What Is the Future of Firewalls?
jlmale0 writes "When I mess with my WAP/router at home or coordinate with the network team at work, it seems like I'm stuck in 1995. We're still manually listing IP address/port combinations for our firewall rules. There's a certain simplicity to this when dealing with a single system, but there are firewalls everywhere these days. What's available for managing complex firewall arrangements? What's being developed? Can I take a Visio diagram, run it through a script, and get a list of firewall rules? What about a GUI that illustrates the current system configuration and then lets me drag and drop systems across firewalls, and have the individual firewall ports automatically configured? What about tying a firewall into an authentication system so that when jdoe logs in, only then are the firewalls opened to pass her traffic? What about managing distributed firewalls so that one repository of rules opens up your system's firewalls, the DMZ firewall, and the public firewall all at once? Let's get a conversation started. What cool projects do I need to know about? What cool management features would you like to see? What's next for firewall management?"
When you finish your MBA- it'll all become clear. (Score:5, Funny)
When you finish your MBA- it'll all become clear.
Re:When you finish your MBA- it'll all become clea (Score:5, Funny)
Do you get a free Belkin 54g with your MBA?
MBAs, meet Novell BorderManager, circa 1997 (Score:3, Informative)
Novell was doing much of what the OP was asking for, back circa 1997, with their BorderManager product.
Unfortunately, Novell always seemed to have the evil MBAs running the company [is there such a good MBA?], and, the last I heard, BorderManager was allowed [decreed? required?] to wither on the vine.
But BorderManager, as originally envisioned [and it was a hellu
Re: (Score:3, Interesting)
I don't have a one-of-those, I just have my scripts call iptables :-/ it's not as flash as drag 'n drop, but I tried programming a virtual usb mouse to automate clicking things on the screen when things happen, but while trying to write the detection software that tells it to click certain rules when somebody plugs their computer into the network, which was detected by pointing a webcam at the network switch to watch when lights came on/off, my head fell off. Turns out, I needed my head on.
Re: (Score:2)
how was the resulting game of Marco-Polo? fun?
Re: (Score:2)
When you finish your MBA- it'll all become clear.
After some cost/benefit analysis on the ideas above, I think yes. It's not going anywhere.
Re: (Score:3, Interesting)
When you finish your MBA- it'll all become clear.
After I got my MSSE (I guess the MBA for Nerds, though I didn't realize it at the time), I figured that was because all firewalls were supposed to be rendered obsolete and unnecessary by IPv6. Which explains why we're still stuck in 1995.
So yeah, this is the answer, this is the ending. I shall drive without license, without clothing, without direction, and if I make it to Arkansas fine; if I'm running late; if I'm running a numbers game, it doesn't matter, I'll keep on running! Because a body in motion t
Digital Mongolians (Score:2)
Standardized Firewall Config Scripts (Score:2, Interesting)
Did anyone play Borderlands for the PC? Remember what a nightmare it was to get multiplayer working on that thing? uPnP sorts out some bits, but having a file that you can upload to the firewall to configure that would be nice. There are scores of profitable websites out there that will walk you through how to configure your router for bit torrent -- clearly there's a need for Something Better. If not config scripts/files, then something else.
I still can't host Borderlands multiplayer games.
Re: (Score:2)
And how much of this had to do with NAT rules rather than firewalls?
Re: (Score:2)
NAT or no NAT - any protocol which requires connections be accepted on varying port numbers is going to cause problems. Examples - SIP, BT, most IM protocols for file send.
Best is if there's a netfilter module for the protocol; it can watch the traffic and open up holes dynamically for related connections.
Re: (Score:2)
What, you mean NAT isn't a firewall?
There are a ton of people who don't know enough to know what the actual problems are. Hosting a Borderlands server would be trivial on IPv6, removing NAT, and you would still be able to have a firewall.
Re: (Score:2)
Try hamachi. Free, incredibly easy VPN software. Me and friends host borderlands all the time and never have any trouble at all.
Future of Internet and firewalls (Score:5, Insightful)
INTERNET -> PORT80, PORT443
His point being more and more is routed through ports 80 and 443 in an effort to avoid firewall restrictions. I often think he was right. Consequences for firewalls left up to reader.
Re:Future of Internet and firewalls (Score:4, Insightful)
Shouldn't it be INTERNET <- PORT80, PORT443? You're talking about outbound traffic firewalling, right? Inbound is explainable by the limitations imposed by NAT.
Re: (Score:3, Insightful)
and the funny thing is - if they allow anything through, ssh tunneling proxy pretty much nixes anything they're trying to block.
Yep! That's why the future is in smarter devices (Score:2)
I've been contacted by several Internet security product vendors recently (after I attended a free network security conference in town). The "in" thing right now seems to be selling "security appliances" that can intelligently sniff traffic on port 80 or 443 and discern what's actually going through. Of course, right now, they seem to be trying to sell these as additions to your environment, rather than replacements for existing traditional firewalls ... but it's only a matter of time before it all gets r
Re: (Score:2)
A wise wise network engineer at UW once showed me the following diagram several years ago:
INTERNET -> PORT80, PORT443
Actually, it's more like: INTERNET -> PORT22, since just about anything can be sent through an ssh tunnel. And the encryption makes most types of deep packet inspection impossible.
Re: (Score:3, Funny)
BitterOak's Sig:
"If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?"
No, You can be modded up for being a Unix Sysadmin, Unix Developer, or M$ hater. All of the others you mention are downward.
Re: (Score:3, Interesting)
Actually, it's more like: INTERNET -> PORT22, since just about anything can be sent through an ssh tunnel. And the encryption makes most types of deep packet inspection impossible.
You missed his point which wasn't about the protocol, but the port being used. If you use port 22, it'll be blocked many places because they don't want to allow you to ssh. If you use port 443 it'll be allowed since https is "necessary", even if you're using 443 to carry your ssh traffic. What's sad is seeing other services move to 443 to be more accessible. Most usenet providers offer SSL encrypted NNTP on port 443 [giganews.com] (despite having an RFC port specifically for nntps).
But it is much harder to block if th
Re: (Score:3, Insightful)
Security through obscurity?
It doesn't matter what port SSH is on. If an attacker is even remotely interested he'll run a port scan and find your SSH port soon enough.
Better to invest your time into properly configuring/locking-down SSH. Good luck to any attacker trying to gain access if you only allow authkey access. Putting SSH on a different port is only giving you a false sense of security.
Re: (Score:3, Insightful)
Or no change in your sense of security, but a much smaller log file because of the lack of script-kiddy brute force attacks on the service. It depends on who you are and what you know.
Re: (Score:3, Insightful)
Security through obscurity?
It doesn't matter what port SSH is on. If an attacker is even remotely interested he'll run a port scan and find your SSH port soon enough.
Better to invest your time into properly configuring/locking-down SSH. Good luck to any attacker trying to gain access if you only allow authkey access. Putting SSH on a different port is only giving you a false sense of security.
Sir –
There are valid reasons to move the SSH port around, including:
1. It decreases the number of "script kiddie" attempts that do not look beyond the standard port for a known exploit (i.e. your server is no longer "low hanging fruit"); and
2. You can react to a port-scan from a single host - e.g. by blacklisting the IP the portscan came from.
Sophisticated, dedicated attackers can get around these. However, the vast majority of attempts will be made by people who are neither sophisticated nor dedicate
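A defender-side illustration of the second point in that list, added here and not part of the thread: a small Python detector that reads netfilter LOG lines from syslog and reports any source that hits many distinct ports within a short window, then emits the drop rule one would react with. The log lines, the FW-DROP log prefix, the host names and the addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# One netfilter LOG line as the kernel writes it to syslog; only the fields
# the detector needs are captured.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2010):
    """Return (timestamp, src, dst, proto, dpt) for a LOG line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    # syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], m["proto"], int(m["dpt"])


def find_scanners(lines, min_ports=10, window_seconds=60):
    """Map each source that touched at least min_ports distinct destination
    ports inside some window of window_seconds to the sorted list of every
    port it hit. Repeated knocks on one port (brute force) do not count."""
    hits = defaultdict(list)  # src -> [(timestamp, dpt), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ts, src, _dst, _proto, dpt = parsed
            hits[src].append((ts, dpt))

    scanners = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end, (t_end, _) in enumerate(events):
            # Advance the window start until the window spans at most window_seconds.
            while (t_end - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({dpt for _, dpt in events[start:end + 1]}) >= min_ports:
                scanners[src] = sorted({dpt for _, dpt in events})
                break
    return scanners


def block_rules(scanners):
    """The reaction the comment describes: one drop rule per scanning source,
    inserted ahead of the existing INPUT rules."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(scanners)]


def _log(ts, src, dpt):
    """Build one constructed LOG line, as written with --log-prefix 'FW-DROP: '."""
    return (f"{ts} gw kernel: [ 1234.5678] FW-DROP: IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF "
            f"PROTO=TCP SPT=41000 DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")


# Constructed sample: one host walks twelve ports in twelve seconds, another
# knocks on port 22 three times (noisy, but not a scan), plus an unrelated line.
SAMPLE_LOG = (
    [_log(f"Mar  3 10:15:{i:02d}", "203.0.113.7", port)
     for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080, 8443])]
    + [_log(f"Mar  3 10:16:0{i}", "198.51.100.4", 22) for i in range(1, 4)]
    + ["Mar  3 10:16:05 gw sshd[2201]: Accepted publickey for jdoe from 198.51.100.4 port 51234 ssh2"]
)

if __name__ == "__main__":
    found = find_scanners(SAMPLE_LOG)
    for src, ports in found.items():
        print(f"{src} probed {len(ports)} distinct ports: {ports}")
    print("\n".join(block_rules(found)))
```

The window keeps a slow, spread-out crawl from tripping the same threshold as a twelve-second sweep; tune min_ports and window_seconds to the noise level of the network in question.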
Google's capirca (Score:3, Interesting)
Complex often means hand tweak. No way around it (Score:2)
I don't have a lot of trouble with firewalls at home. I'm running a WRT54GL with Tomato (previously was using DD-WRT but I like the graphing in Tomato, and didn't need anything available in DD-WRT but not Tomato so I switched). This setup has given me no trouble (barring one stupid r/c game/simulator with networking that is a total mess and doesn't work properly with or without a router - and even that works intermittently). However I'm not doing anything too advanced with it.
Once you do get to enterprise ne
Re: (Score:3, Interesting)
Yes, there are those outside cases. However, consider how many scenarios can be easily covered with an "exceptioned template".
Take IP tables, for instance. It typically goes something like this: Deny all, do NAT/masq from the inside, do traffic shaping/QoS, and finally allow specific ports/do specific port forwarding. It's formalistic and not all that complex, once you understand it - and it's largely linear, with most of the scripts following the same basics.
For 90%+ of scenarios, it would be easy to insti
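An added example of the "exceptioned template" idea just described, written here and not the commenter's own script: a declarative policy goes in and the iptables commands come out in the order deny all, NAT/masquerade, then the explicit exceptions, followed by a lint pass for the two slips the template is meant to prevent. The policy keys, interface names and addresses are this example's assumptions.

```python
# Constructed sample policy for a small Linux gateway. The keys are this
# example's own convention, not a standard format.
POLICY = {
    "wan": "eth0",
    "lan": "eth1",
    "lan_net": "192.168.1.0/24",
    # Exceptions for services running on the gateway itself: (proto, port).
    "allow_in": [("tcp", 22), ("udp", 1194)],
    # Exceptions for port forwards into the LAN: (proto, wan port, host, host port).
    "forward": [("tcp", 10100, "192.168.1.101", 10100)],
}


def gen_rules(policy):
    """Return the iptables commands in template order:
    1. flush and deny all, 2. NAT/masquerade out of the WAN,
    3. the allowed ports and port forwards as explicit exceptions."""
    wan, lan, lan_net = policy["wan"], policy["lan"], policy["lan_net"]
    new = "-m conntrack --ctstate NEW"
    rules = [
        # 1. Clean slate; INPUT and FORWARD drop unless a rule says otherwise.
        "iptables -F",
        "iptables -t nat -F",
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
        # Replies to connections we started. RELATED is what lets a protocol
        # helper (nf_conntrack_ftp and friends) admit the extra connections.
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # 2. Masquerade the LAN behind the WAN address and let it out.
        f"iptables -t nat -A POSTROUTING -s {lan_net} -o {wan} -j MASQUERADE",
        f"iptables -A FORWARD -i {lan} -o {wan} -s {lan_net} -j ACCEPT",
    ]
    # 3a. Exceptions: services on the gateway, pinned to protocol and port.
    for proto, port in policy["allow_in"]:
        rules.append(f"iptables -A INPUT -i {wan} -p {proto} --dport {port} {new} -j ACCEPT")
    # 3b. Exceptions: each forward needs the DNAT and a matching FORWARD accept.
    for proto, wport, host, hport in policy["forward"]:
        rules.append(f"iptables -t nat -A PREROUTING -i {wan} -p {proto} --dport {wport} "
                     f"-j DNAT --to-destination {host}:{hport}")
        rules.append(f"iptables -A FORWARD -i {wan} -o {lan} -p {proto} -d {host} "
                     f"--dport {hport} {new} -j ACCEPT")
    return rules


def lint_rules(rules, wan):
    """Catch the two slips the template exists to prevent: a chain left at
    ACCEPT by default, and a WAN-facing accept that is not pinned to a port."""
    problems = []
    for chain in ("INPUT", "FORWARD"):
        if f"iptables -P {chain} DROP" not in rules:
            problems.append(f"{chain} default policy is not DROP")
    for rule in rules:
        if f"-i {wan}" in rule and rule.endswith("-j ACCEPT") and "--dport" not in rule:
            problems.append(f"unrestricted accept on {wan}: {rule}")
    return problems


if __name__ == "__main__":
    rules = gen_rules(POLICY)
    print("#!/bin/sh\nset -e")
    print("\n".join(rules))
    for problem in lint_rules(rules, POLICY["wan"]):
        print(f"# LINT: {problem}")
```

Traffic shaping is the one step of the template left out here, since tc rules depend on the link rather than on the policy.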
What's next for firewall management? (Score:5, Funny)
I haven't looked, but I'm sure there's an iPhone app for that.
Feature, not bug (Score:5, Insightful)
Re: (Score:3, Informative)
Slow and stupid, though, are dangerous. Humans have a tendency to make stupid, sloppy
It's about demand –or lack thereof (Score:5, Insightful)
I think that firewall administration has been allowed to remain shoddy because most people who aren't gamers or server admins don't need to change the settings at all. Gamers are usually obsessed enough with playing that they will take the time to figure it out. And sysadmins, well it's their job to know how to do that stuff.
This isn't an excuse for things being the way they are, but an explanation. Most people just vaguely understand that a firewall protects their computer, but they don't know any more than that and will probably never have to configure one. If the archetypal grandmother or joe six pack ever has a reason to manage firewall settings (unlikely) then an easy configuration tool will appear overnight. Unless a widespread need arises, limited demand will translate to limited effort spent developing user-friendly tools.
I've said it before, and I'll say it again. (Score:2)
If you can get past that, then you deserve the goodies, IMHO.
Just run it through a Chinese server (Score:2, Funny)
They'll firewall it for you..
Standardization is EXTREMELY difficult (Score:2, Informative)
In a star trek world people would work well together but the money is made coming up with the next biggest and best product meaning you beat out the competitors. Working together often eliminates that huge profit margin one gets when they have the "best" tech for "this need". Open Source solutions are often (not always) designed from this viewpoint that "A collaborative effort will result in an ideal product with the motivation being profit profit profit".
Add on top of that is that there are many things tha
Re: (Score:2)
You have a great point about "networking in the home being simple". Now let me remind you:
There's problems connecting to nearly every game server through a router when a non-technical person is doing the connecting, because there's no standard way for the creators of the games to open up the correct ports; this is a simple thing the question asks, yet is still completely unaddressed by the guys making home routers. They could easily come up with a method to accept a small text file with the proper informa
Re: (Score:2)
There is, it's called uPnP. It sucks, terribly. It was made by a pack of gibbering idiots. Different vendors having dick sizing competitions managed to implement it in ways that are completely incompatible and broken. The home users stupid enough to really need it own cheap, shitty routers (often provided by their ISP) that implement it in a broken manner if at all. The users with better routers that implement it correctly all disable it, because the creators did not bother to include any sort of authe
Re: (Score:2)
For outbound connections, what's so complicated? My Linux gateway box, not to mention every NATting router I've seen, does it automatically.
For inbound connections, again what's so complicated? I set up a firewall specifically so the outside world could not make inbound connections to my machines without my intervention to allow it. If I wanted it to be otherwise, I wouldn't've installed the firewall. You aren't asking for innovation, you're asking for the ability to completely circumvent my security. And n
Certs? (Score:2)
I feel like things might be able to be simplified a little better if there were better use of certificates for authentication and encryption. Of course, that requires a better (free) method of managing and authenticating the certificates themselves.
It might not have a lot of improvements in the realm of firewalls, but it might enable better/easier VPN and control over routing rules. Instead of dealing with IPs and MAC addresses, you could allow specific users and machines. Of course, I'm not sure how mu
I like PF, try PFSense (Score:5, Insightful)
The BSD 'pf' packet filter is pretty good. There is even a FreeBSD-based project known as pfsense [pfsense.org] which you might want to take a look at, as it offers a pretty-much drop-in solution for packet filtering, as well as NAT, load balancing, VPN connectivity, etc. There is a web-based administration GUI as well. It looks pretty sweet, but I haven't played with it much in any serious deployment personally.
Cisco Security Manager (Score:2)
Cisco Security Manager does all that and more. The key features being Interface roles and ACL/device hierarchy.
Obviously this is not opensource.
Look into more serious UTM firewalls (Score:2)
UTM: unified threat management.
Disclaimer: I work for a manufacturer of such devices.
The better ones integrate with Active Directory and/or Kerberos to authenticate sessions, and do spam and virus scanning (using a quarantine server, if available).
Some will even decrypt and reencrypt HTTPS traffic to check what's in it. (They resign the server's cert with their own CA cert that the user's browser has to trust -- in some environments, an intermediate CA cert can be imported signed by a CA cert that has alrea
I smell marketing (Score:5, Insightful)
I've got the fix for you (Score:2, Funny)
systematic (Score:2)
I always forward a block of 100 ports to each active intranet IP on my network, with the first digits being the last octet of the IP.
eg: 192.168.x.101 gets ports 10100-10199.
Using this system, along with a domain server that will assign each machine a predictable IP, makes things a lot easier.
If you're using Visio, you're doing it wrong (Score:5, Interesting)
There are two problems with your question.
The first is you may believe tools and diagrams will take the pain out of implementing and enforcing security policy. Network design is systems design. Diagrams are essential in communicating that a system meets the requirements to stakeholders and management who make budgets and can't visualize how improved security adds value. But firewalls and their associated diagrams are just one element of security. What about OS patches, authentication and physical security? You know that firewalls run software and software needs maintenance. Pointing to a well executed diagram won't save you from applying vendor software updates. Are your policies sane? Security tools are only as good as the policies they implement and the people who use them. Your tool may show you that you have correctly hidden an important asset from the outside world, but are all your assets protected? Does your organization give out VPN logins to unqualified users? Are you using a VPN? Can your services run over a tunnel? If your servers or services can be secured do you really need to block all ports and selectively open a few? Can any of your services take advantage of TCP Wrappers?
"When you finish your MBA- it'll all become clear." is spot on. Perform a cost benefit analysis. Figure out how many hours at your rate it will take to cobble together some scripts or pay a developer for a custom tool. Then figure out how much it would cost to hire a qualified network engineer. Then figure out the cost of losing business due to denial of service or network intrusions. Then realize that you still probably need a network engineer to correct your diagrams and security policies after you use a custom tool. You can always do your own taxes and defend yourself in court, but can you afford to be wrong? Complex problems need people with specialized knowledge.
The second problem is no tool programmer in their right mind would want to write a program to generate scripts from Visio. I'm a programmer, not a network guy, but like many programmers I've run Linux and OpenBSD development and webservers and done my best to keep them secure. I've also used Visio, and Visual Paradigm and some other very expensive commercial tools for creating UML diagrams. In less time than it would take me to figure out how to correctly draw something in Visio, I could have skimmed the man pages and the internet for the correct syntax required to write a rule in iptables or pf. Visio is not an intuitive tool for working in most domains. Adobe Illustrator with all its quirks makes more sense in comparison. If you want a neat toy or project, take a look at GNU DIA, or Argo UML and write patches to generate configuration files. Even if you are successful there is no standard operating system or vendor independent language for defining firewall rules. Don't ever expect to drag and drop a policy to migrate rules from a Linux based appliance to a Cisco router to a Juniper switch to a BSD based appliance. Cisco has made billions by locking in customers to their own standards. Linux and BSD are integrated into many firewall appliances but they also have their own version dependent quirks and special sauce from vendors.
If you need a GUI... (Score:2, Insightful)
you should not be configuring a mission critical firewall.
To sum up (Score:2)
New advances in firewall technology (Score:5, Funny)
Re: (Score:2)
TFF
Re:The future is now (Score:4, Insightful)
I love how you *nix guys don't ever take end users into consideration. You think "Oh, just learn how to script the stuff together with some shell and you'll be good!".
All the while, the end users are saying "We don't care about having to learn to write a script; just include one with your damned program, and have a standard that routers can accept this file and it will just work and be simple."
Re: (Score:3, Insightful)
The "Simple Way" is usually the wrong way when dealing with complex systems.
There are tools that make things easier for "roughing out" what you want, but fine tuning is always breaking out a text editor and making adjustments.
What about the users? Fuck them. They don't even know what an operating system is and don't care what it is, don't care what a firewall is outside of "it keeps the bad guys out," don't care what a router or switch is, and mostly don't care how a network works or even bother to learn
Re:The future is now (Score:5, Insightful)
"Yeah, fuck those end users! We'll make it a bitch and a half to use our product even though the fixes are simple!"
Honestly now, I'm talking about home users, the other people who use firewalls, even though they don't know it. Make it a standard on routers where on the router's config page, it can accept a small text file with ports to be routed to the current connection. Even better, have the program send that information when the game starts, and have the ports un-routed when the game ends. It's a relatively simple, easy fix for the headache that is "finding out the proper ports for XBox Live to work" and entering them manually.
I know how to do it, but let me tell you, I don't know many other people that can install a router to begin with, let alone get their port forwarding to work for Gears of War; and they don't care to learn. Ease of use and the user interfaces on routers haven't improved one bit for consumers from the Belkin I had in 2002; why should a market completely stagnate in user friendliness for that long?
Oh, that's right. It's because every *nix head doesn't think about the real end user, just what's "most powerful" in terms of features. Design solely for the power users and administrators, and you miss 95% of the market - what Linux has excelled at for many, many years.
Re:The future is now (Score:4, Insightful)
Make it a standard on routers where on the router's config page, it can accept a small text file with ports to be routed to the current connection. Even better, have the program send that information when the game starts, and have the ports un-routed when the game ends. It's a relatively simple, easy fix for the headache that is "finding out the proper ports for XBox Live to work" and entering them manually.
That already exists. It's called UPnP. [wikipedia.org] Xbox Live even supports it.
Re: (Score:2)
Isn't this an incredible security risk?
--
BMO
Re: (Score:3, Insightful)
It's a trade-off of security for convenience, sure. It's not something you would enable on anything other than a private home network.
Re: (Score:2, Insightful)
If a game can send a "text" file to open up ports automagically, so can any malware or malicious site. You could implement a list of "approved" games but then who maintains a list, rejects/accepts entries, etc...?
Re:The future is now (Score:4, Insightful)
have the program send that information when the game starts, and have the ports un-routed when the game ends.
This is insane. This really is an insane concept. If you think that the home user is the black-hat botnet operator's bitch, this will only exacerbate the situation. You are removing what little human interaction there is in configuring a router and turning it over to software completely. You really need to examine what you just asked for, because it's stupid.
Why not just supply the user with a pail of K-Y Jelly?
--
BMO
Re: (Score:3, Insightful)
Because the average home computer is already 97 different flavors of pwned. We're not talking about people jumping on your wifi and fucking with your router, we are talking about malware already present on damned near every windows machine in the wild suddenly being able to easily blow whatever firewall might be present wide fucking open.
Re: (Score:2)
Huh? Just look for "UPnP" on the router's box...
Re: (Score:2)
Ease of use and the user interfaces on routers haven't improved one bit for consumers from the Belkin I had in 2002; why should a market completely stagnate in user friendliness for that long?
Not that I completely disagree with your point of routers needing to be simpler, however I think we are dealing with another issue here. Game companies stopped writing games to be firewall friendly, and documenting the ports that are needed for connections. Then the move from dedicated servers to peer-to-peer matchmaking has made that even more difficult. I remember playing many games online around 2000 that had well defined ports which needed to be opened or NAT'd. Now-a-days good luck, the companies
Re: (Score:3, Interesting)
So your objection is with some *nix guys' sense of superiority, rather than with the actual issues. Your problem can likely be fixed by one form of anti-psychotic or anti-depressant or another. I mean, you come to what amounts to a forum for tech geeks, most of which aren't just MCSEs, but who deal with all sorts of OSs, and with firewalls, with pretty complicated systems based on iptables and other firewall solutions, and complain because they suggest scripting your solution.
Live with it. GUIs have inher
Re:The future is now (Score:5, Insightful)
As to firewalls and routers specifically? I believe UPnP does what you would like for the most part if app developers would make use of it (I haven't ever made use of it that I can think of, so I'm not 100% certain), although I believe having app developers include something that just goes in and modifies firewall rules as a black box to the end user is a risky idea. The app developer has no idea what else the user has on their system and how their changes to the firewall might affect that. This is the sort of thing end users should know about at a basic level, akin to changing a tire, checking coolant, etc. on a car. Many probably don't know and get by just fine, but they should know, it's definitely in their best interest.
I've said this before on here and I'm sure I'll say it many more times. While the internet has provided a lot of good and a lot of knowledge and I wouldn't ever support taking it away from people, you have to wonder what the hell the first guy who thought it would be a good idea to make normal users system administrators (that is what a home user is) on the largest, most complex network in the world was thinking.
Re:The future is now (Score:5, Interesting)
let alone get their port forwarding to work for Gears of War
Did the Gears of War developers at least bother to tell you what ports you needed, or did they leave that to be discovered in the forums by a bunch of people guessing random numbers until it kind-of works for some people [epicgames.com]?
Re:The future is now (Score:5, Insightful)
"Yeah, fuck those end users! We'll make it a bitch and a half to use our product even though the fixes are simple!"
No, the fixes are not simple. I don't know why you feel qualified to proclaim that they are, but you are mistaken.
I'm also not sure where you got the idea that anyone intentionally makes their products difficult to use. It is far more likely that the device you struggle to use is "difficult" due to lack of any effort, not because of a specific effort to make it difficult.
Honestly now, I'm talking about home users, the other people who use firewalls, even though they don't know it. Make it a standard on routers where on the router's config page, it can accept a small text file with ports to be routed to the current connection. Even better, have the program send that information when the game starts, and have the ports un-routed when the game ends. It's a relatively simple, easy fix for the headache that is "finding out the proper ports for XBox Live to work" and entering them manually.
Once again, your simplistic "solution" reveals how little you understand about the problem. Ignoring the technical issues (and the fact that all of this has been possible via uPnP which works much more simply than your proposal), why would a user know what a "router config page" or a "text file" is? Why would a home user know how to acquire this text file or how to submit it to a router config page? You've defined "typical user" in terms of what *you* know how to do, which is just as foolish as a unix admin defining the typical user in terms of what they understand.
I know how to do it, but let me tell you, I don't know many other people that can install a router to begin with, let alone get their port forwarding to work for Gears of War; and they don't care to learn. Ease of use and the user interfaces on routers haven't improved one bit for consumers from the Belkin I had in 2002; why should a market completely stagnate in user friendliness for that long?
Oh, that's right. It's because every *nix head doesn't think about the real end user, just what's "most powerful" in terms of features. Design solely for the power users and administrators, and you miss 95% of the market - what Linux has excelled at for many, many years.
So much misunderstanding.. so little time. What do "*nix heads" have to do with routers? Very few routers run unix, and home router user interfaces certainly have nothing to do with unix. Why haven't you seen changes in these devices since 2002? Basically because they work well enough for that 95% of the market you mention. You know what has changed? They cost a lot less. This is really all that same 95% give a shit about.
And finally.. what gives you the idea that Linux wants anything to do with this 95%? Linux is made by skilled folks who were nice enough to share so that other skilled folks can use it and hopefully add something back to the pool. That 95% has very little to offer us.
Comments like "linux will never 'win' until it's easy to use" are silly.. Linux already won, it just isn't playing with you.
Re: (Score:2)
What about the drivers? Fuck them. They don't even know what a fuel system is and don't care what it is, don't care what fuel injector is outside of "it makes the car go," don't care what a master cylinder or caliper is, and mostly don't care how an ignition system works or even bother to learn how to navigate with a stick shift. Most of all, they
Re: (Score:3, Insightful)
Your average end user is going to likely be quite satisfied with a basic web-based firewall GUI sitting over top of iptables. However, your average end user is highly unlikely going to need an in-depth understanding of complex routing tables, queue rules, etc. I mean, why aren't you bitching about Cisco, which is every bit as difficult to work with for complex networks?
For most users, a basic web-based configuration set up is great. For another subset something like Webmin or the Cisco GUI tools will
Re: (Score:2)
If we're talking about average home users, UPnP works well enough, if they even need it which many don't. On the other hand, if your "end users" are system admins managing large, complex networks, then there just isn't going to be a one-size-fits-all solution. The more complex and specialized your demands on the system are, the more effort you're going to have to put into configuring it.
Re: (Score:2)
If we're talking about average home users, UPnP works well enough, if they even need it which many don't. On the other hand, if your "end users" are system admins managing large, complex networks, then there just isn't going to be a one-size-fits-all solution. The more complex and specialized your demands on the system are, the more effort you're going to have to put into configuring it.
Reason number 1,456,930 why not to use UPnP.
The whole idea behind UPnP is that you can have any program dynamically change configuration on your router/firewall (read: open/close ports, create NAT entries). Do you see any problem with this? If not perhaps searching for "Problems with UPnP" will make things more clear.
-matt
Re: (Score:2)
We don't care about having to learn to write a script; just include one with your damned program
Which reminds me, one of the reasons developers stop doing open source is because end users can be really demanding, and really annoying in the way they demand.
Re:The future is now (Score:5, Interesting)
You may not be worth this reply, however, I will try to overcome my Unixism.
"It can scarcely be denied that the supreme goal of all theory is to make the irreducible basic elements as simple and as few as possible without having to surrender the adequate representation of a single datum of experience." - Albert Einstein
I don't mean to quote and sound all guru-ish, however, this particular quote has a deep meaning with regard to this discussion.
"Shits tough, you have to be tough too." - I think I invented that one.
Basically, if you can't swim then get out of the water, or learn to swim; those are your only choices.
Stuff like networking is zen, it's just bits on a wire. On the other hand, it can be hard. Waah.
Re: (Score:3, Insightful)
Re: (Score:2)
We certainly don't want the end users changing firewall configurations. I'd suggest you need to start back at the top of the thread again...you know, somewhere near the summary...
Re: (Score:2)
yeah yeah I know - depends how you think of "end users". I was thinking of a corporate environment, where dragging PCs across firewalls might be useful.
I realise now that for home users, a GUI may be useful, but there's only a select few home users who need to do anything beyond turning the firewall on their modem on...and they have a "GUI" for that.
Re: (Score:2)
I agree NAT and port forwarding aspects will (should) be out the window but I still think firewalls that, say, ringfence subnets will still be of value.
Particularly if it's a choice between that and letting machines (more specifically a particular OS) handle their own security. That would be a terrifying thought.
Re: (Score:2)
The need for firewalls in the first place would be negated if every operating system out there didn't ship with a substantial set of outside-facing services enabled. A network connection should always be considered to be a hostile, unsafe environment: you enable what you need, when you need it. Make the UI easy to do so, sure; but don't make it the default.
Re: (Score:3, Insightful)
Re:I, For one, (Score:5, Informative)
Actually on our network we've ended up installing personal firewalls AND boundary ones.
They end up protecting from different attacks, really.
It's all about the defense in depth. We also have intrusion detection and other stuff(I'm not going to get real specific).
If nothing else, a set of hardware firewalls are quicker to update against a new attack than umpteen clients.
Re: (Score:2)
If I have systems, and I do, which require the utmost in performance, and which also have to connect to the outside world, the last thing I want is for those systems to IN ANY way be impacted b/c some bozo wants to flood me with packets. I want that cut off somewhere else, not at my box. I have a well-known, small set of external systems I want to connect to, and I only want to see traffic from them. It's not about my host being poorly designed, it's simply that I want to have my system focus only on the
Re: (Score:3, Insightful)
IPv6 isn't going to eliminate the need for DMZs and stuff like that. Sure, NAT can be done away with, but NAT isn't "firewalling". Really, what we should be talking about is packet filtering, and in this sense, dedicated packet filtering boxes are key. There is no reason that network hosts should be wasting cycles on packet filtering if putting a box out in front a network segment, say, behind a border router or in front of an aggregation switch, can dedicate cycles to the task -- especially if the box d
Re: (Score:2, Insightful)
Thanks, well stated. Very constructive and kind.
I still believe that host level security is lacking and should be addressed, because problems can arise from the outside world or within the firewalled subnet.
The assumptions that the outside world is 'big, bad, and evil' and 'my subnet is cookies and cream' is a very bad one and very detrimental to security IMHO. That's why I say security is primarily a host-level concern, because the *real* mindset should be 'everything off my machine is potentially big, bad
Re: (Score:2)
Well, you're right that not all threats are external. That is why proper egress ACLs are necessary as well as ingress filtering. Egress filtering is often neglected. Having security at the host level shouldn't be foregone entirely, but having dedicated hardware packet filtering solutions cleaning up network traffic off-host, you can reduce the number of rules you need to enforce host-level, and thus free up more cycles for actual work... which is allegedly why we have computers in the first place -- to d
Re: (Score:2)
Additional device based firewalls are often a good idea, but at least for s
Re: (Score:2)
I'm slowly moving everything to pfSense, tired of dealing with shit firewalls or over-the-top bullshit to configure simple rules on a firewall (Sonicwall, Cisco, I'm looking at you and your goddamn requirement for Java to use the web interface on a PIX if the client doesn't have a competent onsite tech that can handle ssh/console commands safely).
Checkpoint wasn't too terrible but its GUI had a certain learning curve.
I am, of course, looking at it from a small business support standpoint. Tell me if I'm off
Re: (Score:2, Interesting)
Re: (Score:3, Interesting)
Firewall Builder does most of what the submitter is looking for already.
Just browsing through here, but I'm surprised (and then again, I'm NOT surprised) at the answers thus far. I get the same replies when I ask a similar question.
What the submitter is talking about is a 21st Century Firewall (capitalized out of reverence). Why not have automatic host discovery? Why should I have to painstakingly come up with a list of all target machines with IP addresses? Is this not 2010? :)
Did everyone miss the question about "jdoe's" computer being connected, and then (and ONLY then) her
Re: (Score:2)
They all follow that paradigm because they "correctly" assume that you cannot enumerate badness. Since you cannot create a comprehensive list of all possible attacks and exploits to block you must instead enumerate all the known flows you want to permit.
Most firewalls are WAY TOO PERMISSIVE to be of much practical benefit. The typical home firewall to this day assumes that traffic from the internal network should be trusted. THIS IS DEEPLY FALSE. Look, it's bad if you get botnet software installed on your
Re:Leave the networking stuff to the networking te (Score:5, Insightful)
Yes, find someone who knows something about networking and more importantly about firewalls. Try someone who has a CCSP or CCIE:Security as part of their title. Some of the things you are talking about have existed for years on Cisco Pix and ASAs like downloadable ACLs (where based on your credentials you get firewalled differently) which can be applied across a whole enterprise of firewalls. Dynamic inspection of traffic, like H.323 traffic, so you don't have to open a whole range of ports other than the signalling port.
Dear lord, gui based management of a fleet of firewalls? You want to drag and drop things and make magic happen when you do that? Sounds pretty reckless and dangerous to me. That's like saying because you can ride a bicycle, you should be allowed to drive a hazmat semi at top speed through downtown LA. If you don't understand what the rules are and how they will be applied in the first place, you are likely just going to cause problems (like accidentally shutting off your company's ability to sell their trinkets online because you locked it down on accident.)
By the way, I don't care what the kid from the nerd herd tells you, Belkin and Linksys do not sell firewalls. They sell quasi-routers with nat and some limited form of access control. Finally, UPnP is not the answer to your problem, that just makes it easy for people to put devices on your network to open security holes up in your firewall, which is why it's not supported on most enterprise grade firewalls (and wouldn't work anyway if you looked at the way most enterprises build their networks)
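The "downloadable ACL" idea in the post above (jdoe authenticates, and only then does the firewall pass her traffic) is simple enough to sketch. What follows is an added example for this thread, not Cisco's implementation and not code from any poster: the user-to-ACL repository, the session table, the timeout value and every address are constructed, and the "download" is a dictionary lookup standing in for the per-user ACL a firewall would pull after a RADIUS or TACACS+ authentication.

```python
"""Identity-bound firewall rules, simulated.

Added example for this thread; it is not Cisco's downloadable-ACL code or any
vendor's. USER_ACLS, SESSION_TTL and the addresses below are constructed sample
data, and the "download" is a dictionary lookup standing in for the per-user
ACL a firewall would pull after a RADIUS/TACACS+ authentication.
"""
import ipaddress
from dataclasses import dataclass

# Central repository: user -> permitted flows as (destination CIDR, proto, dport).
# A user with no entry here gets nothing; a source with no session gets nothing.
USER_ACLS = {
    "jdoe":       [("10.0.1.0/24", "tcp", 443), ("10.0.2.10/32", "tcp", 22)],
    "backup-svc": [("10.0.3.0/24", "tcp", 873)],
}

SESSION_TTL = 8 * 3600  # seconds before an authenticated source must log in again (hypothetical)


@dataclass
class Session:
    user: str
    expires_at: float


class IdentityFirewall:
    """Maps source IPs to authenticated users and decides NEW connections per user."""

    def __init__(self):
        self._sessions: dict[str, Session] = {}  # source IP -> Session

    def login(self, user: str, src_ip: str, now: float) -> None:
        """Authentication succeeded for user at src_ip: bind the user's ACL to that source."""
        if user not in USER_ACLS:
            raise KeyError(f"no ACL on file for {user}; refusing to bind")
        self._sessions[src_ip] = Session(user, now + SESSION_TTL)

    def logout(self, src_ip: str) -> None:
        """Accounting-stop / logout: drop the binding so the source falls back to default deny."""
        self._sessions.pop(src_ip, None)

    def _active_user(self, src_ip: str, now: float):
        s = self._sessions.get(src_ip)
        if s is None:
            return None
        if now >= s.expires_at:
            del self._sessions[src_ip]  # lazy expiry on the next packet from that source
            return None
        return s.user

    def allow(self, src_ip: str, dst_ip: str, proto: str, dport: int, now: float) -> bool:
        """Decision for a NEW connection. Anything not explicitly permitted is denied."""
        user = self._active_user(src_ip, now)
        if user is None:
            return False
        dst = ipaddress.ip_address(dst_ip)
        for net, p, port in USER_ACLS[user]:
            if proto == p and dport == port and dst in ipaddress.ip_network(net):
                return True
        return False


def demo() -> list[bool]:
    """Walk one session through login, use, expiry and logout; returns the decisions."""
    fw = IdentityFirewall()
    out = [fw.allow("192.0.2.10", "10.0.1.5", "tcp", 443, now=0)]      # no session yet -> False
    fw.login("jdoe", "192.0.2.10", now=0)
    out.append(fw.allow("192.0.2.10", "10.0.1.5", "tcp", 443, now=1))  # listed flow -> True
    out.append(fw.allow("192.0.2.10", "10.0.1.5", "tcp", 80, now=1))   # unlisted port -> False
    out.append(fw.allow("192.0.2.11", "10.0.1.5", "tcp", 443, now=1))  # other source, no session -> False
    out.append(fw.allow("192.0.2.10", "10.0.1.5", "tcp", 443, now=SESSION_TTL + 1))  # expired -> False
    fw.login("jdoe", "192.0.2.10", now=SESSION_TTL + 2)
    fw.logout("192.0.2.10")
    out.append(fw.allow("192.0.2.10", "10.0.1.5", "tcp", 443, now=SESSION_TTL + 3))  # logged out -> False
    return out


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner would add: the binding is to a source address, so anything else sharing that address (a NAT, a multi-user host) inherits jdoe's access for the lifetime of the session, and so does a spoofed source on a segment without ingress filtering. Real deployments tie the entry to the 802.1X or VPN session that produced it and revoke it on the accounting-stop, not only on the idle timeout.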
Re: (Score:3, Insightful)
Dear lord, gui based management of a fleet of firewalls? You want to drag and drop things and make magic happen when you do that? Sounds pretty reckless and dangerous to me. That's like saying because you can ride a bicycle, you should be allowed to drive a hazmat semi at top speed through downtown LA. If you don't understand what the rules are and how they will be applied in the first place, you are likely just going to cause problems (like accidentally shutting off your company's ability to sell their tr
Balderdash, poppycock.. (Score:3, Insightful)
Re: (Score:3, Insightful)
I'll take a shot,
With automation via scripting you have to know BOTH the scripting language AND firewall management.
With a GUI you don't _need_ to know either.
Re: (Score:3, Interesting)
It DOES ensure you have a better idea of what you are doing and exactly how it was done.
With a GUI you are assuming that the person that wrote the GUI has done everything in exactly the right way but you can't prove it. Nor can you prove that it's entirely correct for your application, the gui HIDES the important details in favor of simplicity.
Further, you cannot automate a gui to do the same thing to 62 different routers on 11 subnets without having to do those exact same seventeen clicks on each one. Nor
Re: (Score:3, Insightful)
I can't think of a single reason why knowing what the rules do precludes using a GUI tool to simplify and automate management.
I can think of lots of reasons. The only reason I can think of having a GUI automated management tool is so some dumbass that doesn't know what he's doing can appear to manage firewalls.
Now, I can see the purpose of a GUI inspection tool for independent verification. But even then, I believe automated scripts are better.
Manually editing text is time-consuming, fatiguing and error prone. Having a tool to automate that sort of thing is one of the fundamental reasons for having computers in the first place.
This is why we have scripts. I would never manually configure the thing more than once, and that's only during the initial discovery phase. After that, it's script and test, script and test,
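Several posts above converge on the same design: enumerate the flows you want to permit rather than the badness you want to block, treat the inside as untrusted (egress rules, not only ingress), keep one repository that drives the host, DMZ and public firewalls at once, generate the rules by script for however many boxes there are, and test the result before pushing it so you do not lock the online shop out by accident. The following is an added example illustrating that pipeline, not Firewall Builder, not any vendor's tool and not code from any poster. The flow list, the three-firewall topology and every address are constructed sample data; the output is Linux iptables in iptables-restore format, FORWARD chain only.

```python
"""One flow repository compiled into per-firewall default-deny rulesets, then
regression-checked before anything is pushed.

Added example for this thread, not any product's code. FLOWS, FIREWALLS and the
addresses are constructed sample data; the rendered syntax is Linux iptables
(iptables-restore format) and only the FORWARD chain is produced.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    src: str    # CIDR
    dst: str    # CIDR
    proto: str  # "tcp" or "udp"
    dport: int


# The single repository of permitted flows. Everything else is denied, in both
# directions, including traffic that originates on the LAN (no "inside is trusted").
FLOWS = [
    Flow("public-web",     "0.0.0.0/0",     "192.0.2.10/32", "tcp", 443),
    Flow("lan-web",        "10.0.0.0/24",   "192.0.2.10/32", "tcp", 443),
    Flow("admin-ssh",      "10.0.0.5/32",   "192.0.2.0/24",  "tcp", 22),
    Flow("dmz-db",         "192.0.2.10/32", "10.0.1.20/32",  "tcp", 5432),
    Flow("lan-egress-dns", "10.0.0.0/24",   "10.0.1.53/32",  "udp", 53),
]

# Which networks each enforcement point protects (constructed topology).
FIREWALLS = {
    "public-fw": ["192.0.2.0/24"],                 # internet <-> DMZ
    "dmz-fw":    ["192.0.2.0/24", "10.0.1.0/24"],  # DMZ <-> server LAN
    "lan-fw":    ["10.0.0.0/24"],                  # client LAN
}


def relevant(flow: Flow, nets: list[str]) -> bool:
    """A flow belongs on a firewall if either endpoint lies inside a network it protects."""
    protected = [ipaddress.ip_network(n) for n in nets]
    ends = (ipaddress.ip_network(flow.src), ipaddress.ip_network(flow.dst))
    return any(e.subnet_of(p) for e in ends for p in protected)


def compile_rules(fw_name: str):
    """Return (ordered Flow list, iptables-restore text) for one firewall."""
    flows = [f for f in FLOWS if relevant(f, FIREWALLS[fw_name])]
    lines = [
        "*filter",
        ":FORWARD DROP [0:0]",  # default deny; INPUT/OUTPUT policy for the box itself is out of scope
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for f in flows:
        lines.append(
            f"-A FORWARD -s {f.src} -d {f.dst} -p {f.proto} --dport {f.dport} "
            f"-m conntrack --ctstate NEW -m comment --comment {f.name} -j ACCEPT"
        )
    lines.append("COMMIT")
    return flows, "\n".join(lines)


def decide(flows: list[Flow], src: str, dst: str, proto: str, dport: int) -> str:
    """First-match simulation of the compiled FORWARD chain for a NEW connection."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for f in flows:
        if (f.proto == proto and f.dport == dport
                and s in ipaddress.ip_network(f.src) and d in ipaddress.ip_network(f.dst)):
            return "ACCEPT"
    return "DROP"


# Regression checks run against the compiled rules before anything is pushed
# (constructed). The first entry is the "can customers still reach the shop" check.
REQUIRED = [
    ("public-fw", "203.0.113.7", "192.0.2.10", "tcp", 443,  "ACCEPT"),
    ("public-fw", "203.0.113.7", "192.0.2.10", "tcp", 22,   "DROP"),
    ("dmz-fw",    "192.0.2.10",  "10.0.1.20",  "tcp", 5432, "ACCEPT"),
    ("dmz-fw",    "192.0.2.10",  "10.0.1.20",  "tcp", 22,   "DROP"),  # compromised DMZ host gets no lateral ssh
    ("lan-fw",    "10.0.0.7",    "192.0.2.10", "tcp", 22,   "DROP"),  # only the admin host may ssh
]


def check_fleet() -> list[tuple]:
    """Compile every firewall and return the REQUIRED entries whose outcome differs."""
    failures = []
    for fw, src, dst, proto, dport, want in REQUIRED:
        flows, _ = compile_rules(fw)
        got = decide(flows, src, dst, proto, dport)
        if got != want:
            failures.append((fw, src, dst, proto, dport, want, got))
    return failures


if __name__ == "__main__":
    for name in FIREWALLS:
        print(f"# {name}\n{compile_rules(name)[1]}\n")
    print("regression failures:", check_fleet())
```

Two things to keep in mind if you build on this. Flows are placed on a firewall by address only, so public-fw also carries the admin-ssh rule for 10.0.0.5; on a real perimeter you pair that with per-interface anti-spoofing (drop RFC 1918 sources arriving on the outside interface) or model interfaces in the repository. And the check step is the point of the exercise: a change to FLOWS that breaks a REQUIRED entry fails before anything is handed to iptables-restore, which is cheaper than discovering it from the sales team.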
Re:Leave the networking stuff to the networking te (Score:4, Insightful)
Secure perimeters are illusions. Every machine needs its own defense. Firewalls are good for NAT, which foils a few, and stateful inspection, which fools a few more. Otherwise, internal firewalling and boundary checks are the only answer, coupled to download security hashing checks-- and those get bitten, too.
Belief in firewalls and secure perimeters are the reason that some 30% of all machines in a domain are bot'd somehow..... along with Checkpoint, Norton, Microsoft, and so on. A CCIE or CCSP gives you someone that can help, but there's no guarantee that someone won't click on a site that will give your browsers a headache, then the infection, and so on.
The MuSystems guys can tell you about fuzzing attacks that will leave most equipment in a state of mush. With enough pounding, you can break about anything. Sorry to be dour, but you have to use best practices, and protect each individual device, not just the perimeter.
Re: (Score:3, Interesting)
Secure perimeters are illusions. Every machine needs its own defense. Firewalls are good for NAT, which foils a few, and stateful inspection, which fools a few more. Otherwise, internal firewalling and boundary checks are the only answer, coupled to download security hashing checks-- and those get bitten, too.
Secure perimeters are real, if done correctly. I know of one personally that has not been breached in a decade. :)
Every machine needs to be properly configured (I guess that can be stated as having its own defense, but I doubt you meant it this way)
Firewalls are not good for NAT. They have nothing to do with NAT.
Firewalls are not good for stateful inspection, they have nothing to do with that either.
What firewalls do is allow connections inbound and outbound. The better ones allow for more rich rules like w