Re: Let's talk about firewalls - what do we as a group think a firewall should be/have?

Leythos wrote:
[...]
1) A firewall should block all outbound by default (as shipped).

2) A firewall should block all inbound by default (as shipped).

Yes.

3) A firewall should know the difference between protocols: HTTP and
DNS as an example. Nothing should pass through a rule except the
proper protocol it was configured for.

Not necessarily. If the firewall is supposed to filter on layers above
OSI layer 4 it should, otherwise it shouldn't, so I'd consider this
optional rather than required.

4) A firewall should support direct VPN connections to/from itself,
as an end-point.

Only if the firewall is supposed to provide VPN endpoint functionality.
Not everyone needs this, so I'd consider this optional as well.

5) A firewall should have a real DMZ if it claims to have a DMZ -
meaning that it should have a physical jack for a DMZ that is not
part of the same network as the LAN.

I agree to a point. Each interface of a firewall should be distinct from
each other. However, a firewall does not necessarily need more than two
interfaces, so a "DMZ interface" is not a requirement.

6) A firewall with a DMZ/LAN should have no default rules allowing
access between them.

I'd rather summarize this with points 1) and 2) to "A firewall should by
default deny all traffic between all interfaces."

7) A firewall should clearly log/report all traffic, in/out, and make
it easy to determine if it was approved/unapproved, etc...

Yes.

8) A firewall should be able to detect threats, internal and
external, on any port, and block those attack origination locations
from access.

Intrusion detection is a two-edged sword as it may consume a
considerable amount of resources. I wouldn't consider this a requirement
for any firewall. Even if a firewall included an IDS it should IMHO be
disabled by default. And automatic network shunning ("block those attack
origination locations") is still a REALLY BAD IDEA and should NOT be
done AT ALL, much less be a default.

9) A firewall should be able to allow the user to create rules that
can be used to cause the blocking of hosts attaching via specific
rule (ports) - this would be used to block access from hosts probing
the firewall for open ports, or to block worms (TCP 1433/1434 as an
example).

See above. I'll agree that a firewall admin should be able to create
such rules, but they're dangerous and should be used with caution.

10) A firewall should provide for multiple subnets on any network
interface.

I'm not sure I understand what you mean by that.

11) A firewall should not have DHCP Service enabled on the LAN/DMZ by
default.

Make that "any service on any interface". One reasonable exception may
be a service providing a (secure) configuration frontend on one distinct
interface, that is marked as such (see also below).

12) A firewall should be certified as a firewall by some reputable
authority.

That only helps your legal department. If you think you need that: fine,
but it's most definitely not a technical requirement for a firewall.

I'd like to add:

13) In case of a failure/doubt a firewall should by default deny traffic
rather than allow it (fail-close).

14) A firewall should by default provide a secure configuration
interface on exactly one physical interface (e.g. a serial console, or
ssh or https on a LAN interface).

cu
59cobalt
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
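The defaults argued for in this thread (deny everything between all interfaces unless a rule allows it, log every verdict with the rule behind it, fail-close on any error, management frontend on exactly one interface) can be modelled as a small rule engine. This is an added example, not code from the post or from any firewall product; the interface names, ports, addresses and the deliberately buggy "broken" rule are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrived on, e.g. "wan", "lan", "dmz"
    out_if: str  # egress interface, or "self" for the firewall's own stack
    proto: str   # "tcp" or "udp"
    dport: int
    src: str

class DefaultDenyFirewall:
    """Only ALLOW rules exist; a packet no rule matches is denied, which is the
    post's 'deny all traffic between all interfaces by default'."""
    def __init__(self, mgmt_if: str, mgmt_ports: Tuple[int, ...] = (22, 443)):
        self.rules: List[Tuple[str, Callable[[Packet], bool]]] = []
        self.log: List[str] = []
        # Point 14: ssh/https to the firewall itself, from exactly one interface.
        self.allow("mgmt", lambda p: p.in_if == mgmt_if and p.out_if == "self"
                   and p.proto == "tcp" and p.dport in mgmt_ports)
    def allow(self, name: str, match: Callable[[Packet], bool]) -> None:
        self.rules.append((name, match))
    def decide(self, pkt: Packet) -> str:
        verdict, reason = "DENY", "default-deny"
        try:
            for name, match in self.rules:
                if match(pkt):
                    verdict, reason = "ALLOW", name
                    break
        except Exception as exc:  # point 13: a broken rule must never open the firewall
            verdict, reason = "DENY", f"fail-closed ({type(exc).__name__})"
        # Point 7: every packet is logged with what approved or denied it.
        self.log.append(f"{verdict} {pkt.in_if}->{pkt.out_if} {pkt.proto}/{pkt.dport} "
                        f"src={pkt.src} rule={reason}")
        return verdict

def demo() -> Tuple[List[str], List[str]]:
    fw = DefaultDenyFirewall(mgmt_if="lan")
    fw.allow("lan-web-out", lambda p: p.in_if == "lan" and p.out_if == "wan"
             and p.proto == "tcp" and p.dport in (80, 443))
    fw.allow("broken", lambda p: p.src == "10.0.0.99" and p.dport / 0 > 1)  # deliberately buggy
    pkts = [  # constructed sample traffic
        Packet("lan", "wan", "tcp", 443, "192.168.1.10"),  # ALLOW: lan-web-out
        Packet("wan", "lan", "tcp", 445, "203.0.113.7"),   # DENY: no rule (point 2)
        Packet("dmz", "lan", "tcp", 3306, "192.168.2.5"),  # DENY: no DMZ->LAN default (point 6)
        Packet("lan", "self", "tcp", 22, "192.168.1.10"),  # ALLOW: mgmt from the LAN
        Packet("wan", "self", "tcp", 22, "203.0.113.7"),   # DENY: mgmt only on the LAN
        Packet("lan", "wan", "udp", 53, "10.0.0.99"),      # DENY: buggy rule raised, fail-closed
    ]
    return [fw.decide(p) for p in pkts], fw.log
```

The last packet shows the fail-close point: an exception while evaluating a rule ends in DENY with the error recorded in the log, never in a pass-through.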