Full Disclosure: Re: Sony: No firewall and no patches

[phocean <0x90 () phocean net>]

 Thanks this useful sum-up for the discussion.

 I have a few comments though:

  - DDoS : anyway, a firewall isn't more susceptible to DoS than the 
 server it protects. If you look at the hardware performance of modern 
 firewalls, if an attacker has the ability to DoS it, then only a 
 considerable server farm that very few companies can afford will be able 
 to sustain it. So I think this can't be counted as a negative point, 
 even if in theory it has less performance than stateless.
  - SPoF : there are clusters (active/active or active/passive) for 
 firewalls as well as for server.
  - stateless scales badly on large networks, because it requires much 
 more complex and lengthy rules if you are serious with security.

 Another advantage of stateful is that there is a first sanity check of 
 the sessions on a specialized hardware rather than on a generic TCP/IP 
 stack of a bloated server OS.
 For instance, the network stack of Windows is probably much more prone 
 to bug/crash due to poor handling of crafted packets than a dedicated 
 firewall (Checkpoint, Cisco, Fortinet...) may be.


 On Wed, 11 May 2011 09:22:33 -0500, Michael Krymson wrote:
> I can't speak for everyone, but I certainly find this discussion far 
> more
> interesting and useful to security than quite a few others on here. 
> So feel
> free to keep it public.
>
> I'm not about to wade in too deeply, but I thought I'd summarize and 
> add a
> few notes.
>
> ----------------------------------------------------------
> STATEFUL (session-based filter)
> Pros
> - can provide other filtering services during inspection (depends on 
> device
> feature set)
> - won't have to constantly fight battles (against admins, vendors, 
> clients,
> auditors, managers, outsiders) to explain why you don't have a 
> "firewall"
> - handles ephemeral ports, dynamic connections, and matches returning
> traffic well
>
> Cons
> - more DDoS susceptible
> - another piece of hardware so another point of failure
> - won't add much when you're already accepting * into IP x on port n
>
> ----------------------------------------------------------
> ACLs (packet-based filter)
> Pros
> - with pure ACLs, will always be faster
> - as such it can scale with traffic better
> - excellent when you're just blanket stopping all traffic except * to 
> x on
> port n
>
> Cons
> - poor filter for ephermeral port needs, or dynamic connections
> - susceptible to protocol anamolies used in attacks (includes covert
> channels)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/