RE: [fw-wiz] Firewalls Compared

From: Bill Royds (
Date: 07/01/04

  • Next message: Ben Nagy: "RE: [fw-wiz] Firewalls Compared"
    To: "'Devdas Bhagat'" <>, <>
    Date: Wed, 30 Jun 2004 23:12:08 -0400

    A number of years ago (1996) I was asked to set up the firewall for the
    government department where I worked.
    Having just read Brent Chapman's book, I determined that we needed a clearer
    security policy than "Don't let the bad guys into our network. Don't interfere
    with any clients access to the Internet", which was management's "policy".
    So I started looking at our network usage through the Internet routers (which
    then were allowing all traffic with just a few ACL's to block some known "bad"
    (IRC) protocols).
    Usage showed that 98% of traffic could be handled by a half dozen protocols
    (HTTP, FTP, Gopher, DNS, SMTP and Telnet), so we figured we could lock down the
    gateway with a default deny without blocking very much of the usage anyway. I
    wrote a policy that stated that only protocols with published specs (RFC's or
    draft RFC, since HTTP didn't have an RFC at that time). We worked with all the
    groups that wanted to run web servers to set up a DMZ and worked on getting
    access to that DMZ for web contents management.
    We decided to buy an Application Gateway Firewall (Raptor Eagle) and implemented
    the firewall.
    Most people hardly noticed the difference between before and after in usage,
    except for http sites using odd port numbers (often libraries it seemed). We
    handled that by setting the browsers of these users with an explicit http proxy
    to the firewall, which then did port translation.
    The other hitch was that one group did explicit SMB file sharing to their
    Solaris servers running Samba so we had to set up a SMB connection (defined by
    RFC 1000 and 1001). Luckily Raptor had a CIFS/SMB proxy so it was not just a
    hole through the firewall; it actually checked the SMB commands going through.
    Within 6 months Hustler magazine sponsored a contest to deface our web site
    (they were mad at one of the department's policies), but luckily it never
    happened despite the firewall logs showing lots of attempts.
      Now there is more than one firewall, with separate systems for internal to
    Internet and Internet to web servers, VPN's etc. We have found that, although
    there is a bit of latency with an ALG compared to stateful inspection,
    throughput is pretty much the same and the ability to protect against worms
    (Code Red was blocked at firewall by default rules, as was MSBlaster etc.) made
    us glad that we stayed with the ALG. We handle any real needs for non standard
    protocol servers (streaming media, Notes servers etc.) by having a hardened
    bastion server outside the firewall with batch updates using SSH. Why would
    anyone allow their internal users to be protected by anything less is a wonder
    to me.
    The internal network was hit by MSblaster last summer by someone in a remote
    subnet taking his machine home for the night, then connecting again after being
    infected, but the firewall logs quickly isolated the exact IP and it did not
    spread too far.

      With a good application gateway firewall and close monitoring of its logs,
    there seems little sense for an IPS connected to the Internet. There is a reason
    for monitoring internal subnets (subnets with SAP and executive info etc.) but
    those have a much better defined usage profile and anomaly detection with
    signatures is much more likely to succeed.
       I think much of the hype for a need for IPS is because many corporate
    networks only have a Stateful Inspection firewall facing the Internet, so need a
    second line of defence to catch all that these firewalls let through.

    -----Original Message-----
    [] On Behalf Of Devdas Bhagat
    Sent: Tuesday, June 29, 2004 2:04 PM
    Subject: Re: [fw-wiz] Firewalls Compared

    On 28/06/04 23:52 -0400, Stiennon,Richard wrote:
    > Am I the only one that sees a huge difference between an application
    > proxy (ala the good old days of server based firewalls) and filters that
    > are applied to payloads (ala Network Intrusion Prevention) by inline
    > network devices?
    I see a difference too. The first is a good thing. The second has
    considerably less value.

    (generalisations follow, they might not be applicable everywhere)
    As I understand it, proxies watch for known good traffic. They will
    filter out stuff which is not known to be good.

    IPS watches for known bad traffic. It only responds to that which is
    known to be bad. This is a lousy setup for a firewall.

    Firewalls MUST be in a default DENY mode.
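The two points made in this thread, measuring actual usage before locking the gateway down to a short allow list (Bill's 98% figure), and the difference between a proxy that permits only known-good traffic and an IPS that only stops known-bad traffic (Devdas's reply), can be illustrated with a small script. The following is an added example written for this page, not code from either poster or from any firewall product; the connection records, the port-to-service table and the 98% target are constructed assumptions.

```python
from collections import defaultdict

# Assumed port-to-service mapping for the example (not a standard table);
# anything not listed is reported as "unknown/<port>".
SERVICE_BY_PORT = {80: "http", 21: "ftp", 70: "gopher", 53: "dns", 25: "smtp",
                   23: "telnet", 6667: "irc", 8080: "http-alt", 139: "smb"}

# Constructed outbound connection records, (destination port, bytes transferred).
# Shaped so that six services carry almost all the traffic, as in the post.
SAMPLE_FLOWS = (
    [(80, 50_000)] * 5 + [(21, 40_000)] * 2 + [(25, 10_000)] * 3 +
    [(53, 500)] * 10 + [(23, 3_000)] * 2 + [(70, 4_000)] +
    [(6667, 2_000)] + [(8080, 1_500)] + [(139, 1_000)]
)


def service_name(port):
    return SERVICE_BY_PORT.get(port, f"unknown/{port}")


def usage_profile(flows):
    """Aggregate bytes per service; returns [(service, bytes, share)] sorted by volume."""
    totals = defaultdict(int)
    for port, nbytes in flows:
        totals[service_name(port)] += nbytes
    grand = sum(totals.values())
    ordered = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(svc, b, b / grand) for svc, b in ordered]


def allowlist_for_coverage(flows, target=0.98):
    """Smallest set of top services whose combined bytes reach `target` of the total.

    Everything else is what a default-deny gateway would block; the caller can
    judge whether that remainder is acceptable before changing the policy.
    """
    profile = usage_profile(flows)
    needed = target * sum(b for _, b, _ in profile)
    allowed, covered = set(), 0
    for svc, nbytes, _ in profile:
        if covered >= needed:
            break
        allowed.add(svc)
        covered += nbytes
    return allowed


def allowlist_verdict(service, allowed):
    """Proxy / default-deny model: only known-good services pass."""
    return "allow" if service in allowed else "deny"


def blocklist_verdict(service, known_bad):
    """IPS / default-allow model: only known-bad services are stopped."""
    return "deny" if service in known_bad else "allow"


def compare_policies(services, allowed, known_bad):
    """Map each service to (default-deny verdict, default-allow verdict)."""
    return {s: (allowlist_verdict(s, allowed), blocklist_verdict(s, known_bad))
            for s in services}


if __name__ == "__main__":
    for svc, nbytes, share in usage_profile(SAMPLE_FLOWS):
        print(f"{svc:14s} {nbytes:>8d} bytes  {share:6.1%}")
    allowed = allowlist_for_coverage(SAMPLE_FLOWS)
    print("allow list for 98% coverage:", sorted(allowed))
    # A service nobody has a signature for yet: the allow list still denies it.
    for svc, verdicts in compare_policies(
            ["http", "irc", "unknown/4444"], allowed, {"irc"}).items():
        print(f"{svc:14s} default-deny={verdicts[0]:5s} default-allow={verdicts[1]}")
```

The last loop is the crux of the proxy-versus-IPS argument: a service that is neither on the allow list nor in the known-bad set is denied by the default-deny model and waved through by the default-allow model, which is exactly the gap a worm on a new port exploits.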


