Re: [fw-wiz] Firewalls that generate new packets..

Isn't that kind of amazing? People look at these "stateful firewalls" as
if they're somehow doing something IMPORTANT but they're basically
a router with "established" and a kind of "synthetic established" for UDP.
People, that's barely a security device at all - 99% of what you're
getting is the "firewall" sticker on the front.

In practice, most people have a stateful firewall because they have to - if
they did not, their vulnerability assessments/pentesting/other reports
would come with a "High" in one column, and "replace with a stateful
firewall" in the other. Not to bash state checking (OpenBSD pf, defense in
depth), but that seems to be the reason. Same with anti-spoofing,
filtering bogons, and using IP stacks with cryptographically secure IP
IDs/TCP sequence numbers.

Security is such a disaster because we're fighting and losing
a battle with software complexity and extravagantly stupid
software specifications. Firewalls, rather than acting as bastions
against the complexity, have "adapted" by succumbing to
that complexity themselves.

Like using "session" and "user" authentication in place of actual access
controls, allowing use of crypto tokens with no PINs (or PINs written on
the devices) for the managers, inability to differentiate a corporate laptop
from a vendor laptop (except for noting that a Dell is not an HP).

When security went mainstream and IT Sec folks were invited into the
board meeting, they showed up without a business case (not enough
PowerPoint, wrong language, _something_ went wrong).

Now there is another chance to fix it, this time by using lessons
learned. Well, there can be no lessons without textbook materials, but
good universally known security cases and security metrics are... few.

The good news is that Web 2.0 mashups will take care of it all.

Marcin Antkiewicz
firewall-wizards mailing list
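The post above describes a stateful firewall as "a router with 'established' and a kind of 'synthetic established' for UDP". The following is an added example, not part of the original message or of any particular firewall's code: a small Python model of both filter styles, run over a constructed packet sequence, so the reader can see where a stateless "established" ACL and a state table actually give different answers (a forged inbound ACK, an unsolicited datagram from source port 53, and a UDP reply arriving after the state has expired). The addresses, ports, and the 30-second UDP idle timeout are assumptions made for the example.

```python
"""
Added example (not from the original post): two packet-filter styles.

stateless_established(): a router ACL with an "established" keyword.
  Inbound TCP is passed if the ACK bit is set, i.e. a flag the sender
  controls. UDP has no such bit, so the ACL statically opens the reply
  port (53 here, for DNS) instead.

StatefulFilter: inbound traffic is passed only if an earlier outbound
  packet created a matching state-table entry. For UDP the entry is the
  "synthetic established" record, expired after an idle timeout.

All packets, addresses and timeouts below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                  # "out" = inside->outside, "in" = outside->inside
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}
    t: float = 0.0                  # arrival time in seconds (assumed clock)


def stateless_established(pkt: Packet) -> bool:
    """Router ACL: allow all outbound; inbound TCP only with ACK set;
    inbound UDP only from source port 53 (statically opened for DNS)."""
    if pkt.direction == "out":
        return True
    if pkt.proto == "tcp":
        return "ACK" in pkt.flags
    if pkt.proto == "udp":
        return pkt.sport == 53
    return False


class StatefulFilter:
    UDP_IDLE = 30.0  # assumed idle timeout for the synthetic UDP state

    def __init__(self):
        # key: (proto, inside_ip, inside_port, outside_ip, outside_port) -> last seen
        self.table = {}

    @staticmethod
    def _key_out(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _key_in(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now):
        stale = [k for k, seen in self.table.items()
                 if k[0] == "udp" and now - seen > self.UDP_IDLE]
        for k in stale:
            del self.table[k]

    def allow(self, pkt: Packet) -> bool:
        self._expire(pkt.t)
        if pkt.direction == "out":
            # TCP: only a SYN opens new state; UDP: any outbound datagram does.
            # (TCP teardown on FIN/RST is omitted to keep the model short.)
            if (pkt.proto == "tcp" and "SYN" not in pkt.flags
                    and self._key_out(pkt) not in self.table):
                return False
            self.table[self._key_out(pkt)] = pkt.t
            return True
        key = self._key_in(pkt)
        if key in self.table:
            self.table[key] = pkt.t  # refresh idle timer
            return True
        return False


def run_demo():
    """Run a constructed packet sequence through both filters.
    Returns {label: (stateless_verdict, stateful_verdict)}."""
    inside, web, dns, attacker = "10.0.0.5", "203.0.113.10", "203.0.113.53", "198.51.100.7"
    seq = [
        ("tcp_syn_out", Packet("tcp", inside, 40000, web, 80, "out", frozenset({"SYN"}), 0)),
        ("tcp_synack_reply", Packet("tcp", web, 80, inside, 40000, "in", frozenset({"SYN", "ACK"}), 1)),
        # ACK scan: the attacker simply sets ACK on an unsolicited segment
        ("forged_ack_scan", Packet("tcp", attacker, 1234, inside, 22, "in", frozenset({"ACK"}), 2)),
        ("udp_query_out", Packet("udp", inside, 5000, dns, 53, "out", t=10)),
        ("udp_reply", Packet("udp", dns, 53, inside, 5000, "in", t=11)),
        # unsolicited datagram aimed at portmapper, sent from source port 53
        ("udp_sport53_unsolicited", Packet("udp", attacker, 53, inside, 111, "in", t=12)),
        # a "reply" arriving well after the synthetic UDP state has idled out
        ("udp_reply_after_timeout", Packet("udp", dns, 53, inside, 5000, "in", t=60)),
    ]
    sf = StatefulFilter()
    return {label: (stateless_established(p), sf.allow(p)) for label, p in seq}


if __name__ == "__main__":
    for label, (sl, st) in run_demo().items():
        print(f"{label:26} stateless={sl!s:5} stateful={st!s:5}")
```

The three rows where the verdicts differ are exactly the cases that separate a state table from an "established" keyword: the stateless ACL trusts an ACK bit and a source port that the remote host chooses, while the stateful filter only honours traffic it has seen the inside host initiate, and forgets the UDP "session" once it goes idle.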