|
Firewall Wizards
mailing list archives
RE: Firewalls v. Router ACLs
From: "Ben Nagy" <ben () iagu net>
Date: Fri, 12 Dec 2003 18:12:46 +0100
My rambling inline.
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf
Of WhiteHat () btclick com
[...]
I currently work for a department in a large company. Our
department has always used firewalls (CheckPoint on Nokia) to
protect our part of the network from network worms and other
'nasty stuff' on the rest of the network. [...]
We are now being pressurised to remove the firewalls by the
rest of the company.
[...]
In particular, I am concerned about:
- performance - will the routers be able to manage this as
they are designed to route traffic, not stop it?
An appropriately sized router will not have any performance problems. If I
were a betting man, I would probably back a router against a firewall to
discard traffic based on simple, stateless criteria (eg drop all
135,137,138,139 entering or leaving the network).
- logging - what would be the best way to consolidate the
router logs for analysis etc.?
Tricky. Firewalls have a big advantage here, although it's all possible in
the end. Personally, however, I question the true value of those router
logs.
There are lots of guys on the list that know an awful lot about secure and
reliable log consolidation and analysis for both routers and firewalls, so
I'm not going to expound here.
- incident management - if a router is being hammered by a
network worm (e.g.
MSBlaster/LovSan), how easy will it be to manage to make any
emergency changes necessary? Won't it be so busy dropping
packets it becomes impossible to make the change?
Not unless it's badly configured or under-specified. I've never seen simple
packet discarding or routes to null0 cause a 'decent' router any problems -
keeping state excepted. YMMV if you're routing lots of gigabits of traffic.
At worst, the console will probably stay alive. I've seen nice solutions
using dedicated management VLANs and multi-port serial routers to manage
core equipment via the console for security and reliability.
- future capability - I see the AI-type technologies evolving
in firewalls as providing a useful IPS-type functionality in
the future.
I don't. IMO the protection will move host-based - it really has to. My
cracked crystal ball says that firewalls get dumber, not smarter, in the
future. They're already too damn smart for their own good, IMHO.
There are some REALLY interesting ideas that are lurking around here...
This will allow more open rule sets but automated
protection if things go wrong. Has anyone successfully
implemented this yet? Can this be enough justification to
keep the firewalls?
Well all the firewall companies can see the recent spate of worms, and I'm
sure that they understand that the model isn't working. Hell, we've been
whining about it for as long as I can remember. There is still a lot of
stuff that firewalls are good for, and being a real point of control between
networks with different security levels is one of those things.
However, if you're talking about adding a level of defence in depth by
killing certain kinds of known-bad traffic in a 'coarse filter' approach at
the network layer then my personal opinion is that the router is a good
place to do that. The switch is better still. The NIC....well that gets
trickier. Maybe we could embed some sort of ASIC in the CAT-6 RJ-45
connector.... :)
Anyway, there's lots of depth here, and I look forward to seeing what people
think.
Cheers,
ben
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
 By Date 
By Thread
Current thread:
| 
Intro
