RE: External Network / Firewall Setup.

[Jayson Anderson <sonick () sonick com>]

True, though even the most basic of filters today provide any (hand
configured) set of options available in both the Layer3 AND Layer4
headers. 

The main reason I wanted to reply though was to cite the reason that Tim
even had to write this email: The exclusive yet INCORRECT use of the
term 'firewall' in every environment today. There was a time when it was
still important to differentiate between the terms 'firewall' and
'filter'. If you interviewed for a consultant position at INS from
1997-1998 and you referred to an IP filter as a firewall, and continued
to do so as you were nudged to stop doing it...... that resume went in
the round file. Harsh perhaps, but the correctness issue remains the
same today: any system that is limited to Layer3 and Layer4 criteria
(along with speed, burst, etc. other simple mnemonics) then in fact the
device is only a filter, not a firewall.  The very use of the term
firewall by default describes at least an L2-L7 system, some even
included L1 diagnostics. In the example that started this thread, the
term 'firewall' in fact would describe the entire diagram minus the
bastion host; though some consider that integral to the firewall as
well. This definition has been watered down due to terminology creep
shortly after cheswick/bellovin.  I, for one, do not feel that the
ubiquitous use of firewall to describe a [IP] filter makes it now the
correct term; as it causes confusion and follow-ups such as that Tim
wrote here, every time a firewall system is discussed. 

Anyhow, I'm not personally affected, I'm not 'that guy' pointing out
minutia just to be a pansy.... in fact I'm jaded, indifferent and quick
to defer or avoid contention altogether. But, for academic's sake I
wanted to bring it up since I haven't yet seen the distinction here on
the list; and it should be known going forward in one's career as this
technically is fundamental knowledge now obscured. Plus, this is
security-basics to boot ;) Blocking a single IPX SAP is no more a
firewall by design than a box with a primary IP default-deny function.
IP filter. 

I do think today's [free] filters will be firewalls by definition in the
near future, each new major release of iptables and others creep further
and further up the stack.......

Peace
Jayson


On Thu, 2005-09-08 at 08:41 +1000, Tim.BUTTON () Dest gov au wrote:
> > > > I meant if firewall (1) is compromised, firewall (2)should prevent
> attack from getting into the internal network.<<<
>
> Ok, it's important to remember that firewalls will only stop
> ILLEGITIMATE traffic, and, depending on the type of firewall, they may
> only match illegitimate traffic against its LAYER 3 fingerprint.  Unless
> the firewall is an application level firewall such as Sidewinder,
> Cyberguard or Netscreen (or even an old Gauntlet), the firewall only
> cares if the source, destination and protocol is allowed and if the
> connection is stateful.  It won't stop malformed packets, buffer
> overflows and so forth.  If you want that sort of protection (say for
> inbound HTTP to a web server), then you either need to spend the big
> $$'s and start looking at an application level firewall (which still may
> not do 100% of the job) OR look into configuring squid as a reverse
> proxy (really only applicable to HTTP and maybe HTTPS when the squid
> project includes SSL acceleration).
>
> Firewalls aren't a replacement for hardening a box and strong
> processes...they're an addition.  Always remember, security is like an
> onion....it should be layered.
>
>
>
> -----Original Message-----
> From: lists () ninjafriendly com [mailto:lists () ninjafriendly com] 
> Sent: Thursday, 8 September 2005 0:01
> To: security-basics () securityfocus com
> Subject: RE: External Network / Firewall Setup.
>
> Quoting Tim.BUTTON () Dest gov au:
>
> > > > > but I'm wary of a single point of failure<<<<
> >
> > I'm not sure what you're referring to about a single point of failure.
> sorry, wrong terminology.  I meant if firewall (1) is compromised, 
> firewall (2)
> should prevent attack from getting into the internal network.
>
> > avoid that, you'll need multiple devices in HA, which may well be
> > overkill for what you need.
>
> yup, which is just as well because we can't afford it.
>
> > > > > > Something I'm still unsure about is internal clients connecting to
> > the mailserver in the DMZ - how much of a security issue is this?
> >
> > Should I use the DMZ mailserver simply as a relay for an internal
> > mailserver?<<<
> >
> > IMHO, better to use your box in the DMZ as a relay only. You can run
> > postfix/sendmail/whatever and use it to do some granular filtering. If
> > you're keen enough, install some different virus scanner/anti-spam
> > software on there, and get your box to pass the mail to that before
> > allowing anything inbound. The other advantage of doing this is that
> it
> > allows you to kill anything you don't want at the border. Finally, it
> > means that if your internal server blows up or something, you'll still
> > queue inbound mail....which is good.
> >
> > If you get super keen, you can set it up to run iptables and
> tcpwrappers
> > and tie it down.
>
> Cheers - I have some reading to do.
>
>
> Notice:
> The information contained in this e-mail message and any attached files may
> be confidential information, and may also be the subject of legal
> professional privilege.  If you are not the intended recipient any use,
> disclosure or copying of this e-mail is unauthorised.  If you have received
> this e-mail in error, please notify the sender immediately by reply e-mail
> and delete all copies of this transmission together with any attachments.