[4851] in WWW Security List Archive
Re: Packet Filters or Proxy Firewalls?
daemon@ATHENA.MIT.EDU (Richard Costine)
Wed Mar 19 17:14:58 1997
Date: Wed, 19 Mar 1997 15:17:15 -0400
From: Richard Costine <rjc@n2k.com>
To: Simon Yeo <syeo@cs.stanford.edu>
CC: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Simon Yeo wrote:
>
> Hello,
>
> We're looking to set up an interior firewall for our internet network
> mainly consisting of NT machines. We already have an exterior firewall
> set up, and will put our web, mail, and dns servers in the perimeter zone
> (between the two firewalls).
>
> I have had some experience with packet filtering routers (CISCO), so I'm
> inclined to purchase a similar router for the firewall. Before I do that,
> I need some opinions on why I should choose a proxy firewall instead of a
> simple packet filtering router, and vice versa. Things to consider are:
>
> 1) Cost
> 2) Performance
> 3) Management cost (maintenance)
> 4) Level of security
> 5) etc.
We currently are using both. We use a combination of Cisco filtering
routers and homegrown BSDI-based bastion hosts for our firewall. The
BSDI systems run sockd to perform proxying functions from the inside
net to the outside world. Most services are blocked at the filtering
router; the exceptions are http, some ftp, Real and Liquid Audio. Recently,
though, we've had circumstances where we have some services that do not
have proxies written for them. We've been contemplating changing the
bastions to a commercial vendor firewall that supports something called
"stateful inspection with address translation". This will allow us to be
very specific about what kind of services we want to block without
having to rely on a bastion host that will only do proxying. We looked
at a number of firewalls; Checkpoint-1 seemed to be a good one.

I would say it really depends on what kind of services you want to allow
in/out of your "soft-chewy center". If all the services have proxies,
and do not try to bind to random ports, a home grown proxy gateway
combined with filtering routers will probably be sufficient. If you have
Oracle DBs on the inside that you want to allow outside people to
access, then a stateful inspection firewall will be necessary.

Obviously, if you want to grow your own, you'll be responsible for
keeping up with the latest threats on your network, and you'll have to
make sure they don't affect you. This is in addition to the daily
administration - things like scanning the logs for doorknob-twisting and
actual break-ins, which can only be truly detected by means of a
"drop-safe" log. Commercial firewall packages are expensive (>$10k), and
if you get one you'll still need to keep up with the latest security
threats - you just won't have to fix them or find free software that
will. You'll call the vendor when you hear of an attack and ask them
what they're doing to plug the hole. You will implicitly be trusting
your security to an outside organization (i.e. the firewall vendor) - but
they make their money on that, so they'll want to make sure you don't
get broken into. Also, some commercial vendors make the admin of these
easier by wrapping a GUI around all the command line stuff. Some have
Windows-based administrative clients. Personally, I wouldn't trust NT as
a bastion host. It's too big and bloated, and there are too many moving
parts that I can't see. But if you trust Microsoft with your security,
be my guest.

As far as performance - we're using a Pentium 166 (for the bastion) and
that seems to work for us, and we get about 1.5 million hits a day (on
the Pentium 166 that is our main webserver). Our webservers are
actually on the Internet - you still have to connect to them somehow.
Only a small part (about 10000) of those hits actually requires data
which resides on our inside network. These machines may change as the
number of hits increases.

I would suggest the following books:
Building Internet Firewalls - Chapman & Zwicky; O'Reilly & Assoc.
(this is good if you want to build your own)
Firewalls and Internet Security - Cheswick & Bellovin; Addison-Wesley
(this is good to have - it will answer most of the FAQ)
Also:
There's a firewalls mailing list which is more appropriate for this
discussion; subscribe to Firewalls@GreatCircle.COM
Checkpoint-1 and the other vendors have web sites. Altavista or other
search engines will locate them for you.
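As an added illustration of the distinction the reply draws between a stateless filtering router and a "stateful inspection" firewall (this is example code written for this archive page, not code from the original message or from any vendor named in it), the simulation below runs the same four packets through a Cisco-style ordered ACL with no memory and through a connection-tracking filter. The addresses, ports and the 10.0.0.0/24 "inside" network are constructed assumptions. The ACL must let replies back in by matching on source port 80 plus the ACK bit, so any inbound packet shaped that way passes; the stateful filter only admits packets that belong to a connection an inside host actually opened.

```python
"""Stateless ACL vs. stateful inspection, simulated on constructed packets.

Model: an "inside" network 10.0.0.0/24 (assumed) whose hosts may open
HTTP connections to the outside world.  Nothing else is permitted.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # constructed inside network, not from the post


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_allow(pkt: Packet) -> bool:
    """Ordered ACL, first match wins, no memory of earlier packets.

    Rule 1: inside -> outside, destination port 80 (outbound HTTP).
    Rule 2: outside -> inside, source port 80 with ACK set, i.e. the
            classic 'established' rule that lets HTTP replies back in.
    """
    if inside(pkt.src) and not inside(pkt.dst) and pkt.dport == 80:
        return True
    if not inside(pkt.src) and inside(pkt.dst) and pkt.sport == 80 and pkt.ack:
        return True
    return False


class StatefulFilter:
    """Connection-tracking filter: remembers flows an inside host opened."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Any packet on a tracked flow, in either direction, is part of
        # a connection we already approved.
        if fwd in self.flows or rev in self.flows:
            return True
        # Only a fresh SYN from inside to an outside web server opens a flow.
        if (inside(pkt.src) and not inside(pkt.dst) and pkt.dport == 80
                and pkt.syn and not pkt.ack):
            self.flows.add(fwd)
            return True
        return False


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Return {packet name: (stateless verdict, stateful verdict)}."""
    tracker = StatefulFilter()
    packets = {
        # inside client opens a web connection
        "outbound_syn": Packet("10.0.0.5", 40001, "192.0.2.10", 80, syn=True),
        # the server's SYN/ACK for that same connection
        "legit_reply": Packet("192.0.2.10", 80, "10.0.0.5", 40001,
                              syn=True, ack=True),
        # unsolicited inbound packet to the ssh port, crafted to look like
        # an HTTP reply (source port 80, ACK set); no inside host asked for it
        "unsolicited_ack_to_ssh": Packet("198.51.100.7", 80, "10.0.0.5", 22,
                                         ack=True),
        # unsolicited inbound SYN from source port 80: neither filter admits it
        "unsolicited_syn": Packet("198.51.100.7", 80, "10.0.0.5", 22, syn=True),
    }
    results = {}
    for name, pkt in packets.items():          # order matters for the tracker
        results[name] = (stateless_allow(pkt), tracker.allow(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:24s} stateless={stateless!s:5s} stateful={stateful}")
```

The third packet is the one that separates the two designs: the ACL cannot tell a reply from an unrelated packet that merely has source port 80 and the ACK bit, while the stateful filter denies it because no inside host ever opened a connection to 198.51.100.7. This is the reason the reply gives for wanting to be "very specific" about services without depending on a per-protocol proxy.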