
What Is the Future of Firewalls?

jlmale0 writes "When I mess with my WAP/router at home or coordinate with the network team at work, it seems like I'm stuck in 1995. We're still manually listing IP address/port combinations for our firewall rules. There's a certain simplicity to this when dealing with a single system, but there are firewalls everywhere these days. What's available for managing complex firewall arrangements? What's being developed? Can I take a Visio diagram, run it through a script, and get a list of firewall rules? What about a GUI that illustrates the current system configuration and then lets me drag and drop systems across firewalls, and have the individual firewall ports automatically configured? What about tying a firewall into an authentication system so that when jdoe logs in, only then are the firewalls opened to pass her traffic? What about managing distributed firewalls so that one repository of rules opens up your system's firewalls, the DMZ firewall, and the public firewall all at once? Let's get a conversation started. What cool projects do I need to know about? What cool management features would you like to see? What's next for firewall management?"
  • by Hadlock ( 143607 ) on Monday April 19, 2010 @08:58PM (#31904854) Homepage Journal

    Did anyone play Borderlands for the PC? Remember what a nightmare it was to get multiplayer working on that thing? UPnP sorts out some bits, but having a file that you can upload to the firewall to configure that would be nice. There are scores of profitable websites out there that will walk you through how to configure your router for bit torrent -- clearly there's a need for Something Better. If not config scripts/files, then something else.
     
    I still can't host Borderlands multiplayer games.

  • Google's capirca (Score:3, Interesting)

    by Anonymous Coward on Monday April 19, 2010 @08:58PM (#31904860)
    "Developed internally at Google, this system is designed to utilize common definitions of networks and services and high-level policy files to facilitate the development and manipulation of network access control filters (ACLs) for various platforms." http://code.google.com/p/capirca/ [google.com]
  • Re:Firewall Builder (Score:2, Interesting)

    by mydots ( 1598073 ) on Monday April 19, 2010 @09:44PM (#31905278)
    fwbuilder also does a great job of managing multiple firewalls even if they are different platforms and will even manage your home router if it has openwrt installed. It will manage everything over ssh, so it's definitely secure for remote firewall management over public ip addresses. I have been alpha/beta testing version 4.0 for many months now and there have been a lot of great improvements including cluster support.
  • by x2A ( 858210 ) on Monday April 19, 2010 @09:49PM (#31905300)

    I don't have a one-of-those, I just have my scripts call iptables :-/ it's not as flash as drag 'n drop, but I tried programming a virtual usb mouse to automate clicking things on the screen when things happen, but while trying to write the detection software that tells it to click certain rules when somebody plugs their computer into the network, which was detected by pointing a webcam at the network switch to watch when lights came on/off, my head fell off. Turns out, I needed my head on.

  • Re:Firewall Builder (Score:3, Interesting)

    by smpoole7 ( 1467717 ) on Monday April 19, 2010 @10:01PM (#31905384) Homepage

    Firewall Builder does most of what the submitter is looking for already.


    Just browsing through here, but I'm surprised (and then again, I'm NOT surprised) at the answers thus far. I get the same replies when I ask a similar question.

    What the submitter is talking about is a 21st Century Firewall (capitalized out of reverence). Why not have automatic host discovery? Why should I have to painstakingly come up with a list of all target machines with IP addresses? Is this not 2010? :)

    Did everyone miss the question about "jdoe's" computer being connected, and then (and ONLY then) her needed ports being enabled in some other PC on the network? That would actually be a VERY nice capability.

    For the record, I've looked at IPCop; Shorewall; SuSEFirewall2; the firewall tools built into Webmin; (and years ago) Mandrake's firewall package; you name it (this is just a partial list off the top of my head). All of them follow the same paradigm: YOU must come up with the list of IPs and ports. If anything moves or changes, YOU have to painstakingly re-enter all of the port/IP info (and hope you didn't miss something!).

    So-called GUI interfaces and/or firewall "builder" tools still follow this same basic config paradigm. Just adding automatic discovery would be a HUGE help ... simply put, someone connects a machine, the firewall says, "new PC added at 192.168.1.100, DHCP, it's exposing ports 100, 200 and 500."

    Everything I've tried thus far can't even reliably list all PCs on the network! I have to run an NMAP discovery or (under Windoze) something like the Angry IP Scanner. It doesn't make sense.

    Some of what the submitter is asking would most properly be done in a really smart firewall/network switch combination. You would probably have to install a small software package on each network machine, too, that could "talk" to the firewall. But the question remains, why isn't this kind of thing available? It *IS* a little surprising (and frustrating) that someone hasn't developed a point-and-click, self-discovering, self-cataloging firewall system by now.

    I think the real problem is that true propeller-headed geeks actually *enjoy* poking in stuff with iptables rules at a prompt. They're the most likely to have the skills to develop something like a true GUI firewall, but they're the least likely to want to.

  • by CAIMLAS ( 41445 ) on Monday April 19, 2010 @10:04PM (#31905406)

    Yes, there are those outside cases. However, consider how many scenarios can be easily covered with an "exceptioned template".

    Take iptables, for instance. It typically goes something like this: Deny all, do NAT/masq from the inside, do traffic shaping/QoS, and finally allow specific ports/do specific port forwarding. It's formalistic and not all that complex, once you understand it - and it's largely linear, with most of the scripts following the same basics.

    For 90%+ of scenarios, it would be easy to instigate a framework for transparent transport of rules between systems (homogeneous and maybe even heterogeneous ones) or automatically setting rules based on inside services. The problem with doing it, however, is that it would provide a negligible benefit over what's out there now (as firewall rules tend to rarely change).

    The security ramifications of such an application seem like they'd be hit and miss, internally. Yes, you want to prevent hosts from talking to each other when they've got no reason to - though there are other methods for doing this in a cleaner, less granular/more centralized fashion (802.1q VLANs). It works better because, again, it covers 90%+ of conceivable scenarios with less configuration.

    It all comes down to KISS. Sometimes firewall restrictions are appropriate; sometimes something else is. More often than not, though, people use what they know and misapply it for fear of not being able to grasp a new technology in time to properly implement it, and we end up with a gongshow.
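The "deny all, NAT/masq from the inside, then allow specific ports" template described in the post above, rendered from a small declarative exception list. This is an added example, not code from the thread; the interface names, the LAN network and the two exception entries are constructed, and it omits the traffic-shaping step. Nothing is applied: the rules are printed in iptables-restore format so they can be reviewed before loading.

```shell
#!/bin/sh
# Added example: render a default-deny iptables ruleset with NAT and a list of
# per-host exceptions. Assumed (constructed) interface names and LAN network:
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24

# Constructed exception list, one "host port/proto" inbound forward per line.
EXCEPTIONS="192.168.1.10 22/tcp
192.168.1.20 443/tcp"

# Walk the exception list; callback gets "$host" "$port" "$proto".
each_exception() {
  echo "$EXCEPTIONS" | while read -r host portproto; do
    [ -z "$host" ] && continue
    "$1" "$host" "${portproto%/*}" "${portproto#*/}"
  done
}
dnat_rule()    { echo "-A PREROUTING -i $WAN -p $3 --dport $2 -j DNAT --to-destination $1:$2"; }
forward_rule() { echo "-A FORWARD -i $WAN -o $LAN -d $1 -p $3 --dport $2 -m conntrack --ctstate NEW -j ACCEPT"; }

gen_rules() {
  # 1. NAT table: masquerade LAN traffic leaving the WAN, DNAT the exceptions in.
  echo '*nat'
  echo ':PREROUTING ACCEPT [0:0]'
  echo ':POSTROUTING ACCEPT [0:0]'
  echo "-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE"
  each_exception dnat_rule
  echo 'COMMIT'
  # 2. Filter table: deny all inbound/forwarded by default.
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo "-A FORWARD -i $LAN -o $WAN -j ACCEPT"
  echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # 3. Only now the specific exceptions, so anything not listed stays dropped.
  each_exception forward_rule
  echo 'COMMIT'
}

# Number of inbound exceptions actually rendered (handy sanity check).
count_exceptions() { gen_rules | grep -c -- '-j DNAT'; }

gen_rules
```

Because the exception list is data rather than hand-typed rules, the same script can be run against several gateways with different lists, and the printed output can be diffed against the running ruleset before loading it.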

  • Re:The future is now (Score:5, Interesting)

    by Crackez ( 605836 ) on Monday April 19, 2010 @10:05PM (#31905408)

    You may not be worth this reply, however, I will try to overcome my Unixism.

    "It can scarcely be denied that the supreme goal of all theory is to make the irreducible basic elements as simple and as few as possible without having to surrender the adequate representation of a single datum of experience." - Albert Einstein

    I don't mean to quote and sound all guru-ish, however, this particular quote has a deep meaning with regard to this discussion.

    "Shit's tough, you have to be tough too." - I think I invented that one.

    Basically, if you can't swim then get out of the water, or learn to swim; those are your only choices.

    Stuff like networking is zen, it's just bits on a wire. On the other hand, it can be hard. Waah.

  • by morphage ( 62416 ) on Monday April 19, 2010 @10:17PM (#31905510)

    There are two problems with your question.

    The first is you may believe tools and diagrams will take the pain out of implementing and enforcing security policy. Network design is systems design. Diagrams are essential in communicating that a system meets the requirements to stakeholders and management who make budgets and can't visualize how improved security adds value. But firewalls and their associated diagrams are just one element of security. What about OS patches, authentication and physical security? You know that firewalls run software and software needs maintenance. Pointing to a well executed diagram won't save you from applying vendor software updates. Are your policies sane? Security tools are only as good as the policies they implement and the people who use them. Your tool may show you that you have correctly hidden an important asset from the outside world, but are all your assets protected? Does your organization give out VPN logins to unqualified users? Are you using a VPN? Can your services run over a tunnel? If your servers or services can be secured do you really need to block all ports and selectively open a few? Can any of your services take advantage of TCP Wrappers?

    "When you finish your MBA- it'll all become clear." is spot on. Perform a cost benefit analysis. Figure out how many hours at your rate it will take to cobble together some scripts or pay a developer for a custom tool. Then figure out how much it would cost to hire a qualified network engineer. Then figure out the cost of losing business due to denial of service or network intrusions. Then realize that you still probably need a network engineer to correct your diagrams and security policies after you use a custom tool. You can always do your own taxes and defend yourself in court, but can you afford to be wrong? Complex problems need people with specialized knowledge.

    The second problem is no tool programmer in their right mind would want to write a program to generate scripts from Visio. I'm a programmer, not a network guy, but like many programmers I've run Linux and OpenBSD development and webservers and done my best to keep them secure. I've also used Visio, and Visual Paradigm and some other very expensive commercial tools for creating UML diagrams. In less time than it would take me to figure out how to correctly draw something in Visio, I could have skimmed the man pages and the internet for the correct syntax required to write a rule in iptables or pf. Visio is not an intuitive tool for working in most domains. Adobe Illustrator with all its quirks makes more sense in comparison. If you want a neat toy or project, take a look at GNU DIA, or Argo UML and write patches to generate configuration files. Even if you are successful there is no standard operating system or vendor independent language for defining firewall rules. Don't ever expect to drag and drop a policy to migrate rules from a Linux based appliance to a Cisco router to a Juniper switch to a BSD based appliance. Cisco has made billions by locking in customers to their own standards. Linux and BSD are integrated into many firewall appliances but they also have their own version dependent quirks and special sauce from vendors.

  • by Stray7Xi ( 698337 ) on Monday April 19, 2010 @10:29PM (#31905618)

    Actually, it's more like: INTERNET -> PORT22, since just about anything can be sent through an ssh tunnel. And the encryption makes most types of deep packet inspection impossible.

    You missed his point which wasn't about the protocol, but the port being used. If you use port 22, it'll be blocked many places because they don't want to allow you to ssh. If you use port 443 it'll be allowed since https is "necessary", even if you're using 443 to carry your ssh traffic. What's sad is seeing other services move to 443 to be more accessible. Most usenet providers offer SSL encrypted NNTP on port 443 [giganews.com] (despite having an RFC port specifically for nntps).

    But it is much harder to block if they actually use legitimate looking packets for protocols that get out rather than just its port. So people have encapsulated IP within real HTTP traffic [softpedia.com]. Better yet they'll use ICMP [github.com] or even DNS [nongnu.org] to carry your traffic. I find the DNS one particularly amusing because it uses your nameserver to redirect the traffic even if the host isn't given any outside access.

  • Re:The future is now (Score:5, Interesting)

    by Qzukk ( 229616 ) on Monday April 19, 2010 @10:56PM (#31905806) Journal

    let alone get their port forwarding to work for Gears of War

    Did the Gears of War developers at least bother to tell you what ports you needed, or did they leave that to be discovered in the forums by a bunch of people guessing random numbers until it kind-of works for some people [epicgames.com]?

  • by Gr8Apes ( 679165 ) on Tuesday April 20, 2010 @12:26AM (#31906378)

    Secure perimeters are illusions. Every machine needs its own defense. Firewalls are good for NAT, which foils a few, and stateful inspection, which fools a few more. Otherwise, internal firewalling and boundary checks are the only answer, coupled to download security hashing checks-- and those get bitten, too.

    Secure perimeters are real, if done correctly. I know of one personally that has not been breached in a decade. :)

    Every machine needs to be properly configured (I guess that can be stated as having its own defense, but I doubt you meant it this way)

    Firewalls are not good for NAT. They have nothing to do with NAT.

    Firewalls are not good for stateful inspection, they have nothing to do with that either.

    What firewalls do is allow connections inbound and outbound. The better ones allow for more rich rules like which protocols on which ports, which machines/macs can connect or even force a user authentication before they can connect to an IP/port. There are also the on-the-desktop firewalls that allow an application IP/port designation. But that's all a Firewall does.

    You do have one point though - if you're running MS desktops yes, they can be owned if they're allowed to connect to external entities at all, and that includes USB drives.

  • Re:The future is now (Score:3, Interesting)

    by MightyMartian ( 840721 ) on Tuesday April 20, 2010 @12:49AM (#31906490) Journal

    So your objection is with some *nix guys' sense of superiority, rather than with the actual issues. Your problem can likely be fixed by one form of anti-psychotic or anti-depressant or another. I mean, you come to what amounts to a forum for tech geeks, most of whom aren't just MCSEs, but who deal with all sorts of OSs, and with firewalls, with pretty complicated systems based on iptables and other firewall solutions, and complain because they suggest scripting your solution.

    Live with it. GUIs have inherent limitations. Draw a non-trivial network diagram and you'll see why it's so difficult to build automated tools for the job, and why some of the uber-simplified tools like UPnP in fact introduce serious security issues. Unfortunately routing, firewalls, VPNs and the like can grow in complexity very quickly even in home user situations. Solutions to these issues are often non-trivial and require a degree of expertise, and that means going beyond simplistic point-and-clicks and drop down menus, and means, one way or the other, some kind of scripting.

  • by geekprime ( 969454 ) on Tuesday April 20, 2010 @04:11AM (#31907352)

    It DOES ensure you have a better idea of what you are doing and exactly how it was done.

    With a GUI you are assuming that the person that wrote the GUI has done everything in exactly the right way but you can't prove it. Nor can you prove that it's entirely correct for your application, the gui HIDES the important details in favor of simplicity.

    Further, you cannot automate a gui to do the same thing to 62 different routers on 11 subnets without having to do those exact same seventeen clicks on each one. Nor can I read through the (non-existent) script at a later date to remind me what the heck it was I did. Yes it should be all documented but I can't tell you how many times I have spent an hour determining that someone skipped a single click or check box in a windows setup that makes one machine act differently from the others.

  • by rwa2 ( 4391 ) * on Tuesday April 20, 2010 @07:49AM (#31908226) Homepage Journal

    When you finish your MBA- it'll all become clear.

    After I got my MSSE (I guess the MBA for Nerds, though I didn't realize it at the time), I figured that was because all firewalls were supposed to be rendered obsolete and unnecessary by IPv6. Which explains why we're still stuck in 1995.

    So yeah, this is the answer, this is the ending. I shall drive without license, without clothing, without direction, and if I make it to Arkansas fine; if I'm running late; if I'm running a numbers game, it doesn't matter, I'll keep on running! Because a body in motion tends to stay in motion, and it's better to feel. Pain is better than emptiness. Emptiness is better than nothing; and nothing is better than this.
