Tear Down the Firewall
lousyd writes "'What's the best firewall for servers?' asked one Slashdot poster. 'Give up the firewall' answers Security Pipeline columnist Stuart Berman. Through creatively separating server functions into different, isolated servers, and assigning them to a three tiered system of security levels, his company has almost completely eliminated the need for (and headache of) network firewalls. "Taking that crutch away has forced us to rethink our security model," Berman says. The cost of the added servers is greatly minimized by making them virtual servers on the same machine, using Xen. With the new security-enhanced XenSE, this might become easier and more possible. What has you chained to your firewall?"
Firewalls are such a band-aid solution to the problem of unknown processes running on your own computers. The right way to solve the problem of rejecting incoming and outgoing requests is to make it easy to see which processes are accepting and making connections on which ports.
Through creatively separating server functions into different, isolated servers, and assigning them to a three tiered system of security levels, his company has almost completely eliminated the need for (and headache of) network firewalls.
Not wanting to go what you went through.
But it is still more expensive than a software firewall in terms of resources. Do I really need that expense for my webserver? Not if I'm someone who's not collecting money or other personal data.
obviously, if you can rethink your security model AND keep up a well-maintained firewall, you will likely be better off :)
How hard can it be to do BOTH, not one or the other?
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
Let me try selling THIS to my boss, with the Cisco guys whispering sweet nothings in his ear about PiX Firewalls and all this wonderful "solution in a box".
Or is this another Flavor of the Month event?
Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo! http://goo.gl/J9bkO
only paranoid people use host based firewalls. the corporate checkpoint firewalls are enough network protection
Realistically, I'm not sure there is much more I can really do other than logging in and checking things out whenever I can (which is often).
It's worked well for me (so far), and I've had a server directly on the internet since 1999. I got hit with code-red on a server once.
By defining simple ACLs, we further isolate our backend servers.
Personally, I've never found ACLs as easy (or as flexible) as other firewall solutions. But in any event, ACLs are firewalls, call them what you will....
If you're not living on the edge, you're just taking up space!
It's one thing to give up the firewall if all you have behind it is servers. It's quite another to give it up if you're protecting user workstations. While it's certainly possible to carefully arrange your external services such that they are secure, it's really only possible if you have absolute control over every single device behind the firewall.
I was present at the XenSE meeting (that's me at the bottom of the list ;-) I'd like to clarify exactly what XenSE is and what it isn't:
What XenSE isn't:
* it's not Xen's "security issues team". It's not for patching exploits, etc.
What XenSE is:
* the "virtual machine monitor" equivalent of SELinux
* mandatory access control for virtual machines
- e.g. you might enforce some sort of information flow between virtual machines (e.g. "Top Secret" only talks to other "Top Secret")
* enforced from the very lowest levels of the system, so should be very trustworthy
The goal is that the complete XenSE system achieve a higher security rating than currently possible with SELinux alone. The initial prototype of the mandatory access controls has been supplied by IBM and is in the 3.0-testing tree right now. Fully achieving the project's security goals will take considerably longer (Xen 4.0 timeframe).
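The label-based information flow rule described in this post ("Top Secret" only talks to other "Top Secret") can be modelled as a tiny reference monitor. The following is an added example, not XenSE or Xen code: the domain names and labels are constructed, the `same_label_only` policy is the rule the post quotes, and the `no_write_down` lattice variant is an added generalisation of it, not something the post claims XenSE implements.

```python
"""Toy reference monitor for label-based information flow between VMs.

Constructed example (not XenSE or Xen code): it models the rule quoted in the
post, "Top Secret" domains may only talk to other "Top Secret" domains, and,
as an added generalisation, the usual lattice rule that data may flow to an
equal or higher label but never down. Labels and domain names are made up.
"""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# Ordered classification labels; the index gives the sensitivity (constructed).
LEVELS = ("Unclassified", "Confidential", "Secret", "Top Secret")


@dataclass(frozen=True)
class Domain:
    """A virtual machine as the monitor sees it: a name and exactly one label."""
    name: str
    label: str

    def __post_init__(self) -> None:
        if self.label not in LEVELS:
            raise ValueError(f"unknown label {self.label!r}")


Policy = Callable[[Domain, Domain], bool]


def same_label_only(src: Domain, dst: Domain) -> bool:
    """The rule the post quotes: traffic only between domains with equal labels."""
    return src.label == dst.label


def no_write_down(src: Domain, dst: Domain) -> bool:
    """Lattice variant (assumption): flow is allowed up or sideways, never down."""
    return LEVELS.index(src.label) <= LEVELS.index(dst.label)


class ReferenceMonitor:
    """Sits below the guests; every inter-domain message passes through decide()."""

    def __init__(self, policy: Policy = same_label_only) -> None:
        self.policy = policy
        self.audit: List[str] = []          # one line per mediated decision

    def decide(self, src: Domain, dst: Domain) -> bool:
        allowed = self.policy(src, dst)
        self.audit.append(
            f"{src.name}[{src.label}] -> {dst.name}[{dst.label}]: "
            f"{'ALLOW' if allowed else 'DENY'}"
        )
        return allowed

    def allowed_pairs(self, domains: List[Domain]) -> Set[Tuple[str, str]]:
        """Enumerate every permitted flow so the policy can be reviewed offline."""
        return {
            (a.name, b.name)
            for a in domains for b in domains
            if a is not b and self.decide(a, b)
        }


# Constructed fleet: web tier low, application tier in the middle, databases high.
DOMAINS = [
    Domain("web", "Unclassified"),
    Domain("app", "Secret"),
    Domain("db", "Top Secret"),
    Domain("db-replica", "Top Secret"),
]


def demo(policy: Policy = same_label_only) -> Set[Tuple[str, str]]:
    """Return the set of (source, destination) flows the given policy permits."""
    return ReferenceMonitor(policy).allowed_pairs(DOMAINS)


if __name__ == "__main__":
    for name, pol in (("same_label_only", same_label_only), ("no_write_down", no_write_down)):
        print(name, sorted(demo(pol)))
```

The point of putting the check in one `ReferenceMonitor` rather than in each guest is the one the post makes: the guests never see each other's traffic unless the layer below them says so, and the audit trail lives in that layer too.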
I know it's a rhetorical question, but let's say some script kiddie is trying a dictionary attack on ssh. The firewall will be useful to block that IP. Of course it is just _a_ tool, not _the_ tool for the job.
;)
I'm not giving up iptables anytime soon
I see 57005 people
I have some Debian Linux desktops and NetBSD/FreeBSD servers on my network, along with a 133 MHz Windows 2000 machine with 32 MB of RAM for compiling my source in MinGW. (I didn't want to put Windows 2000 on my 300 MHz PII machine, that is for my FreeBSD server). I can tell you that I need to keep my firewall. As a lazy admin, I can't worry about the adverse effects of not keeping up on the latest vulnerabilities on securityfocus. And no one should run a regular desktop machine (even Linux or *BSD) directly on their broadband connection. That makes it too easy for the malicious. I think ISPs should require all users have at least a software firewall. Maybe if you aren't a lazy admin like me, you can afford the risk of running your server without a firewall in between.
Powered by caffeine and sugar; BSD
- the roof is leaky
- you want to make your yard free of rain
- you own a number of houses, and want to ensure they will be free of rain even if the houses' caretakers are idiots
In other words, firewalls are of any use only if:
- you're defending a grossly insecure system (Windows?)
- you have unprotected communication on a network
- you want to enforce a policy
The tarp does nothing for a sturdy roof. There is no way to attack bare kernel (ok, ping of death), and firewalls do nothing to protect services which are already visible to the network. And if you want to use the firewall to block off unneeded services, why in the hell are you running them in the first place?
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Nooo, ACLs are Access Control Lists are ACLs. Firewalls are routers. Use each tool where applicable.
I agree that firewalls should not be implemented as a crutch in lieu of a good security model for your servers, but why not have that and a firewall. TFA makes a good point but most sysadmins who have any experience with good security already know it. Only run the services needed on the servers dedicated to those services.
But it seems to me that rejecting all other traffic with a firewall is a good added measure of security that can only improve the overall security of your setup. It also makes you less visible to attackers and wastes their time.
Brilliant! You can save money by sacrificing security! Now why didn't I think of that?
PCI, CISP, ISO 17799, and SAS-70 are just 4 reasons I have to have not one, but two firewalls. I have to say, I think it is overkill. Yet, I sleep well at night knowing that it should be much easier for someone to move on to another company's servers than to get through the layers of security put in place.
The premise is simple. Multiple layers. Sure you could probably build a box that is very difficult to get into, but do you really think anything is 100% safe? If somebody wants in, I have a belief that they will find a way. That is why you have multiple layers that a would be attacker must traverse. Have an IDS/IPS along the way, and monitor the logs.
Bottom line, is even with all this, it isn't 100%.
If I had my way, I would just use iptables on my outside machines and drop any packets I didn't like. But the powers at be have decided this isn't good enough, and so I have to jump through the hoops to make everybody happy.
So every server running an application has its own firewall? A network firewall was to do just that, but in a central place. Of course a good network hierarchy helps, but clients need to be able to connect to the servers, which is not in the proposed setup.
It's a rather sensationalist headline. He's not really ditching his firewall, he's replacing the one border firewall with multiple firewalls in the internal network, and is keeping the production environment isolated from the non-production (Office & Development) networks.
He removed the firewall between the Production Environment and the Internet, and is replacing it with several firewalls on the internal network. I count 4 firewalls-- One between the Webservers & Application server, a second firewall between the Application server and DB server, a third firewall between the production environment and non-production environments; and he discusses using ACLs to isolate subnets -- that's conceptually the same thing as a firewall.
But that's not a very new concept, and even with his plan, it still seems like you'd be more secure if you have an external firewall on the added network.
What's the harm in adding one more firewall and only allowing traffic on the HTTP port, HTTPS port and possibly VPN? It's cheap insurance just in case someone made a mistake and left some services running on one of the machines.
"Can of worms? The can is open... the worms are everywhere."
I'm running all kinds of crud on the intranet that I don't want exposed to the Internet, such as NetBIOS on Windows and some permissive SAMBA shares on assorted servers.
;)
So, the services are running so that I can use them from the inside (with any device on the inside, without mucking with ACLs, additional equipment aside from a switch, etc.) without having the services exposed to the outside.
Now, if you're running services which aren't being used by legitimate users at all...
Firewalls are still important in the entire security model. I do a lot of work on shared servers that host websites and have found a firewall can stop a lot of headaches. When some user's script gets compromised and a script kiddie goes to send out a DOS of some sort the firewall can block it. I have found that the firewall is more important for egress monitoring for this type of market but it is very valuable.
:)
While it is true people have the wrong image of a firewall they are still very useful when used correctly. Security is not just a single thing you do to a system but many different layers and the firewall plays into that field. It is also a lot easier to just block some script kiddie at a firewall if they keep trying to brute force a server. I think I am going to keep my firewall for a little longer
This article shows that the guy is now realizing that you also need network design besides only putting a firewall at the border and hoping it magically makes everything ok. He's quoting "innovative" networking designs, like
...except there are mentions of "Active Directory", so I guess not.
- Segmenting your network to
- Workstations
- Internal servers
- Internal databases etc (accessed by servers)
- DMZ
- Setting up stringent ACLs to only permit specific traffic between segments.
C'mon, this is pretty much elementary stuff. Any network admin should know to design his network like this even in small companies where you have 2 workstations and a single server.
Then he makes a claim that you don't need firewall because only things accessible to Internet (Workstations and stuff in DMZ, like your public website) are running secure OSs patched constantly. I guess they are running OpenBSD with default config then...
Only real "innovation" comes at the end: The article states that they are running some sort of IDS/IDP system in their network, presumably monitoring for any wormlike packets. This is nothing too interesting, anybody can set up Snort and have it running at your switch's monitor port. Only thing is that if it is running only as a logger, it cannot really react fast enough if one of your boxes gets infected with the latest worm from the completely unsecured Internet connection.
If it is running in some sort of transparent bridging mode, where it blocks those packets too on detection, it is pretty much like any...you guessed it...FIREWALL.
He DOES have a point on the fact that numerous applications require intelligent firewalls, the most basic case of course being active FTP. However, almost any commercial firewall (and Linux kernel iptables) supports numerous protocols. Most recent additions are SIP. P2P protocols are prominently missing so far, but I'm guessing that at least Bittorrent will be added soon (at least to Cisco IOS/PIX and Checkpoint).
Still, I wouldn't give too much credit for this article until he provides us with a detailed network diagram and more specifically states what are the exact benefits.
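The segmentation and "stringent ACLs between segments" design listed in this post can be made concrete with a small stateless ACL evaluator. This is an added example, not the article's configuration or any commenter's code: the four segments follow the post's list, but the address ranges, ports and rules are constructed for the demonstration.

```python
"""Stateless inter-segment ACL evaluator.

Constructed example, not the article's configuration: it models the segments
the post lists (workstations, internal servers, internal databases, DMZ) and
an ACL that permits only specific traffic between them, ending in a deny.
Address ranges, ports and rules are invented for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEGMENTS = {
    "workstations": ipaddress.ip_network("10.1.0.0/16"),
    "servers":      ipaddress.ip_network("10.2.0.0/24"),
    "databases":    ipaddress.ip_network("10.3.0.0/24"),
    "dmz":          ipaddress.ip_network("192.0.2.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str              # segment name or "any"
    dst: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches every destination port
    action: str           # "permit" or "deny"


# First match wins, as on a router ACL; the last line is the implicit deny made visible.
ACL: List[Rule] = [
    Rule("workstations", "servers",   "tcp", 443,  "permit"),  # users reach the app over HTTPS
    Rule("dmz",          "servers",   "tcp", 8080, "permit"),  # web tier -> application tier
    Rule("servers",      "databases", "tcp", 5432, "permit"),  # application tier -> database
    Rule("any",          "any",       "any", None, "deny"),
]


def segment_of(addr: str) -> str:
    """Map an address to the segment that contains it, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, Optional[Rule]]:
    """Return (action, matching rule) for one packet, with no memory of earlier packets."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for rule in ACL:
        if (rule.src in ("any", src) and rule.dst in ("any", dst)
                and rule.proto in ("any", proto)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action, rule
    return "deny", None   # unreachable with the explicit deny above, kept for safety


def audit(packets: List[Tuple[str, str, str, int]]) -> List[Tuple[tuple, str]]:
    """Evaluate a batch of packets and pair each with its verdict."""
    return [(pkt, evaluate(*pkt)[0]) for pkt in packets]


# Constructed traffic sample, including a database reply packet.
SAMPLE = [
    ("10.1.5.20", "10.2.0.10", "tcp", 443),    # workstation -> app server
    ("10.1.5.20", "10.3.0.5",  "tcp", 5432),   # workstation straight to the database
    ("10.2.0.10", "10.3.0.5",  "tcp", 5432),   # app server -> database
    ("10.3.0.5",  "10.2.0.10", "tcp", 40321),  # database's reply to the app server
    ("192.0.2.8", "10.2.0.10", "tcp", 8080),   # DMZ web server -> app tier
    ("192.0.2.8", "10.3.0.5",  "tcp", 5432),   # DMZ host straight to the database
]

if __name__ == "__main__":
    for pkt, action in audit(SAMPLE):
        print(action.upper(), pkt)
```

The fourth sample packet is the instructive one: the database's reply to the application server is denied, because a stateless ACL has no idea that the application server started the conversation. A real router ACL of this kind needs a mirror rule that permits established return traffic to ephemeral ports, and maintaining those mirrors is where "simple ACLs" stop being simple.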
...when you pry it from my cold, dead fingers.
i do concede, though, that my environments are such that the internal networks (and users) *are* trustworthy.
if i'm a grammar nazi, you're an illiteracy nazi.
But I certainly think it's the best practice. The principle is simple: Only allow access to things that people should have access to. That way, if something is accidentally set up that could be compromised, it's not a danger since people just can't get to it.
It's no magic bullet for sure, the services behind the open parts of the firewall have to be secure or it does no good, but it restricts the possible places an attack can occur.
The post proposes a pretty novel solution---maintain separate hosts for each server---but it seems really inefficient. I mean, Xen as I understand it will run full operating systems in each of its virtual domains, including separate kernels and whatever else the system needs running.
Why not just work with chroot jails? They accomplish the same thing---keeping things isolated from dangerous interaction with the rest of the system---but without the ridiculous performance overhead of running entire and discrete systems for each service provided.
This concept can largely be summed up as 'defense in depth'. You use multiple layers to defend that which you value the most.
Saying 'I have secured my OS, I no longer need a firewall' is like saying 'I have an airbag, thus I do not need this seatbelt'. One complements the other.
I hope VA Software Corporation (owners of Slashdot) got some cash for that blatant Novell advertisement.
As always the amount of security you deploy depends on the risk level you are willing take and the amount of work/money you are willing to spend.
At the organization I have we have NO firewall because it is designed as an environment for the deployment of services (videoconferencing, etc.) and users who need unrestricted network access to the outside world. The security policy is written so that the user is completely in charge of their system. If it becomes compromised and we find out about it...it's disconnected.
Networks rarely are compromised but the edge devices ARE. With the exception of some vulnerabilities in routers of late, networks do what they are supposed to do.
It's NOT network security....it should NOT be the job of the network to protect hosts from themselves. It's HOST security and the people in charge of the HOSTS are responsible. "Not my fault" you say? Windows is insecure? It's precisely this mindset which has isolated MS for so long and pushed the responsibility back on the network admins that have kept microsoft (and OS vendors in general) and application developers from being serious about securing their systems and applications.
They still have a DMZ. What they actually did is moved people's laptops and personal computers outside the firewall. The servers are apparently still locked down using "application-level" firewalls.
The idea is that people will be taking their laptops home and on the road and need to be secure in those conditions. If they have to secure the clients anyway, there's no point in maintaining two different configurations and they might as well assume all clients are on a hostile network all the time.
Even for servers. I don't know about anyone else, but I have services running on my server at work that I use internally that I don't want to expose to the outside world.
"You're not Stuart Berman, you're really social engineering expert Kevin Mitnick, and you almost tricked everyone into taking down their firewalls".
"And I would have gotten away with it if it wasn't for you nosey Slashdotters!"
I only run essential services - ssh, http, https, and secure imap. That's it. If you don't have any other services on the inet interfaces you don't need a firewall at all.
As others have already said, "why not do both"?
Without a firewall to block incoming-random-port traffic, client machines are still vulnerable to day-zero open-port vulnerabilities. Granted, a software firewall SHOULD prevent this but a second, independent firewall helps.
What this guy is doing is A Very Good Thing, but there's no need to turn off those external firewalls completely.
My rating of the original article:
Informative, but overstated.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
"This begins with separating our servers from our clients. We can do that now, thanks to layer-3 data center switches that allow for the low-cost creation of subnets. By defining simple ACLs, we further isolate our backend servers."
Oh so they eliminated their firewalls to go back a few generations and implement packet filter firewall... oops I mean access lists, I mean oh hell it's still a firewall just implemented in a different piece of equipment.
while I agree the border is going away and information and its integrity has to stand alone, he didn't write it very well by saying let's just do packet filtering..haha
> What has you chained to your firewall?
The fact that I can't rely on a program to so much as accept a name and password without risk of a buffer overflow exploit?
As a previous poster said, why not do both?
They've taken a nugget of insight, that the reliance on a firewall can make you sloppy, and built a whole mountain of security policy on it. Trouble is, that's upside down architecture.
Good security is about building up as many layers as you can that are easier on you than on your attacker. The goal isn't to be impenetrable, it's to look like too much work so the attacker goes away.
We have a firewall so that we CAN be a little sloppy inside if needed. It's the balance between security and usability. It doesn't mean you rely solely on the firewall. It means that the "firewall", which you should treat more like a window screen, is just another layer of defense.
And when everyone else has a firewall, your unfirewalled network stands out like a house with no window screens.
There is another big picture here, too. If everyone has a firewall, having one doesn't make you look like you've got something to hide. If only 1% of networks were protected, then your firewall makes you look suspicious.
So thanks, but quit telling people they shouldn't use a firewall. Some of them might take your advice.
Raise your children as if you were teaching them to raise your grandchildren, because you are.
Meanwhile, the clients sit in the clear. We protect them by boosting their immunity levels so that they can exist in harsher conditions. They run secure OSs, fully patched with current anti-virus protection. We assign each user a central identity, which is authenticated and validated before accessing the internal DMZ. We use central directories to manage identity privileges and PKI certificates. Existing systems, such as Active Directory, allow for low-cost private certificate authorities where PKI isn't well-established. We also log and monitor the activity and enforce acceptable application behavior.
Sounds like a pain in the ass to me...
Frankly, there's too many damn buzzwords.
Do both. Eliminating their firewall was just the motivation to do more comprehensive security work. That motivation should come from IT management, and self-interest in preparing a manageable system, rather than fighting fires. Every insecure part of a system should be secured. A firewall has a unique role in providing a good amount of cover for an entire organization for its cost. Especially valuable when making changes to security configurations, which might temporarily expose resources in the transition.
--
make install -not war
OK, I haven't read the article (I'm on Slashdot, after all), so maybe I misunderstood the article post (they are often misleading). What the hell is wrong with having multiple layers of security? That's what's been preached for years now, and it makes sense.
Of course one should strive for having one's servers secure enough to stand on their own in case someone breaks through the firewall, and also because attacks can come from within. You don't need to remove your firewall to do that, however; use your imagination! What happens if there's a flaw in the server's built in security? Bugs have been known to happen. Paranoia becomes a wonderful trait when you're dealing with network security.
So a firewall is that much extra work; boo hoo!
We apologize for the inconvenience.
I applaud these people for trying to limit the vulnerability of their systems and all, but my understanding is the more layers of security you have the better off you are. Updated servers/systems/applications, security policies, auditing, firewalls: if one thing breaks down (patch gets delayed being deployed) I'd rather have something to serve as a 2nd line of defense than not.
actually I am happy to see you, however that is in fact a banana in my pocket.
Helevius
If you run only secure services (latest versions/patches) as you should there is no need for firewalls anymore. Firewalls create only unnecessary overhead and latencies.
Unless we all move to IPv6, his proposal cannot be widely implemented, since it appears to do away with NAT and hence all "clients" must have their own routable IP address.
The real "Libtards" are the Libertarians!
Umm, a firewall is a set of security policies and a set of systems and procedures to implement those security policies. Where did it say that a network perimeter firewall is the be-all and end-all? Where did it say that each set had only one non-null member? Did I miss that?
I am starting a petition to tear down your firewalls all across the Internet. Please join us as we liberate these captive servers and spread security best practices all across the Internet.
Post a child-post to this post listing your Slashdot user-id and the subnet that your firewall has been removed from so that we can validate that you have indeed joined the revolution.
Ingolfke - 172.16.56.0/24
--
Bot-net for sale. Contact me.
that is blatantly an advertisement. Xen's PR person must be crying in happiness. Shame on you slash
Error: Id10t detected
when i first heard about firewalls a decade ago i thought "heh, that's a cool name for a lazy hack". the need for firewalls comes from the crazy overdesign of operating systems. seriously, how many people use the rpc or dcom functions of windows? or use linux rpc for much more than nfs?
for me, a gentoo box that hasn't been around or played with long enough to have servers i don't remember running on it is easily safe enough to put up naked on the net. true, i will echo icmp and a few other in-kernel protocols, but how many script kiddies (and really that's what most of us are hiding from, maybe enterprises have targeted attacks, or that geek whose sister you hit on) will go any farther than "sh apache_vuln_109123_kit.sh" and sit back?
btw, if you are being cased by people who targeted you, this strategy won't cover you that well, but neither will a half-assed firewall.
the word "firewall" really sounds cool if you don't know what it means, but it's a lot smarter to just not bind insecure servers to your outbound interface. a firewall is basically saying "i have no clue what's running on this box, so i'll just stop everything", which is fine, but for a serious production server that's not the right attitude to have.
for windows, or a specialized application that's hard to secure and/or uses a few ports, yeah it's the right solution. theoretically you could probably disable all the stupid services in windows to make a bulletproof box, but you'd still have patches and 0-day vulns to deal with.
do have to give this guy credit for the xenSE angle. someday when lizards rule the earth from their giant underground caves, and the mach kernel is usable natively for an os (i know osx, but that's more a hack), maybe we can have that kind of security in all computers without having to partition it into 5 different run-time images. i tend to say things like that about every 5 years, before i give up and get drunk instead.
ps. someone should make a process audit call that allows you to restrict userspace processes to given interfaces or bind addresses, so those little apps that are written to bind to ANY_ADDRESS are forced to a programmed one instead. even a post-fork, pre-exec type call would be nice, so all shell children are restricted. you could even have outbound servers running on one intf, and other people using firefox or other clients on another interface with different routing.
The first rule of USENET is you do not talk about USENET.
From TFA:
We can do that now, thanks to layer-3 data center switches that allow for the low-cost creation of subnets. By defining simple ACLs, we further isolate our backend servers.
So, in reality, he has not given up on firewalls, he has simply transitioned to a different firewall structure based on primitive firewalling. "Simple ACLs" are neither simple nor effective.
The other point is that yes, you can create all kinds of contrived security structures if that's how you want to spend all your time/resources (setting up and managing a contrived structure). But, most organizations can't afford to do that. Instead, they buy a commercial firewall, which allows a single person to manage the network controls as a small part of their job.
Also, a commercial firewall has support for a huge range of applications/protocols. The article kept mentioning the limits on applications when using a firewall. From this I would have to infer that he was using a very poor firewall solution in the past (simple router ACLs?, one-way NAT gateway?, stateless firewall?)
I admit that the hosts.files are much better in general, but I guess you could use both methods for an extra layer of security.
Escher was the first MC and Giger invented the HR department.
# Default-deny in all three chains; everything below is an exception.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
# Loopback traffic is always allowed.
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A INPUT -j ACCEPT -i lo
# Outbound: new connections from this host, plus their replies.
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Inbound: only packets belonging to connections this host already opened...
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ...plus new TCP connections to ssh.
iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT --dport 22
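What the two `--state RELATED,ESTABLISHED` lines in the ruleset above buy you is easier to see by replaying a packet trace through a model of it. The following is an added example, not iptables code and not the poster's: it tracks NEW and ESTABLISHED flows only (RELATED, meaning ICMP errors and helper-tracked protocols such as FTP data, is not modelled), and the host address, peers and ports are constructed.

```python
"""Simplified model of the posted iptables ruleset with connection tracking.

Constructed example, not iptables code: it replays packets through the two
chains in the order the rules were appended, so the effect of the
"--state RELATED,ESTABLISHED" lines becomes visible. RELATED (ICMP errors,
helper-tracked protocols such as FTP data) is not modelled; only NEW and
ESTABLISHED are. Addresses and ports are invented.
"""
from typing import List, Set, Tuple

Flow = Tuple[str, str, int, str, int]   # proto, local ip, local port, remote ip, remote port


class HostFirewall:
    def __init__(self, ssh_port: int = 22) -> None:
        self.ssh_port = ssh_port
        self.conntrack: Set[Flow] = set()   # flows in state ESTABLISHED

    def output(self, iface: str, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        """OUTPUT chain. --policy OUTPUT DROP would apply if nothing matched."""
        if iface == "lo":                          # -A OUTPUT -j ACCEPT -o lo
            return "ACCEPT"
        # -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
        # Every outbound packet is either NEW or part of a tracked flow, so it is
        # accepted; a NEW one creates the conntrack entry that lets the reply back in.
        self.conntrack.add((proto, src, sport, dst, dport))
        return "ACCEPT"

    def input(self, iface: str, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        """INPUT chain. --policy INPUT DROP applies if nothing matches."""
        if iface == "lo":                          # -A INPUT -j ACCEPT -i lo
            return "ACCEPT"
        if (proto, dst, dport, src, sport) in self.conntrack:
            return "ACCEPT"                        # --state RELATED,ESTABLISHED
        if proto == "tcp" and dport == self.ssh_port:
            self.conntrack.add((proto, dst, dport, src, sport))
            return "ACCEPT"                        # NEW tcp to --dport 22
        return "DROP"                              # --policy INPUT DROP


def replay(events) -> List[str]:
    """Run ("in"|"out", iface, proto, src, sport, dst, dport) events through one firewall."""
    fw = HostFirewall()
    verdicts = []
    for direction, *pkt in events:
        verdicts.append(fw.input(*pkt) if direction == "in" else fw.output(*pkt))
    return verdicts


HOST = "203.0.113.5"   # constructed address of the protected host

# Constructed packet trace.
TRACE = [
    ("out", "eth0", "tcp", HOST, 40000, "198.51.100.7", 443),        # host opens HTTPS to a remote
    ("in",  "eth0", "tcp", "198.51.100.7", 443, HOST, 40000),        # reply: ESTABLISHED, accepted
    ("in",  "eth0", "tcp", "198.51.100.9", 5555, HOST, 80),          # unsolicited web probe: dropped
    ("in",  "eth0", "tcp", "198.51.100.9", 5556, HOST, 22),          # new ssh session: accepted
    ("out", "eth0", "tcp", HOST, 22, "198.51.100.9", 5556),          # ssh reply: accepted
    ("in",  "eth0", "tcp", "198.51.100.9", 5557, HOST, 5432),        # database probe: dropped
    ("in",  "lo",   "tcp", "127.0.0.1", 50000, "127.0.0.1", 3306),   # loopback: accepted
]

if __name__ == "__main__":
    for event, verdict in zip(TRACE, replay(TRACE)):
        print(f"{verdict:6s} {event}")
```

The second event is the one a stateless packet filter cannot express without a mirror rule: the HTTPS reply arrives on a high port and is accepted only because the host's own outbound packet created the conntrack entry. That is the difference between this kind of host firewall and "simple ACLs" on a switch.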
> assigning them to a three tiered system of security levels
I'm curious what the justification for a 3-tier system is. Why not 2 or 4? If it's arbitrary then it may be worse than what they're trying to fix.
> The cost of the added servers is greatly minimized by making them virtual servers on the same machine
But then an attack on one virtual server for a particular functionality takes out all other virtual servers on that machine? How does this fix anything?
> With the new security-enhanced XenSE, this might become easier and more possible.
If I had a dollar for every time I've read about a new OS that is "vastly more secure" than anything else... and it still gets hacked.
> What has you chained to your firewall?
How about the ability to control, monitor, and filter traffic through an external border point? And isn't most DOS-resilient software written for the firewall-type application?
Not replying to the article as much as the original poster... ;-) But it sure limits the amount of work I personally have to do, compartmentalises my systems, and allows me to sleep at night.
My personal system, which I and only I manage, does quite well w/o a firewall. I built it, I hardened it, I only run those services that I need, and I am the only one who could do something stupid to it. I am on it daily, and KNOW what is and isn't going on with it.
My corporate systems (250+ Windows, Linux, and Solaris servers providing various services to the Internet, with over 100 various 3rd party VPN or leased line connections from customers, vendors, etc, with six different T3 Internet pipes) are managed by various people, from geniuses to newbs whose grasp of English comes from reruns of Friends! I can dictate what is to be done/not done on my environment, but not the customers' or vendors'. Sure, I can ask, but I cannot enforce. I cannot keep anyone from doing something stupid to the servers, I cannot personally verify the configs/revisions/patch levels/etc., so I use multiple PIX 535s at each connection point to make sure that even if they DO do something stupid like turn on anonymous FTP with write, I don't get a 4am phone call wondering where all the disk space went, or a Cease and Desist from the RIAA. Does that make me invulnerable? Hell NO! (hence, I am posting as A/C since I don't want to invite problems
Before everyone starts posting "I've been doing that for ten years" and "of course, firewalls are teh suk", let me say that while TFA does make some good points (about "perceived safety" of firewalls), I still do not see any way that its conclusion would be correct.
First off, redundancy in security is good. You want multiple layers of security. It does not make sense to remove a layer just because you installed a different (non-overlapping) mechanism in place.
Second, firewalls are a policy enforcement mechanism, and a single point of control. Under stress it is much easier to control access from a firewall than the eclectic mix of machines behind it. The point needs to be made that while securing each machine is a good idea, that should not be done to replace the firewall.
Visible services can't be assumed to be bulletproof. Compromising the frontend machines can result in them becoming rogue agents (DDOS and whatnot). Firewalls attempt to mitigate this risk by blocking outgoing access and thus rendering the network less useful to the attacker. Without a firewall, well...
The network of machines is secure today, after a lot of careful design work. Is it stable ? Will it still be secure after the next site upgrade ?
While more complex systems can occasionally be more secure by their inherent obfuscation, verifying such systems from the inside is also difficult, but manageable given the manpower. When the security components are mutable though (they are OS services and custom software which are upgraded often), the complexity of the system works against us, making it that much harder to verify that all the combinations still result in a secure system. Not to mention that the machine verification involves application-level checking which is either laborious or impossible for the network admin to do.
From TFA: Meanwhile, the clients sit in the clear. We protect them by boosting their immunity levels so that they can exist in harsher conditions. They run secure OSs, fully patched with current anti-virus protection.
So our definition of a secure OS is Windows (what other OS needs to have "current anti-virus protection"). That sure explains a lot. I suppose those machines wouldn't happen to have the firewall enabled, would they ?
I have a windows 2000/apache server on my cable connection which is behind an IPCop firewall. One day some retard from Infection Group used an exploit in phpbb to change the index page on my board. What this retard did was post this onto a hacked website db and stated that the "owned" box was running Linux (eh referring to the IPCop box)
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
His "new way of thinking" isn't new at all. Many large corporate networks are set up the same way - you have clients on one segment/group, servers on another, and Internet-accessible on another. You filter between the networks.
Not sure how he can say they "gave up" the firewalls - if it's a router doing filtering or a special "application firewall" (whatever the difference is) it's still doing *firewalling* and thus still needs to be managed.
He never really mentioned that they removed any firewalls, really. There's going to be packet filtering for the client machines, be it in the form of NAT or whatever. I'm sure they don't want people using Bittorrent all day, so they're going to lock it down. And that requires firewalls.
You can pretend that your firewall isn't a firewall but if it's blocking packets, it's one.
- It's not the Macs I hate. It's Digg users. -
Think cake and you'll understand. A 3 layer cake is always better than one.
Never let oneself get tricked into thinking that one big layer of defense will keep them out. The French frogs built the Maginot Line and look where it got them.
The best defense is not showing the world that you have the systems in the first place. Hostmasking, IP shrouding, wrecking the IP tables to the point where a hacker only winds up either getting rerouted or dev/null.
The 2nd layer is securing the LAN. Standard firewalls on every system are excellent if the 1st layer is breached.
The 3rd layer is terminal access. The usual workstation security applies here. Rotating passes, biokeys, magcards, or a combination of any. One-time pads are nice too.
Keep the scriptkiddies and hackers on their toes by changing the security infrastructure around. Don't get complacent.
How good is your security? How much do you have in your budget to invest in? Keep beating the PHBs and their ilk over the head when it comes to security. Don't let them think that they are safe, for every network is like a glass house.
First rule of holes; When in one, stop digging.
Two words: Regulatory Compliance. Thanks to standards like CISP (the Visa security standard), SAS-70 (the accounting standard) and HIPAA (the medical privacy standard), firewalls are mandated for many US businesses, even small ones.
At my last company, we didn't have a firewall on the website, because my philosophy was "I'm running port scanning to make sure 22, 80 and 443 are the only ports listening on the boxes - why should I put a firewall in front of it to only let those ports through?"
Unfortunately, now, if you don't have a firewall, you're not in compliance. It's simply a cost of doing business - the security concerns are completely irrelevant.
Obviously, you should be building your networks so they would work without firewalls - that's a lot more secure. But, unfortunately, you can't just throw the firewalls out even if you don't need them.
with having to maintain a firewall? I don't really see why that's such a chore that it's worth the risk of eliminating. Sure, it's only perimeter defense, but depending upon an operating system to defend itself from outside attack just seems risky. The more layers a cracker has to peel back to get at the juicy insides of your server the better.
The higher the technology, the sharper that two-edged sword.
Change is Good... ... You go first.
That makes a firewall very convenient for getting stuff done at work like important applications named "kazaa", "napster", and various pr0n downloaders, etc when the IT staff decides that firewalls are the approach your company is taking to provide "security".
If these admins didn't rely so much on such firewalls, I'd have to do my kazaa & pr0n browsing from home or something.
He probably doesn't believe in parachutes, condoms, or car insurance, either.
He almost learned an important lesson: layered security is the solution, multiple tools and mechanisms are the solution. Instead, somehow he's managed to bastardize the whole thing and now he's encouraging stupidity. Any chance he'll stake his career on this network's security? I'm betting he won't even stand behind it.
So his network clients can be port scanned, but the servers are in a DMZ that must be authenticated into. The advantage is that a user can now run all kinds of specialized apps that need open ports, and the admin can avoid micromanaging regulations based on specific client needs, but it opens a whole other can of worms.
Maintaining a 100% secure client OS and specialized applications aside, if a user were to download a malicious program or visit a malicious page with a new IE exploit, couldn't his authenticated computer act as a gateway to the DMZ portions? But I guess this would happen in the case of a firewall anyway.
Now the thing is if the user takes advantage of this and starts running applications that open ports, he no longer has to be lured into running a malicious program, he just needs to be running an exploitable program. It seems that this would make it easier for an attacker to compromise a pre-determined target, simply by scanning around rather than luring an actual person.
Of course the upside would be simplified management, because certain applications that were considered too "fast and loose" before are now ok. But systems aren't so secure that once you pry into even a lower privileged client, that you won't be able to somehow escalate those privileges and access the DMZ server farm. As soon as you break into a client, local exploits come into the playbook, and it only gets easier at that point, unless your local OS and internal network authentication are uncrackable.
That would be a tall claim, as any user input into the network authentication system can be recorded and played back via a locally compromised OS. From there, authenticate into the DMZ and look for local server exploits. Am I missing something?
I realize he is weighing the risks and benefits, but the risks here seem too high, especially with users allowed to run network applications that take inbound connections. Any compromise there could open the machine and network to the world of local exploits.
And if you have processes running and listening on ports that you don't want or need, why are you running them?
Because the operating system that you run is incapable of turning them off, and no other operating system is compatible with a mission-critical application or hardware device?
...that was asked "...What has you chained to your firewall?"
I'd just like to say:
I'm chained to my firewall because I'm not running a server farm, but a simple LAN for my desktop and my WiFi laptop here at home, while trying to keep the code-kiddies out of my hair.
I'll keep my firewalls, thankyouverymuch!
--
Tomas
But the port is already closed, so the firewall's just a waste of processing power and/or money
A firewall often provides network address translation, reducing the number of machines that are visible at all to the outside world.
Hear, Hear!
192.168.42.0/24.
if you really want to check my root password is "hotdog"
Let my packets go!!!
The first rule of USENET is you do not talk about USENET.
This type of network layout (defense in depth, rather than perimeter) is quite common in military (DoD) networks. Outside connections must terminate in an untrusted zone (i.e. on a webserver), firewall rules allow specific systems in untrust (like the webserver) to talk to specific systems in semi-trust (i.e. app servers), and separate firewalls allow specific systems (i.e. app servers) in semi-trust to talk to specific systems (i.e. database servers) in trusted. Separate firewalls between each zone (usually of different manufacturers, to limit vulnerability) provide high security and mean we don't rely on any 'ring' of security.
Microsoft Windows ....
But education of the end user in better security practices isn't one of them...these people are not doing something smart..they've just figured out another way to do it and frankly I think it's the wrong way...You have multiple app level firewalls, PKI, AD, the internal DMZ..oook....all this rather than keeping things patched and using a single point of configuration in addition to that stuff is easier my byte.
So once you get yourself a box to do NAT, then you've got 95% of your firewall already built. Just start tweaking it a little to deal with the stuff that you want to be able to come in, maybe add another interface if you want a DMZ, etc.
What I can agree on, though, is that you shouldn't be spending much time or money on a firewall -- a firewall shouldn't be a big deal. If you're spending serious money on it, then some vendor has conned you.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Sounds like overkill to me. I prefer to just minimize things a little bit.
Because their crappy zealot code is so damn shitty. Like linsux? Eat a dick for torvalds!
What has you chained to your firewall?"
I ain't chained nothin' to my firewall. That would be a fire hazard.
This has to be the first article I have seen which advocates more overhead and fewer levels of security. If anything it would make a network LESS secure. A firewall makes a machine less visible to the outside (that's a good thing), and MORE likely for a script kiddie to skip over in favor of an easier target.
-Joey
Nice advertisement.
There is a war going on for your mind.
I've argued for ages, often on deaf ears, that firewalls should be unnecessary; they really are just hacks to dodge around buggy TCP/IP implementations or configurations. Get the stack solid, and allow it to be configured properly and easily, and a firewall is moot. I'd love for these to be some ancient mythology that I tell my grandchildren about...
Love many, trust a few, do harm to none.
I don't think I've used a firewall on anything other than RH systems for a long time; I only use it there because it's sooooo easy to setup.
I simply see them as a just in case I turn on some service I didn't really want; and it keeps other people from turning on services I didn't really want (usually).
The servers and their respective applications sit in their own DMZ, protected by an Application-layer firewall. We organize servers into three tiers: The first tier consists of presentation servers such as Web and e-mail servers--these are the only servers accessible to end users. The second tier, made up of application and middleware servers, is in turn only accessible to the presentation servers. Finally, the third tier, consisting of the database servers, is only accessible to the application and middleware servers.
Right.. so I own your webservers with an exploit like I've been doing for years...then I tunnel from the webserver to your application/middleware servers.
What have you done here? NOTHING!
All through TFA he didn't once mention VLAN. That is a sign that he doesn't know a damn thing he's talking about..
n/t
The Doormat
If you're not outraged, then you're not paying attention.
Keeping all in the same server just makes it easier to use those good ol' 0dayz exploits. Hey, they all run the same architecture! What happened to multi-level firewalling?
With the rampant popularity of virtualization techniques, sooner or later will be found some security breach on it.
Also, having all your eggs in one basket will increase the possibility of you losing 'em all, for example, hardware failure.
[...] firewalls are of any use only if: [your server farm has one of this set of problems]
Beg to differ.
Firewalls unload the server from spending cycles on filtering rules and memory on surviving DDoS attacks, just to name two functions.
If the servers must do their own filtering, and you have enough load that you need more than one to get everything done, offloading the filtering to a separate machine means that you need fewer servers. The gain is not linear, either: keeping multiple servers synchronized (especially those changing database state due to the transactions they serve) is an extra load, which becomes a lower fraction of the transaction cost when the server count is smaller.
Separating the functions also means that the machines can be specialized for their work - with, for instance, hardware acceleration for attack detection on the firewall - drastically cutting the box count. Putting all the eggs in a single basket means accelerators get less usage, since they're used only for a fraction of the machines' load. Meanwhile you need more accelerators to put one on each machine - or you're stuck with using a GP machine to do the work, at much lower efficiency and a much higher box count.
Accelerators may only be available for appliance firewall solutions, not for upgrading a machine optimized for database handling or other server tasks.
If you have a license fee for the server software, having more servers means more licenses to buy. Another cost savings from specialization - this time a big one. If both the server and firewall software is licensed you have to have licenses for BOTH on ALL machines, rather than one or the other on each machine.
If you need content filtering against specific identified attacks, you need a service from a specialist organization, to track new attacks as they arise and upgrade the filtering functions. You don't want an outside house tweaking the machines which contain your own proprietary data.
Separate machines also means separate software. The firewall software can be written by people focusing JUST on secure and efficient firewalling, the server software by people focusing on efficient transaction service. Do a combined box and your firewalling functionality is just one of a bundle of functions being handled by a software team - in the server and/or the supporting system. (You only have to look at Microsoft to see the level of security produced by the latter approach.)
I could go on. But any one of the above points, by itself, shows an advantage for the separate firewall/server approach in a commercial scale, commercial grade, service. Combine them all (and others I haven't mentioned) and the argument is compelling.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I have heard this guy propose his nonsense in person. This is a classic case of throwing the baby out of the bathwater; his proposition summarizes as "firewalls aren't a silver bullet, so they're worthless."
He proposes that we secure all individual boxes, which is umpteen times more difficult, more time-consuming, and less secure.
He's not an innovator; he's a contrarian.
I, for one, welcome our new Antichrist overlord.
Why is slashdot.org asking my webserver for "GET http://it.slashdot.org/ok.txt HTTP/1.0"? *tinfoil hat* Trying to compile a list of relaying http servers?
home
Check out the Jericho Forum - a group of major companies who also recognise that the role of the network perimeter firewall is becoming less relevant and an obstacle to business demands:
The Jericho Forum is an international forum of IT customer and vendor organisations who recognize that over the next few years, as technology and business continue to align closer to an open, Internet-driven world, the current security mechanisms that protect business information will not match the increasing demands for protection of business transactions and data in the future. Existing perimeters are full of holes. The 'walls' are crumbling. Managing the problems using today's security solutions is increasingly expensive and time-consuming.
A new approach is needed, to move from the traditional network perimeter down to the individual networked servers and devices - and ultimately to the level of the data being sent over the networks. The Jericho Forum aims to drive and influence development of security solutions, based on open standards, that will meet future business needs for secure interoperation of information systems to support collaboration and commerce over open networks, within and between organisations, based on a security architecture and design approach which the Forum calls de-perimeterisation.
Next major meeting is in Sydney on September 8th - join in the debate!
Andrew Yeomans
Howdy
The July 4th, 2005 issue had an article similar to this one:
Are firewalls expendable?
Quote from the article:
"But a growing number of security managers, united under the banner of the Jericho Forum, want to retire this stalwart because they say it hinders e-commerce."
cheers
front
But if you log as much as you can afford of what gets past the firewall, you'll have a chance of catching the evildoers, or at least the ability to deny that your company was willfully engaging in spam/fraud/kiddie porn/etc.
Why not JUST relax and have fun (think) like the hackers and script kids!!
Be like a KID AGAIN!!
TOOO much emphasis is being put on things that stop small attacks, while not preparing for something major like a total (or mostly total) melt down of the net (eg a terrorist event).
High crimes by larger organizations and the government are more of a threat to businesses and individuals than the clowns we hear about all the time.
The obsession over remembering passwords, which has been bred into us all, is more time consuming and frustrating than any attacks yet.
After reading the first several comments, it became apparent that people can't even take the effort to RTFA!!
Where OH where does he claim to not use any firewalls?? Just the opposite, early in the article he clearly states that at least one is used (currently) with his little invention.
AHHHHND later on down he explains the reason for his experimenting.. and that is, that this obsession with firewalls and security in general, is more of a problem (threat, stagnation of implementing nu tec, etc) than the PUNKS out there trying to have fun.
Alternative InterNet access via shortwave (radio) over ip, WaveTop like programs (remember wavetop ;) extreme wireless nets, extreme Dns (where the masses control things more than the handful of scum that do now) & IP6 are just a few of the possible things people should look into which will help *secure* themselves for the crappola the *real* bad guys have in store for us poor earthlinks :)
I will gladly lose all of life's battles.. in order to win the war..
I don't trust *any* o/s to *never* be hacked - given that, it makes sense to make sure that *when* it is... the damage is contained...
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
What has you chained to your firewall?
Common sense. The fact that you've implemented a layer of security doesn't eliminate the need for another layer.
Why not just work with chroot jails?
Indeed.
FreeBSD jails provide about the same level of isolation as virtual servers for a fraction of the cost in disk space and virtually none in performance.
This whole scheme seems like a massive step backwards... do they sell blade servers?
Through creatively separating server functions into different, isolated servers, and assigning them to a three tiered system of security levels, his company has almost completely eliminated the need for (and headache of) network firewalls.
"Network firewalls" being dedicated perimeter firewalls. Regardless, these should add security. If firewalling is a headache for someone, they are using a crappy one or do not understand the issues and should be delegating that role to somebody who does.
Getting rid of perimeter firewalls and relying on application firewalls on each host is not going to avoid firewalling headaches. Having a firewall on each network is no different to having a single perimeter firewall, except that it adds complexity for little gain. The beauty of a dedicated perimeter firewall is that it should not be running any services and should thus be extremely difficult to exploit. Especially if it is a bridge firewall.
"Taking that crutch away has forced us to rethink our security model," Berman says.
I would not call a perimeter firewall a "crutch". We'll see if it's a crutch when an accessible service on a host is exploited, gaining administrative privs and leading to the local application firewall being turned off or configured in some way to mess you and your customers around and ease the hacker's further exploits.
I had a client who, one day, decided to become an ISP. Just like that! Threw away some money on some big cisco routers (purchased for almost nothing from a bankrupt dot.bomb) and bought a few 1U rackmount servers. They wanted me to set them up with a few internet feeds, BGP, and whatever else it takes to make the RIPE believe they were an ISP.
So I took a couple of servers, installed OpenBSD, and set them up as DNS+NTP servers. Hooked up the ciscos and got everything running. No problems at all.
A few weeks later, the client decides to take on a "security conslutant". He knows nothing, proves it by waving around his week old MCSE, and insists on putting firewalls everywhere. Not just any firewall, but windoze2000 based firewalls. Even the ciscos had to have a Win2k firewall between them and "the evil internet" on every port. Otherwise, how could the ciscos be protected from hackers?
I walked away from the insanity, told the client he could re-hire me when the M$ certified idiot and his auto-update-is-faster-than-any-hacker machines were no longer part of the network. A few weeks later, I got the call. They were asking me to explain why they were the laughing stock of all the ISPs, and why no ISPs seemed to have firewalls in their networks.
The Internet doesn't have firewalls in it. At the far edges of the Internet, there are firewalls to protect customer networks. The routers, servers and switches that make up the Internet don't have dozens of useless services running that can allow exploits. If an ISP is just running BIND on their DNS servers, they configure the application for secure operation. Don't want the whole internet to make recursive lookups? It's a few lines in some config files. Don't want your sendmail to relay? Don't use a firewall, just clean up your configuration. Every other useless service on your servers? Strip them off so they can't run. The security is in the applications, not in the firewall.
Sure, there are some ACLs in the routers that can clean up spoofed addresses, and limit garbage and bogons. Those could be considered basic firewalls, but each router or DNS server doesn't have a separate firewall to protect it.
The internet is a lot simpler than people imagine, but it works.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
"Mr. IT Professional, Tear Down this Firewall!"
"There is more worth loving than we have strength to love." - Brian Jay Stanley
What has you chained to your firewall?
Windows. The 400-pound gorilla of a man with a mean disposition and the keys around his neck tends to discourage any attempts at escaping.
Oh, and he's got "I LUV M$" tattooed to his biceps too.
just like everyone else seems to miss, firewalls are not just for incoming traffic, but for out going as well. security is in layers, throwing away firewalls is the most stupid idea i've heard in a long time.
If you mod me down, I will become more powerful than you can imagine....
There's plenty of "background radiation" on the 'net, your firewall can turn that down. Really, though, firewalls are just a hack, especially with all this tunnelling going on nowadays. Yeah, let's block all ports but HTTP, then tunnel every packet through HTTP. Smart move, Poindexter!
because thousands of blackhats are depending upon you.
Yeah, right.
I've been using this security setup for a while now. Smoothwall has this option available to advanced users. Basically, you configure your network to have Green + Orange + Red interfaces.
The Green interface is where you connect your standard LAN router/switch.
The Red is where you connect your WAN cable.
The Orange is the DMZ your servers go on.
The Green zone has full access to both Red and Orange.
The Red zone (outside traffic) is denied by default unless requested or allowed by port forwarding rules.
The Orange zone is completely denied access to the Green zone. Therefore if someone from the Red zone hacking your servers gains root access to your servers, they will not be able to access or see any of the computers on the Green zone.
If you're very network savvy, you could set this up for free in one weekend.
Dollar Highway Financial News
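A model of both zone layouts discussed in this thread, the Green/Orange/Red layout from the post above and the three-tier web/app/db layout quoted from the article earlier, as an added example that is neither Smoothwall's code nor the article's. All addresses, zone names and ports are constructed for illustration.

```python
"""Zone-policy model: default deny, explicit inter-zone grants, published
services (port-forwards), and reply traffic for flows already accepted.
Added example; not Smoothwall's code and not from the article. Every
address, zone name and port below is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class ZoneFilter:
    """A packet passes only if (a) its source zone may reach its destination
    zone wholesale, (b) it targets an explicitly published service, or
    (c) it is the reply to a flow this filter already accepted."""

    def __init__(self, zones, allow, services=()):
        # Most specific prefix wins, so 0.0.0.0/0 can stand in for "the Internet".
        self.zones = sorted(((ipaddress.ip_network(c), n) for n, c in zones.items()),
                            key=lambda z: z[0].prefixlen, reverse=True)
        self.allow = set(allow)          # (src_zone, dst_zone): full access
        self.services = set(services)    # (src_zone, dst_ip, dport): published service
        self.state = set()               # accepted flows as (src, sport, dst, dport)

    def zone_of(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, name in self.zones:
            if addr in net:
                return name
        return None

    def decide(self, pkt):
        # "Requested" traffic: the reply to a flow we already let through.
        # (A real stateful filter also checks TCP flags and sequence numbers.)
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "ACCEPT"
        src_zone, dst_zone = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        if src_zone is None or dst_zone is None:
            return "DROP"                # unknown zone: fail closed
        if (src_zone, dst_zone) in self.allow or (src_zone, pkt.dst, pkt.dport) in self.services:
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        return "DROP"


def smoothwall_filter():
    """Green (LAN), Orange (DMZ), Red (everything else), as the post describes."""
    return ZoneFilter(
        zones={"green": "192.168.1.0/24", "orange": "10.10.0.0/24", "red": "0.0.0.0/0"},
        allow={("green", "red"), ("green", "orange")},
        services={("red", "10.10.0.80", 80)},   # one port-forward to the DMZ web server
    )


def tiered_filter():
    """Presentation / application / database tiers from the article quote."""
    return ZoneFilter(
        zones={"internet": "0.0.0.0/0", "users": "192.168.2.0/24",
               "web": "10.1.0.0/24", "app": "10.2.0.0/24", "db": "10.3.0.0/24"},
        allow=set(),                        # nothing passes between tiers wholesale
        services={("internet", "10.1.0.80", 443), ("users", "10.1.0.80", 443),
                  ("web", "10.2.0.8", 8080), ("app", "10.3.0.5", 5432)},
    )


def run_scenarios():
    """Verdicts for the cases the posts care about, keyed by scenario name."""
    sw = smoothwall_filter()
    out = {
        "green_to_internet": sw.decide(Packet("192.168.1.10", 40000, "203.0.113.5", 443)),
        "internet_reply_to_green": sw.decide(Packet("203.0.113.5", 443, "192.168.1.10", 40000)),
        "internet_to_dmz_web": sw.decide(Packet("203.0.113.9", 51000, "10.10.0.80", 80)),
        "internet_to_dmz_ssh": sw.decide(Packet("203.0.113.9", 51001, "10.10.0.80", 22)),
        "internet_to_green": sw.decide(Packet("203.0.113.9", 51002, "192.168.1.10", 445)),
        "rooted_dmz_to_green": sw.decide(Packet("10.10.0.80", 33000, "192.168.1.10", 445)),
    }
    tf = tiered_filter()
    out.update({
        "internet_to_web": tf.decide(Packet("203.0.113.9", 52000, "10.1.0.80", 443)),
        "web_to_app": tf.decide(Packet("10.1.0.80", 53000, "10.2.0.8", 8080)),
        "app_to_db": tf.decide(Packet("10.2.0.8", 54000, "10.3.0.5", 5432)),
        "web_to_db_direct": tf.decide(Packet("10.1.0.80", 55000, "10.3.0.5", 5432)),
        "users_to_db": tf.decide(Packet("192.168.2.7", 56000, "10.3.0.5", 5432)),
    })
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:26s} {verdict}")
```

The "rooted_dmz_to_green" and "web_to_db_direct" cases are the ones the zone split exists for: a compromised DMZ or presentation host still cannot reach the LAN or skip a tier.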
What has you chained to your firewall?"
My firewall? (Oh, do you mean my macintosh?)
I work for the Department of Redundancy Department.
Inspired by this article, I've decided to remove the lock on my front door, and instead install individual locks on my closet, entertainment center, computer desk, and fridge.
The security is great, but getting another Dew from the fridge is a bit of a bitch.
-David
What they call a firewall is in reality at best a network filter and networks off of it are not a "dmz", that is a total misnomer as well. Firewall protected zone (fpz) would fit far better. Dmz is just plain idiotic. Could call it what it really is - Filter protected zone.
Getting rid of the network filters out there with Windows around is just plain crazy. I bet they get hacked soon. What will be the first question - Did you have a firewall in front of your machines? No? - you're an idiot, no you're a fool, no you're a foolish idiot! I hope his resume is up to date. I also hope his company doesn't have any of our personal data on their machines. If they do and he gets hacked, he would make a great example. Let's start boiling the tar, get the feathers ready.
Ok,
They replaced a stand-alone hardware firewall with ACLs in layer 3 switches.... Um, last time I set up a network with layer 3 ACLs it was significantly more time consuming and harder to manage than a firewall.
Further, if they are using virtualization technology and they mention each virtual server sits in a "DMZ", well, they have to be running iptables or some other type of host based FIREWALL as there is not a physical network layer, the traffic isn't getting sent through a switch to do layer 3 ACL checking!
Next in this setup the client machines (yes often the most vulnerable and least looked after machines on any network) are left completely without network level protection, and rely on antivirus and vendor patches to be "safe". Maybe you can rely on MS to always release a patch before an exploit is released, I certainly don't.
Further, Antivirus technology is wholly flawed. What kind of protection does Norton offer you in the first 2 or 3 hours after a virus is released? It takes at least that long for them to analyze the threat and publish a new def for it, in the first 3 hours of any new large scale virus everyone on the planet who is relying on antivirus software is vulnerable.
These people are demonstrably retarded for setting their network up this way. This is certainly not the future of network security.
...there will *ALWAYS* be a need for firewalls.
It is as simple as that.
Firewalls (in most cases filtering routers) do more than just control traffic. They monitor suspicious activity, and help prevent undue amounts of information about one's network internals from getting out.
They can also take on load-balancing functions, and split ports on a single public IP across many servers for the isolation the article discusses.
They can also act as end-points for IPSec tunnels (VPN's to extranets etc).
In essence filtering routers can act as a powerful abstraction tool-- a sort of swiss army knife of network security. Giving up on such a powerful tool is foolish in my opinion.
Now, on the other hand, going through your network design *as if you can't put in a filtering router* and then putting one in anyway is a pretty good idea.
Of course this guy has *not* gotten rid of his firewalls. Instead, he has merely changed the setup from one based on filtering routers to one based on the structure of his DMZ (remember, a DMZ as a perimeter network acts as a sort of firewall anyway). Living without a firewall means no security boundary between your internal and external networks. If you have any sort of security boundary, such as a DMZ, that is a firewall (doesn't have to be limited to a filtering router).
Remember the firewall of a large company usually includes a DMZ and at least one filtering router (between the DMZ and internal zone). The firewall between the DMZ and the internet zone is usually considered optional. However, such a firewall, if properly configured, can provide substantial protection against trojans, worms, etc. as well as early warning capabilities in case of a security breach. Wonder how this works? Would you allow your web server to make arbitrary connections to the internet? Probably not.... So if someone plants a back door, not only is the inbound port blocked at the router, but so is the outbound connection request. If both of these are logged, you will say "Why is my web server trying to connect to the IRC server at 3vi1h4ck3rz.com?" and realize pretty quickly that the server has been compromised. Can a firewall be used as a crutch? Sure. But do you *really* trust a security professional who advocates getting rid of such a useful tool?
LedgerSMB: Open source Accounting/ERP
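The "why is my web server trying to connect to an IRC server?" check from the post above, as an added example that is not the article's or any product's code: it parses constructed iptables-style LOG lines for connections a DMZ web server tries to originate and flags any flow not on that server's short egress allowlist. The log format, addresses, ports and the allowlist are all constructed.

```python
"""Egress alerting for a DMZ web server, as described in the post above.
Added example; not the article's or any vendor's code. Log lines,
addresses, ports and the allowlist are constructed for illustration."""
import re
from collections import Counter

# key=value fields in the style iptables' LOG target writes (the subset used here)
FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT|OUT)=(\S+)")

# Per-server allowlist of flows the server is *supposed* to start: (proto, dst, dport).
# "*" as dst means any destination on that port (e.g. fetching updates over HTTPS).
EXPECTED_EGRESS = {
    "10.1.0.80": {("UDP", "10.1.0.2", 53),     # the DMZ resolver
                  ("TCP", "10.2.0.8", 8080),   # its application-tier backend
                  ("TCP", "*", 443)},          # vendor update mirrors
}


def parse_log_line(line):
    """Return the fields of one log line as a dict, or None if it is not a LOG entry."""
    fields = dict(FIELD.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    fields["DPT"] = int(fields.get("DPT", 0))
    return fields


def unexpected_egress(lines):
    """Outbound connection attempts by a watched server that are not on its allowlist.
    Returns a list of (src, dst, dport, proto) tuples in log order."""
    alerts = []
    for line in lines:
        f = parse_log_line(line)
        if f is None or "OUT" not in f:      # only packets leaving via an interface
            continue
        allowed = EXPECTED_EGRESS.get(f["SRC"])
        if allowed is None:
            continue                         # not one of the servers we watch
        proto, dst, dport = f.get("PROTO", "?"), f["DST"], f["DPT"]
        if (proto, dst, dport) in allowed or (proto, "*", dport) in allowed:
            continue
        alerts.append((f["SRC"], dst, dport, proto))
    return alerts


def beacon_counts(alerts):
    """Group alerts by (src, dst, dport); a repeating flow is a stronger signal
    of a planted back door retrying its connection than a single attempt."""
    return Counter((s, d, p) for s, d, p, _ in alerts)


# Constructed log lines; the port 6667 lines mimic the post's IRC example.
SAMPLE_LOG = [
    "kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.1.0.80 DST=10.1.0.2 PROTO=UDP SPT=40001 DPT=53",
    "kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.1.0.80 DST=203.0.113.20 PROTO=TCP SPT=40002 DPT=443 SYN",
    "kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.1.0.80 DST=203.0.113.66 PROTO=TCP SPT=40003 DPT=6667 SYN",
    "kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.1.0.80 DST=203.0.113.66 PROTO=TCP SPT=40004 DPT=6667 SYN",
    "kernel: INGRESS IN=eth0 SRC=203.0.113.9 DST=10.1.0.80 PROTO=TCP SPT=51000 DPT=443 SYN",
    "kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.1.0.5 DST=203.0.113.66 PROTO=TCP SPT=40005 DPT=6667 SYN",
]

if __name__ == "__main__":
    found = unexpected_egress(SAMPLE_LOG)
    for src, dst, dport, proto in found:
        print(f"ALERT: {src} tried {proto} to {dst}:{dport}")
    for (src, dst, dport), n in beacon_counts(found).items():
        print(f"{src} -> {dst}:{dport} seen {n} times")
```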
Ok, so this guy is recommending using Windows Server *and* getting rid of firewalls???
I understand the dangers of hacking from the inside, but this is as prevalent as it is largely because people better recognize the danger of the large number of internet script kiddies. Based on the firewall analysis I have generally done, the internet zone is the originating area of *far* more attacks than any internal zone.
Additionally, our requirements of usability are generally higher on the internal network (we don't have to open file sharing services out to the public, do we?) so of course the network is going to be *by nature* less secure.
Yeah, but the problem is this: what if it's your firewall admin who screws up? Granted, it's better to leave a port open on ONE device than on twenty different ones, but it's still the same problem.
What about defense in depth? Has that somehow been superseded here? Ideally, your firewalls are merely layers in your defence. They are designed merely to increase the cost of a successful attack. Getting rid of the firewalls creates a more brittle network security infrastructure, where failure in any computer is by itself sufficient to do all sorts of nasty things to your network (ping or syn floods being just the beginning). Firewalls therefore also help to contain the damage.
This guy's network sounds like the Titanic. Seemingly invincible but suffering not only from the hubris of the architects but also from hidden but fatal flaws in the design which make the infrastructure fundamentally unsound even against the very dangers it was designed to withstand.
The greatest firewall in the world isn't going to stop your employees from opening attachments and running exe's they downloaded from the net. It's simple to write something that can infiltrate your network that runs on port 80. Because if you close port 80, your employees can't surf the net without a proxy server.
I don't understand this "fear" of firewalls that people seem to have nowadays... firewalls are not a bandage, they are a layer of security that should not be removed. Say you want to access SSH from only computer X, well, having the service open to the world and just rejecting logins from other computers still leaves it vulnerable to buffer overflow problems if there are any discovered.
First, as you point out, routers with ACLs are firewalls. I would say that a firewall is *any device which provides a security barrier between networks* (which includes a DMZ between the internal network and the external network too).
Secondly, any security professional who recommends dispensing with firewalls, I agree, is not to be trusted at all for security advice. Firewalls have a large number of uses including damage isolation, traffic control, detection of abnormal attack or traffic patterns, etc. Dispensing with them is just not wise.
The point of the article is that your "added security" from the outer firewall is probably unnecessary and therefore nonexistent if your internal security is good. Your comment gets modded "redundant."
Sorry, but it doesn't work that way. The function of a firewall is simply to add one more obstacle between the attacker and the resource being attacked. Defense in depth is a good thing...
This being said, my business network consists mostly of externally visible servers. So I use an approach similar to that in the article (without the application server DMZ as my entire network is in a DMZ). However, I *still* use an external firewall. The firewall has a number of important functions, both as a security and a generic network appliance. It handles:
1) Some VPN termination
2) External DNS
3) Load balancing
4) Masquerading my entire network behind one public IP address.
5) General network abstraction-- presenting my network to the external world as a single machine (see #4 above).
Probably 90% of the services I run are externally accessible on at least one machine. But the firewall does provide a strong degree of added protection *when combined with other means.* And it is just one more obstacle that the attacker needs to overcome.
Redundancy in security is a good thing. Even if your security is good elsewhere, the security a firewall adds is almost never unnecessary.
LedgerSMB: Open source Accounting/ERP
I will prove you wrong
It's one thing to give up the firewall if all you have behind it is servers.
I cannot agree here: whatever you have behind your firewalls (servers or workstations), the firewall protects your network from OUTGOING traffic, while the hosts themselves cannot. Having a webserver broken into and used as a spam base is not something any admin should accept risking. And the firewall protects against that: outgoing traffic.
Rule of thumb: if root on any of your front servers can do nasty things to your network or outside, then you need a firewall to filter traffic from this server.
Willy
I hold with the 80/20 rule. You spend 80% of your effort protecting 20% of your resources (usually your servers). Usually this is broken down as follows:
40% or so on external-facing servers in the DMZ.
40% on business-critical servers and infrastructure.
20% on workstations.
Secondly, a well designed firewall infrastructure should allow external admin applications to open ports (say connecting via SSH). So the majority of the effort in opening a port is determining whether the security and business ramifications mandate opening it or denying the request. This is what your security architects should be doing anyway.
LedgerSMB: Open source Accounting/ERP
two words: "scrub all"
A good firewall does more than just port filtering. It cleans up the traffic, writes logs (on a different machine), it terminates VPN tunnels and enforces routing policies between networks.
Maybe your firewall is a glorified ACL - mine aren't, so get your dirty hands off them.
Assorted stuff I do sometimes: Lemuria.org
if the solution described didn't use a firewall, as in this line from TFA:
"The servers and their respective applications sit in their own DMZ, protected by an Application-layer firewall".
It is true that if you run a dedicated FTP/www server then the firewall/iptables plays a limited role such as blocking IPs. But I run iptables on the server to block at least the following kinds of stuff:
SYN-flood protection
Make sure NEW incoming TCP connections are SYN packets; otherwise drop them
Drop incoming fragmented packets
Drop incoming malformed XMAS packets
Drop incoming malformed NULL packets
Spoofing and bad addresses
Filter incoming ICMP/PING traffic
Block unwanted IPs
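One concrete host firewall covering both the list above and the earlier rule of thumb about filtering a front server's outgoing traffic, written here as an added example rather than any poster's own script. It emits an iptables-restore ruleset for a standalone web server; the interface name, the RFC 5737 mail-relay address and the rate limits are constructed placeholders, and the ruleset is only applied when explicitly requested.

```shell
#!/bin/sh
# Added example: iptables-restore ruleset for a standalone web server.
# Placeholders: WAN_IF and MAIL_RELAY are constructed, not from any poster.
WAN_IF="${WAN_IF:-eth0}"
MAIL_RELAY="${MAIL_RELAY:-192.0.2.25}"   # the only host allowed on tcp/25

gen_hardening_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NEW tcp connections must be SYN packets; otherwise drop them
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Drop incoming fragments
-A INPUT -f -j DROP
# XMAS (all flags set) and NULL (no flags) packets
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Spoofed / bogus source addresses arriving on the WAN interface
-A INPUT -i $WAN_IF -s 10.0.0.0/8 -j DROP
-A INPUT -i $WAN_IF -s 172.16.0.0/12 -j DROP
-A INPUT -i $WAN_IF -s 192.168.0.0/16 -j DROP
-A INPUT -i $WAN_IF -s 127.0.0.0/8 -j DROP
# SYN-flood protection: rate-limit new connections to the web ports
-A INPUT -p tcp --syn -m multiport --dports 80,443 -m limit --limit 50/s --limit-burst 100 -j ACCEPT
-A INPUT -p tcp --syn -m multiport --dports 80,443 -j DROP
# ICMP: answer pings at a low rate, drop everything else
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p icmp -j DROP
# Egress: a compromised web server must not become a spam base
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --dport 25 -d $MAIL_RELAY -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j LOG --log-prefix "SMTP-EGRESS-BLOCK "
-A OUTPUT -p tcp --dport 25 -j DROP
-A OUTPUT -p udp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for review; apply it (as root) only with --apply.
if [ "$1" = "--apply" ]; then gen_hardening_rules | iptables-restore; else gen_hardening_rules; fi
```

The LOG rule before the SMTP DROP is what turns a hijacked server into a detectable event rather than a silent one: watch for the "SMTP-EGRESS-BLOCK" prefix in the kernel log.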
The important thing is not to stop questioning --Albert Einstein.
Mr. Berman is an admirer of the war-strategist Thomas P.M. Barnett, and Berman's theories can be seen as war doctrine applied to IT networks.
This same story appeared on Berman's blog a month ago.
Why is their visibility a problem? If they are running services that you want accessible, they need to be visible. If you don't want people to access the services, turn them off, then the machines aren't vulnerable.
Depends on whom you mean by "people". The administrator wants authorized employees to access some of the services, not the general public. Besides, globally routable IP addresses cost money per year, which is a waste for machines that will only be used by users on the LAN or who have authenticated to the VPN.
The article describes a 3-layer model. Looks to me like they have set up a thin-client model, or at least are almost there.
For those of you who haven't totally uncloaked my conspiratorial attempts at world domination or my simply lame ass ideas, here are a few clarifications:
I wrote the article to inspire discussion among a broad audience and inspire attempts to harden the inside of corporate networks.
The Network Magazine column called 'Soapbox' requires a 650 word submission - my first attempt to write a concise summary yielded about 1500 words. Perhaps a better person would have refused to discuss such a topic with less than 1500 words, but I chose to balance idealism with pragmatism. Consequently the content got pretty hacked up and some points rose to a higher level of attention than originally desired. I have great respect for Network Magazine and I consider getting published in it an honor, and in order to have a piece published the topic should have a wide appeal, be interesting and perhaps be a bit provocative - the title reflects that.
For a Slashdot audience I certainly would not have composed an article this way since the subtleties would not get lost on a Slashdot readership. A more accurate description of the topic would be, 'stateful inspection network based firewalls are being given far too much credit for the security they and perimeter security in general can possibly bring to a system'. As several people have noted, I am not advocating that we should eliminate the perimeter or network firewall, but rather trying to get people to reconsider what it actually offers in the way of security - to sum it up concisely: it becomes a coarse grained noise filter. (In early drafts I tried to liken it to an RF choke.)
In an IT context, too many IT people who should know better see a firewall as a panacea. Threatening to remove the firewall gets their attention rather quickly. When I talk to our IT architects, managers and system admins I try to get them to work to create systems that are as reasonably secure in the environment in which we operate. If we are running an insecure desktop in an enterprise such as Windows 95 then there needs to be a wakeup call to get this situation changed. If we approach this as though we are living without a firewall, then the people responsible take a very different view of what needs to be done to correct the situation and we consider better alternatives. I am not advocating a specific solution rather an approach that views our internal network as being hostile rather than safe. I contend that there are viable solutions available to us today to build affordable and secure systems whereas many larger companies have adopted an attitude that we can live with the status of our internal networks as they exist today.
For those people that put a lot of faith in firewalls, I simply say that most significant threats go around the firewall (e.g., reverse proxies à la Adrian Lamo; war dialing; and access via VPNs and remote site penetration); go through firewalls (e.g., embedded content in e-mail; direct user downloaded content; XML vulnerabilities; and spyware) or simply exist within the internal network and don't need to consider the firewall (e.g., malicious employees; partnerships with organizations that don't respect our 'property' or are careless about handling access). For many companies the threat is already inside the walls - they just refuse to accept it.
So I don't foresee the network firewall going away, but it will continue to be less effective as we are required by the business to continue to create more permissive rules and see more channels that bypass it completely. We do need to create ways to put the protections closer to the stuff we are trying to protect.
I didn't touch on home networks, but this is an area I strongly advocate the use of simple and cheap hardware firewalls for most people. This is not just because home users have notoriously vulnerable systems and generally don't need to allow inbound connections but also for any system that has to deal with the noise coming from the Internet and all of the wasted processor interrupts th