Re: Lets talk about firewalls - what do we as a group think a firewall should be/have?



Leythos wrote:
> Sorry, hit the wrong key and it sent before I was ready:

Try "supersede" next time.

Quote levels below fixed.

> In article <4l0b83Fe3nesU1@xxxxxxxxxxxxxx>, usenet-2006@xxxxxxxxxxxxxxxx
> says...
> > > 8) A firewall should be able to detect threats, internal and
> > > external, on any port, and block those attack origination locations
> > > from access.
> >
> > Intrusion detection is a two-edged sword as it may consume a
> > considerable amount of resources. I wouldn't consider this a requirement
> > for any firewall. Even if a firewall included an IDS it should IMHO be
> > disabled by default. And automatic network shunning ("block those attack
> > origination locations") is still a REALLY BAD IDEA and should NOT be
> > done AT ALL, much less be a default.
>
> I wasn't thinking of IDS when I wrote the above, but it should be able
> to detect various threats (Spoofing, DOS, DDOS, etc...) and it should
> block the source of those on any interface. I did not include IDS at
> all, as there are other products for that.
>
> > > 9) A firewall should be able to allow the user to create rules that
> > > can be used to cause the blocking of hosts attaching via specific
> > > rule (ports) - this would be used to block access from hosts probing
> > > the firewall for open ports, or to block worms (TCP 1433/1434 as an
> > > example).
> >
> > See above. I'll agree that a firewall admin should be able to create
> > such rules, but they're dangerous and should be used with caution.
>
> They are not dangerous, they are great at helping block intruders. We
> set up all our firewalls to detect traffic on select ports; when detected
> we block that source IP for 20 minutes. When the SQL Slammer hit it was
> easy to see it start, our block list increased hundreds of times in
> size.

No. See my last post. Automatic network shunning enables an attacker to
DoS your connection, because he can spoof the source address of the
packets he sends. Thus blocking rules should only be used when you know
EXACTLY what you're doing, and they should NEVER be enabled by default.

> > > 10) A firewall should provide for multiple subnets on any network
> > > interface.
> >
> > I'm not sure I understand what you mean by that.
>
> In my networks I have multiple networks behind each network in many
> cases. As an example, I might have a DMZ with a network with servers
> in it (say 192.168.16.1/24) and then inside that network I might have
> classrooms with their own isolated networks (10.1.0.1/24,
> 10.2.0.1/24...). The firewall has to know that there are also the
> 10.x.x.x networks on that interface or it will block traffic from them
> - or it should block traffic from them.

You mean the firewall should allow rules for arbitrary/multiple network
addresses on each interface? Yes, it most definitely should.

> > > 11) A firewall should not have DHCP Service enabled on the LAN/DMZ
> > > by default.
> >
> > Make that "any service on any interface". One reasonable exception
> > may be a service providing a (secure) configuration frontend on one
> > distinct interface, that is marked as such (see also below).
>
> Yes, but I was specifically thinking about Drop-In devices like the
> household NAT appliances that come with DHCP Service enabled to make
> it easy for users.

Ummm... I'm a little confused now. Are we talking about requirements for
a firewall in general, or are we talking about requirements for firewall
appliances for the home/SOHO market?

> > > 12) A firewall should be certified as a firewall by some reputable
> > > authority.
> >
> > That only helps your legal department. If you think you need that:
> > fine, but it's most definitely not a technical requirement for a
> > firewall.
>
> But, if it's not certified, then anyone can call an appliance a
> firewall and the public will buy it as a firewall - See all the
> residential devices out on the market.

I have seen way too much certified crap to give a damn about
certificates. Like I said: IMHO the only value they have is for your
legal department.

cu
59cobalt
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
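The disagreement above over automatic shunning (block a source address for 20 minutes when it touches a watched port, versus "an attacker can spoof the source address and DoS your connection") can be shown in a few lines of simulation. The following is an added example written for this page, not code from either poster or from any firewall product. All addresses are constructed sample values, and the `require_established` safeguard (only shun a source once it has completed a TCP handshake, which a blindly spoofed SYN cannot do) is a design choice assumed here for illustration, not something proposed in the thread.

```python
"""Simulation of the auto-shunning trade-off discussed in the thread.

Two firewall policies are compared:
  * spoofable:   shun any source that sends a packet to a watched port
  * established: shun a source only after it completed a handshake on a
                 watched port (a blind spoofer never sees our SYN-ACK, so it
                 cannot send the ACK that marks the flow as established)
Added example; addresses and traffic are constructed, not captured.
"""
from dataclasses import dataclass

SHUN_SECONDS = 20 * 60  # the 20-minute block mentioned in the thread


@dataclass
class Packet:
    src: str
    dst_port: int
    flags: str            # "S" = bare SYN, "A" = packet carrying an ACK
    spoofed: bool = False  # simulation-only annotation: the sender forged src


class Firewall:
    def __init__(self, watched_ports, require_established=False):
        self.watched_ports = set(watched_ports)
        self.require_established = require_established
        self.blocklist = {}      # src address -> time the block expires
        self.established = set()  # (src, port) pairs that completed a handshake

    def _expire(self, now):
        for src in [s for s, until in self.blocklist.items() if until <= now]:
            del self.blocklist[src]

    def _should_shun(self, pkt):
        if not self.require_established:
            return True  # any packet to a watched port triggers a shun: spoofable
        return (pkt.src, pkt.dst_port) in self.established

    def handle(self, pkt, now):
        """Return 'blocked', 'shunned' or 'allowed' for one packet."""
        self._expire(now)
        if pkt.src in self.blocklist:
            return "blocked"
        if pkt.dst_port in self.watched_ports:
            if pkt.flags == "A":
                # An ACK on a watched port means the sender saw our SYN-ACK,
                # i.e. the source address is really reachable by that sender.
                self.established.add((pkt.src, pkt.dst_port))
            if self._should_shun(pkt):
                self.blocklist[pkt.src] = now + SHUN_SECONDS
                return "shunned"
        return "allowed"


def run_scenario(require_established):
    """Replay two constructed event sequences and report the verdicts."""
    fw = Firewall(watched_ports={1433, 1434}, require_established=require_established)
    legit = "203.0.113.10"   # constructed: a partner mail relay we depend on
    worm = "198.51.100.7"    # constructed: a real infected host
    t = 0

    # A single packet to TCP 1433 with the partner's address forged as source.
    fw.handle(Packet(src=legit, dst_port=1433, flags="S", spoofed=True), t)
    # A minute later the real partner host tries to deliver mail on port 25.
    legit_verdict = fw.handle(Packet(src=legit, dst_port=25, flags="S"), t + 60)

    # The worm scans from its own address and completes the handshake.
    fw.handle(Packet(src=worm, dst_port=1434, flags="S"), t)
    fw.handle(Packet(src=worm, dst_port=1434, flags="A"), t + 1)
    worm_verdict = fw.handle(Packet(src=worm, dst_port=1434, flags="S"), t + 2)

    return {"legit": legit_verdict, "worm": worm_verdict}


if __name__ == "__main__":
    for mode in (False, True):
        print("require_established =", mode, "->", run_scenario(mode))
```

With `require_established=False` the forged packet gets the partner's real address blocked for 20 minutes (the DoS 59cobalt describes), while with `require_established=True` the partner is still allowed and the worm, whose source address is genuine, is blocked in both modes. The safeguard narrows the damage from blind spoofing but does not remove the underlying trade-off: any address that completes a handshake can still be shunned, so an allowlist for addresses you cannot afford to lose and a short expiry remain sensible.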