Re: [fw-wiz] A fun smackdown...

From: Chuck Swiger (chuck_at_codefab.com)
Date: 05/20/05

    To: "Paul D. Robertson" <paul@compuwar.net>
    Date: Thu, 19 May 2005 18:32:11 -0400

    On May 19, 2005, at 5:45 PM, Paul D. Robertson wrote:
    >> Paul, why *don't* people run their firewalls with a single "deny all"
    >> rule?
    >
    > Actually, thinking about it, because it's cheaper to just not connect
    > systems that don't need the risk, and you lose the risk of implementation
    > errors in the firewall, configuration errors, and it then takes physical
    > presence to bridge the gap, reducing the rate of attack (which is
    > probably extremely low anyway.)

    Right, that's better: there's no need to use a firewall at all for a
    truly standalone system, those can be set up and updated via CD,
    without being networked at all.

    You only need a firewall when you need to permit some kinds of network
    traffic.

    > Now I've got one for you; Why do some people run firewalls with a single
    > "allow all" rule, and what can you do to make that less risky than the
    > "deny all" example?

    A firewall with allow-all is simply a router.

    I've disabled the firewall on my Linksys BEFS81 broadband router I use
    at home because the FreeBSD box set up as my DMZ host is set up as a
    honeytrap. A BSD network stack seems to time out TCP connections after
    about 10 minutes, if no traffic goes by, but you can get a Windows worm
    stuck for days if you reply using a 0 window size.

    I suspect that using greylisting, honeytraps, teergrubes, and similar
    techniques can do a lot to help slow down the spread rates of malware
    and spam. That's one way of making an "allow all" rule less risky than
    the "deny all" rule might be. Of course, you have to make sure your
    honeytrap software is up to the task, which is not as easy as it might
    seem.

    Has anyone else tried setting up several honeytraps across their
    address space? Have you noticed a difference in connection rates
    between IP addresses at the far ends of your IP range, compared with
    honeytrap IP's in the middle?

    -- 
    -Chuck
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
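The post above describes two things in passing: a honeytrap that keeps a scanning peer stuck by never letting its TCP connection progress (the teergrube / zero-window idea), and a question about whether honeytrap addresses at the far ends of an IP range see different connection rates than ones in the middle. The block below is an added example written for this thread; it is not Chuck Swiger's honeytrap code and nothing in it comes from the list. It makes several assumptions that are labelled in the comments: the tarpit shrinks the socket receive buffer and simply never reads, which is a userspace approximation of answering with a zero window (the kernel may clamp the minimum buffer size, so the peer's window only collapses once it has sent a little data); the "edge" of a range is taken to be the first and last eighth of the addresses; and the log lines and port number are constructed sample values.

```python
"""Minimal TCP tarpit plus a per-honeytrap connection-rate summary.

Added example for the firewall-wizards thread; not the original poster's
code. Assumptions: SO_RCVBUF shrinking stands in for a true zero-window
reply, the edge band of a range is one eighth of it at each end, and the
sample log below is constructed, not captured traffic.
"""
import ipaddress
import socket
import threading
import time
from collections import Counter, defaultdict

# Constructed honeytrap log (not real data): timestamp, honeytrap IP, peer IP.
SAMPLE_LOG = """\
2005-05-19T18:00:05 192.0.2.1 <- 198.51.100.7
2005-05-19T18:03:41 192.0.2.1 <- 198.51.100.9
2005-05-19T18:10:12 192.0.2.254 <- 203.0.113.4
2005-05-19T18:15:00 192.0.2.128 <- 198.51.100.7
2005-05-19T18:22:33 192.0.2.1 <- 203.0.113.77
2005-05-19T18:30:09 192.0.2.254 <- 198.51.100.9
2005-05-19T18:44:51 192.0.2.1 <- 203.0.113.4
2005-05-19T18:58:20 192.0.2.254 <- 203.0.113.77
"""


class Tarpit:
    """Accept TCP connections, never read from them, never close them."""

    def __init__(self, bind_ip, port, rcvbuf=512):
        self.bind_ip, self.port, self.rcvbuf = bind_ip, port, rcvbuf
        self.hits = []    # (time string, honeytrap IP, peer IP), same shape as the log
        self._held = []   # accepted sockets kept referenced so they are never closed
        self._srv = None

    def start(self):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # A small receive buffer on the listener is inherited by accepted
        # sockets, so the window we advertise is tiny from the handshake on.
        # (Assumption: the kernel may round this up to its own minimum.)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, self.rcvbuf)
        self._srv.bind((self.bind_ip, self.port))
        self._srv.listen(128)
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, peer = self._srv.accept()
            except OSError:
                return  # listener was closed
            stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime())
            self.hits.append((stamp, self.bind_ip, peer[0]))
            # Hold the socket and do nothing: the peer fills our window and
            # then sits in zero-window probing until its own stack gives up.
            self._held.append(conn)

    def stop(self):
        if self._srv:
            self._srv.close()


def parse_log(text):
    """Turn 'time honeytrap <- peer' lines into (time, honeytrap, peer) tuples."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, local, _arrow, peer = line.split()
        hits.append((when, local, peer))
    return hits


def position(addr, network, edge_fraction=8):
    """Classify an address as 'edge' or 'middle' of its range (assumed bands)."""
    size = network.num_addresses
    offset = int(addr) - int(network.network_address)
    band = max(1, size // edge_fraction)
    return "edge" if offset < band or offset >= size - band else "middle"


def summarize(hits, network_cidr, window_seconds):
    """Connections per hour for each honeytrap IP, tagged with its position."""
    network = ipaddress.ip_network(network_cidr)
    counts = Counter(local for _, local, _ in hits)
    return {
        ip: {"position": position(ipaddress.ip_address(ip), network),
             "per_hour": n * 3600 / window_seconds}
        for ip, n in counts.items()
    }


def mean_rate_by_position(summary):
    """Average per-hour rate for edge versus middle honeytraps."""
    buckets = defaultdict(list)
    for row in summary.values():
        buckets[row["position"]].append(row["per_hour"])
    return {pos: sum(v) / len(v) for pos, v in buckets.items()}


if __name__ == "__main__":
    pit = Tarpit("127.0.0.1", 2525)   # constructed port for a local trial
    pit.start()
    hits = parse_log(SAMPLE_LOG)
    summary = summarize(hits, "192.0.2.0/24", window_seconds=3600)
    for ip, row in sorted(summary.items()):
        print(f"{ip:12} {row['position']:6} {row['per_hour']:.1f}/h")
    print(mean_rate_by_position(summary))
    pit.stop()
```

Run as a script it starts a tarpit on a local port and prints the summary of the constructed log; feeding it a real honeytrap's `hits` list in place of `parse_log(SAMPLE_LOG)` gives the edge-versus-middle comparison the post asks about. The design point is that the tarpit's cost per stuck peer is one held socket and a few hundred bytes of kernel buffer, which is why a small receive buffer is set on the listener rather than on each accepted socket after the fact.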
