RE: External Network / Firewall Setup.
From: Jayson Anderson <sonick () sonick com>
Date: Thu, 08 Sep 2005 01:42:37 -0700
True, though even the most basic of filters today provide any (hand
configured) set of options available in both the Layer3 AND Layer4
The main reason I wanted to reply though was to cite the reason that Tim
even had to write this email: The exclusive yet INCORRECT use of the
term 'firewall' in every environment today. There was a time when it was
still important to differentiate between the terms 'firewall' and
'filter'. If you interviewed for a consultant position at INS from
1997-1998 and you referred to an IP filter as a firewall, and continued
to do so as you were nudged to stop doing it...... that resume went in
the round file. Harsh perhaps, but the correctness issue remains the
same today: if a system is limited to Layer3 and Layer4 criteria
(along with speed, burst, etc. and other simple mnemonics) then in fact the
device is only a filter, not a firewall. The very use of the term
firewall by default describes at least an L2-L7 system, some even
included L1 diagnostics. In the example that started this thread, the
term 'firewall' in fact would describe the entire diagram minus the
bastion host; though some consider that integral to the firewall as
well. This definition has been watered down due to terminology creep
shortly after Cheswick/Bellovin. I, for one, do not feel that the
ubiquitous use of firewall to describe a [IP] filter makes it now the
correct term; as it causes confusion and follow-ups such as that Tim
wrote here, every time a firewall system is discussed.
Anyhow, I'm not personally affected, I'm not 'that guy' pointing out
minutia just to be a pansy.... in fact I'm jaded, indifferent and quick
to defer or avoid contention altogether. But, for academic's sake I
wanted to bring it up since I haven't yet seen the distinction here on
the list; and it should be known going forward in one's career as this
technically is fundamental knowledge now obscured. Plus, this is
security-basics to boot ;) Blocking a single IPX SAP is no more a
firewall by design than a box with a primary IP default-deny function.
I do think today's [free] filters will be firewalls by definition in the
near future; each new major release of iptables and others creeps further
and further up the stack.......
On Thu, 2005-09-08 at 08:41 +1000, Tim.BUTTON () Dest gov au wrote:
I meant if firewall (1) is compromised, firewall (2) should prevent
attack from getting into the internal network.<<<
Ok, it's important to remember that firewalls will only stop
ILLEGITIMATE traffic, and, depending on the type of firewall, they may
only match illegitimate traffic against its LAYER 3 fingerprint. Unless
the firewall is an application level firewall such as Sidewinder,
Cyberguard or Netscreen (or even an old Gauntlet), the firewall only
cares if the source, destination and protocol are allowed and if the
connection is stateful. It won't stop malformed packets, buffer
overflows and so forth. If you want that sort of protection (say for
inbound HTTP to a web server), then you either need to spend the big
$$'s and start looking at an application level firewall (which still may
not do 100% of the job) OR look into configuring squid as a reverse
proxy (really only applicable to HTTP and maybe HTTPS when the squid
project includes SSL acceleration).
Firewalls aren't a replacement for hardening a box and strong
processes...they're an addition. Always remember, security is like an
onion....it should be layered.
From: lists () ninjafriendly com [mailto:lists () ninjafriendly com]
Sent: Thursday, 8 September 2005 0:01
To: security-basics () securityfocus com
Subject: RE: External Network / Firewall Setup.
Quoting Tim.BUTTON () Dest gov au:
but I'm wary of a single point of failure<<<<
I'm not sure what you're referring to about a single point of failure.
sorry, wrong terminology. I meant if firewall (1) is compromised,
should prevent attack from getting into the internal network.
avoid that, you'll need multiple devices in HA, which may well be
overkill for what you need.
yup, which is just as well because we can't afford it.
Something I'm still unsure about is internal clients connecting to
the mailserver in the DMZ - how much of a security issue is this?
Should I use the DMZ mailserver simply as a relay for an internal
IMHO, better to use your box in the DMZ as a relay only. You can run
postfix/sendmail/whatever and use it to do some granular filtering. If
you're keen enough, install some different virus scanner/anti-spam
software on there, and get your box to pass the mail to that before
allowing anything inbound. The other advantage of doing this is that
allows you to kill anything you don't want at the border. Finally, it
means that if your internal server blows up or something, you'll still
queue inbound mail....which is good.
If you get super keen, you can set it up to run iptables and tie it down.
Cheers - I have some reading to do.
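As an added illustration (not code from anyone in this thread), a toy model of the filter-versus-firewall distinction drawn above: the Layer 3/4 packet filter sees only addresses, protocol and port, so a well-formed and an overlong HTTP request look identical to it, while the application-layer check that Tim attributes to Sidewinder-class devices or a squid reverse proxy is what tells them apart. The addresses, the ruleset, the request-line grammar and the sample traffic are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    src: str      # CIDR source, e.g. "0.0.0.0/0"
    dst: str      # CIDR destination
    proto: str
    dport: int
    action: str   # "accept" or "drop"

# Constructed DMZ web server and a default-deny L3/L4 ruleset (assumed values, not from the thread).
WEB_SERVER = "192.0.2.10"
RULES = [Rule("0.0.0.0/0", WEB_SERVER + "/32", "tcp", 80, "accept")]

def packet_filter(pkt: Packet, rules=RULES) -> str:
    """Layer 3/4 decision: addresses, protocol and port only; the payload is never read."""
    for r in rules:
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(r.dst)
                and pkt.proto == r.proto and pkt.dport == r.dport):
            return r.action
    return "drop"  # default deny: nothing matched

# A bounded, well-formed HTTP request line: method, a target of printable bytes, version.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) /[\x21-\x7e]{0,2048} HTTP/1\.[01]\r\n")

def application_check(pkt: Packet) -> str:
    """Layer 7 check an application-level firewall or reverse proxy adds on port 80."""
    if pkt.dport != 80:
        return "accept"
    return "accept" if REQUEST_LINE.match(pkt.payload) else "drop"

def firewall(pkt: Packet) -> str:
    """Layered decision: the L7 check only sees what the L3/L4 filter let through."""
    return "drop" if packet_filter(pkt) == "drop" else application_check(pkt)

# Constructed sample traffic: a normal request, an overlong request line, and a stray SSH connect.
GOOD = Packet("198.51.100.7", WEB_SERVER, "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n")
OVERLONG = Packet("198.51.100.7", WEB_SERVER, "tcp", 80, b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\n")
SSH_ATTEMPT = Packet("198.51.100.7", WEB_SERVER, "tcp", 22, b"SSH-2.0-x\r\n")
```

The point of the model is that `packet_filter` returns the same answer for `GOOD` and `OVERLONG`; only `firewall`, which adds the Layer 7 check, separates them.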