RE: [fw-wiz] Firewalls Compared
From: Bill Royds (broyds_at_rogers.com)
To: "'Devdas Bhagat'" <firstname.lastname@example.org>, <email@example.com>
Date: Wed, 30 Jun 2004 23:12:08 -0400
A number of years ago (1996) I was asked to set up the firewall for the
government department where I worked.
Having just read Brent Chapman's book, I determined that we needed a clearer
security policy than "Don't let the bad guys into our network. Don't interfere
with any clients access to the Internet", which was management's "policy".
So I started looking at our network usage through the Internet routers (which
then were allowing all traffic with just a few ACL's to block some known "bad"
Usage showed that 98% of traffic could be handled by a half dozen protocols
(HTTP, FTP, Gopher, DNS, SMTP and Telnet), so we figured we could lock down the
gateway with a default deny without blocking very much of the usage anyway. I
wrote a policy that stated that only protocols with published specs (RFC's or
draft RFC, since HTTP didn't have an RFC at that time). We worked with all the
groups that wanted to run web servers to set up a DMZ and worked on getting
access to that DMZ for web contents management.
We decided to buy an Application Gateway Firewall (Raptor Eagle) and implemented
Most people hardly noticed the difference between before and after in usage,
except for http sites using odd port numbers (often libraries it seemed). We
handled that by setting the browsers of these users with an explicit http proxy
to the firewall, which then did port translation.
The other hitch was that one group did explicit SMB file sharing to their
Solaris servers running Samba so we had to set up an SMB connection (defined by
RFC 1000 and 1001). Luckily Raptor had a CIFS/SMB proxy so it was not just a
hole through the firewall; it actually checked the SMB commands going through.
Within 6 months Hustler magazine sponsored a contest to deface our web site
(they were mad at one of the department's policies), but luckily it never
happened despite the firewall logs showing lots of attempts.
Now there is more than one firewall, with separate systems for internal to
Internet and Internet to web servers, VPN's etc. We have found that, although
there is a bit of latency with an ALG compared to stateful inspection,
throughput is pretty much the same and the ability to protect against worms
(Code Red was blocked at the firewall by default rules, as was MSBlaster etc.) made
us glad that we stayed with the ALG. We handle any real needs for non-standard
protocol servers (streaming media, Notes servers etc.) by having a hardened
bastion server outside the firewall with batch updates using SSH. Why anyone
would allow their internal users to be protected by anything less is a wonder.
The internal network was hit by MSBlaster last summer by someone in a remote
subnet taking his machine home for the night, then connecting again after being
infected, but the firewall logs quickly isolated the exact IP and it did not
spread too far.
With a good application gateway firewall and close monitoring of its logs,
there seems little sense for an IPS connected to the Internet. There is a reason
for monitoring internal subnets (subnets with SAP and executive info etc.) but
those have a much better defined usage profile and anomaly detection with
signatures is much more likely to succeed.
I think much of the hype for a need for IPS is because many corporate
networks only have a Stateful Inspection firewall facing the Internet, so they need a
second line of defence to catch all that these firewalls let through.
[mailto:firstname.lastname@example.org] On Behalf Of Devdas Bhagat
Sent: Tuesday, June 29, 2004 2:04 PM
Subject: Re: [fw-wiz] Firewalls Compared
On 28/06/04 23:52 -0400, Stiennon,Richard wrote:
> Am I the only one that sees a huge difference between an application
> proxy (ala the good old days of server based firewalls) and filters that
> are applied to payloads (ala Network Intrusion Prevention) by inline
> network devices?
I see a difference too. The first is a good thing. The second has
considerably less value.
(generalisations follow, they might not be applicable everywhere)
As I understand it, proxies watch for known good traffic. They will
filter out stuff which is not known to be good.
IPS watches for known bad traffic. It only responds to that which is
known to be bad. This is a lousy setup for a firewall.
Firewalls MUST be in a default DENY mode.
firewall-wizards mailing list
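The thread's core point, both in Bill Royds' account of moving the gateway from a router with "a few ACLs to block some known bad" services to a default-deny allow-list of published protocols, and in Devdas Bhagat's "firewalls MUST be in a default DENY mode", can be shown with a small policy evaluator. The following is an added example, not code from the list or from any product mentioned in the thread. It assumes the flow model, the port list, the block-list entries and the sample traffic defined inside it; the allow-list reproduces the six protocols the 1996 usage survey named, while the block-list is a constructed stand-in because the page does not say which services the router ACLs blocked.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt seen at the Internet gateway (constructed model)."""
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


# Allow-list: the half-dozen published-spec protocols the usage survey found
# covered ~98% of traffic (HTTP, FTP, Gopher, DNS, SMTP, Telnet).
ALLOWED_SERVICES = {
    ("tcp", 80),   # HTTP
    ("tcp", 21),   # FTP control channel
    ("tcp", 70),   # Gopher
    ("udp", 53),   # DNS queries
    ("tcp", 53),   # DNS over TCP (zone transfers, large responses)
    ("tcp", 25),   # SMTP
    ("tcp", 23),   # Telnet
}

# Block-list: constructed stand-in for the old router's "few ACLs to block some
# known bad" services. The real list is not on the page; these are assumptions.
BLOCKED_SERVICES = {
    ("tcp", 512),  # rexec  (constructed example entry)
    ("tcp", 513),  # rlogin (constructed example entry)
    ("tcp", 514),  # rsh    (constructed example entry)
}


def default_deny(flow: Flow) -> str:
    """Proxy/ALG stance: pass only what is known good, drop everything else."""
    return "allow" if (flow.proto, flow.dport) in ALLOWED_SERVICES else "deny"


def default_allow(flow: Flow) -> str:
    """Block-list stance: drop only what is known bad, pass everything else."""
    return "deny" if (flow.proto, flow.dport) in BLOCKED_SERVICES else "allow"


def evaluate(policy, flows):
    """Apply one policy function to every flow; returns {flow: decision}."""
    return {f: policy(f) for f in flows}


def leaked_by_blocklist(flows):
    """Flows the block-list passes but the allow-list drops: exactly the
    unknown traffic a default-allow gateway has no rule for."""
    return [f for f in flows
            if default_allow(f) == "allow" and default_deny(f) == "deny"]


# Constructed sample traffic. 10.0.0.0/8 stands for the internal network;
# the external addresses are documentation-range placeholders.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "192.0.2.10", "tcp", 80),      # ordinary web browsing
    Flow("10.1.2.3", "192.0.2.53", "udp", 53),      # DNS lookup
    Flow("10.1.2.4", "192.0.2.25", "tcp", 25),      # outbound mail
    Flow("10.1.2.5", "192.0.2.80", "tcp", 8080),    # web site on an odd port: denied
                                                    # unless sent via the explicit HTTP
                                                    # proxy on the firewall, as the post describes
    Flow("10.1.2.6", "198.51.100.7", "tcp", 135),   # RPC endpoint mapper, the port
                                                    # MSBlaster spread over
    Flow("10.1.2.7", "198.51.100.9", "tcp", 513),   # rlogin, on the constructed block-list
]

if __name__ == "__main__":
    for f, d in evaluate(default_deny, SAMPLE_FLOWS).items():
        print(f"default-deny   {f.proto}/{f.dport:<5} -> {d}")
    for f, d in evaluate(default_allow, SAMPLE_FLOWS).items():
        print(f"default-allow  {f.proto}/{f.dport:<5} -> {d}")
    for f in leaked_by_blocklist(SAMPLE_FLOWS):
        print(f"block-list let through: {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Run as a script it prints both decision tables and then the two flows (the odd-port web site and the port 135 attempt) that the block-list passes only because nobody had written a rule for them. That gap is the whole argument for default deny: an allow-list needs no foreknowledge of the next worm, while a block-list (and by extension a signature-driven IPS) only stops what it already knows about.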