Re: Lets talk about firewalls - what do we as a group think a firewall should be/have?



On Tue, 22 Aug 2006, in the Usenet newsgroup comp.security.firewalls, in article
<4JJGg.64283$vl5.57009@xxxxxxxxxxxxxxxxxxxxxx>, Leythos wrote:

> Sorry, sometimes my fingers type faster than my brain.

I hear you. This tool has a Spell Chequer, but it lacks it grammar
checker and despite re-reading the post before hitting 'Send'...

>> Your use of the DMZ is different from what I see to be normal. The only
>> things we put in the DMZ are those hosts that need to be reachable from
>> the WAN side.

> Same here, but I have a number of clients with multiple DMZ's where the
> training centers have access to the internet, but they also isolate
> each room from the others.

Well, the client is always right. Isolating the classrooms is correct,
but this is more a semantics issue.

>> In your example, the classrooms would likely not be offering such
>> services, and probably should be isolated on their own NATing firewall
>>                                                    ^^^^^^^^^^^^^^^^^^^
>> - to allow (probably controlled) access OUT to the Internet, and
>> limited (if any) access to the rest of the internal networks.

> That's one way to do it, but, we can look at things in different
> methods. I would rather have my classrooms behind a firewall, not just a
> NAT, and the DMZ, since it's already secured, is a good place to tack
> them on to, so that they don't have LAN access by mistake anywhere.

If the "company" is not offering services to the Internet, then the
otherwise unused DMZ would be a good place. If they are offering any
service - to me, that means any application that is accepting new
connections from outside (receiving mail, DNS, web service), then I
prefer these servers to be isolated in the DMZ without access from
inside. Administration, and connections to the internal LAN should
be by means of a second interface on the server. By this, I mean
that (example) mail gets received by the mail server on a DMZ interface
on the "public" server. An "internal" server then connects to a second
(isolated) interface, and extracts the mail for delivery. (The external
mail server needs to have a copy of a list of valid users it will accept
mail for - but that's a trivial server configuration issue.) Systems in
the DMZ are not allowed to _initiate_ connections to the internal LAN,
and only accept connections from a limited set of internal hosts. Thus,
in the worst case when a host in the DMZ is subverted, it can't reach
into the internal network. Those who would complain about the added
complexity (true, but a one-time setup) or cost (how much are you paying
for NICs and a small hub/switch?) need to think how much this mechanism
adds to security.

As regards the classroom setup - again, are any of the systems in the
classroom serving to the Internet (other than perhaps 113/tcp)? If no,
then a relatively simple ruleset is needed to block incoming SYN packets
while allowing SYN/ACK. As for blocking "inter-classroom" traffic, and
traffic to/from the classrooms and the rest of the network, this can be
done with any competent router by simply not supplying routing rules
between those networks.

>>> 11) A firewall should not have DHCP Service enabled on the LAN/DMZ by
>>> default.

>> What do you propose instead? No DHCP - so it's static or LinkLocal? Or
>> is it some other box separate from the firewall/user systems?

> It can offer DHCP, but it should not be enabled by default. I've seen
> too many people install devices called firewalls and never learn another
> thing about them - and many times they are wide open (wireless units).
> Having them not offer DHCP as a default, meaning it's not enabled, would
> mean that users would have to configure them before using them.

Personally, I prefer static addressing, but I can see where you are
coming from. I just don't know if this is a viable solution. Many home
entertainment systems are now picking up time-of-day information from
remote sources automagically because most users can't be bothered to
read the manual to see how to set the clock manually. How many of your
customers would know what an RFC1918 address[1] is (or if they have real
addresses, what they are, what the netmask is, and what is the next-hop
router address[es])? Not enabling stuff by default is an established
procedure (look at OpenBSD, which claims an out-of-box install has never
been r00ted - mainly because nothing is enabled out-of-box), but this
requires knowledge on the user's side (a rare commodity), or that the
user gets (at least temporary) outside help. Given the current customer
expectations (have you actually read the "Instruction Book" that comes
with most consumer goods today), I suspect this might be a non-starter.
People expect that you need only plug it in, turn it on, and "it works".
Read some manual??? Why? (Of course, this is also helped by the fact
that most so-called "Instruction Books" are really just filled with
legal notices telling the user not to immerse the product in the bath
tub while it's plugged in, and the actual "how to use it" stuff is
limited to a half page written by a poorly configured artificial [lack
of] intelligence program.)

>> I can see your point, but what do you define as a reputable authority?
>> ANSI? IEEE? IETF? NIST? NSA? Some supra-national entity from
>> the EU, or similar? Good Housekeeping magazine? ;-)

> I'll start with CERT and go with places like that.

Isn't that a bit off their turf? Certainly "Good Housekeeping magazine"
was offered in jest, but I'd think the other organizations would be
somewhat more appropriate.

Old guy

[1] Saw a Usenet posting where someone was statically configuring hosts
to 169.254.0.0/16 "because that's the addresses the DHCP server is
providing". And then wondered why connectivity to the world was hosed.
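The DMZ and classroom policy described in the post (DMZ hosts may never initiate connections inward, only a limited set of internal hosts may reach them, classrooms get out to the Internet but not to each other or to the LAN), worked through as an added example that is not part of the original post. The zone networks, the admin host and the published ports are constructed sample values; reply traffic (SYN/ACK, established flows) is assumed to be handled by connection tracking and is not modelled.

```python
# Added example: a model of the DMZ / classroom policy from the post.
# Zone networks, the admin host and the public ports are constructed
# sample values, not taken from the thread.
from ipaddress import ip_address, ip_network

ZONES = {                              # one zone per firewall interface
    "lan":   ip_network("10.0.0.0/24"),
    "dmz":   ip_network("192.168.100.0/24"),
    "room1": ip_network("192.168.1.0/24"),   # classroom segments
    "room2": ip_network("192.168.2.0/24"),
}
# The "limited set of internal hosts" allowed to open connections into
# the DMZ, e.g. the internal mail server that pulls mail off the relay.
DMZ_ADMIN_HOSTS = {ip_address("10.0.0.5")}
# Services the DMZ publishes to the Internet: SMTP, DNS, HTTP.
DMZ_PUBLIC_PORTS = {25, 53, 80}

def zone_of(addr):
    """Map an address to its zone; anything not on a known segment is WAN."""
    a = ip_address(addr)
    return next((z for z, net in ZONES.items() if a in net), "wan")

def allow_syn(src, dst, dport):
    """Verdict for a new TCP connection (SYN) from src to dst:dport.
    Replies and established flows are left to connection tracking."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:                         # same segment: never crosses the firewall
        return True
    if s == "dmz":                     # a subverted DMZ host must not reach inward;
        return d == "wan"              # outbound to the Internet only (assumption)
    if d == "dmz":
        if s == "wan":
            return dport in DMZ_PUBLIC_PORTS
        return ip_address(src) in DMZ_ADMIN_HOSTS
    if s == "wan":                     # no inbound SYN to the LAN or the classrooms
        return False
    if s.startswith("room") or d.startswith("room"):
        return d == "wan"              # classrooms: out to the Internet, nothing else
    return True                        # LAN -> WAN

def audit(packets):
    """Evaluate constructed (src, dst, dport) tuples; return those allowed."""
    return [p for p in packets if allow_syn(*p)]
```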