GUI Networking Technology

What Is the Future of Firewalls?

Posted by kdawson
from the engine-block-goes-in-front dept.
jlmale0 writes "When I mess with my WAP/router at home or coordinate with the network team at work, it seems like I'm stuck in 1995. We're still manually listing IP address/port combinations for our firewall rules. There's a certain simplicity to this when dealing with a single system, but there are firewalls everywhere these days. What's available for managing complex firewall arrangements? What's being developed? Can I take a Visio diagram, run it through a script, and get a list of firewall rules? What about a GUI that illustrates the current system configuration and then lets me drag and drop systems across firewalls, and have the individual firewall ports automatically configured? What about tying a firewall into an authentication system so that when jdoe logs in, only then are the firewalls opened to pass her traffic? What about managing distributed firewalls so that one repository of rules opens up your system's firewalls, the DMZ firewall, and the public firewall all at once? Let's get a conversation started. What cool projects do I need to know about? What cool management features would you like to see? What's next for firewall management?"
  • by bsane (148894) on Monday April 19, 2010 @07:51PM (#31904784)

    When you finish your MBA- it'll all become clear.

    • by RobDollar (1137885) on Monday April 19, 2010 @07:52PM (#31904800)

      Do you get a free Belkin 54g with your MBA?

      • by NemosomeN (670035)
        Yes sir, couldn't get it working properly at first, but I dragged and dropped it outside the red box, and it seems to be working. Problem solved!
      • What about tying a firewall into an authentication system so that when jdoe logs in, only then are the firewalls opened to pass her traffic?

        Novell was doing much of what the OP was asking for, back circa 1997, with their BorderManager product.

        Unfortunately, Novell always seemed to have the evil MBAs running the company [is there such a good MBA?], and, the last I heard, BorderManager was allowed [decreed? required?] to wither on the vine.

        But BorderManager, as originally envisioned [and it was a hellu
    • Re: (Score:3, Interesting)

      by x2A (858210)

      I don't have a one-of-those, I just have my scripts call iptables :-/ it's not as flash as drag 'n drop, but I tried programming a virtual usb mouse to automate clicking things on the screen when things happen, but while trying to write the detection software that tells it to click certain rules when somebody plugs their computer into the network, which was detected by pointing a webcam at the network switch to watch when lights came on/off, my head fell off. Turns out, I needed my head on.

      • by bds1986 (1268378)

        when somebody plugs their computer into the network, which was detected by pointing a webcam at the network switch to watch when lights came on/off

        You seem to be going to a lot of trouble to avoid using SNMP ;) .

      • by dudpixel (1429789)

        how was the resulting game of Marco-Polo? fun?

    • by Kjella (173770)

      When you finish your MBA- it'll all become clear.

      After some cost/benefit analysis on the ideas above, I think yes. It's not going anywhere.

    • Re: (Score:3, Interesting)

      by rwa2 (4391) *

      When you finish your MBA- it'll all become clear.

      After I got my MSSE (I guess the MBA for Nerds, though I didn't realize it at the time), I figured that was because all firewalls were supposed to be rendered obsolete and unnecessary by IPv6. Which explains why we're still stuck in 1995.

      So yeah, this is the answer, this is the ending. I shall drive without license, without clothing, without direction, and if I make it to Arkansas fine; if I'm running late; if I'm running a numbers game, it doesn't matter, I'll keep on running! Because a body in motion t

  • Damn you spam Mongolians [youtube.com]!
  • Did anyone play Borderlands for the PC? Remember what a nightmare it was to get multiplayer working on that thing? uPnP sorts out some bits, but having a file that you can upload to the firewall to configure that would be nice. There are scores of profitable websites out there that will walk you through how to configure your router for bit torrent -- clearly there's a need for Something Better. If not config scripts/files, then something else.

    I still can't host Borderlands multiplayer games.

    • by Kizeh (71312)

      And how much of this had to do with NAT rules rather than firewalls?

      • by elronxenu (117773)

        NAT or no NAT - any protocol which requires connections be accepted on varying port numbers is going to cause problems. Examples - SIP, BT, most IM protocols for file send.

        Best is if there's a netfilter module for the protocol; it can watch the traffic and open up holes dynamically for related connections.

      • by PitaBred (632671)

        What, you mean NAT isn't a firewall?

        There are a ton of people who don't know enough to know what the actual problems are. Hosting a Borderlands server would be trivial on IPv6, removing NAT, and you would still be able to have a firewall.

    • by Aranykai (1053846)

      Try hamachi. Free, incredibly easy VPN software. Me and friends host borderlands all the time and never have any trouble at all.

  • by seawall (549985) on Monday April 19, 2010 @07:58PM (#31904858)
    A wise wise network engineer at UW once showed me the following diagram several years ago:

    INTERNET -> PORT80, PORT443

    His point being more and more is routed through ports 80 and 443 in an effort to avoid firewall restrictions. I often think he was right. Consequences for firewalls left up to reader.

    • by bersl2 (689221) on Monday April 19, 2010 @08:10PM (#31904988) Journal

      Shouldn't it be INTERNET <- PORT80, PORT443? You're talking about outbound traffic firewalling, right? Inbound is explainable by the limitations imposed by NAT.

    • I've been contacted by several Internet security product vendors recently (after I attended a free network security conference in town). The "in" thing right now seems to be selling "security appliances" that can intelligently sniff traffic on port 80 or 443 and discern what's actually going through. Of course, right now, they seem to be trying to sell these as additions to your environment, rather than replacements for existing traditional firewalls ... but it's only a matter of time before it all gets r

    • by BitterOak (537666)

      A wise wise network engineer at UW once showed me the following diagram several years ago:

      INTERNET -> PORT80, PORT443

      Actually, it's more like: INTERNET -> PORT22, since just about anything can be sent through an ssh tunnel. And the encryption makes most types of deep packet inspection impossible.

      • Re: (Score:3, Funny)

        by Crackez (605836)

        BitterOak's Sig:
        "If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?"

        No, you can be modded up for being a Unix Sysadmin, Unix Developer, or M$ hater. All of the others you mention are downward.

      • Re: (Score:3, Interesting)

        by Stray7Xi (698337)

        Actually, it's more like: INTERNET -> PORT22, since just about anything can be sent through an ssh tunnel. And the encryption makes most types of deep packet inspection impossible.

        You missed his point which wasn't about the protocol, but the port being used. If you use port 22, it'll be blocked many places because they don't want to allow you to ssh. If you use port 443 it'll be allowed since https is "necessary", even if you're using 443 to carry your ssh traffic. What's sad is seeing other services move to 443 to be more accessible. Most usenet providers offer SSL encrypted NNTP on port 443 [giganews.com] (despite having an RFC port specifically for nntps).

        But it is much harder to block if th
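    The point of the exchange above is that a port-based rule cannot tell HTTPS from SSH carried over 443; the appliances mentioned earlier in the thread look at the payload instead. The following is an added illustration, not code from any commenter, of how little is needed to do that for the plaintext-prefixed protocols: TLS, SSH and HTTP all identify themselves in the first bytes the client sends. The sample flows, addresses and payloads are constructed for the example.

```python
"""Port-independent protocol identification from a client's first bytes.

Added example (not from the thread). Flows are constructed; addresses are
from the 192.0.2.0/24 documentation range.
"""

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")


def classify(first_bytes: bytes) -> str:
    """Return 'tls', 'ssh', 'http' or 'unknown' for the start of a client stream."""
    # TLS: record type 0x16 (handshake), record version 0x03 0x00..0x04,
    # and the first handshake message at offset 5 is ClientHello (0x01).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04
            and first_bytes[5] == 0x01):
        return "tls"
    # SSH (RFC 4253): the identification string is sent in the clear
    # before any key exchange, so tunnelling SSH over 443 still shows it.
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


# What a port-only rule assumes is running on these ports.
EXPECTED = {80: "http", 443: "tls"}


def find_mismatches(flows):
    """flows: iterable of (src, dst_port, first_client_bytes).

    Returns (src, dst_port, seen_protocol) for every flow whose payload is
    not the protocol the port suggests.
    """
    out = []
    for src, port, data in flows:
        seen = classify(data)
        want = EXPECTED.get(port)
        if want is not None and seen != want:
            out.append((src, port, seen))
    return out


# Constructed sample payloads (first bytes of the client side only).
TLS_CLIENT_HELLO = bytes.fromhex("1603010200010001fc0303") + bytes(32)
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

SAMPLE_FLOWS = [
    ("192.0.2.10", 443, TLS_CLIENT_HELLO),   # what 443 is supposed to carry
    ("192.0.2.11", 443, SSH_BANNER),         # ssh tunnelled over 443
    ("192.0.2.12", 80, HTTP_REQUEST),
    ("192.0.2.13", 443, HTTP_REQUEST),       # plain http on 443
]

if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_FLOWS):
        print("port/protocol mismatch:", hit)
```

    The caveat is the one BitterOak raises: this only works while the identifying bytes are in the clear. SSH wrapped inside a genuine TLS session (stunnel, sslh and the like) produces a real ClientHello and is indistinguishable at this layer without terminating the TLS session on the appliance.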

  • Google's capirca (Score:3, Interesting)

    by Anonymous Coward on Monday April 19, 2010 @07:58PM (#31904860)
    "Developed internally at Google, this system is designed to utilize common definitions of networks and services and high-level policy files to facilitate the development and manipulation of network access control filters (ACLs) for various platforms." http://code.google.com/p/capirca/ [google.com]
  • I don't have a lot of trouble with firewalls at home. I'm running a WRT54GL with Tomato (previously was using DD-WRT but I like the graphing in Tomato, and didn't need anything available in DD-WRT but not Tomato so I switched). This setup has given me no trouble (barring one stupid r/c game/simulator with networking that is a total mess and doesn't work properly with or without a router - and even that works intermittently). However I'm not doing anything too advanced with it.

    Once you do get to enterprise ne

    • Re: (Score:3, Interesting)

      by CAIMLAS (41445)

      Yes, there are those outside cases. However, consider how many scenarios can be easily covered with an "exceptioned template".

      Take iptables, for instance. It typically goes something like this: Deny all, do NAT/masq from the inside, do traffic shaping/QoS, and finally allow specific ports/do specific port forwarding. It's formalistic and not all that complex, once you understand it - and it's largely linear, with most of the scripts following the same basics.

      For 90%+ of scenarios, it would be easy to insti

  • I haven't looked, but I'm sure there's an iPhone app for that.

  • Feature, not bug (Score:5, Insightful)

    by RightwingNutjob (1302813) on Monday April 19, 2010 @08:14PM (#31905018)
    Anything that lets you automagically configure a firewall from outside of it is a potential exploit waiting to happen. Things that are stupid, slow, and require physical access are that much more secure.
    • Re: (Score:3, Informative)

      Only partially true. Physical access is, indeed, generally a security plus(though not a cure-all: if the inconvenience causes somebody to jury-rig their own remote access solution, you now almost certainly have a much less secure system than one that was designed for remote access in the first place. Also, just because the janitor earns 6 bucks an hour and no hablo ingles doesn't mean he can't connect a serial cable...)

      Slow and stupid, though, are dangerous. Humans have a tendency to make stupid, sloppy
    • by clintonmonk (1411953) on Monday April 19, 2010 @09:01PM (#31905388)
      Things that are stupid, slow, and require physical access are that much more secure... in bed.
  • by dn15 (735502) on Monday April 19, 2010 @08:18PM (#31905038)

    I think that firewall administration has been allowed to remain shoddy because most people who aren't gamers or server admins don't need to change the settings at all. Gamers are usually obsessed enough with playing that they will take the time to figure it out. And sysadmins, well it's their job to know how to do that stuff.

    This isn't an excuse for things being the way they are, but an explanation. Most people just vaguely understand that a firewall protects their computer, but they don't know any more than that and will probably never have to configure one. If the archetypal grandmother or joe six pack ever has a reason to manage firewall settings (unlikely) then an easy configuration tool will appear over night. Unless a widespread need arises, limited demand will translate to limited effort spent developing user-friendly tools.

  • 99% of what anyone needs in a firewall can be accomplished by an ISA2006 Server (reverse proxy and AD authentication) fronted by a Cisco Pix for port management.

    If you can get past that, then you deserve the goodies, IMHO.

  • They'll firewall it for you..

  • In a star trek world people would work well together but the money is made coming up with the next biggest and best product meaning you beat out the competitors. Working together often eliminates that huge profit margin one gets when they have the "best" tech for "this need". Open Source solutions are often (not always) designed from this viewpoint that "A collaborative effort will result in an ideal product with the motivation being profit profit profit".

    Add on top of that is that there are many things tha

    • You have a great point about "networking in the home being simple". Now let me remind you:

      There are problems connecting to nearly every game server through a router when a non-technical person is doing the connecting, because there's no standard way for the creators of the games to open up the correct ports; this is a simple thing the question asks, yet is still completely unaddressed by the guys making home routers. They could easily come up with a method to accept a small text file with the proper informa

      • by Kaboom13 (235759)

        There is, it's called uPnP. It sucks, terribly. It was made by a pack of gibbering idiots. Different vendors having dick sizing competitions managed to implement it in ways that are completely incompatible and broken. The home users stupid enough to really need it own cheap, shitty routers (often provided by their ISP) that implement it in a broken manner if it all. The users with better routers that implement it correctly all disable it, because the creators did not bother to include any sort of authe

      • by Todd Knarr (15451)

        For outbound connections, what's so complicated? My Linux gateway box, not to mention every NATting router I've seen, does it automatically.

        For inbound connections, again what's so complicated? I set up a firewall specifically so the outside world could not make inbound connections to my machines without my intervention to allow it. If I wanted it to be otherwise, I wouldn't've installed the firewall. You aren't asking for innovation, you're asking for the ability to completely circumvent my security. And n

  • I feel like things might be able to be simplified a little better if there were better use of certificates for authentication and encryption. Of course, that requires a better (free) method of managing and authenticating the certificates themselves.

    It might not have a lot of improvements in the realm of firewalls, but it might enable better/easier VPN and control over routing rules. Instead of dealing with IPs and MAC addresses, you could allow specific users and machines. Of course, I'm not sure how mu

  • by bsDaemon (87307) on Monday April 19, 2010 @08:37PM (#31905212)

    The BSD 'pf' packet filter is pretty good. There is even a FreeBSD-based project known as pfsense [pfsense.org] which you might want to take a look at, as it offers a pretty-much drop-in solution for packet filtering, as well as NAT, load balancing, VPN connectivity, etc. There is a web-based administration GUI as well. It looks pretty sweet, but I haven't played with it much in any serious deployment personally.

  • Cisco Security Manager does all that and more. The key features being Interface roles and ACL/device hierarchy.

    Obviously this is not opensource.

    • by sampas (256178)
      pfSense is great, but it does not scale to the level of Cisco Security Manager, which is enterprise ($$$) software to manage all the devices you already bought ($$$) from Cisco and paid more to support ($$$). CSM tracks changes and does workflow, too. I use both pfSense and Cisco almost every day. While CSM saves a lot of time, knowing how to configure which policies to share and how to share them is still complex and requires some thought. Cisco has a checkbox that will either limit all your user VPN tunne
  • UTM: unified threat management.

    Disclaimer: I work for a manufacturer of such devices.

    The better ones integrate with Active Directory and/or Kerberos to authenticate sessions, and do spam and virus scanning (using a quarantine server, if available).

    Some will even decrypt and reencrypt HTTPS traffic to check what's in it. (They resign the server's cert with their own CA cert that the user's browser has to trust -- in some environments, an intermediate CA cert can be imported signed by a CA cert that has alrea

  • by adosch (1397357) on Monday April 19, 2010 @08:49PM (#31905306)

    Characteristically, firewalls are simply just that: a barrier to entry into a restricted, trusted area unless you're allowed to do so. So I'm confused why I would, first of all, want something 'automagically' configured for me in an enterprise setting? There's a very good reason your network admins at your workplace highly scrutinise a single IP address: because it's important to your infrastructure, IT/perimeter security standards and business, and it's their job to. If they aren't at least, on a high level, asking you the 5 W's about why you need the rule(s) and you don't have answers, why should they even allow it?

    What about tying a firewall into an authentication system so that when jdoe logs in, only then are the firewalls opened to pass her traffic?

    That's what tiered firewall-VPN solutions are for.

    What about managing distributed firewalls so that one repository of rules opens up your system's firewalls, the DMZ firewall, and the public firewall all at once?

    Port knocking is pretty helpful in this, but can also bite your security-through-stealthy-obscurity right in the ass as well.

    Can I take a Visio diagram, run it through a script, and get a list of firewall rules?

    Visio diagrams are for documentation and suits. I couldn't hold any merit to that because firewall rules aren't just something you slap together (unless you're doing it for fun or at home or want Johnny Cracker hosting pr0n on an anonymous FTP on your computer at home). Flow-based solutions process rules in a top-down fashion, so it takes very good sets of eyes to develop rules that aren't going to be a liability, cause backdoors, trump existing rules and break security or flat out cause things to not work anymore in your production environment.

  • I smell marketing (Score:5, Insightful)

    by JoeBuck (7947) on Monday April 19, 2010 @08:54PM (#31905346) Homepage
    OK, jlmale0, are you working on requirements or marketing for a product in this space? You can tell us, it's OK.
  • Create a GUI interface using Visual Basic. See if you can track an IP address
  • I always forward a block of 100 ports to each active intranet IP on my network, with the first digits being the last octet of the IP.

    eg: 192.168.x.101 gets ports 10100-10199.

    Using this system, along with a domain server that will assign each machine a predictable IP, makes things a lot easier.
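    Three comments above describe pieces of the same thing: the capirca entry (network and service definitions plus a high-level policy compiled into platform ACLs), CAIMLAS's iptables template (deny all, NAT/masquerade from the inside, then the specific accepts and port forwards), and this 100-ports-per-host forwarding scheme. The block below is an added illustration written for this page, not capirca and not any commenter's script, of how small such a generator can be when the target is a single iptables box. Interface names, networks, hosts and the policy term format are invented for the example; the traffic-shaping step of the template is left out.

```python
"""Compile a small high-level policy into an iptables-restore listing.

Added example, not capirca and not any commenter's code. Definitions and
policy terms are symbolic; the output follows the order of the iptables
template described in the thread and uses the 100-ports-per-host scheme
for port forwards. Interfaces, networks and hosts are invented.
"""
from dataclasses import dataclass
import ipaddress

WAN_IF = "eth0"

# Definitions: names instead of raw address/port pairs.
NETWORKS = {
    "LAN": ["192.168.1.0/24"],
    "DMZ": ["10.0.10.0/24"],
    "ANY": ["0.0.0.0/0"],
}
SERVICES = {
    "HTTP": [("tcp", 80)],
    "HTTPS": [("tcp", 443)],
    "SSH": [("tcp", 22)],
    "DNS": [("udp", 53), ("tcp", 53)],
}


@dataclass(frozen=True)
class Term:
    name: str
    src: str         # key in NETWORKS
    dst: str         # key in NETWORKS
    services: tuple  # keys in SERVICES
    action: str      # "accept" or "drop"


def validate():
    """Fail early on a mistyped CIDR; strict=True rejects host bits set."""
    for nets in NETWORKS.values():
        for net in nets:
            ipaddress.ip_network(net, strict=True)


def term_rules(term):
    """Expand one policy term into explicit FORWARD rules (first match wins)."""
    target = {"accept": "ACCEPT", "drop": "DROP"}[term.action]
    rules = []
    for src in NETWORKS[term.src]:          # KeyError on an unknown name
        for dst in NETWORKS[term.dst]:
            for svc in term.services:
                for proto, port in SERVICES[svc]:
                    rules.append(
                        f"-A FORWARD -s {src} -d {dst} -p {proto} --dport {port}"
                        f" -m conntrack --ctstate NEW"
                        f" -m comment --comment {term.name} -j {target}")
    return rules


def port_block(host, width=100):
    """External port range for a host under the scheme: .101 -> (10100, 10199).

    Octets below 11 land in the well-known range (< 1024), so keep forwarded
    hosts above .100 as the original comment does.
    """
    last_octet = int(ipaddress.ip_address(host)) & 0xFF
    first = last_octet * width
    return first, first + width - 1


def forward_rules(hosts):
    """DNAT each host's block from the WAN side and permit the forwarded flow."""
    nat, filt = [], []
    for host in hosts:
        first, last = port_block(host)
        for proto in ("tcp", "udp"):
            # No port in --to-destination: the external port is preserved.
            nat.append(f"-A PREROUTING -i {WAN_IF} -p {proto} --dport {first}:{last}"
                       f" -j DNAT --to-destination {host}")
            filt.append(f"-A FORWARD -i {WAN_IF} -d {host} -p {proto}"
                        f" --dport {first}:{last} -m conntrack --ctstate NEW -j ACCEPT")
    return nat, filt


def compile_policy(terms, forward_hosts):
    """Return iptables-restore lines: deny all, state, terms, forwards, NAT."""
    validate()
    nat, filt = forward_rules(forward_hosts)
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",        # deny all by default
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # RELATED is what lets a conntrack helper (nf_conntrack_ftp etc.)
        # admit the dynamic ports of a tracked session without a static rule.
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for term in terms:
        lines += term_rules(term)
    lines += filt
    lines += ["COMMIT", "*nat"]
    for net in NETWORKS["LAN"]:
        lines.append(f"-A POSTROUTING -o {WAN_IF} -s {net} -j MASQUERADE")
    lines += nat
    lines.append("COMMIT")
    return lines


POLICY = (
    Term("lan-to-dmz-web", "LAN", "DMZ", ("HTTP", "HTTPS"), "accept"),
    Term("lan-out", "LAN", "ANY", ("HTTP", "HTTPS", "DNS"), "accept"),
    Term("dmz-no-ssh-to-lan", "DMZ", "LAN", ("SSH",), "drop"),
)
FORWARD_HOSTS = ("192.168.1.101", "192.168.1.102")

if __name__ == "__main__":
    print("\n".join(compile_policy(POLICY, FORWARD_HOSTS)))
```

    The output is meant to be reviewed (or diffed against the running ruleset) before it is fed to iptables-restore; the generator takes the typing out of the job, not the review that adosch argues for. Adding a second back end would mean another pair of term_rules/forward_rules functions emitting a different syntax, which is the vendor-independence problem morphage describes below.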

  • by morphage (62416) on Monday April 19, 2010 @09:17PM (#31905510)

    There are two problems with your question.

    The first is you may believe tools and diagrams will take the pain out of implementing and enforcing security policy. Network design is systems design. Diagrams are essential in communicating that a system meets the requirements to stakeholders and management who make budgets and can't visualize how improved security adds value. But firewalls and their associated diagrams are just one element of security. What about OS patches, authentication and physical security? You know that firewalls run software and software needs maintenance. Pointing to a well executed diagram won't save you from applying vendor software updates. Are your policies sane? Security tools are only as good as the policies they implement and the people who use them. Your tool may show you that you have correctly hidden an important asset from the outside world, but are all your assets protected? Does your organization give out VPN logins to unqualified users? Are you using a VPN? Can your services run over a tunnel? If your servers or services can be secured do you really need to block all ports and selectively open a few? Can any of your services take advantage of TCP Wrappers?

    "When you finish your MBA- it'll all become clear." is spot on. Perform a cost benefit analysis. Figure out how many hours at your rate it will take to cobble together some scripts or pay a developer for a custom tool. Then figure out how much it would cost to hire a qualified network engineer. Then figure out the cost of losing business due to denial of service or network intrusions. Then realize that you still probably need a network engineer to correct your diagrams and security policies after you use a custom tool. You can always do your own taxes and defend yourself in court, but can you afford to be wrong? Complex problems need people with specialized knowledge.

    The second problem is no tool programmer in their right mind would want to write a program to generate scripts from Visio. I'm a programmer, not a network guy, but like many programmers I've run Linux and OpenBSD development and webservers and done my best to keep them secure. I've also used Visio, and Visual Paradigm and some other very expensive commercial tools for creating UML diagrams. In less time than it would take me to figure out how to correctly draw something in Visio, I could have skimmed the man pages and the internet for the correct syntax required to write a rule in iptables or pf. Visio is not an intuitive tool for working in most domains. Adobe Illustrator with all its quirks makes more sense in comparison. If you want a neat toy or project, take a look at GNU DIA, or Argo UML and write patches to generate configuration files. Even if you are successful there is no standard operating system or vendor independent language for defining firewall rules. Don't ever expect to drag and drop a policy to migrate rules from a Linux based appliance to a Cisco router to a Juniper switch to a BSD based appliance. Cisco has made billions by locking in customers to their own standards. Linux and BSD are integrated into many firewall appliances but they also have their own version dependent quirks and special sauce from vendors.

  • by xianthax (963773)

    you should not be configuring a mission critical firewall.

  • "When I mess with my WAP/router at home or coordinate with the network team at work, it seems like I'm stuck in 1995. We're still manually listing IP address/port combinations for our firewall rules. There's a certain simplicity to this when dealing with a single system, but there are firewalls everywhere these days. Now, I don't like my job, and want to get paid in the short term to setup a system that will ultimately make my position redundant. My question to slashdot is: How do I make myself no longer re

  • by bl8n8r (649187) on Monday April 19, 2010 @10:23PM (#31905998)
    There are currently a number of applications being developed by DORKA which will allow PHBs to manage their own corporate firewalls from an Excel spreadsheet or Microsoft JET database. The applications are being developed from a usability standpoint rather than a security standpoint which allows all traffic to be allowed by default (IPv6 is ignored for simplicity because nobody understands it anyway). When the software detects a DDoS, Intrusion, or Security Breach in progress, it will send an email to the managing PHB and trigger a rule to route BLAME packets through Layer 8 instead. All there is to the interface is a red button marked "Easy", a yellow button marked "Out To Lunch", and a red button marked "WTF?". You should find it very exciting.