What Is the Future of Firewalls? 414
jlmale0 writes "When I mess with my WAP/router at home or coordinate with the network team at work, it seems like I'm stuck in 1995. We're still manually listing IP address/port combinations for our firewall rules. There's a certain simplicity to this when dealing with a single system, but there are firewalls everywhere these days. What's available for managing complex firewall arrangements? What's being developed? Can I take a Visio diagram, run it through a script, and get a list of firewall rules? What about a GUI that illustrates the current system configuration and then lets me drag and drop systems across firewalls, and have the individual firewall ports automatically configured? What about tying a firewall into an authentication system so that when jdoe logs in, only then are the firewalls opened to pass her traffic? What about managing distributed firewalls so that one repository of rules opens up your system's firewalls, the DMZ firewall, and the public firewall all at once? Let's get a conversation started. What cool projects do I need to know about? What cool management features would you like to see? What's next for firewall management?"
Leave the networking stuff to the networking team (Score:1, Insightful)
Sounds like someone wants to get rid of the network team by implementing a few DIY tools...
Future of Internet and firewalls (Score:5, Insightful)
INTERNET -> PORT80, PORT443
His point being more and more is routed through ports 80 and 443 in an effort to avoid firewall restrictions. I often think he was right. Consequences for firewalls left up to reader.
Re:The future is now (Score:4, Insightful)
I love how you *nix guys don't ever take end users into consideration. You think "Oh, just learn how to script the stuff together with some shell and you'll be good!".
All the while, the end users are saying "We don't care about having to learn to write a script; just include one with your damned program, and have a standard that routers can accept this file and it will just work and be simple."
Re:Future of Internet and firewalls (Score:4, Insightful)
Shouldn't it be INTERNET <- PORT80, PORT443? You're talking about outbound traffic firewalling, right? Inbound is explainable by the limitations imposed by NAT.
I, For one, (Score:1, Insightful)
I hope firewalls (well, specifically, NAT routers, DMZs, port forwarding, etc- which all seem to get grouped in 'firewalls') in general will become much LESS of an issue in the future thanks to IPv6. In that world, everything's got a unique address so there's really no need for NAT, private subnets, or the routing issues associated with those.
IMHO, the task of firewalling has been (somewhat incorrectly) pushed on the device doing the routing, when it should be handled on the device itself. Hosts, actual end points, should be able to decided what they will do with the traffic that gets to them, not something in the middle. It's been placed on the router because in our current IPv4 / NAT world, it has to be put there, so the traffic can even *make it to* said end point host. That's not the case with the worldwide-unique addresses of IPv6.
As such, in the IPv6 world of the eventual future, firewalls will exist more due to policy than security (i.e. access to certain services will be disallowed if you're on a corporate network). The security firewalling will need to be done on the device itself, which makes good sense- don't want people ssh hammering your laptop? Well, don't run that service, or restrict it to only devices you trust.
Feature, not bug (Score:5, Insightful)
It's about demand –or lack thereof (Score:5, Insightful)
I think that firewall administration has been allowed to remain shoddy because most people who aren't gamers or server admins don't need to change the settings at all. Gamers are usually obsessed enough with playing that they will take the time to figure it out. And sysadmins, well it's their job to know how to do that stuff.
This isn't an excuse for things being the way they are, but an explanation. Most people just vaguely understand that a firewall protects their computer, but they don't know any more than that and will probably never have to configure one. If the archetypal grandmother or joe six pack ever has a reason to manage firewall settings (unlikely) then an easy configuration tool will appear over night. Unless a widespread need arises, limited demand will translate to limited effort spent developing user-friendly tools.
Re:The future is now (Score:3, Insightful)
The "Simple Way" is usually the wrong way when dealing with complex systems.
There are tools that make things easier for "roughing out" what you want, but fine tuning is always breaking out a text editor and making adjustments.
What about the users? Fuck them. They don't even know what an operating system is and don't care what it is, don't care what a firewall is outside of "it keeps the bad guys out," don't care what a router or switch is, and mostly don't care how a network works or even bother to learn how to navigate a file system. Most of all, they cannot be trusted to reliably run a script without somehow screwing it up, even if it's one click of a mouse.
This is why your system administrator treats you like someone who just got off the short bus.
--
BMOs
Re:The future is now (Score:2, Insightful)
I like PF, try PFSense (Score:5, Insightful)
The BSD 'pf' packet filter is pretty good. There is even a FreeBSD-based project known as pfsense [pfsense.org] which you might want to take a look at, as it offers a pretty-much drop-in solution for packet filtering, as well as NAT, load balancing, VPN connectivity, etc. There is a web-based administration GUI as well. It looks pretty sweet, but I haven't played with it much in any serious deployment personally.
Re:The future is now (Score:3, Insightful)
Your average end user is going to likely be quite satisfied with a basic web-based firewall GUI sitting over top of iptables. However, your average end user is highly unlikely going to need to an in-depth understanding of complex routing tables, queue rules, etc. I mean, why aren't you bitching about Cisco, which is every bit as difficult to work with for complex networks?
For most users, a basic web-based configuration set up is great. For another subset something like Webmin or the Cisco GUI tools will probably do the trick. But there will always been some subset that need to do very complex firewall and routing jobs.
In other words, what the fuck is your problem?
Re:The future is now (Score:5, Insightful)
"Yeah, fuck those end users! We'll make it a bitch and a half to use our product even though the fixes are simple!"
Honestly now, I'm talking about home users, the other people who use firewalls, even though they don't know it. Make it a standard on routers where on the router's config page, it can accept a small text file with ports to be routed to the current connection. Even better, have the program send that information when the game starts, and have the ports un-routed when the game ends. It's a relatively simple, easy fix for the headache that is "finding out the proper ports for XBox Live to work" and entering them manually.
I know how to do it, but let me tell you, I don't know many other people that can install a router to begin with, let alone get their port forwarding to work for Gears of War; and they don't care to learn. Ease of use and the user interfaces on routers haven't improved one bit for consumers from the Belkin I had in 2002; why the should a market completely stagnate in user friendliness for that long?
Oh, that's right. It's because every *nix head doesn't think about the real end user, just what's "most powerful" in terms of features. Design solely for the power users and administrators, and you miss 95% of the market - what Linux has excelled at for many, many years.
Re:I, For one, (Score:3, Insightful)
Re:I, For one, (Score:3, Insightful)
IPv6 isn't going to eliminate the need for DMZs and stuff like that. Sure, NAT can be don away with, but NAT isn't "firewalling". Really, what we should be talking about is packet filtering, and in this sense, dedicated packet filtering boxes are key. There is no reason that network hosts should be wasting cycles on packet filtering if putting a box out in front a network segment, say, behind a boarder router or in front of an aggregation switch, can dedicate cycles to the task -- especially if the box doing the packet filtering doesn't introduce latency beyond an acceptable level.
Comment removed (Score:5, Insightful)
I smell marketing (Score:5, Insightful)
Re:Leave the networking stuff to the networking te (Score:5, Insightful)
Yes, find someone who knows something about networking and more importantly about firewalls Try someone who has a CCSP or CCIE:Security as part of their title. Some of the things you are talking about have existed for years on Cisco Pix and ASAs like downloadable ACLs (Where based on your credentials you get firewalled differently) which can be applied across a whole enterprise of firewalls. Dynamic inspection of traffic, like h.323 traffic, so you don't have to open a whole range of ports other than the signalling port.
Dear lord, gui based management of a fleet of firewalls? You want to drag and drop things and make magic happen when you do that? Sounds pretty reckless and dangerous to me. That's like saying because you can ride a bicycle, you should be allowed to drive a hazmat semi at top speed through downtown LA. If you don't understand what the rules are and how they will be applied in the first place, you are likely just going to cause problems (like accidentally shutting off your company's ability to sell their trinkets online because you locked it down on accident.)
By the way, I don't care what the kid from the nerd herd tells you, Belkin and Linksys do not sell firewalls. They sell quasi-routers with nat and some limited form of access control. Finally, UPnP is not the answer to your problem, that just makes it easy for people to put devices on your network to open security holes up in your firewall, which is why it's not supported on most enterprise grade firewalls (and wouldn't work anyway if you looked at the way most enterprises build their networks)
Re:The future is now (Score:4, Insightful)
Make it a standard on routers where on the router's config page, it can accept a small text file with ports to be routed to the current connection. Even better, have the program send that information when the game starts, and have the ports un-routed when the game ends. It's a relatively simple, easy fix for the headache that is "finding out the proper ports for XBox Live to work" and entering them manually.
That already exists. It's called UPnP. [wikipedia.org] Xbox Live even supports it.
Re:I, For one, (Score:2, Insightful)
Thanks, well stated. Very constructive and kind.
I still believe that host level security is lacking and should be addressed, because problems can arise from the outside world or within the firewalled subnet.
The assumptions that the outside world is 'big, bad, and evil' and 'my subnet is cookies and cream' is a very bad one and very detrimental to security IMHO. That's why I say security is primarily a host-level concern, because the *real* mindset should be 'everything off my machine is potentially big, bad and evil.'
I don't want to discount the niceties of centralized rules and reporting, or as you point out, potential performance impact. I'm just trying to point out that the security model we've settled into is a result of the hosts being insecure (mostly due to legacy OS's suddenly getting worldwide internet access). Adding a new piece of hardware doesn't fix the core problem, it just patches it- and it still leaves you open to attacks from within your subnet.
Accountability for security should be at the host level.
Re:The future is now (Score:4, Insightful)
have the program send that information when the game starts, and have the ports un-routed when the game ends.
This is insane. This really is an insane concept. If you think that the home user is the black-hat botnet operator's bitch, this will only exacerbate the situation. You are removing what little human interaction there is in configuring a router and turning it over to software completely. You really need to examine what you just asked for, because it's stupid.
Why not just supply the user with a pail of K-Y Jelly?
--
BMO
Re:The future is now (Score:3, Insightful)
Re:Leave the networking stuff to the networking te (Score:3, Insightful)
Dear lord, gui based management of a fleet of firewalls? You want to drag and drop things and make magic happen when you do that? Sounds pretty reckless and dangerous to me. That's like saying because you can ride a bicycle, you should be allowed to drive a hazmat semi at top speed through downtown LA. If you don't understand what the rules are and how they will be applied in the first place, you are likely just going to cause problems (like accidentally shutting off your company's ability to sell their trinkets online because you locked it down on accident.)
I can't think of a single reason why knowing what the rules do precludes using a GUI tool to simplify and automate management.
Manually editing text is time-consuming, fatiguing and error prone. Have a tool to automate that sort of thing is one of the fundamental reasons for having computers in the first place.
If you need a GUI... (Score:2, Insightful)
you should not be configuring a mission critical firewall.
Re:Leave the networking stuff to the networking te (Score:4, Insightful)
Secure perimeters are illusions. Every machine needs its own defense. Firewalls are good for NAT, which foils a few, and stateful inspection, which fools a few more. Otherwise, internal firewalling and boundary checks are the only answer, coupled to download security hashing checks-- and those get bitten, too.
Belief in firewalls and secure perimeters are the reason that some 30% of all machines in a domain are bot'd somehow..... along with Checkpoint, Norton, Microsoft, and so on. A CCIE or CCSP gives you someone that can help, but there's no guarantee that someone won't click on a site that will give your browsers a headache, then the infection, and so on.
The MuSystems guys can tell you about fuzzing attacks that will leave most equipment in a state of mush. With enough pounding, you can break about anything. Sorry to be dour, but you have to use best practices, and protect each indivdual device, not just the perimeter.
Re:The future is now (Score:3, Insightful)
It's a trade-off of security for convenience, sure. It's not something you would enable on anything other than a private home network.
Re:The future is now (Score:5, Insightful)
As to firewalls and routers specifically? I believe UPnP does what you would like for the most part if app developers would make use of it (I haven't ever made use of it that I can think of, so I'm not 100% certain), although I believe having app developers include something that just goes in and modifies firewall rules as a black box to the end user is a risky idea. The app developer has no idea what else the user has on their system and how their changes to the firewall might affect that. This is the sort of thing end users should know about at a basic level, akin to changing a tire, checking coolant, etc. on a car. Many probably don't know and get by just fine, but they should know, it's definitely in their best interest.
I've said this before on here and I'm sure I'll say it many more times. While the internet has provided a lot of good and a lot of knowledge and I wouldn't ever support taking it away from people, you have to wonder what the hell the first guy who thought it would be a good idea to make normal users system adminstrators (that is what a home user is) on the largest, most complex network in the world was thinking.
Re:The future is now (Score:2, Insightful)
If a game can send a "text" file to open up port automagically, so can any malware or malicious site. You could implement a list of "approved" games but then who maintains a list, rejects/accepts entries, etc...?
Re:Leave the networking stuff to the networking te (Score:1, Insightful)
I can't think of a single reason why knowing what the rules do precludes using a GUI tool to simplify and automate management.
Manually editing text is time-consuming, fatiguing and error prone. Have a tool to automate that sort of thing is one of the fundamental reasons for having computers in the first place.
Fair enough. It might have been presumptuous of me to assume that a gui based "drag 'n drop" system would lead to someone creating policies and applying them before checking to see how they are applied and what the end-effect would be. A lot of time when someone is looking for a GUI system of that nature, they are looking for a way to not spend money on a security professional, but instead let a person with minimal training manage these devices.
Any tool is only as useful as the person using it. If you have your janitor programming your firewall because it happens to sit in his closet, then you probably have bigger problems on your hands anyway.
I'll admit, in my office, we script the heck out of a lot of configurations, but that doesn't mean we fire and forget. We still have to look at the end result and see how this stuff is going to fly before we apply it.
Re:The future is now (Score:5, Insightful)
"Yeah, fuck those end users! We'll make it a bitch and a half to use our product even though the fixes are simple!"
No, the fixes are not simple. I don't know why you feel qualified to proclaim that they are, but you are mistaken.
I'm also not sure where you got the idea that anyone intentionally makes their products difficult to use. It is far more likely that the device you struggle to use is "difficult" due to lack of any effort, not because of a specific effort to make it difficult.
Honestly now, I'm talking about home users, the other people who use firewalls, even though they don't know it. Make it a standard on routers where on the router's config page, it can accept a small text file with ports to be routed to the current connection. Even better, have the program send that information when the game starts, and have the ports un-routed when the game ends. It's a relatively simple, easy fix for the headache that is "finding out the proper ports for XBox Live to work" and entering them manually.
Once again, your simplistic "solution" reveals how little you understand about the problem. Ignoring the technical issues (and the fact that all of this has been possible via uPnP which works much more simply than your proposal), why would a user know what a "router config page" or a "text file" is? Why would a home user know how to acquire this text file or how to submit it to a router config page? You've defined "typical user" in terms of what *you* know how to do, which is just as foolish as a unix admin defining the typical user in terms of what they understand.
I know how to do it, but let me tell you, I don't know many other people that can install a router to begin with, let alone get their port forwarding to work for Gears of War; and they don't care to learn. Ease of use and the user interfaces on routers haven't improved one bit for consumers from the Belkin I had in 2002; why the should a market completely stagnate in user friendliness for that long?
Oh, that's right. It's because every *nix head doesn't think about the real end user, just what's "most powerful" in terms of features. Design solely for the power users and administrators, and you miss 95% of the market - what Linux has excelled at for many, many years.
So much misunderstanding.. so little time. What do "*nix heads" have to do with routers? Very few routers run unix, and home router user interfaces certainly have nothing to do with unix. Why haven't you seen changes in these devices since 2002? Basically because they work well enough for that 95% of the market you mention. You know what has changed? They cost a lot less. This is really all that same 95% give a shit about.
And finally.. what gives you the idea that Linux wants anything to do with this 95%? Linux is made by skilled folks who were nice enough to share so that other skilled folks can use it and hopefully add something back to the pool. That 95% has very little to offer us.
Comments like "linux will never 'win' until it's easy to use" are silly.. Linux already won, it just isn't playing with you.
Re:The future is now (Score:3, Insightful)
Because the average home computer is already 97 different flavors of pwned. We're not talking about people jumping on your wifi and fucking with your router, we are talking about malware already present on damned near every windows machine in the wild suddenly being able to easily blow whatever firewall might be present wide fucking open.
Balderdash, poppycock.. (Score:3, Insightful)
Re:Leave the networking stuff to the networking te (Score:3, Insightful)
I can't think of a single reason why knowing what the rules do precludes using a GUI tool to simplify and automate management.
I can think of lots of reasons. The only reason I can think of having a GUI automated management tool is so some dumbass that doesn't know what he's doing can appear to manage firewalls.
Now, I can see the purpose of a GUI inspection tool for independent verification. But even then, I believe automated scripts are better.
Manually editing text is time-consuming, fatiguing and error prone. Have a tool to automate that sort of thing is one of the fundamental reasons for having computers in the first place.
This is why we have scripts. I would never manually configure the thing more than once, and that's only during the initial discovery phase. After that, it's script and test, script and test, then deploy when the scripts are spotless. This way I can always recreate anything at any time, without having to go dig up the guy that configured firewall xya 3 years ago and moved on to another division or even external job.
Scripts are repeatable. Scripts and their results can be objectively validated and verified.
GUI tools cannot. They're a nicety for inspection for those that cannot read or understand the scripts, however.
Re:If you're using Visio, you're doing it wrong (Score:2, Insightful)
Wow, amen to that. I'm so sick of visual representations of workflows it makes me sick. There are just too many cases where a minor change in a visual diagram can affect the underlying workings in a major way. Because most visual tools for workflows I've seen use proprietary formats, the visual representations remove the ability use a diff tool on them to determine what has changed from one version to the next. Add in complications for deploying across multiple systems that may have one or two lines change. Take away the ability to do a full audit without clicking the damn mouse 600 times so you can look at each piece of the diagram, drill into it, look at what it does, drill into sub-parts, make sure you didn't change something vital, heaven forbid you move one of those pieces a little bit when opening it, now you have differences in you file again. Ahh, SSIS is my own little piece of hell. Yes, it is stored in XML, but add in a third party component and the commercial diff tools build specifically for it choke. For minor changes in formatting it moves whole blocks of the file around. Even with tools that clean up the xml enough to determine what has changed, the information that tells the program *how* to display the file gets in the way of the information that tells it what to do.
Re:Future of Internet and firewalls (Score:3, Insightful)
and the funny thing is - if they allow anything through, ssh tunneling proxy pretty much nixes anything they're trying to block.
Re:The future is now (Score:1, Insightful)
Much of this comes (IMHO) from people who don't have a clue about what kind of system they are talking about. It sounds easy, until you get to the little details, which they never get to because they don't know anything about them. These are the people depicted in the recent Windows 7 ads ("I told them to make it easy, you can thank me now" crap). If this sort of work was easy then someone would have done it by now. There is a reason it hasn't been done. There are some things you still need experts for in this world. Taking out an appendix doesn't sound all that hard, but you wouldn't expect a home user to do it, would you? And why is that? Could it be because so much could go horribly wrong?
Re:The future is now (Score:1, Insightful)
Yes, some people like needless complexity because it gives them more power within a given context (like those who think every child should learn 8 languages for the sake of community cohesion). That is not the case here. the reason routers, home and enterprise, haven't changed in 15 years is because the underlying infrastructure hasn't changed either. We're still using IPv4, 802.2/3 and various other layer 2/3 standards which all define how these devices have to work. You're welcome to attempt simpler solutions to these protocols but it is unlikely you'll succeed. The problems they solve are intrinsic to the basic concepts that define a computer network logically. You'll just end up reinventing the wheel.
The best thing for security (and most other societal problems, real and politician created) would be to kill off this dumb it down culture that you're promoting. Yes, people have to learn things they don't want to.. too bad. Not everything can be simplified further than it is just because the majority has trouble comprehending it. The best thing to do is offer sane defaults that cover most cases, leaving the corners to figure their own shit out. The really scary part is when people who think as you do get to take charge because then needed flexibility is removed from products to make them 'simpler.'
Re:Balderdash, poppycock.. (Score:3, Insightful)
I'll take a shot,
With automation via scripting you have to know BOTH he scripting language AND firewall management.
With a GUI you don't _need_ to know either.
Re:Future of Internet and firewalls (Score:3, Insightful)
Security through obscurity?
It doesn't matter what port SSH is on. If an attacker is even remotely interested he'll run a port scan and find your SSH port soon enough.
Better to invest your time into properly configuring/locking-down SSH. Good luck to any attacker trying to gain access if you only allow authkey access. Putting SSH on a different port is only giving you a false sense of security.
Re:The future is now (Score:2, Insightful)
Re:Future of Internet and firewalls (Score:3, Insightful)
Or no change in your sense of security, but a much smaller log file because of the lack of script-kiddy brute force attacks on the service. It depends on who you are and what you know.
Re:Future of Internet and firewalls (Score:3, Insightful)
Security through obscurity?
It doesn't matter what port SSH is on. If an attacker is even remotely interested he'll run a port scan and find your SSH port soon enough.
Better to invest your time into properly configuring/locking-down SSH. Good luck to any attacker trying to gain access if you only allow authkey access. Putting SSH on a different port is only giving you a false sense of security.
Sir –
There are valid reasons to move the SSH port around, including:
1. It decreases the number of "script kiddie" attempts that do not look beyond the standard port for a known exploit (i.e. your server is no longer "low hanging fruit"); and
2. You can react to a port-scan from a single host - e.g. by blacklisting the IP the portscan came from.
Sophisticated, dedicated attackers can get around these. However, the vast majority of attempts will be made by people who are neither sophisticated nor dedicated (depending on what you're securing, of course).
All to say, moving the port around isn't just security through obscurity. It decreases the statistical phenomenon of unwanted access by a measurable degree by slightly raising the difficulty of detecting and exploiting a given service. I completely agree, though, that this ought not give a heightened sense of security - the SSH server ought to be appropriately hardened. Nevertheless, where there is an exploit of the SSH server (of which there are examples) in the wild, you may reduce your chances of your server beng exploited before the exploit is fixed by operating on a nonstandard port.
A better alternative to a non-standard port, for those so inclined, is port knocking [portknocking.org].