designing a Border Station, you should take
your job so (*&^ing seriously that the mere idea of anything being able to
penetrate that process and cause damage to the members of your community is
offensive to you on a personal level. Border Station designers will have a
natural tendency towards suggesting that an ideal Border Station should
cover 500 acres and consume all material and manpower in a thousand-mile
radius to build and support. For people who build firewalls, that is a
healthy attitude to take to work every day.
Networks, however, are communities. In a community, if the method of
defense does not fit the behavior patterns of the community, the community
will either not have effective defense or the community will change (not
often for the good, imo) to fit the defense structure. The choice the
entire network-using community makes every day is that we will not dedicate
the resources necessary to have absolutely perfect Border Stations (if, in
fact, the task was truly achievable at any cost). Border security simply
has to excel at its task given the circumstances and work with the rest of
the security process and infrastructure to keep the community safe and
whole. Kinda maps onto the choices we make in physical defense as well,
oddly enough (anyone want to pay the taxes to support opening every
container that enters your national boundaries?).
Survey says, so far, that while you can and should apply all of the
Application Awareness possible at the Edge, your resources will run out
before you finish. I recall hacking a doc with the R.H. Mr. Avolio at TIS
Before the Fall, explaining why Proxies were so much better than Stateful
Packet Filters, and even as we typed TIS was adding "Adaptive Proxies" (was
that the name?) to Gauntlet - Stateful gates for apps TIS couldn't write
proxies fast enough to support. I don't see how it's gotten any easier
since to track all possible apps, versions and implementations and write
custom proxies for each one, whether those proxies Deeply reassemble
messages or not.
To achieve relative Security Nirvana (from the perspective of where we
stand now), we need each defense component to excel at its task in the
context of its real operating environment; aggregate solutions to end-point
weakness need to reduce the size of the endpoint problem; and the old rant
of policy and coordination needs to be made executable.
So, Kang...
For my opinion, Deep Inspection sounds neat, but at least read the label
and Use As Recommended. I'm sure there are bright folks developing code
for those products and they are trying to address a real concern, so maybe
there is benefit for your situation. While firewalls are and will continue
to evolve, I doubt we'll ever have fully application aware firewalls for
everything - and firewalls are only so much of the solution, anyway - so
I'd suggest you spend at least as much time and effort securing your hosts
and coordinating your network devices to support your policy regardless of
what you do at the edge.
Enough mixed metaphors for one night.
-woof
-chris
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards