Re: Why you have hardware firewalls

From: Darko Gavrilovic (darkog_at_REMOVETHIShushmail.com)
Date: 04/13/05


Date: Wed, 13 Apr 2005 17:16:05 GMT

Leythos wrote:

> On Wed, 13 Apr 2005 06:08:38 -0500, Darko Gavrilovic wrote:
>>
>> your methodology may work - if you knew for sure 110% where you target
>> customers/visitors are connecting from. but what information makes you
>> so sure? and how do you know you aren't losing customers?
>
> You must be assuming that we don't know who our clients are? If I
> design/host a web site for a roofing company based in the USA, there is
> little chance they are going to get a request for a bid from Oz or from
> Asia, and no reason for them to expose their site to those countries as
> their business model doesn't cover doing work outside the USA (outside
> their state for that matter). The same is true for many businesses.
>
>> the way i see it, your site is either on the internet and public or it's
>> on intranet and private. if it's private, then by all means place behind
>> F/W and filter to your own corp. subnets.
>
> All web servers, or anything that provides public access (ftp, smtp,
> etc..) should be behind a quality firewall device.
>
>> but if it's public, it's public. where is your reasoning to adjust IP
>> filter to target audience connections? the site is in english, so you
>> will just assume that anyone who can't read english won't visit - so you
>> will filter out non-english speaking countries?
>
> You're wrong, public doesn't mean World, it means open to as far as you
> want it to reach. In many cases, there are no reasons for non-global
> companies or organizations to reach beyond their local country. Even if
> the company did get a request for third-world services they would not be
> able to service it as their infrastructure would not be setup for it. For
> those that want to service third-world countries, more power to them, and
> they would need to remain unblocked, but I see no reason to expose
> services that should not be available to others.
>
> The way to look at it is simple - reduce your exposure as much as
> possible, which will also reduce your load/management needs, and also
> helps to reduce your exposure to threats.
>
> Oh, it has nothing to do with the language of any peoples, it's got
> everything to do with where you want to expose your services too. If you
> know that you're never going to sell/service places in country XYZ, then
> you can block all the IP ranges in country XYZ - this eliminates a
> direct threat area/path.
>
>> also, relying on IP filtering is a little weak. as we all know, IP's can
>> be spoofed. or even simpler, you can find a proxy from allowed IP and
>> use it to get in. a guy who has targeted *your* site for an attack
>> probably learnt *that* way before he learn how to be a scripter.
>
> And, in this discussion, you should already understand that it's a PART of
> the entire solution, not the sole method. Blocking connections to
> countries that you don't do business with is a valid means of eliminating
> threats. In case you missed it, this is only a small part of a security
> solution.
>
>> filtering SMTP proto so asian countries are excluded is common practice
>> and makes sense. but filtering HTTP proto, i do not come across that too
>> often.
>
> I see daily connection attempts to HTTP, FTP, SMTP, 4899, and several
> others, from many foreign sites. In the early days I would track the IP,
> block just the IP, and then move on. Now, as it's more evident, it's
> easier to block the country or net-block used by the prober, I don't block
> /8's, but I do block /16's and /24's all the time.
>

yeah - i guess a lot depends on the type of business and services you are
selling.

it still seems weird to "penalize" entire chunks of the internet based on
something/action/hack attempt that has not happened yet.

would it not make more sense to automate & integrate an IDS (snort) with
your firewall and have it auto block any suspicious hits. you might wind up
blocking a lot of false positives - but at least your are not blocking
right across the board.

(p.s. for the purposes of this thread - lets assume you are selling services
to anyone willing to pay. not selling services to just your local
community. lets say you are selling web design services.)

-- 
"Why do they call it rush hour when nothing moves?", Robin Williams