Re: [fw-wiz] Firewalls that generate new packets..

Isn't that kind of amazing? People look at these "stateful firewalls" as
if they're somehow doing something IMPORTANT but they're basically
a router with "established" and a kind of "synthetic established" for UDP.
People, that's barely a security device at all - 99% of what you're
getting is the "firewall" sticker on the front.

In practice, most people have a stateful firewall because they have to - if
they did not, their vulnerability assessments/pentesting/other reports
would come with a "High" in one column, and "replace with a stateful
firewall" in the other. Not to bash state checking (OpenBSD pf, defense in
depth), but that seems to be the reason. Same with anti-spoofing,
filtering bogons, and using IP stacks with cryptographically secure IP
IDs/TCP sequence numbers.

Security is such a disaster because we're fighting and losing
a battle with software complexity and extravagantly stupid
software specifications. Firewalls, rather than acting as bastions
against the complexity, have "adapted" by succumbing to
that complexity themselves.

Like using "session" and "user" authentication in place of actual access
controls, allowing use of crypto tokens with no PINs (or PINs written on
the devices) for the managers, inability to differentiate a corporate laptop
from a vendor laptop (except for noting that a Dell is not an HP).

When security went mainstream, IT Sec folks were invited into the
board meeting, but they showed up without a business case (not enough
PowerPoint, wrong language, _something_ went wrong).

Now there is another chance to fix it, this time by using lessons
learned. Well, there can be no lessons without textbook materials, but
good universally known security cases and security metrics are... few.

The good news is that Web 2.0 mashups will take care of it all.

Marcin Antkiewicz
firewall-wizards mailing list
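The first paragraph's claim, that a "stateful firewall" is essentially a router with "established" plus a synthetic equivalent for UDP, can be made concrete with a toy model. The code below is an added example written for this page; it is not from the original post, the firewall-wizards list, or any real firewall. It models a router ACL "established" rule (permit inbound TCP if ACK or RST is set, no memory) beside a minimal state table keyed on the 5-tuple, with a timer-based pseudo-connection for UDP. Packets are a dataclass rather than real headers, the clock is passed in explicitly, the timeout values and the addresses (documentation ranges) are constructed for the demo.

```python
"""Toy model of a stateless 'established' ACL versus a 5-tuple state table.

Constructed for illustration only; timeouts, addresses and packet layout are
assumptions, not taken from any real product.
"""
from dataclasses import dataclass, field

UDP_TIMEOUT = 30.0    # assumed: seconds of silence before a UDP "session" is forgotten
TCP_TIMEOUT = 3600.0  # assumed: idle timeout for tracked TCP connections


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags: "SYN", "ACK", "RST", "FIN"
    direction: str = "out"           # "out" = inside->outside, "in" = outside->inside


def stateless_established_rule(pkt: Packet) -> bool:
    """Router ACL semantics: 'permit tcp any any established'.

    Outbound traffic is always permitted; inbound TCP is permitted when ACK or
    RST is set. Nothing is remembered, so an unsolicited inbound ACK passes,
    and UDP replies cannot be matched at all.
    """
    if pkt.direction == "out":
        return True
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


@dataclass
class StatefulFilter:
    """Minimal connection tracker: an entry per flow, oriented outbound, with an expiry."""
    table: dict = field(default_factory=dict)  # key -> absolute expiry time

    @staticmethod
    def _key(pkt: Packet):
        # Normalise to outbound orientation so a reply looks up the entry its request created.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now: float) -> None:
        for k in [k for k, exp in self.table.items() if exp <= now]:
            del self.table[k]

    def allow(self, pkt: Packet, now: float) -> bool:
        self._expire(now)
        key = self._key(pkt)
        timeout = TCP_TIMEOUT if pkt.proto == "tcp" else UDP_TIMEOUT
        if pkt.direction == "out":
            if pkt.proto == "tcp" and key not in self.table:
                # Only an initial SYN (no ACK) may open new TCP state.
                if "SYN" not in pkt.flags or "ACK" in pkt.flags:
                    return False
            # UDP: any outbound datagram creates or refreshes the synthetic "session".
            self.table[key] = now + timeout
            return True
        # Inbound: permitted only if the inside already opened the flow.
        if key not in self.table:
            return False
        if pkt.proto == "tcp" and "RST" in pkt.flags:
            del self.table[key]          # peer tore the connection down
            return True
        self.table[key] = now + timeout  # refresh idle timer
        return True


def run_scenarios() -> dict:
    """Push the same constructed packets through both filters; return verdicts by scenario."""
    sf = StatefulFilter()
    results = {}
    # 1. Unsolicited inbound ACK: what an ACK scan or a spoofed "reply" looks like.
    stray_ack = Packet("tcp", "203.0.113.9", 40000, "192.0.2.10", 22, frozenset({"ACK"}), "in")
    results["stray_ack_stateless"] = stateless_established_rule(stray_ack)   # True: ACK bit is enough
    results["stray_ack_stateful"] = sf.allow(stray_ack, now=0.0)              # False: no matching entry
    # 2. Legitimate TCP: inside opens, outside replies.
    syn = Packet("tcp", "192.0.2.10", 51000, "198.51.100.5", 443, frozenset({"SYN"}), "out")
    synack = Packet("tcp", "198.51.100.5", 443, "192.0.2.10", 51000, frozenset({"SYN", "ACK"}), "in")
    sf.allow(syn, 1.0)
    results["synack_stateful"] = sf.allow(synack, 1.1)                         # True
    # 3. UDP pseudo-state: DNS query out, reply in, then a reply after the idle timeout.
    query = Packet("udp", "192.0.2.10", 53000, "198.51.100.53", 53, direction="out")
    reply = Packet("udp", "198.51.100.53", 53, "192.0.2.10", 53000, direction="in")
    results["udp_reply_stateless"] = stateless_established_rule(reply)        # False: UDP has no ACK bit
    sf.allow(query, 10.0)
    results["udp_reply_in_window"] = sf.allow(reply, 11.0)                     # True
    results["udp_reply_after_timeout"] = sf.allow(reply, 11.0 + UDP_TIMEOUT + 1)  # False: entry expired
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} {'permit' if verdict else 'deny'}")
```

The two UDP verdicts are the "synthetic established": a stateless ACL has no bit to key on, so the tracker fakes one with a timer, and the same timer is why a reply that arrives late is dropped. Whether that, plus refusing stray ACKs, deserves the "firewall" sticker is the question the post is asking.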
