[121072] in North American Network Operators' Group


Re: I don't need no stinking firewall!

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Sat Jan 9 20:37:46 2010

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Sun, 10 Jan 2010 01:31:05 +0000
In-Reply-To: <836bf1f91001091451la8a2a2dy356ab1a5d7aa4e7b@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 10, 2010, at 5:51 AM, harbor235 wrote:

> Other security features in an Enterprise Class firewall;
>    -Inside source based NAT, reinforces secure traffic flow by allowing outside to inside flows based on
>        configured translations and allowed security policies

Terrible from an availability perspective, troubleshooting perspective, too.  Just dumb, dumb, dumb - NATted servers fall over at the drop of a hat due to the NAT device choking.

>    -TCP sequence number randomization (to prevent TCP seq number guessing)

Server IP stack does this itself just fine.

>    -Intrusion Detection and Prevention (subset of most common signatures)
>        recognize scanning attempts and mitigate
>        recognize common attacks and mitigate

Snake-oil.

>    -Deep packet inspection (application aware inspection for common network services)

Terrible from an availability perspective, snake-oil.

>    - Policy based tools for custom traffic classification and filtering

Can be done statelessly, no firewall required.

>    -Layer 3 segmentation (creates inspection and enforcement points)

Doesn't require a firewall.

>    -Full/Partial Proxy services with authentication

If needed, can be better handled by transparent reverse-proxy farms; auth handled on the servers themselves.

>    - Alarm/Logging capabilities providing info on potential attacks
>    -etc ......

NetFlow from the network infrastructure, the OS/apps/services on the server itself do this, etc.

>
> Stateful inspection further enhances the security capabilities of a firewall.

No, it doesn't, not in front of servers where there's no state to inspect, in the first place, given that every incoming packet is unsolicited.

> You may choose not to use a firewall or implement a sound security posture utilizing the "Defense in Depth" philosophy, however your chances of being compromised are dramatically increased.

Choosing not to make the mistake of putting a useless, counterproductive firewall in front of a server doesn't mean one isn't employing a sound, multi-faceted opsec strategy.

I know that all the firewall propaganda denoted above is repeated endlessly, ad nauseam, in the Confused Information Systems Security Professional self-study comic books, but I've found that a bit of real-world operational experience serves as a wonderful antidote, heh.

;>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
