Slashdot Mirror


What Is the Future of Firewalls?

jlmale0 writes "When I mess with my WAP/router at home or coordinate with the network team at work, it seems like I'm stuck in 1995. We're still manually listing IP address/port combinations for our firewall rules. There's a certain simplicity to this when dealing with a single system, but there are firewalls everywhere these days. What's available for managing complex firewall arrangements? What's being developed? Can I take a Visio diagram, run it through a script, and get a list of firewall rules? What about a GUI that illustrates the current system configuration and then lets me drag and drop systems across firewalls, and have the individual firewall ports automatically configured? What about tying a firewall into an authentication system so that when jdoe logs in, only then are the firewalls opened to pass her traffic? What about managing distributed firewalls so that one repository of rules opens up your system's firewalls, the DMZ firewall, and the public firewall all at once? Let's get a conversation started. What cool projects do I need to know about? What cool management features would you like to see? What's next for firewall management?"

414 comments
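The submission asks for one repository of rules that opens the host firewalls, the DMZ firewall and the public firewall together, and for a way to move a system between firewalls and have each enforcement point reconfigured. The following is an added example written for this page, not code from the submitter or from any product named in the thread: a small Python policy compiler that takes a zone chain, a host inventory and a list of allowed flows and emits default-deny iptables rule lists for every firewall on the path and for the destination host itself. The zone chain, interface names, addresses, hosts and flows are all constructed sample data.

```python
"""Compile one central flow policy into per-firewall and per-host iptables rules.

Added example for this thread, not code from the original post or from any
product mentioned in it.  The zone chain, interface names, host inventory and
flows below are constructed for illustration; the emitted lines use iptables
syntax and assume each enforcement point has the interfaces named in FIREWALLS.
"""
from dataclasses import dataclass

# Topology as a straight chain: a zone, the firewall bounding it, the next zone.
# Real multi-path networks need path computation; a chain covers the
# "public firewall / DMZ firewall / host firewall" case from the question.
CHAIN = ["internet", "public-fw", "dmz", "dmz-fw", "lan"]

# Interface facing each neighbouring zone on each firewall (assumed names).
FIREWALLS = {
    "public-fw": {"internet": "eth0", "dmz": "eth1"},
    "dmz-fw": {"dmz": "eth0", "lan": "eth1"},
}

# Host inventory: name -> (zone, address).  Constructed sample data.
HOSTS = {
    "www": ("dmz", "203.0.113.10"),
    "db": ("lan", "10.0.1.20"),
    "jdoe-pc": ("lan", "10.0.2.55"),
}


@dataclass(frozen=True)
class Flow:
    src: str      # host name, or a zone name meaning "anything in that zone"
    dst: str      # host name
    proto: str    # "tcp" or "udp"
    dport: int


POLICY = [
    Flow("internet", "www", "tcp", 443),   # public web
    Flow("www", "db", "tcp", 5432),        # web tier to database
    Flow("jdoe-pc", "db", "tcp", 5432),    # one workstation to database
]

# Stateful framing every rule set gets before any allow rule.
STATEFUL_PREAMBLE = [
    "-m conntrack --ctstate INVALID -j DROP",
    "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
]


def zone_of(name):
    if name in HOSTS:
        return HOSTS[name][0]
    if name in CHAIN and name not in FIREWALLS:
        return name
    raise ValueError(f"unknown host or zone: {name}")


def src_match(name):
    # A zone as source means no source restriction beyond the ingress interface.
    return f"-s {HOSTS[name][1]}/32 " if name in HOSTS else ""


def validate(flow):
    if flow.proto not in ("tcp", "udp"):
        raise ValueError(f"{flow}: protocol must be tcp or udp")
    if not 1 <= flow.dport <= 65535:
        raise ValueError(f"{flow}: bad port")
    if flow.dst not in HOSTS:
        raise ValueError(f"{flow}: destination must be an inventoried host")


def firewalls_on_path(src_zone, dst_zone):
    """Firewalls between two zones as (name, ingress_zone, egress_zone) tuples."""
    a, b = CHAIN.index(src_zone), CHAIN.index(dst_zone)
    step = 1 if a < b else -1
    hops = []
    for i in range(a + step, b, step):
        if CHAIN[i] in FIREWALLS:
            hops.append((CHAIN[i], CHAIN[i - step], CHAIN[i + step]))
    return hops


def compile_policy(policy=POLICY):
    """Return {enforcement_point: [iptables rule, ...]} with default-deny framing."""
    rules = {fw: ["-P FORWARD DROP"] + [f"-A FORWARD {r}" for r in STATEFUL_PREAMBLE]
             for fw in FIREWALLS}
    for host in HOSTS:
        rules[host] = ["-P INPUT DROP"] + [f"-A INPUT {r}" for r in STATEFUL_PREAMBLE]
    for flow in policy:
        validate(flow)
        tail = (f"-d {HOSTS[flow.dst][1]}/32 -p {flow.proto} --dport {flow.dport} "
                f"-m conntrack --ctstate NEW -j ACCEPT")
        for fw, zin, zout in firewalls_on_path(zone_of(flow.src), zone_of(flow.dst)):
            ifaces = FIREWALLS[fw]
            rules[fw].append(f"-A FORWARD -i {ifaces[zin]} -o {ifaces[zout]} "
                             f"{src_match(flow.src)}{tail}")
        # The destination's own host firewall opens the same flow and nothing else.
        rules[flow.dst].append(f"-A INPUT {src_match(flow.src)}{tail}")
    return rules


if __name__ == "__main__":
    for point, lines in compile_policy().items():
        print(f"# {point}")
        print("\n".join(lines), end="\n\n")
```

Moving a host to another zone is a one-line change to HOSTS, after which the compiler re-emits rules on every firewall its flows cross, which is the drag-and-drop behaviour the submission describes. Every rule set starts from a DROP policy and the stateful preamble, so the generated allow rules are the only way through, and a flow between two hosts in the same zone produces nothing but a host-firewall rule.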

  1. When you finish your MBA- it'll all become clear. by bsane · · Score: 4, Funny

    When you finish your MBA- it'll all become clear.

  2. Leave the networking stuff to the networking team by Anonymous Coward · · Score: 1, Insightful

    Sounds like someone wants to get rid of the network team by implementing a few DIY tools...

  3. Re:When you finish your MBA- it'll all become clea by RobDollar · · Score: 5, Funny

    Do you get a free Belkin 54g with your MBA?

  4. The answer to your question is... by zonker · · Score: 0

    No. Which makes me a sad panda.

  5. Digital Mongolians by cosm · · Score: 1

    Damn you spam Mongolians!

    --
    'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
  6. Honestly? by pyite · · Score: 0

    All the tools suck. Firewalls cause more harm than good. The platforms are all mediocre. In my world (low latency trading), pulling firewalls out is one of the highest priorities if it can be done (legally and reputationally).

    --

    "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

    1. Re:Honestly? by Anonymous Coward · · Score: 1, Informative

      low latency trading makes me sad.

    2. Re:Honestly? by Flere+Imsaho · · Score: 1

      Have you tried Palo Alto? They have the lowest latency among the current crop of UTM firewalls.

      --
      It gripped her hand gently. 'Regret is for humans,' it said.
  7. Standardized Firewall Config Scripts by Hadlock · · Score: 1, Interesting

    Did anyone play Borderlands for the PC? Remember what a nightmare it was to get multiplayer working on that thing? uPnP sorts out some bits, but having a file that you can upload to the firewall to configure that would be nice. There are scores of profitable websites out there that will walk you through how to configure your router for bit torrent -- clearly there's a need for Something Better. If not config scripts/files, then something else.
     
    I still can't host Borderlands multiplayer games.

    --
    moox. for a new generation.
    1. Re:Standardized Firewall Config Scripts by Kizeh · · Score: 1

      And how much of this had to do with NAT rules rather than firewalls?

    2. Re:Standardized Firewall Config Scripts by Anonymous Coward · · Score: 0

      Just stop being such a whiner.

    3. Re:Standardized Firewall Config Scripts by afidel · · Score: 0

      Yeah really, it's like a salami attack against the entire investment community (economy) but for some reason it's legal (at least for now, I'm hoping the SEC comes out with something substantive from their current call for comments).

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    4. Re:Standardized Firewall Config Scripts by elronxenu · · Score: 1

      NAT or no NAT - any protocol which requires connections be accepted on varying port numbers is going to cause problems. Examples - SIP, BT, most IM protocols for file send.

      Best is if there's a netfilter module for the protocol; it can watch the traffic and open up holes dynamically for related connections.

    5. Re:Standardized Firewall Config Scripts by Anonymous Coward · · Score: 0

      Firewalls have nothing to do with NAT. It's two different concepts put into the same box to solve two different problems.

      Firewall - Allow and deny access between internal and external computers. It's about security and protection.
      NAT - Solves a shortcoming of IPv4, not enough IP numbers. Share the same real IP number through some private IP numbers, because you don't have enough real IP numbers.

      NAT is solved by IPv6, so go for it now and you get easy P2P without messing with Internet sharing devices.
      Firewall is still needed in your router with IPv6, as it has to do with security.

    6. Re:Standardized Firewall Config Scripts by Aranykai · · Score: 1

      Try hamachi. Free, incredibly easy VPN software. Me and friends host borderlands all the time and never have any trouble at all.

      --
      If sharing a song makes you a pirate, what do I have to share to be a ninja?
    7. Re:Standardized Firewall Config Scripts by PitaBred · · Score: 1

      What, you mean NAT isn't a firewall?

      There are a ton of people who don't know enough to know what the actual problems are. Hosting a Borderlands server would be trivial on IPv6, removing NAT, and you would still be able to have a firewall.

    8. Re:Standardized Firewall Config Scripts by Lockblade · · Score: 2, Informative

      Hamachi has a 15 user per network limit unless you pay for it though, so you might want to also look into OpenVPN. It's much harder to initially set up, but it's much more flexible.

    9. Re:Standardized Firewall Config Scripts by Osty · · Score: 1

      I played Borderlands on Xbox 360 and it Just Worked®. Of course I have a UPnP daemon running on my linux gateway, which makes it work.

    10. Re:Standardized Firewall Config Scripts by Hadlock · · Score: 1

      I wasn't aware Borderlands was released on anything other than Steam.
       
      No tv/no console krew represent
       
      The PC implementation of borderlands used some sort of gamespy matchmaking service that was somehow worse than windows live for games, plus Gearbox/Gamespy never published a "ports you need open" guide, at least not for the first month, after which nobody played it out of frustration/diablo2 style weapons hacks
       
      It was a terrible PC port of a console game and the cracks really showed through when it came to the god-awful network code. Rumor has it some of that was patched in a later DLC but I don't care enough to confirm :P but yes i think the subtle point you were making is that perhaps consoles really are easier sometimes.

      --
      moox. for a new generation.
    11. Re:Standardized Firewall Config Scripts by TheLink · · Score: 1

      > Hosting a Borderlands server would be trivial on IPv6

      Does it really support IPv6? If it doesn't it's not so trivial :).

    12. Re:Standardized Firewall Config Scripts by Anonymous Coward · · Score: 0

      A NAT patch was released that solved all these problems. See the 1.21 update or the more recent 1.30 update.

    13. Re:Standardized Firewall Config Scripts by TheThiefMaster · · Score: 1

      I still can't host Borderlands multiplayer games.

      That's odd, as one of the recent patches uses NAT hole-punching to avoid the need to forward ports yourself. I know I haven't, and don't have upnp enabled, but have still hosted borderlands games.

    14. Re:Standardized Firewall Config Scripts by Anonymous Coward · · Score: 0

      Google Gameranger. Give that a try (if you're on Windows)

    15. Re:Standardized Firewall Config Scripts by BoredAtWorkWhatElse · · Score: 1

      Another solution is to create multiple Hamachi networks and make the host join all of them. Works great.

    16. Re:Standardized Firewall Config Scripts by Anonymous Coward · · Score: 0


      NAT - Solves a shortcoming of IPv4, not enough IP numbers. Share the same real IP number through some private IP numbers, because you don't have enough real IP numbers.

      NAT is solved by IPv6, so go for it now and you get easy P2P without messing with Internet sharing devices.

      Actually, NAT really solved a problem with greedy money-grubbing telcos and ISPs, who blandly stated they did not want you to have more than one computer per line. At crippled speeds.

      In other words, they wanted you to rent or install one phone line for every computer you wanted to connect to the internet. Anything like a network, or a faster connection, was supposed (by them alone) to require an "Enterprise-Level Contract". Meaning you had to be a company, or just pay like one.

      The charges per line were quite daunting (and still are, in my opinion). Linux commons to the rescue, and NAT blossomed. The microserf folk followed... eventually, by-and-by - as is their way.

      Some of them still claim, in small print, your obligation to connect only one computer per line - right next to the firstborn, and soul-derivative-proprietary-reflux clauses. But most telcos and ISPs have decided to ignore NAT, for the time being.

      There was some talk of some of them monitoring, detecting, and suing or charging for NAT / network use. But client backlash - and exodus - kind of settled that.

    17. Re:Standardized Firewall Config Scripts by uncledrax · · Score: 1

      There are scores of profitable websites out there that will walk you through how to configure your router for bit torrent -- clearly there's a need for Something Better.

      [Citation Needed]

      I can agree with the overall point..many non-net-tech users could prob use something like that.. but that's why they invented PnP.. the problem will arise if there's a file that people don't ever look at, I could inject something malicious (like opening 135/tcp into your network).

      Perhaps a plain-text format mechanism where you can just copy-and-paste it into a box in your Soho router instead of filling out text form fields. I'm sure one of the open-WRT guys can do that.

      --
      ----- The internet has given everyone the ability to have their voice heard equally as loud.. even if they shouldn't be
    18. Re:Standardized Firewall Config Scripts by ckaminski · · Score: 1

      This is why the content companies need to get out of the bandwidth business.

    19. Re:Standardized Firewall Config Scripts by Hadlock · · Score: 1

      It would have been nice if they'd released that patch at launch, when my friends were still interested in playing the game. Everyone I know is going to weigh their purchase very carefully if they see the multiplayer is handled via gamespy ever again.

      --
      moox. for a new generation.
  8. The future is now by miggyb · · Score: 1

    Everything you said sounds like it can just be scripted, not some sort of fundamental shift in the way we think about firewalls. The beauty of the Unix philosophy (do one thing and do it well) is that it works at an almost intuitive level. The more complexity you layer on at the base level, the less clear things become for someone trying to understand it.

    --
    This signature serves no purpose other than to help you see which posts were made by me.
    1. Re:The future is now by blackraven14250 · · Score: 4, Insightful

      I love how you *nix guys don't ever take end users into consideration. You think "Oh, just learn how to script the stuff together with some shell and you'll be good!".

      All the while, the end users are saying "We don't care about having to learn to write a script; just include one with your damned program, and have a standard that routers can accept this file and it will just work and be simple."

    2. Re:The future is now by bmo · · Score: 3, Insightful

      The "Simple Way" is usually the wrong way when dealing with complex systems.

      There are tools that make things easier for "roughing out" what you want, but fine tuning is always breaking out a text editor and making adjustments.

      What about the users? Fuck them. They don't even know what an operating system is and don't care what it is, don't care what a firewall is outside of "it keeps the bad guys out," don't care what a router or switch is, and mostly don't care how a network works or even bother to learn how to navigate a file system. Most of all, they cannot be trusted to reliably run a script without somehow screwing it up, even if it's one click of a mouse.

      This is why your system administrator treats you like someone who just got off the short bus.

      --
      BMOs

    3. Re:The future is now by biryokumaru · · Score: 1

      It's kind of funny how this comment thread comes up immediately following this article...

      --
      When you're afraid to download music illegally in your own home, then the terrorists have won!
    4. Re:The future is now by miggyb · · Score: 2, Insightful

      You mean like defaults?

      --
      This signature serves no purpose other than to help you see which posts were made by me.
    5. Re:The future is now by MightyMartian · · Score: 2, Insightful

      Your average end user is likely to be quite satisfied with a basic web-based firewall GUI sitting on top of iptables. However, your average end user is highly unlikely to need an in-depth understanding of complex routing tables, queue rules, etc. I mean, why aren't you bitching about Cisco, which is every bit as difficult to work with for complex networks?

      For most users, a basic web-based configuration setup is great. For another subset something like Webmin or the Cisco GUI tools will probably do the trick. But there will always be some subset that need to do very complex firewall and routing jobs.

      In other words, what the fuck is your problem?

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    6. Re:The future is now by Fred+Ferrigno · · Score: 1

      If we're talking about average home users, UPnP works well enough, if they even need it which many don't. On the other hand, if your "end users" are system admins managing large, complex networks, then there just isn't going to be a one-size-fits-all solution. The more complex and specialized your demands on the system are, the more effort you're going to have to put into configuring it.

    7. Re:The future is now by blackraven14250 · · Score: 5, Insightful

      "Yeah, fuck those end users! We'll make it a bitch and a half to use our product even though the fixes are simple!"

      Honestly now, I'm talking about home users, the other people who use firewalls, even though they don't know it. Make it a standard on routers where on the router's config page, it can accept a small text file with ports to be routed to the current connection. Even better, have the program send that information when the game starts, and have the ports un-routed when the game ends. It's a relatively simple, easy fix for the headache that is "finding out the proper ports for XBox Live to work" and entering them manually.

      I know how to do it, but let me tell you, I don't know many other people that can install a router to begin with, let alone get their port forwarding to work for Gears of War; and they don't care to learn. Ease of use and the user interfaces on routers haven't improved one bit for consumers from the Belkin I had in 2002; why should a market completely stagnate in user friendliness for that long?

      Oh, that's right. It's because every *nix head doesn't think about the real end user, just what's "most powerful" in terms of features. Design solely for the power users and administrators, and you miss 95% of the market - what Linux has excelled at for many, many years.

    8. Re:The future is now by phantomfive · · Score: 1

      We don't care about having to learn to write a script; just include one with your damned program

      Which reminds me, one of the reasons developers stop doing open source is because end users can be really demanding, and really annoying in the way they demand.

      --
      Qxe4
    9. Re:The future is now by Xipher · · Score: 1

      The only time I want an end user managing a firewall is in their own home, and I think most consumer devices have a decent enough web interface to get by. If you're talking about a business environment that needs something more than a consumer appliance then you should probably hire a network admin to help manage it. Security is often a trade-off for ease of use, and I'm not saying unnecessarily convoluted configuration methods are secure, but if you want to be able to secure your network it's something I see as being more complex than the average end user is going to understand. I don't expect the average executive assistant at a company to understand the implications of allowing anything through the filter, but I wouldn't doubt they would do that so they can use a little application that just got installed by this email from an African prince.

      --
      I don't know everything.
    10. Re:The future is now by Anonymous Coward · · Score: 0

      Who gives a shit about 15 year old Xbox kiddies?

    11. Re:The future is now by Crackez · · Score: 5, Interesting

      You may not be worth this reply, however, I will try to overcome my Unixism.

      "It can scarcely be denied that the supreme goal of all theory is to make the irreducible basic elements as simple and as few as possible without having to surrender the adequate representation of a single datum of experience." - Albert Einstein

      I don't mean to quote and sound all guru-ish, however, this particular quote has a deep meaning with regard to this discussion.

      "Shits tough, you have to be tough too." - I think I invented that one.

      Basically, if you can't swim then get out of the water, or learn to swim; those are your only choices.

      Stuff like networking is zen, it's just bits on a wire. On the other hand, it can be hard. Waah.

    12. Re:The future is now by Anonymous Coward · · Score: 0

      Isn't this a lot of what UPnP was designed to do?

    13. Re:The future is now by Fred+Ferrigno · · Score: 3, Insightful

      Make it a standard on routers where on the router's config page, it can accept a small text file with ports to be routed to the current connection. Even better, have the program send that information when the game starts, and have the ports un-routed when the game ends. It's a relatively simple, easy fix for the headache that is "finding out the proper ports for XBox Live to work" and entering them manually.

      That already exists. It's called UPnP. Xbox Live even supports it.

    14. Re:The future is now by bmo · · Score: 3, Insightful

      have the program send that information when the game starts, and have the ports un-routed when the game ends.

      This is insane. This really is an insane concept. If you think that the home user is the black-hat botnet operator's bitch, this will only exacerbate the situation. You are removing what little human interaction there is in configuring a router and turning it over to software completely. You really need to examine what you just asked for, because it's stupid.

      Why not just supply the user with a pail of K-Y Jelly?

      --
      BMO

    15. Re:The future is now by bmo · · Score: 1

      Isn't this an incredible security risk?

      --
      BMO

    16. Re:The future is now by DeadboltX · · Score: 2, Insightful

      End user devices have easy to use menus already. If you're configuring something that requires use of a cli then you're either: a hobbyist who enjoys learning, a professional who knows what you're doing, or an end user who is in over your head.

    17. Re:The future is now by Fred+Ferrigno · · Score: 2, Insightful

      It's a trade-off of security for convenience, sure. It's not something you would enable on anything other than a private home network.

    18. Re:The future is now by zippthorne · · Score: 1

      Huh? Just look for "UPnP" on the router's box...

      --
      Can you be Even More Awesome?!
    19. Re:The future is now by Bastardchyld · · Score: 1

      Ease of use and the user interfaces on routers haven't improved one bit for consumers from the Belkin I had in 2002; why should a market completely stagnate in user friendliness for that long?

      Not that I completely disagree with your point of routers needing to be simpler, however I think we are dealing with another issue here. Game companies stopped writing games to be firewall friendly, and documenting the ports that are needed for connections. Then the move from dedicated servers to peer-to-peer matchmaking has made that even more difficult. I remember playing many games online around 2000 that had well defined ports which needed to be opened or NAT'd. Nowadays good luck, the companies just defer to UPnP (which is not used by anyone who understands the inherent risk in having a program open ports on your firewall without any sort of authentication).

      Also it is important to note that the majority of the open-source community is contributed by hobbyists, hobbyists do not care about market share. Also to be honest most don't care about designing software for the masses, they care about designing software which does what it does and does it well (most likely the function it performs is something that the contributor needs or finds neat). Then if users have a need to do what your software does then they can use it... Users need to learn to use software, software doesn't need to learn how to use people (sounds a bit Matrix-like).

      -matt

      --
      $diff terrorists hippies
      $
      $rm -rf *terrorists *hippies
    20. Re:The future is now by Jimmy+King · · Score: 4, Insightful

      Computers are complex. Something that can do many things in many different ways is always going to be complex to work with. One of the biggest disservices we've done for people in terms of computer and Internet use is telling them that they are simple and anyone can use one without any training. It's not true, it's not likely to ever be true, at least not while staying what we think of as a PC. When it becomes true you've got a WebTV (There might be a few people here who are too young to remember those... crazy) or a video game console.

      As to firewalls and routers specifically? I believe UPnP does what you would like for the most part if app developers would make use of it (I haven't ever made use of it that I can think of, so I'm not 100% certain), although I believe having app developers include something that just goes in and modifies firewall rules as a black box to the end user is a risky idea. The app developer has no idea what else the user has on their system and how their changes to the firewall might affect that. This is the sort of thing end users should know about at a basic level, akin to changing a tire, checking coolant, etc. on a car. Many probably don't know and get by just fine, but they should know, it's definitely in their best interest.

      I've said this before on here and I'm sure I'll say it many more times. While the internet has provided a lot of good and a lot of knowledge and I wouldn't ever support taking it away from people, you have to wonder what the hell the first guy who thought it would be a good idea to make normal users system administrators (that is what a home user is) on the largest, most complex network in the world was thinking.

    21. Re:The future is now by Anonymous Coward · · Score: 0

      And uPnP is a huge security risk, as you don't even have to identify yourself to the uPnP. It is easy for bad guys to send you a script and open up your firewall for attacks on you. Just for them to "phone home" and then they know how to take over your machine.

    22. Re:The future is now by Bastardchyld · · Score: 1

      If we're talking about average home users, UPnP works well enough, if they even need it which many don't. On the other hand, if your "end users" are system admins managing large, complex networks, then there just isn't going to be a one-size-fits-all solution. The more complex and specialized your demands on the system are, the more effort you're going to have to put into configuring it.

      Reason number 1,456,930 why not to use UPnP.
      The whole idea behind UPnP is that you can have any program dynamically change configuration on your router/firewall (read: open/close ports, create NAT entries). Do you see any problem with this? If not perhaps searching for "Problems with UPnP" will make things more clear.

      -matt

      --
      $diff terrorists hippies
      $
      $rm -rf *terrorists *hippies
    23. Re:The future is now by Qzukk · · Score: 4, Interesting

      let alone get their port forwarding to work for Gears of War

      Did the Gears of War developers at least bother to tell you what ports you needed, or did they leave that to be discovered in the forums by a bunch of people guessing random numbers until it kind-of works for some people?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    24. Re:The future is now by bell.colin · · Score: 2, Insightful

      If a game can send a "text" file to open up port automagically, so can any malware or malicious site. You could implement a list of "approved" games but then who maintains a list, rejects/accepts entries, etc...?

    25. Re:The future is now by GaryOlson · · Score: 1

      There are tools that make things easier for "quickly maintaining" what you want, but fine tuning is always breaking out a real set of tools and making adjustments.

      What about the drivers? Fuck them. They don't even know what a fuel system is and don't care what it is, don't care what a fuel injector is outside of "it makes the car go," don't care what a master cylinder or caliper is, and mostly don't care how an ignition system works or even bother to learn how to navigate with a stick shift. Most of all, they cannot be trusted to reliably drive in reverse without somehow screwing up, even if they do it every day.

      This is why your auto mechanic treats you like someone who just got off the short bus.

      --
      Every man's island needs an ocean; choose your ocean carefully.
    26. Re:The future is now by Anonymous Coward · · Score: 0

      I love how you user guys know exactly what needs to be done but don't want to waste your precious time doing anything.

      Not everything can be dumbed down to a user level. Not everything should be dumbed down to a user level.
      Computers are complicated systems. Despite the best efforts of generations of skilled programmers pioneering this new field (you're welcome, by the way) sometimes things are just kind of hard to do. Either pay a professional to do these things for you, or learn to do them yourself, or STFU.

    27. Re:The future is now by dudpixel · · Score: 1

      We certainly don't want the end users changing firewall configurations. I'd suggest you need to start back at the top of the thread again...you know, somewhere near the summary...

      --
      This seemed like a reasonable sig at the time.
    28. Re:The future is now by dudpixel · · Score: 1

      yeah yeah I know - depends how you think of "end users". I was thinking of a corporate environment, where dragging PCs across firewalls might be useful.
      I realise now that for home users, a GUI may be useful, but there's only a select few home users who need to do anything beyond turning the firewall on their modem on...and they have a "GUI" for that.

      --
      This seemed like a reasonable sig at the time.
    29. Re:The future is now by blackraven14250 · · Score: 1

      How is it insane if you require that it comes from a wired, internal connection from the unit...?
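Several posts in this thread circle the same design: uncledrax proposes a plain-text file that is pasted into the router instead of form fields and worries that such a file could open something like 135/tcp, bell.colin notes that any malware could submit the same file, and blackraven14250 asks whether it is still insane if the request has to come from the internal side. The following is an added example written for this page, not code from any router firmware or from any of the posters: a Python validator that parses such a request, enforces a LAN-only origin and a port policy, and renders the result as iptables DNAT rules. The line format, the LAN prefix, the deny list, the WAN interface name and the sample requests are all assumptions for illustration.

```python
"""Validate a plain-text port-forward request before a router applies it.

Added example for this thread, not code from any router firmware or from the
posts above.  The line format ('proto external_port [internal_port]', '#'
comments), the LAN prefix, the deny list, the WAN interface name and the
sample requests are all assumptions made for illustration.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed internal subnet
MAX_FORWARDS_PER_REQUEST = 8
# Ports above 1023 that no game or consumer app should ask to expose from a
# home network; anything below 1024 is refused outright.
DENIED_PORTS = {1433, 3306, 3389, 5432, 5900}


class RequestError(ValueError):
    """Raised for any syntax or policy violation; nothing is applied on error."""


def parse_request(text):
    """Syntax only: return [(proto, external_port, internal_port), ...]."""
    forwards = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (2, 3):
            raise RequestError(f"line {lineno}: expected 'proto port [port]'")
        proto = parts[0].lower()
        if proto not in ("tcp", "udp"):
            raise RequestError(f"line {lineno}: protocol must be tcp or udp")
        try:
            ports = [int(p) for p in parts[1:]]
        except ValueError:
            raise RequestError(f"line {lineno}: ports must be integers") from None
        for p in ports:
            if not 1 <= p <= 65535:
                raise RequestError(f"line {lineno}: port {p} out of range")
        external, internal = ports[0], ports[-1]   # two fields: same port both sides
        forwards.append((proto, external, internal))
    return forwards


def authorize(forwards, requester, lan=LAN):
    """Policy: LAN-only requester, no privileged or denied ports, no duplicates."""
    addr = ipaddress.ip_address(requester)
    if addr not in lan:
        raise RequestError(f"request from {requester} did not come from the LAN")
    if len(forwards) > MAX_FORWARDS_PER_REQUEST:
        raise RequestError("too many forwards in one request")
    seen = set()
    for proto, external, internal in forwards:
        for p in (external, internal):
            if p < 1024:
                raise RequestError(f"{proto}/{p}: privileged port refused")
            if p in DENIED_PORTS:
                raise RequestError(f"{proto}/{p}: port is on the deny list")
        if (proto, external) in seen:
            raise RequestError(f"{proto}/{external}: listed twice")
        seen.add((proto, external))
    # A forward only ever points at the machine that asked, never at a third host.
    return [(proto, external, str(addr), internal) for proto, external, internal in forwards]


def to_nat_rules(mappings, wan_if="eth0"):
    """Render accepted mappings as iptables DNAT plus matching FORWARD accepts."""
    rules = []
    for proto, external, host, internal in mappings:
        rules.append(f"-t nat -A PREROUTING -i {wan_if} -p {proto} --dport {external} "
                     f"-j DNAT --to-destination {host}:{internal}")
        rules.append(f"-A FORWARD -i {wan_if} -d {host} -p {proto} --dport {internal} "
                     f"-m conntrack --ctstate NEW -j ACCEPT")
    return rules


def handle(text, requester):
    """Parse, authorize and render; any failure raises before rules are built."""
    return to_nat_rules(authorize(parse_request(text), requester))


# Constructed sample requests: one plausible game profile, one hostile file.
GAME_REQUEST = "# ports for some game\ntcp 27015\nudp 27015\nudp 7777 7778\n"
HOSTILE_REQUEST = "tcp 135\n"

if __name__ == "__main__":
    for rule in handle(GAME_REQUEST, "192.168.1.42"):
        print(rule)
```

The origin check answers the objection about requests arriving from the WAN side, and binding every forward to the requester's own address stops one LAN host from exposing another. It does not answer bmo's and Sir_Lewk's objection: a program already running on a LAN machine passes the same check, which is exactly the UPnP problem, so the deny list and the privileged-port refusal only narrow what such a program can ask for rather than prevent it.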

    30. Re:The future is now by Bigjeff5 · · Score: 1

      For home routers, pretty much all of them have simple router config software that walks a user through setting up their network and configuring all devices.

      For enterprise grade network equipment, Cisco at least already has everything the OP is asking for. You still need to know what you are doing, since there is a hell of a lot more that a Cisco router can do than a Linksys can do (oddly enough Linksys home routers come with cisco branding, don't be fooled, it's the same old shitty linksys), but if you want to go that route you can use a GUI to manage each router and a management software package to manage the whole kit - network diagram and all.

      Frankly, if the OP wants to operate in the here and now, he should stop using equipment from the 90's and try some modern hardware.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    31. Re:The future is now by Anonymous Coward · · Score: 0

      Home router manufacturers, if they have any sense.

    32. Re:The future is now by blackraven14250 · · Score: 1

      Also it is important to note that the majority of the open-source community is contributed by hobbyists, hobbyists do not care about market share.

      My point in that regard was that Linux serves its own market, then the fanboybase complains that "ZOMG teh sheeplez don't use our superior OS and choose the easier M$ Windoze instead!". It's the elitism without seeing the other perspectives, like the guy above suggesting everyone "just script it out", that makes me cringe when it comes to these discussions.

    33. Re:The future is now by LodCrappo · · Score: 5, Insightful

      "Yeah, fuck those end users! We'll make it a bitch and a half to use our product even though the fixes are simple!"

      No, the fixes are not simple. I don't know why you feel qualified to proclaim that they are, but you are mistaken.
      I'm also not sure where you got the idea that anyone intentionally makes their products difficult to use. It is far more likely that the device you struggle to use is "difficult" due to lack of any effort, not because of a specific effort to make it difficult.

      Honestly now, I'm talking about home users, the other people who use firewalls, even though they don't know it. Make it a standard on routers where on the router's config page, it can accept a small text file with ports to be routed to the current connection. Even better, have the program send that information when the game starts, and have the ports un-routed when the game ends. It's a relatively simple, easy fix for the headache that is "finding out the proper ports for XBox Live to work" and entering them manually.

      Once again, your simplistic "solution" reveals how little you understand about the problem. Ignoring the technical issues (and the fact that all of this has been possible via uPnP which works much more simply than your proposal), why would a user know what a "router config page" or a "text file" is? Why would a home user know how to acquire this text file or how to submit it to a router config page? You've defined "typical user" in terms of what *you* know how to do, which is just as foolish as a unix admin defining the typical user in terms of what they understand.

      I know how to do it, but let me tell you, I don't know many other people that can install a router to begin with, let alone get their port forwarding to work for Gears of War; and they don't care to learn. Ease of use and the user interfaces on routers haven't improved one bit for consumers from the Belkin I had in 2002; why should a market completely stagnate in user friendliness for that long?

      Oh, that's right. It's because every *nix head doesn't think about the real end user, just what's "most powerful" in terms of features. Design solely for the power users and administrators, and you miss 95% of the market - what Linux has excelled at for many, many years.

      So much misunderstanding.. so little time. What do "*nix heads" have to do with routers? Very few routers run unix, and home router user interfaces certainly have nothing to do with unix. Why haven't you seen changes in these devices since 2002? Basically because they work well enough for that 95% of the market you mention. You know what has changed? They cost a lot less. This is really all that same 95% give a shit about.

      And finally.. what gives you the idea that Linux wants anything to do with this 95%? Linux is made by skilled folks who were nice enough to share so that other skilled folks can use it and hopefully add something back to the pool. That 95% has very little to offer us.

      Comments like "linux will never 'win' until it's easy to use" are silly.. Linux already won, it just isn't playing with you.

      --
      -Lod
    34. Re:The future is now by Sir_Lewk · · Score: 2, Insightful

      Because the average home computer is already 97 different flavors of pwned. We're not talking about people jumping on your wifi and fucking with your router, we are talking about malware already present on damned near every windows machine in the wild suddenly being able to easily blow whatever firewall might be present wide fucking open.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    35. Re:The future is now by bmo · · Score: 1

      You're asking for the client side computer to execute a program that will configure the ports on the router and do it in the background. This program may be good or evil. If it's good, that's convenient. But if the program (say you got drive-by-installed) is evil, then it also configures your router's ports in the background.

      But not only that, say you buy a CD or DVD from Sony and as part of the DRM rootkit they've used against you, they have also blasted a bunch of holes in your router which you don't notice for months because it was all done without user interaction.

      All for the sake of "user friendliness"

      I don't know about you, but that seems like a horrible idea to me. Not everyone has your best interests in mind.

      --
      BMO

    36. Re:The future is now by Sir_Lewk · · Score: 1

      Ease of use and the user interfaces on routers haven't improved one bit for consumers from the Belkin I had in 2002; why should a market completely stagnate in user friendliness for that long?

      Oh, that's right. It's because every *nix head doesn't think about the real end user, just what's "most powerful" in terms of features. Design solely for the power users and administrators, and you miss 95% of the market - what Linux has excelled at for many, many years.

      This statement makes absolutely no sense. You blame the issues of an entire market on a single group of people, and then claim this is why that group of people will never be influential.

      You are a troll piece of shit who brings nothing of value to this conversation. You've been modded up because you're complaining, but you don't actually know enough to really know what you're complaining about.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    37. Re:The future is now by femtoguy · · Score: 1

      I have to agree with this. I have been using linux long enough that I remember the time before slashdot, before Redhat, and ran a pre-1.0 kernel for a while. I have been trying to wrap my brain around linux firewall rules, and I still get it wrong more than I get it right. Right now, most of my firewalls are copied from some site that I found on google. I suppose that somebody will (or has) made the argument that if you cannot understand iptables then you aren't worth having in the linux community, but that seems short sighted. Most people (including this 15-year linux veteran) cannot understand the current system well enough to make things work well, and I believe that we need to expand our community. I believe that the current system is powerful, and well constructed. What I think we need is an explicit tie between firewall and VPN, and then a useful abstraction to help unsophisticated users easily do the simple tasks that are most common in network configurations.

    38. Re:The future is now by clang_jangle · · Score: 1

      I can see your point, but OTOH there's the reality that most people are going to put their banking details and personal secrets in a machine they have no clue how to secure. They seem to be in denial that this is like burying all your money in a public park and expecting it to be there safe and waiting for them when they need it.

      So yeah, most users are stupid, arrogant, lazy, and unrealistic. It's not like there's a lack of information on the subject or anything. And let's face it, scripting a firewall or even just properly configuring a router isn't exactly brain surgery.

      --
      Caveat Utilitor
    39. Re:The future is now by LodCrappo · · Score: 1

      I won't say "if you cannot understand iptables then you aren't worth having in the linux community". I will say that if you don't understand iptables, you probably aren't trying very hard. It can be understood at a functional, surface level in a couple hours and mastered in a few months of serious use. I'm honestly interested to know... what part of iptables is it that a 15 year linux veteran cannot understand?

      --
      -Lod
    40. Re:The future is now by Gr8Apes · · Score: 1

      I was under the impression that until Cisco bought Linksys, Linksys was pretty decent hardware. Since they bought it, it's gone seriously downhill.

      I'd love a $100 or so wireless router that will actually function for more than 12 months. Heck, for 3+ years of trouble free operation I'd even spend more, although like any bargain hunter here I'd love to pay $10 instead. If you have any decent suggestions, I'm all ears.

      --
      The cesspool just got a check and balance.
    41. Re:The future is now by Anonymous Coward · · Score: 1, Insightful

      Much of this comes (IMHO) from people who don't have a clue about what kind of system they are talking about. It sounds easy, until you get to the little details, which they never get to because they don't know anything about them. These are the people depicted in the recent Windows 7 ads ("I told them to make it easy, you can thank me now" crap). If this sort of work was easy then someone would have done it by now. There is a reason it hasn't been done. There are some things you still need experts for in this world. Taking out an appendix doesn't sound all that hard, but you wouldn't expect a home user to do it, would you? And why is that? Could it be because so much could go horribly wrong?

    42. Re:The future is now by MightyMartian · · Score: 2, Interesting

      So your objection is with some *nix guys' sense of superiority, rather than with the actual issues. Your problem can likely be fixed by one form of anti-psychotic or anti-depressant or another. I mean, you come to what amounts to a forum for tech geeks, most of whom aren't just MCSEs, but who deal with all sorts of OSs, and with firewalls, with pretty complicated systems based on iptables and other firewall solutions, and complain because they suggest scripting your solution.

      Live with it. GUIs have inherent limitations. Draw a non-trivial network diagram and you'll see why it's so difficult to build automated tools for the job, and why some of the uber-simplified tools like UPnP in fact introduce serious security issues. Unfortunately routing, firewalls, VPNs and the like can grow in complexity very quickly even in home user situations. Solutions to these issues are often non-trivial and require a degree of expertise, and that means going beyond simplistic point-and-clicks and drop down menus, and means, one way or the other, some kind of scripting.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    43. Re:The future is now by SeNtM · · Score: 1

      Do you blame the manufacturer when you leave the car unlocked and come back to find your iPod missing? No, you learned how to operate the door locking mechanism because you are aware of the dangers of leaving your valuables out in the open.

      IPv4 has been around for 30 years... If you gave someone a [insert any 30-year-old technology or device], came back 30 years later and they hadn't figured out how to use it, maintain it, and secure it, you are well within your rights to beat them over the head with it.

      Ok, so maybe that is a bit harsh. But anyone that uses a plug-and-play firewall and thinks their network will still be secure 6-12 months from now would likely have opened that Nigerian email containing the trojan that opened their network up to every botnet on the planet.

      It is in the best interest of every person to learn and understand the underlying technology of the devices they use...in most cases the documentation is there and is free.

      --
      "There ought to be limits to freedom." -George W. Bush
    44. Re:The future is now by Anonymous Coward · · Score: 1, Insightful

      Yes, some people like needless complexity because it gives them more power within a given context (like those who think every child should learn 8 languages for the sake of community cohesion). That is not the case here. The reason routers, home and enterprise, haven't changed in 15 years is because the underlying infrastructure hasn't changed either. We're still using IPv4, 802.2/3 and various other layer 2/3 standards which all define how these devices have to work. You're welcome to attempt simpler solutions to these protocols but it is unlikely you'll succeed. The problems they solve are intrinsic to the basic concepts that define a computer network logically. You'll just end up reinventing the wheel.

      The best thing for security (and most other societal problems, real and politician created) would be to kill off this dumb it down culture that you're promoting. Yes, people have to learn things they don't want to.. too bad. Not everything can be simplified further than it is just because the majority has trouble comprehending it. The best thing to do is offer sane defaults that cover most cases, leaving the corners to figure their own shit out. The really scary part is when people who think as you do get to take charge because then needed flexibility is removed from products to make them 'simpler.'

    45. Re:The future is now by Anonymous Coward · · Score: 0

      Again, I give you ...UPnP NAT Traversal (part of the UPnP IGD 1.0 standard that's been around for more than 10 years..)

      If the client application/software supports it, and the NAT gateway supports it, the entire connectivity experience becomes seamless.

      What you should be asking is "why isn't all consumer-intended software coded for UPnP NAT traversal?" and/or "why don't all consumer-level NAT gateways ("routers") come with UPnP IGD support (and enabled by default)?"

      10 years? and most consumer connectivity software STILL doesn't support it?

      Crazy...
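
Since the thread keeps circling UPnP IGD without showing it (comment 35's worry about a program quietly opening ports, comment 45's pitch for it), here is the exchange itself as an added example. This is illustration code written for this page, not code from the thread or from any router vendor, and it runs offline: the gateway address, control URL and the sample reply are constructed for the example, where a real client would take them from the SSDP answer and the device description it points to.

```python
"""Added example, not code from the thread or from any router vendor: the UPnP
IGD exchange by which any program on the LAN opens a port on the gateway.
The gateway address, control URL and the sample reply are constructed for the
illustration; a real client gets them from the SSDP answer and the device
description document it points to."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
ET.register_namespace("s", SOAP_NS)
ET.register_namespace("u", WANIP)


def build_msearch(mx=2):
    """Step 1: SSDP discovery, multicast to 239.255.255.250:1900 by anyone on the LAN."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            "HOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {WANIP}\r\n\r\n")


def build_add_port_mapping(ext_port, int_port, int_client, proto="TCP",
                           desc="game", lease_seconds=0):
    """Step 2: SOAP body for AddPortMapping. Everything the gateway needs is here;
    nothing identifies or authorises the caller. lease_seconds=0 makes the hole
    permanent; a game that wants it closed when it exits would set a lease."""
    if proto not in ("TCP", "UDP"):
        raise ValueError("protocol must be TCP or UDP")
    for port in (ext_port, int_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope",
                     {f"{{{SOAP_NS}}}encodingStyle":
                      "http://schemas.xmlsoap.org/soap/encoding/"})
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    action = ET.SubElement(body, f"{{{WANIP}}}AddPortMapping")
    args = [("NewRemoteHost", ""), ("NewExternalPort", ext_port),
            ("NewProtocol", proto), ("NewInternalPort", int_port),
            ("NewInternalClient", int_client), ("NewEnabled", 1),
            ("NewPortMappingDescription", desc), ("NewLeaseDuration", lease_seconds)]
    for tag, value in args:  # argument elements carry no namespace
        ET.SubElement(action, tag).text = str(value)
    return ET.tostring(env, encoding="unicode")


def build_http_post(gateway, control_url, soap_body, action="AddPortMapping"):
    """Step 3: HTTP framing. Note what is missing: any Authorization header."""
    length = len(soap_body.encode("utf-8"))
    return (f"POST {control_url} HTTP/1.1\r\n"
            f"HOST: {gateway}\r\n"
            'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
            f'SOAPACTION: "{WANIP}#{action}"\r\n'
            f"CONTENT-LENGTH: {length}\r\n\r\n") + soap_body


# Constructed reply to GetGenericPortMappingEntry(NewPortMappingIndex=0): the
# record type you walk (index 0, 1, 2 ...) to audit what has been opened on you.
SAMPLE_REPLY = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>3074</NewExternalPort><NewProtocol>UDP</NewProtocol>
<NewInternalPort>3074</NewInternalPort><NewInternalClient>192.168.1.50</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>Xbox</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""


def parse_mapping_entry(reply_xml):
    """Turn one GetGenericPortMappingEntry reply into a dict. Looping the index
    until the gateway answers with a SOAP fault (713, SpecifiedArrayIndexInvalid)
    enumerates every hole, whoever punched it."""
    root = ET.fromstring(reply_xml)
    resp = root.find(f".//{{{WANIP}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntry reply")
    f = {child.tag: (child.text or "") for child in resp}
    return {
        "external_port": int(f["NewExternalPort"]),
        "protocol": f["NewProtocol"],
        "internal_client": f["NewInternalClient"],
        "internal_port": int(f["NewInternalPort"]),
        "enabled": f["NewEnabled"] == "1",
        "description": f["NewPortMappingDescription"],
        "permanent": int(f["NewLeaseDuration"]) == 0,
    }


if __name__ == "__main__":
    soap = build_add_port_mapping(3074, 3074, "192.168.1.50", "UDP", "Xbox")
    print(build_http_post("192.168.1.1:49152", "/upnp/control/WANIPConn1", soap))
    print(parse_mapping_entry(SAMPLE_REPLY))
```

The point both commenters are arguing about is visible in the request: there is no credential anywhere in it, so the gateway cannot tell a game from a drive-by installer. The lease field is the closest the protocol comes to the "un-routed when the game ends" behaviour asked for earlier in the thread, and the audit parser is how you would find out what a permanent lease of 0 left behind.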

    46. Re:The future is now by LodCrappo · · Score: 1

      I haven't seen any improvement or decline in the quality of Linksys equipment since they were acquired/purchased/whatever happened with Cisco. Some models at least appear to be identical except for the cisco logo printed on it. I've used and recommended linksys stuff for many years, not because it works that well or lasts that long, but because it's cheap, easy to find and fairly well documented.

      If you want a router that works great and lasts several years, buy a Cisco (the stuff you find at cisco.com, not at best buy). With a few infamous exceptions, cisco gear works *very* well and lasts forever. Thing is, these cost several times what a linksys does. In the end it's tough to say which is a better deal, but given the pace of advances in networking I think the cheap stuff makes more sense for a home network. The real cisco stuff makes more sense in a business where downtime can be a bigger expense than the equipment.

      If you are willing to tinker but on a budget, used cisco gear can be an interesting way to go. You're not going to get the latest models for a good price, but a generation behind can be cheap and still plenty powerful for home use. I don't know if any 802.11G models have become cheap in the used market, but the 350 series/802.11b stuff was dirt cheap last I checked. Those work wonderfully well.

      --
      -Lod
    47. Re:The future is now by DeadboltX · · Score: 1

      I'd rather have a powerful cli firewall than an "apple app store" firewall that only lets me pick certain predefined block/allow rules.

    48. Re:The future is now by MartinSchou · · Score: 1

      The "Simple Way" is usually the wrong way when dealing with complex systems.

      As it happens a car is a fairly complex system. Once you take turbo chargers, super chargers, fuel injectors, gearing, ESP, ABS, traction control etc into account, it's extremely complex and does stuff you cannot possibly achieve on your own. But they still have a very simple interface. Gear lever (unless it's an automatic), steering wheel, gas pedal, brake pedal, clutch (unless it's an automatic), and each of them serve a very simple purpose.

      Yet, we don't have to punch in a number every time we want to change gear, enter the exact angle for the steering wheel, set the gas or brake at certain percentages etc.

      Mostly the reason the 'simple way' fails to work properly with complex systems is not because they're simple interfaces, but because the designer of the interface didn't do a good job.

    49. Re:The future is now by Flaming+Foobar · · Score: 1

      Honestly now, I'm talking about home users, the other people who use firewalls, even though they don't know it. Make it a standard on routers where on the router's config page, it can accept a small text file with ports to be routed to the current connection.

      Or better yet, disable it by default. A firewall in most home environments does exactly nothing. It's snake oil. It's blocking ports where there aren't any services running anyway. The user is still able to open any email attachment or surf any web page with her IE6...

      In fact, in most corporate environments a firewall doesn't do much, either. Funny how sysadmins agonize over which IPs can ssh to an up-to-date Linux box, but then they have VPN, a bunch of IIS, Exchange and a whole host of other stuff open to the whole wide world. I just recently did some development work for a company which required me to open a VPN connection before I could ssh into their Linux/PostgreSQL/Apache server. The sysadmin didn't believe me when I told him that it's less secure that way. He saw the break-in attempts in the sshd log so he didn't want the port open...

      --
      while true;do echo -e -n "\033[s\n\033[u\134_\033[B";done
    50. Re:The future is now by Anonymous Coward · · Score: 0

      The problem is you want something that will work for *you*, without considering there are millions of *yous* with equally simple yet snowflake-unique needs.

      Also, the comment about missing 95% of the market? Porsche has done that as well.

    51. Re:The future is now by firstnevyn · · Score: 1

      I've met many, many individuals in my life who are not capable of changing a tyre on a car, let alone checking fluids on a car (oil, radiator, windscreen).

    52. Re:The future is now by Again · · Score: 1

      Honestly now, I'm talking about home users, the other people who use firewalls, even though they don't know it. Make it a standard on routers where on the router's config page, it can accept a small text file with ports to be routed to the current connection. Even better, have the program send that information when the game starts, and have the ports un-routed when the game ends. It's a relatively simple, easy fix for the headache that is "finding out the proper ports for XBox Live to work" and entering them manually.

      How is that different from not using a firewall? I don't mean that to sound rhetorical, I'm genuinely wondering. If a firewall opens ports whenever it is requested to do so, why have a firewall at all?

    53. Re:The future is now by BikeHelmet · · Score: 1

      Sounds like you're talking about UPnP.

      I wonder why I still see new routers that can only open up 10 port combinations, though?

      I have a ridiculous amount of port forwarding rules for my Tomato router. Now I'm waiting for QoS to advance. I want to limit speeds and prioritize connections per IP, per port, and per connection. Not just per-connection.

    54. Re:The future is now by westlake · · Score: 1

      Linux is made by skilled folks who were nice enough to share so that other skilled folks can use it and hopefully add something back to the pool. That 95% has very little to offer us.

      Serving the user pays the light bill and the rent.

      Comments like "linux will never 'win' until it's easy to use" are silly.. Linux already won, it just isn't playing with you.

      I'll remember that the next time I'm shopping for a video game console, a tablet or a cell phone. The walled garden the geek so dislikes when he is on the outside looking in.

    55. Re:The future is now by LodCrappo · · Score: 1

      Linux is made by skilled folks who were nice enough to share so that other skilled folks can use it and hopefully add something back to the pool. That 95% has very little to offer us.

      Serving the user pays the light bill and the rent.

      Believe it or not, some of us do things for reasons other than financial gain. That's not to say there isn't money to be made in open source if that's your thing; there are quite a few financially successful FOSS entities and individuals. If you're genuinely interested in this subject, you may want to do a bit of research before making similar statements in the future.

      Comments like "linux will never 'win' until it's easy to use" are silly.. Linux already won, it just isn't playing with you.

      I'll remember that the next time I'm shopping for a video game console, a tablet or a cell phone. The walled garden the geek so dislikes when he is on the outside looking in.

      I'm not sure what this means, but I'm pretty sure I disagree somehow. Really not interested enough to try and decipher that one.

      --
      -Lod
    56. Re:The future is now by Anonymous Coward · · Score: 0

      Some trojans support it too.

    57. Re:The future is now by Bastardchyld · · Score: 1

      My point in that regard was that Linux serves its own market, then the fanboybase complains that "ZOMG teh sheeplez don't use our superior OS and choose the easier M$ Windoze instead!". It's the elitism without seeing the other perspectives, like the guy above suggesting everyone "just script it out", that makes me cringe when it comes to these discussions.

      I think you are missing a minor but very important detail. Fanboys don't contribute, people who actually contribute to Open Source (not just download the latest copy of Ubuntu) really don't care if you use their code. A contributor has to have the realistic expectation that you cannot write software that will do everything for everyone, and if you try, you will fail (either that or you just created skynet and we are all going to die). Nobody likes fanboys, but we are talking about contributors here, not fanboys.

      -matt

      --
      $diff terrorists hippies
      $
      $rm -rf *terrorists *hippies
    58. Re:The future is now by Anonymous Coward · · Score: 0

      While taking out an appendix requires a licensed appendix extractor, managing firewalls does not, so your average MBA will look for any way to skip the costs of a proper network admin.

      That's what GUI management tools are for, nothing else. If you think that Windows Small Business was made easy to accommodate network administrators, you're dead wrong. It was built that way to give the impression to MBAs of having control and not requiring pricey script kiddies, and while their server will be pwned without anyone noticing, they'll be happy with their half-running solution, congratulating themselves about how they got their server running on the cheap.

      Remember that management types are the ones who will never admit to being outsmarted. They think they know it all, dictating stupid timelines and requirements, without any recourse from the expert they hired to do the job, just because with their superficial view of the technology they know enough to see solutions but not enough to anticipate problems.

    59. Re:The future is now by Anonymous Coward · · Score: 0

      "That 95% has very little to offer us."

      That one comment woke me up. While in recent years I had been wondering how to get that 95% to get involved in Linux it just dawned on me (thanks to your email) that 95% of users are selfish and ignorant. Let them use Windows.

      It is true, they have nothing to offer. Fuck em. Go out of our way to get them involved in Linux and they will force so many changes that Linux will end up being Windows.

    60. Re:The future is now by icebraining · · Score: 0, Troll

      If they can convince you to run that script in your machine, to send UPnP commands, why wouldn't they simply include a payload in that script to spawn a reverse shell or whatever?

      If your machines run malicious code, you're already doomed. Disabling UPnP won't save you from that.

    61. Re:The future is now by gshegosh · · Score: 2, Insightful

      Just thinking out loud, but... If I don't know a thing about electricity and don't want to learn it, I pay a specialist that will put wires in my walls and install switches and devices for my convenience. Nobody thinks about making DIY wiring that would be easy enough for an average American Housewife to install. Why are computers always treated differently than other necessary stuff people have at home? Why is it OK to pay thousands of dollars for water or electric installations at your home, but it would be wrong to pay a few hundred for a proper computer network installation? If you can't do it alone, don't do it. And, it's fine by the way, because no one is able to learn everything and be good at it.

    62. Re:The future is now by tehcyder · · Score: 1

      What about the users? Fuck them.

      I wish I was as clever as you, it must be full of awesomeness to wake up in the morning and know that everyone you meet that day is going to be just so much dumber than you. All those mindless drones just out there earning money for their employers, while you sit around and do the really important job of feeling smug and making sure their fucking computers work.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    63. Re:The future is now by tehcyder · · Score: 1

      And finally.. what gives you the idea that Linux wants anything to do with this 95%? Linux is made by skilled folks who were nice enough to share so that other skilled folks can use it and hopefully add something back to the pool. That 95% has very little to offer us.

      So you're fine with linux remaining a small niche player? How sad.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    64. Re:The future is now by supercrisp · · Score: 1

      My wife is in tech support at a largish university (~30K students). Her work experience suggests that a significant proportion of the population doesn't give a damn, wouldn't give one if it were provided free, and boggles at tasks like locating a thumb drive in the file manager. I think the idea that we can educate willful dolts is utopian at best.

    65. Re:The future is now by Flentil · · Score: 1

      The users have it right though. Why should anyone want to care what a router switch is, or how a network works? Why should anyone care about ports and protocols? Remember figuring out modem initialization strings? Putting together a dozen abbreviated codes in a string to make your modem work with your hardware. It was a real pain in the ass, and one day it simply disappeared, becoming fully plug and play. I like to think that all the complicated things about computers will become automatic in time. It's what we should all be working towards. But you are one of the elitists who make us all look bad, continuing the stereotype of the obnoxious computer nerd who thinks he's better than the average user because you know the minutiae of how computers work. I do too, but I'd be happy to see it all just work automatically. I resent having wasted time learning about modem init strings, and see virtually everything connected with network administration as more of that. A problem of overcomplexity waiting to be fixed. It's just a matter of time, really.

    66. Re:The future is now by Jimmy+King · · Score: 1

      I agree that we can't educate anyone who doesn't want to be. I think maybe we would have been better off if we always said "These things are complex. You will either need to learn about them or pay people to do stuff for you if you want to own one."

      Treat them like a car. Even in the days where engines were "easy" to work on, you couldn't just quickly drop in a new rod and piston if you spun a bearing. I tend to think of networks in the same way, there are certain parts of it where it's just not going to be within the capabilities of someone without the time or inclination to learn about it.

    67. Re:The future is now by Anonymous Coward · · Score: 0

      Yep. Lots of people cry "elitism", but in fact most of them are just morons who feel threatened by competent people demanding competence from others. And the "diggification" of slashdot continues...

      Obviously the submitter wants something like what he saw in the movies. Sorry to break it to you pal, but real life network security isn't all glossy and zoomy. And even if it were, there'd still be no substitute for knowing WTF you're doing.

      --
      HTH,
      poodletop jehosaphatt

    68. Re:The future is now by Laurence0 · · Score: 1

      Isn't that the wrong way round? I'd say changing a tyre is significantly harder than checking oil/screenwash/rad fluid levels!

      Granted, that could be because I haven't needed to change a tyre yet (although I do know how...), but I can't see it actually being /easier/ than checking fluid levels!

      I agree in principle though - there are a lot of people using complicated equipment with no idea how it works or how to maintain it.

    69. Re:The future is now by Some+Bitch · · Score: 1

      This is insane.

      This is already in every consumer router out there.

    70. Re:The future is now by hesiod · · Score: 1

      Changing a tire requires operating a jack and removing a couple nuts. It's a very obvious process.

      Checking fluid levels means opening the hood which, by itself, is a terrifying prospect for many of the idiots with cars out there. Then you have to know which fluids are in translucent tanks with fill lines (usually just wiper fluid, but not always) and you have to locate dipsticks for the others, know that you first have to wipe them off, knowing whether the car should be off or on, cold or warmed up, etc.

      Then all bets are off if one of the fluids is low: where does each liquid go? Sure, you might assume the average person can figure out the screw-off cap that says "Oil" is where the oil goes in. But have you ever worked helpdesk? People will call, frantically asking what to do when a dialog box comes up with just an "OK" button. I will never again assume that people can understand the obvious when it isn't on something with which they are already very familiar.

    71. Re:The future is now by Anonymous Coward · · Score: 0

      What a silly response.

      Water aids include armbands, rubber rings, floats, and boats.

      You may not want to see floats in your local swimming pool, but that's just fascism.

    72. Re:The future is now by Anonymous Coward · · Score: 0

      UPnP, are you serious? You must be one of the people that thinks SNMP prior to v3 (2004) is "safe" and a good way to monitor network devices.

    73. Re:The future is now by SCHecklerX · · Score: 1

      I wouldn't even enable it on that. UPnP has no place on a firewall. If you have an app that needs to act as a server, port triggering is a better approach. Yup, users need to know how to do that. That's the tradeoff. If you automate allowing access, then access will be automated (by evil things).

    74. Re:The future is now by Gr8Apes · · Score: 1

      While reliability is definitely at the top of the list, speed is number 2. 802.11B just doesn't cut it, and 802.11G prices are, well, let's say I didn't see one anywhere near the $100 mark in a quick initial search.

      --
      The cesspool just got a check and balance.
    75. Re:The future is now by Sir_Lewk · · Score: 1

      I want to limit speeds and prioritize connections per IP, per port, and per connection. Not just per-connection.

      Look into HTB.init. If you can get iptables to mark packets as you wish (should be trivial to mark packets by ip and port), then you can QoS them differently. The documentation could be a little better but if you look around a bit it shouldn't be that hard.

      I've used it to knock certain people back to dialup speeds on my router (I get my DHCP server to give them specific IP addresses (based on MAC), mark their packets with iptables, then QoS those marked packets).

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
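
The three-step recipe in the comment above (static DHCP lease by MAC, iptables MARK, HTB class for the marked packets) is exactly the kind of thing the original question wanted scripted, so here it is scripted, as an added example that is not Sir_Lewk's configuration and not the thread's own code. It emits raw tc commands rather than HTB.init's config-file format, and the interface name, MAC addresses, IPs and rates are made up for the illustration. It also covers comment 53's wish for per-IP limits, which is the same mechanism with one class per host.

```python
"""Added example, illustration only: it is not Sir_Lewk's configuration and it
does not use HTB.init's config-file format (raw tc commands stand in for what
HTB.init derives from its files). It scripts the procedure from the comment
above: pin an IP to a MAC via DHCP, mark packets for that IP with iptables,
then give the marked packets their own HTB class. Interface name, MACs,
addresses and rates are made up."""
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
RATE_RE = re.compile(r"^(\d+)(kbit|mbit)$")
LAN_IF, LINK_RATE = "br0", "20mbit"  # LAN-side interface: this shapes downloads
FIRST_MARK = 0x100                    # fwmarks double as HTB minor class ids (hex)

# Constructed inventory: who gets which address and how much downstream bandwidth.
HOSTS = [
    {"mac": "00:11:22:33:44:55", "ip": "192.168.1.50", "rate": "56kbit"},  # "dialup"
    {"mac": "00:11:22:33:44:66", "ip": "192.168.1.51", "rate": "2mbit"},
]


def rate_kbit(rate):
    """Parse tc-style rates so per-host caps can be checked against the link."""
    m = RATE_RE.match(rate)
    if not m:
        raise ValueError(f"bad rate {rate!r}, expected e.g. 56kbit or 2mbit")
    return int(m.group(1)) * (1000 if m.group(2) == "mbit" else 1)


def assign_marks(hosts):
    """One fwmark per host; class ids are 16-bit, so keep them in range."""
    marks = {}
    for n, host in enumerate(hosts):
        if not MAC_RE.match(host["mac"].lower()):
            raise ValueError(f"bad MAC {host['mac']!r}")
        mark = FIRST_MARK + n
        if mark > 0xFFFF:
            raise ValueError("too many hosts for 16-bit class ids")
        marks[host["ip"]] = mark
    return marks


def dnsmasq_leases(hosts):
    """Step 1: static leases, so the IP we shape really belongs to that MAC."""
    return [f"dhcp-host={h['mac'].lower()},{h['ip']}" for h in hosts]


def iptables_marks(hosts, lan_if=LAN_IF):
    """Step 2: mark packets for each host as they leave towards the LAN."""
    return [f"iptables -t mangle -A POSTROUTING -o {lan_if} -d {ip} "
            f"-j MARK --set-mark 0x{mark:x}"
            for ip, mark in assign_marks(hosts).items()]


def tc_shaping(hosts, lan_if=LAN_IF, link_rate=LINK_RATE):
    """Step 3: HTB tree; a fw filter steers each mark into its own capped class.
    Unmarked traffic falls into class 1:10 at full link rate."""
    link = rate_kbit(link_rate)
    marks = assign_marks(hosts)
    cmds = [f"tc qdisc add dev {lan_if} root handle 1: htb default 10",
            f"tc class add dev {lan_if} parent 1: classid 1:1 htb rate {link_rate}",
            f"tc class add dev {lan_if} parent 1:1 classid 1:10 htb rate {link_rate}"]
    for host in hosts:
        if rate_kbit(host["rate"]) > link:
            raise ValueError(f"{host['ip']}: {host['rate']} exceeds link rate {link_rate}")
        mark = marks[host["ip"]]
        cmds.append(f"tc class add dev {lan_if} parent 1:1 classid 1:{mark:x} "
                    f"htb rate {host['rate']} ceil {host['rate']}")
        cmds.append(f"tc filter add dev {lan_if} parent 1: protocol ip prio 1 "
                    f"handle 0x{mark:x} fw flowid 1:{mark:x}")
    return cmds


if __name__ == "__main__":
    print("\n".join(dnsmasq_leases(HOSTS)))                        # dnsmasq.conf
    print("\n".join(iptables_marks(HOSTS) + tc_shaping(HOSTS)))   # run as root
```

Marks, class ids and the htb `default` argument are all written in hex because tc reads class ids and the default class as hex while iptables and the fw filter accept either base; writing them uniformly with a `0x` prefix avoids the classic off-by-a-radix mismatch where the MARK rule fires but no class matches. Marking in POSTROUTING on the LAN interface is enough for the download direction; shaping uploads would need a second tree on the WAN interface with marks set on `-s` rather than `-d`.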
    76. Re:The future is now by RedWizzard · · Score: 1

      It is far more likely that the device you struggle to use is "difficult" due to lack of any effort, not because of a specific effort to make it difficult.

      Oh, well that's so much better then. http://ask.slashdot.org/article.pl?sid=10/04/19/2339252#

    77. Re:The future is now by greenbird · · Score: 1

      It's a relatively simple, easy fix for the headache that is "finding out the proper ports for XBox Live to work" and entering them manually.

      And it's simpletons like you who end up designing trivial to hack systems like MS Windows. It, by no means, is a simple problem. There are conflicts, routers that don't implement the standards perfectly, idiots writing the configs or scripts...all of which end up opening security holes in your system.

      Oh, that's right. It's because every *nix head doesn't think about the real end user, just what's "most powerful" in terms of features. Design solely for the power users and administrators, and you miss 95% of the market - what Linux has excelled at for many, many years.

      No, we *nix heads actually think through complex problems rather than implement some half-assed solution that leaves users worse off while giving them a false sense of security. And, at least with Linux, every aspect of installation and configuration is simpler, easier and more intuitive than it is with any Microsoft product. The only problem is that it's different and you may have to spend 5 minutes figuring it out.

      --
      Who is John Galt?
    78. Re:The future is now by Anonymous Coward · · Score: 0

      Because the majority of computer users aren't on a VAX anymore. They're using computers to be productive and even for entertainment, and don't need to waste their time with a complex firewall script so they can play Halo.

    79. Re:The future is now by owlstead · · Score: 1

      In that case you are already in trouble. Firewalls are good at keeping things out. If the malware is already in, you're too late. Besides, on what PC are you proposing to view the firewall settings? On the already pwned PC? And what do you think the end-user will understand when he views the firewall settings page?

    80. Re:The future is now by Bert64 · · Score: 1

      Which is why such people either pay someone else to do it for them, or run the risk of an unreliable vehicle.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    81. Re:The future is now by Bert64 · · Score: 1

      On a home environment it does a lot - it blocks the default windows ports which are not easy for the user to disable...
      On a unix environment you're right, it's easier to simply turn the unnecessary services off and a firewall simply adds an additional attack vector, latency or failure point.

      Some VPN setups are horrendous, especially these "ssl vpn" things, which require you to run a browser as a privileged user and allow it to run arbitrary privileged code on your machine - modifying kernel settings or loading modules in some cases.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    82. Re:The future is now by Anonymous Coward · · Score: 0

      I don't think it is good practice to set up home networks behind a single router and then configure them to allow certain incoming traffic (via port forwarding). For example the Xbox game console can be (in my opinion) connected directly to the public Internet. Assuming that you have not set up media sharing between your PC and the console, just use a simple network switch to allow the console to fetch a public IP address from your ISP. Then connect your favorite home SPI router box behind the same switch.

      Now you have two public IP addresses, one for the console, one for the router (assuming you've configured NAT). Most of these routers run on Linux and the firewall is based on iptables. It should be enough for the basic user. The PC is now secured behind the router and console games work without a glitch. No port forwarding necessary. As for why it is so hard to find a single device that can do this, I would not know.

      Those fortunate enough to have network cabling in their homes manage to save a few bucks, since there's no need for a separate switch at all.

    83. Re:The future is now by webnut77 · · Score: 1

      Why not just supply the user with a pail of K-Y Jelly?

      LOL. That's a nice way of saying it.

    84. Re:The future is now by Flaming+Foobar · · Score: 1

      On a home environment it does a lot - it blocks the default windows ports which are not easy for the user to disable...

      Windows has shipped with an adequate firewall for that since XP SP3. If you aren't keeping your Windows system up to date, you are pretty much s-o-l anyways.

      --
      while true;do echo -e -n "\033[s\n\033[u\134_\033[B";done
    85. Re:The future is now by Anonymous Coward · · Score: 0

      Honestly now, I'm talking about home users, the other people who use firewalls, even though they don't know it. Make it a standard on routers where on the router's config page, it can accept a small text file with ports to be routed to the current connection. Even better, have the program send that information when the game starts, and have the ports un-routed when the game ends. It's a relatively simple, easy fix for the headache that is "finding out the proper ports for XBox Live to work" and entering them manually.

      Yikes, I don't want random programs punching holes in my firewall at will. How about vendors providing better support for RFC 322 from _1972_? It's real simple: software providers register their ports with IANA, OS providers keep their port lists updated, and routers/firewalls provide a nice GUI making it easy to choose ports by product name.

    86. Re:The future is now by Bert64 · · Score: 1

      What's the point of keeping services running and listening on the network, but firewalled so nothing can reach them? Does that not strike anyone else as stupid?
      Surely it makes more sense to simply not have those services running at all...
      Firewalls are for when you need to keep a service running, but you want to limit where you can connect to it from.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  9. Future of Internet and firewalls by seawall · · Score: 5, Insightful
    A wise wise network engineer at UW once showed me the following diagram several years ago:

    INTERNET -> PORT80, PORT443

    His point being more and more is routed through ports 80 and 443 in an effort to avoid firewall restrictions. I often think he was right. Consequences for firewalls left up to reader.

    1. Re:Future of Internet and firewalls by bersl2 · · Score: 3, Insightful

      Shouldn't it be INTERNET <- PORT80, PORT443? You're talking about outbound traffic firewalling, right? Inbound is explainable by the limitations imposed by NAT.

    2. Re:Future of Internet and firewalls by BitterOak · · Score: 1

      A wise wise network engineer at UW once showed me the following diagram several years ago:

      INTERNET -> PORT80, PORT443

      Actually, it's more like: INTERNET -> PORT22, since just about anything can be sent through an ssh tunnel. And the encryption makes most types of deep packet inspection impossible.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    3. Re:Future of Internet and firewalls by Anonymous Coward · · Score: 0

      Your wise engineer is not so wise... I get the point, but it's taken out of context. Port 80 is NOT internet traffic, nor is 443. It's a port, thus you can run any program via it if it's written to do so. You can serve web pages through 6969 if you wanted - if your web server is configured to do so. Same goes for port 443; this is just HTTP (80) tunneled through the SSL protocol. Once again, you can do whatever you want with whatever port you choose - depends on how the program is written.

    4. Re:Future of Internet and firewalls by Crackez · · Score: 1

      IP != TCP

      Man, I cannot wait for IPv6 already. I'm ready for the pain. It'll be worth it.

    5. Re:Future of Internet and firewalls by Crackez · · Score: 3, Funny

      BitterOak's Sig:
      "If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?"

      No, You can be modded up for being a Unix Sysadmin, Unix Developer, or M$ hater. All of the others you mention are downward.

    6. Re:Future of Internet and firewalls by Stray7Xi · · Score: 2, Interesting

      Actually, it's more like: INTERNET -> PORT22, since just about anything can be sent through an ssh tunnel. And the encryption makes most types of deep packet inspection impossible.

      You missed his point which wasn't about the protocol, but the port being used. If you use port 22, it'll be blocked many places because they don't want to allow you to ssh. If you use port 443 it'll be allowed since https is "necessary", even if you're using 443 to carry your ssh traffic. What's sad is seeing other services move to 443 to be more accessible. Most usenet providers offer SSL encrypted NNTP on port 443 (despite having an RFC port specifically for nntps).

      But it is much harder to block if they actually use legitimate-looking packets for protocols that get out rather than just its port. So people have encapsulated IP within real HTTP traffic. Better yet they'll use ICMP or even DNS to carry your traffic. I find the DNS one particularly amusing because it uses your nameserver to redirect the traffic even if the host isn't given any outside access.

    7. Re:Future of Internet and firewalls by yup2000 · · Score: 1

      even inbound it's true, but in a different way. My ISP blocks port 80, but not 443 :) So I run my webserver on 443 with a self signed cert which is quite hard to spoof ;) Luckily they don't block 22... though maybe they should given how much work my DenyHosts is doing for me......

      At work, I use a tunnel to bypass the special filtering they do, 443 (cgi-proxy) and 22 (ssh) are my friends...

      In the end they haven't prevented anything, just made me go through a couple of extra hops - both at work and at home.

    8. Re:Future of Internet and firewalls by rubi · · Score: 1

      True, I think, in the end, firewalls will have to evolve to check a lot of traffic going across just a handful of ports tunneling many other protocols and applications. More like current application firewalls or IPS/IDS systems, maybe much more evolved. If not, then firewalls are destined to vanish.

    9. Re:Future of Internet and firewalls by agristin · · Score: 1

      You should check out the Palo Alto Networks firewall. It does some interesting things, and came to that obvious conclusion a while ago.

      And it deals with Port 80 and Port 443 really well.

      My other favorite thing is applications- ever try to let ftp through a firewall (or stop skype?)- port hopping, neither a client nor a server, very interesting. Well the PAN stuff has that nailed down- you can't depend on port and protocol anymore, you need multiple ways to identify an app- and it has them.

    10. Re:Future of Internet and firewalls by endus · · Score: 1

      If only we could find a way to make windows file sharing run over port 80 instead of 139/445!!! Then infosec wouldn't make us connect to the VPN to get our files and life would be perfect!!!!

    11. Re:Future of Internet and firewalls by Gr8Apes · · Score: 2, Insightful

      and the funny thing is - if they allow anything through, ssh tunneling proxy pretty much nixes anything they're trying to block.

      --
      The cesspool just got a check and balance.
    12. Re:Future of Internet and firewalls by JWSmythe · · Score: 1

          People who care about security still keep SSH on the standard port? Stick it on something like 585, and let them think it's IMAP traffic. ... or 554 or 8554 and they'll think it's streaming media, and take advantage of the QOS rules.

      --
      Serious? Seriousness is well above my pay grade.
    13. Re:Future of Internet and firewalls by Anonymous Coward · · Score: 0

      A wise wise network engineer at UW once showed me the following diagram several years ago:

      INTERNET -> PORT80, PORT443

      Actually, it's more like: INTERNET -> PORT22, since just about anything can be sent through an ssh tunnel. And the encryption makes most types of deep packet inspection impossible.

      That is why port 22 is closed on most corporate firewalls...

    14. Re:Future of Internet and firewalls by AlXtreme · · Score: 2, Insightful

      Security through obscurity?

      It doesn't matter what port SSH is on. If an attacker is even remotely interested he'll run a port scan and find your SSH port soon enough.

      Better to invest your time into properly configuring/locking-down SSH. Good luck to any attacker trying to gain access if you only allow authkey access. Putting SSH on a different port is only giving you a false sense of security.

      --
      This sig is intentionally left blank
    15. Re:Future of Internet and firewalls by Anonymous Coward · · Score: 0

      I'd very much agree but I'd be tempted to add port 25 to the abused list. Port 53 is always there but never noticed.

      I've been terrified by the string of SSL interception devices we've been installing. When a client asks for this I always ask if they've run it by their lawyers.... Can it be intercepted? YES. Should it be? Maybe, but I feel dirty doing it. Let legal make the dirty decisions.

      Historically the firewall people have been too good/strict at enforcing policy. HTTP is allowed so the app people tunnel over it so their app works. FW people have to look deeper into the protocol. App people add encryption. FW people intercept encryption and continue to look further into the traffic... I'm waiting for the day when this excessively layered mess gets unraveled back to straight tcp connections without so many application layers.

      In answer to the original question: firewalls have had distributed management for years. Checkpoint has had one policy managing multiple firewalls forever. Even down to one policy for multiple Internet-connected offices and DMZ firewalls and having the VPN between them just work.

      I haven't seen something that can turn a Visio drawing into rules (why would you want to?) but you can turn rules into drawings. Checkpoint do their drawing and I believe there are other bolt-on products for other firewalls if you want to spend the money.

      I don't know what's meant by dragging and dropping systems across firewalls but you can drag and drop objects into firewall rules on many policy editors.

      Many firewalls have been integrating with directories for a long time. Old style was telnetting to the firewall and logging in to enable rules. New style is http with more transparent authentication depending on the situation.

      In terms of integrating multiple vendors' firewalls into a single view of the policy I don't think it can happen. There are so many different design models for firewalls that this doesn't make sense. Examples are:

      FW1 has a single policy that is shared between all interfaces on all installed firewalls. You then configure topology on those interfaces to protect against spoofing attacks. Very easy to configure but leads to dangerous situations if you aren't careful. i.e. proxy --> any for http can override the intention of mgmt --> sensitiveserver for http.

      ASA can have a policy per direction per interface. Makes it easy to express the above example since sensitiveserver's policy is enforced on its interface and the proxy policy is enforced on the outside interface.

      Some of the proxy firewalls have a sort of hybrid model. Services are bound to interfaces then the service enforces the rules.

      Most modern firewalls look a bit deeper than x to y on port z. Your rules would specify x to y for http on port z with many parameters on what counts as valid http. Every product has different ways of enforcing this.
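
The shared-rulebase hazard described in the comment above (proxy --> any for http quietly covering sensitiveserver) next to the per-interface model, as an added Python example; it is not from the thread or from any vendor's product, and the addresses, interface names and audit functions are constructed for illustration:

```python
"""Added example, not from the thread or any vendor's code: a first-match,
shared rulebase (the FW1 model above) lets the broad rule 'proxy -> any for
http' override the intent that only mgmt reaches sensitiveserver, while a
per-interface policy (the ASA model) does not. Addresses and interface
names are constructed; the object names come from the comment."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

NETS = {  # constructed address book
    "any": ipaddress.ip_network("0.0.0.0/0"),
    "mgmt": ipaddress.ip_network("10.0.0.0/24"),
    "users": ipaddress.ip_network("10.3.0.0/16"),
    "proxy": ipaddress.ip_network("10.1.0.5/32"),
    "sensitiveserver": ipaddress.ip_network("10.2.0.10/32"),
}
INTERFACE_OF = {"mgmt": "inside", "users": "inside", "proxy": "dmz",
                "sensitiveserver": "servers"}  # constructed topology


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    dport: Optional[int]  # None matches any port
    action: str           # "accept" or "drop"


def _hit(rule: Rule, src, dst, dport: int) -> bool:
    return (src in NETS[rule.src] and dst in NETS[rule.dst]
            and (rule.dport is None or rule.dport == dport))


def decide_shared(policy: List[Rule], src: str, dst: str, dport: int) -> str:
    """One ordered rulebase for every interface; first match wins and
    anything unmatched is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if _hit(rule, s, d, dport):
            return rule.action
    return "drop"


def _interface(addr) -> str:
    for name, net in NETS.items():
        if name != "any" and addr in net:
            return INTERFACE_OF[name]
    return "outside"


def decide_per_interface(policies: Dict[str, List[Rule]], src: str,
                         dst: str, dport: int) -> str:
    """A rulebase per interface (simplified): the flow must be accepted both
    where it enters (source interface) and where it leaves (destination
    interface). An interface without a rulebase drops everything."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for iface in (_interface(s), _interface(d)):
        if decide_shared(policies.get(iface, []), src, dst, dport) != "accept":
            return "drop"
    return "accept"


def exposed_sources(decide: Callable[[str, str, int], str], target: str,
                    dport: int, allowed: List[str]) -> List[str]:
    """Which address-book entries besides `allowed` can reach target:dport.
    It evaluates the policy instead of reading rule shapes, so rule order
    is taken into account."""
    dst = str(NETS[target][0])
    return [name for name, net in NETS.items()
            if name not in allowed and name not in ("any", target)
            and decide(str(net[0]), dst, dport) == "accept"]


SHARED_POLICY = [
    Rule("mgmt", "sensitiveserver", 80, "accept"),
    Rule("proxy", "any", 80, "accept"),            # broad: also covers sensitiveserver
    Rule("any", "sensitiveserver", None, "drop"),  # too late to protect it
]
SHARED_POLICY_FIXED = [
    Rule("mgmt", "sensitiveserver", 80, "accept"),
    Rule("any", "sensitiveserver", None, "drop"),  # protective drop first
    Rule("proxy", "any", 80, "accept"),
]
PER_INTERFACE = {
    "inside": [Rule("any", "any", None, "accept")],   # egress side decides
    "dmz": [Rule("proxy", "any", 80, "accept")],
    "servers": [Rule("mgmt", "sensitiveserver", 80, "accept")],
}


def audit_shared(policy: List[Rule]) -> List[str]:
    return exposed_sources(lambda s, d, p: decide_shared(policy, s, d, p),
                           "sensitiveserver", 80, ["mgmt"])


def audit_per_interface() -> List[str]:
    return exposed_sources(
        lambda s, d, p: decide_per_interface(PER_INTERFACE, s, d, p),
        "sensitiveserver", 80, ["mgmt"])


if __name__ == "__main__":
    print("shared:", audit_shared(SHARED_POLICY))                  # ['proxy']
    print("shared, reordered:", audit_shared(SHARED_POLICY_FIXED))  # []
    print("per interface:", audit_per_interface())                 # []
```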

    16. Re:Future of Internet and firewalls by IBBoard · · Score: 2, Insightful

      Putting SSH on a different port is only giving you a false sense of security.

      Or no change in your sense of security, but a much smaller log file because of the lack of script-kiddy brute force attacks on the service. It depends on who you are and what you know.

    17. Re:Future of Internet and firewalls by debrain · · Score: 2, Insightful

      Security through obscurity?

      It doesn't matter what port SSH is on. If an attacker is even remotely interested he'll run a port scan and find your SSH port soon enough.

      Better to invest your time into properly configuring/locking-down SSH. Good luck to any attacker trying to gain access if you only allow authkey access. Putting SSH on a different port is only giving you a false sense of security.

      Sir –

      There are valid reasons to move the SSH port around, including:

      1. It decreases the number of "script kiddie" attempts that do not look beyond the standard port for a known exploit (i.e. your server is no longer "low hanging fruit"); and

      2. You can react to a port-scan from a single host - e.g. by blacklisting the IP the portscan came from.

      Sophisticated, dedicated attackers can get around these. However, the vast majority of attempts will be made by people who are neither sophisticated nor dedicated (depending on what you're securing, of course).

      All to say, moving the port around isn't just security through obscurity. It decreases the statistical phenomenon of unwanted access by a measurable degree by slightly raising the difficulty of detecting and exploiting a given service. I completely agree, though, that this ought not give a heightened sense of security - the SSH server ought to be appropriately hardened. Nevertheless, where there is an exploit of the SSH server (of which there are examples) in the wild, you may reduce your chances of your server being exploited before the exploit is fixed by operating on a nonstandard port.

      A better alternative to a non-standard port, for those so inclined, is port knocking.

    18. Re:Future of Internet and firewalls by Jainith · · Score: 1

      Have you tried WebDAV?

    19. Re:Future of Internet and firewalls by Petaris · · Score: 1

      You can also use something like DenyHosts. It seems to work pretty well for blocking ssh hacking attempts. :)

      http://denyhosts.sourceforge.net/

      --
      ~Petaris "The world is open. Are you?"
    20. Re:Future of Internet and firewalls by Anonymous Coward · · Score: 0

      Security through obscurity isn't sufficient in and of itself, but it can be a valid part of a comprehensive security system. It's certainly true that someone looking to attack YOU (that is, your IP) will be able to quickly locate SSH running on an alternate port. But there are lots of script kiddies out there that simply scan well known ports on a huge range of IPs. They're not looking to attack YOU, they're just looking for a target of opportunity. Shifting SSH can prevent you from being that target.

      I run Denyhosts on my server. If I leave SSH on the default port, the number of blocked IPs in my hosts.deny file is huge. Move SSH to a different port and the number drops to a handful.
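
What a DenyHosts-style check actually does, as an added Python example that is not DenyHosts' own code: it reads constructed sshd log lines, counts failed logins per source address inside a sliding window, and emits hosts.deny entries for sources over the threshold. The log lines, addresses (documentation ranges) and thresholds are all constructed.

```python
"""Added example, not DenyHosts itself: count sshd authentication failures
per source within a sliding window and produce hosts.deny entries.
The log lines below are constructed in the traditional syslog format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

SAMPLE_LOG = """\
Apr 19 23:01:02 host sshd[4211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr 19 23:01:04 host sshd[4213]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Apr 19 23:01:07 host sshd[4215]: Failed password for root from 203.0.113.5 port 51251 ssh2
Apr 19 23:01:09 host sshd[4217]: Failed password for root from 203.0.113.5 port 51260 ssh2
Apr 19 23:01:15 host sshd[4220]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Apr 19 23:02:30 host sshd[4230]: Failed password for alice from 198.51.100.7 port 40030 ssh2
Apr 19 23:40:00 host sshd[4300]: Failed password for invalid user test from 192.0.2.9 port 3333 ssh2
Apr 19 23:55:00 host sshd[4310]: Failed password for invalid user test from 192.0.2.9 port 3340 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional because
# sshd omits it when the account exists.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$")


def _parse_ts(text: str, year: int = 2010) -> datetime:
    # syslog timestamps carry no year; the caller supplies one.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def offenders(log: str, threshold: int = 3, window_minutes: int = 10) -> Dict[str, int]:
    """Map source IP -> peak failure count for sources that reach `threshold`
    failures within any span of `window_minutes`. Successful logins are
    ignored, and a single typo by a legitimate user never reaches the bar."""
    window = timedelta(minutes=window_minutes)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ip, ts = m["ip"], _parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # forget attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def hosts_deny_lines(log: str, **kw) -> List[str]:
    """TCP wrappers hosts.deny entries for the flagged sources."""
    return [f"sshd: {ip}" for ip in sorted(offenders(log, **kw))]


if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))         # {'203.0.113.5': 4}
    print(hosts_deny_lines(SAMPLE_LOG))  # ['sshd: 203.0.113.5']
```

With the default window the two attempts from 192.0.2.9, fifteen minutes apart, never count together; widening the window and lowering the threshold catches them too.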

    21. Re:Future of Internet and firewalls by JWSmythe · · Score: 1

          You hit my reasons perfectly.

          On port 22, I usually see all kinds of kids trying to get in. On some other port, I see very few, but I know they're actually interested in causing harm. It's not an excuse to have weakened security. When they see it, it's a good sign that they're fighting against a harder target than normal. Is it worth trying to get into this target, or moving on to any number of easier targets?

          Most script kiddies like the easy targets. They like the fame of defacing lots of web sites, or rooting boxes to add to their set of drones to do bad things from. If it takes them hours to get into my box, they could likely have gotten into hundreds of other boxes in the same amount of time.

          Typically, that's used in conjunction with local firewall rules, so even though you know my SSH is on port 1234 (an example), you probably won't even connect unless you're on an authorized network. I prefer to drop access to any unauthorized port which slows their scans down to a crawl. I used to love scanning my network from work (an authorized network) and from home (an unauthorized network). From work, I'd see what ports are possibly open and can attempt penetration attacks. From home, I'd have to leave the scans running for days, just to find a few machines with port 80 open. That was on "my baby" network. It was a network that I nurtured and grew from nothing, to be a large robust distributed network. Now I just manage a few boxes here and there as a hobby. Many things still apply though, so script kiddies don't bother me. :)

      --
      Serious? Seriousness is well above my pay grade.
    22. Re:Future of Internet and firewalls by owlstead · · Score: 1

      No, you don't understand. The problem is that there are many products, especially application services, that use port 80 or 443 for something that has little or nothing to do with web pages. E.g. port 80 is used for server to server communications using SOAP. SOAP is basically calling remote procedures on the other side.

      Now you've got to understand that many companies leave port 80 and 443 open because people can use those for connecting to outside web-pages. Nowadays, this means that you can connect to almost any web-service out there as well. So this is a security hole from client to server so to speak.

      Of course it is worse if you configure each and every service on port 80 on the server side. Normally you open port 80 for just web pages. You can for instance configure a stateful firewall to catch anything that is not web related. You cannot distinguish between your services anymore using the port.

      This is all mitigated by the fact that just having security using ports is a terribly bad idea anyway. And you still block ports to that SSH port you mistakenly opened on the server. But it still weakens the overall security.

      My provider (xs4all.nl) has SSH running on port 443. Most proxies forget to look if 443 is really used for SSL instead of SSH. Together with their web proxy it is very very easy to break out of company firewall rules as long as you are allowed to run (port forwarding) applications. This is a huge convenience if you've got an IT dept that tries to block porn by disallowing the word "sex" in URLs (processexplorer.com). It certainly took me a moment to figure out why zallmanusa.com was blocked.

    23. Re:Future of Internet and firewalls by WuphonsReach · · Score: 1

      It doesn't matter what port SSH is on. If an attacker is even remotely interested he'll run a port scan and find your SSH port soon enough.

      Moving the port takes you off the attack lists of the attackers who are only going after the low-hanging fruit.

      The difference in log file volume between leaving it on a default port and simply moving it elsewhere in the lower 1024 ports is easily 100:1 if not more. There are very few determined hackers, but hundreds or thousands more opportunistic hackers who are going after the easy targets.

      It lets you spot the more serious threats more easily as they no longer blend in with the constant noise coming from port 22/tcp attempts.

      --
      Wolde you bothe eate your cake, and have your cake?
  10. Google's capirca by Anonymous Coward · · Score: 3, Interesting

    "Developed internally at Google, this system is designed to utilize common definitions of networks and services and high-level policy files to facilitate the development and manipulation of network access control filters (ACLs) for various platforms." http://code.google.com/p/capirca/
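
The kind of compilation that description refers to, as an added Python example that is not capirca's code and does not use its file syntax: named networks and services plus ordered policy terms expand into concrete iptables rules for one platform. All names, CIDRs and ports are constructed.

```python
"""Added example, not capirca's code or policy syntax: compile a policy
written against named networks and services into iptables rules.
Definitions, terms, CIDRs and ports below are constructed."""
from itertools import product
from typing import Dict, List, Tuple

# Shared definitions, the counterpart of separate network/service files.
NETWORKS: Dict[str, List[str]] = {
    "INTERNAL": ["10.0.0.0/8", "192.168.0.0/16"],
    "DMZ_WEB": ["203.0.113.10/32", "203.0.113.11/32"],
    "MGMT": ["10.0.0.0/24"],
}
SERVICES: Dict[str, List[Tuple[str, int]]] = {  # (protocol, port)
    "HTTP": [("tcp", 80)],
    "HTTPS": [("tcp", 443)],
    "WEB": [("tcp", 80), ("tcp", 443)],
    "SSH": [("tcp", 22)],
    "DNS": [("udp", 53), ("tcp", 53)],
}

# High-level policy: ordered terms that name sets rather than addresses.
POLICY = [
    {"name": "allow-web-to-dmz", "src": ["INTERNAL"], "dst": ["DMZ_WEB"],
     "svc": ["WEB"], "action": "accept"},
    {"name": "allow-mgmt-ssh", "src": ["MGMT"], "dst": ["DMZ_WEB"],
     "svc": ["SSH"], "action": "accept"},
    {"name": "deny-rest-to-dmz", "src": ["ANY"], "dst": ["DMZ_WEB"],
     "svc": ["ANY"], "action": "drop"},
]


def unknown_names(policy) -> List[str]:
    """Names a term references that no definition provides; catching these
    before compiling is the point of sharing one definition set."""
    missing = []
    for term in policy:
        for key, table in (("src", NETWORKS), ("dst", NETWORKS), ("svc", SERVICES)):
            missing += [n for n in term[key] if n != "ANY" and n not in table]
    return missing


def _nets(names: List[str]) -> List[str]:
    out: List[str] = []
    for n in names:
        out.extend(["0.0.0.0/0"] if n == "ANY" else NETWORKS[n])
    return out


def _svcs(names: List[str]) -> List[Tuple[str, object]]:
    out: List[Tuple[str, object]] = []
    for n in names:
        out.extend([("all", None)] if n == "ANY" else SERVICES[n])
    return out


def compile_iptables(policy, chain: str = "FORWARD") -> List[str]:
    """Expand each term into the cross product of concrete rules. Term
    order is preserved because iptables evaluates first match, so the
    final deny must come after the accepts it is meant to backstop."""
    bad = unknown_names(policy)
    if bad:
        raise ValueError(f"undefined names: {bad}")
    rules = []
    for term in policy:
        target = "ACCEPT" if term["action"] == "accept" else "DROP"
        for src, dst, (proto, port) in product(
                _nets(term["src"]), _nets(term["dst"]), _svcs(term["svc"])):
            rule = f"iptables -A {chain} -s {src} -d {dst} -p {proto}"
            if port is not None:
                rule += f" --dport {port}"
            rule += f' -m comment --comment "{term["name"]}" -j {target}'
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for r in compile_iptables(POLICY):
        print(r)
```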

    1. Re:Google's capirca by jlmale0 · · Score: 1

      Thank you, AC. This is exactly the kind of project/ideas I was looking for.

  11. Re:When you finish your MBA- it'll all become clea by NemosomeN · · Score: 1

    Yes sir, couldn't get it working properly at first, but I dragged and dropped it outside the red box, and it seems to be working. Problem solved!

    --
    I hate grammar Nazi's.
  12. If only everyone followed this spec... by CoffeeDog · · Score: 1

    ... firewalls would be so much simpler:

    The Security Flag in the IPv4 Header

    (I saw some other Slashdot comment with this link in it, but it just fits so well here!)

    1. Re:If only everyone followed this spec... by hduff · · Score: 1

      TFF

      --
      "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
    2. Re:If only everyone followed this spec... by Anonymous Coward · · Score: 0

      The problem with this should be obvious - anyone who is sending out "malicious" packets would just set the "evil" bit to be 0.

  13. it depends on what you're doing. by indrora · · Score: 1

    Some firewalls are shit: see, anything relating to SonicWALL or PepLINK (trust me, it's a combination that *sucks*).

    Others are useful once you have the basic idea. Anything is good when configured nicely; even iptables has a reasonable idea of how to do firewall stuff.

    Either way, firewalls *are* pretty much entirely shit. There is no "drop-in" security.

    1. Re:it depends on what you're doing. by cHiphead · · Score: 1

      I'm slowly moving everything to pfSense, tired of dealing with shit firewalls or over-the-top bullshit to configure simple rules on a firewall (Sonicwall, Cisco, I'm looking at you and your goddamn requirement for Java to use the web interface on a PIX if the client doesn't have a competent onsite tech that can handle ssh/console commands safely).

      Checkpoint wasn't too terrible but its GUI had a certain learning curve.

      I am, of course, looking at it from a small business support standpoint. Tell me if I'm off base (not that I really mind the job security of confusing firewall configurations for clients).

      Cheers.

      --

      This is my sig. There are many like it, but this one is mine.
    2. Re:it depends on what you're doing. by Thundersnatch · · Score: 1

      We use Sonicwall's enterprise gear (a pair of 4500s at each site) and they're quite stable, and have an assload of features (VPN, IPS, QoS, HA, web filtering, you name it). Way better than the Checkpoints they replaced. The opaque config file is the only major drawback I've run into (all we can do is version it and roll back, no merging, search-and-replace, etc.)

    3. Re:it depends on what you're doing. by Finallyjoined!!! · · Score: 1

      Way better than the Checkpoints they replaced.

      Only if you're talking about CheckPoint FW1 (v4.0), which was EOL'ed almost a decade ago. Current Sonicwall devices are only just catching up with R55, you should see the new stuff..

      --
      If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
    4. Re:it depends on what you're doing. by Thundersnatch · · Score: 1

      I'm talking about the CheckPoint/Nokia IP350, which wasn't even introduced until late 2002. Not fair comparing old and new, I suppose, but we had lots of trouble with those little bastards over the years.

    5. Re:it depends on what you're doing. by Finallyjoined!!! · · Score: 1

      Hmm, actually I agree, we had a batch of about 50 Nokia 350's, and they were nothing but trouble, Dick Turpin alone knows how many TACs we opened & how many replacements were shipped. Not one of them lasted more than 3 years before the lot were replaced with commodity Compaqs.

      I recall someone took a 12 bore (12 gauge) to a 350 & posted the pics as the correct way to fix a Nokia, can't find them now, but we had a print out pinned to our trouble board for a goodly while.

      --
      If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
    6. Re:it depends on what you're doing. by mvdwege · · Score: 1

      Let me guess: you got hit by the 'dying disks' issue (I can't remember the Nokia Tech Note number anymore)?

      Previous employer had a bunch of 3xx series Nokias (mostly 380s, IIRC), and almost all of them got hit by that particular issue. Not nice. Especially since Nokia kept refusing to admit that the disks in our firewalls were ones that got hit by the issue. Funny though, every revision of that Tech Note, they kept adding manufacturers and serial number ranges that soon covered almost all our firewalls.

      Mart

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    7. Re:it depends on what you're doing. by Thundersnatch · · Score: 1

      We actually had a lot of software problems as well. State management for NAT was a mess for a while, and the "reboot" solution was often the only thing that helped. We also had our site-to-site VPNs drop randomly every 4-6 hours, even though other devices (Sonicwalls and Ciscos) worked fine in parallel over the exact same infrastructure. Neither issue was ever resolved to our satisfaction.

    8. Re:it depends on what you're doing. by Bert64 · · Score: 1

      The Cisco GUI should run anywhere that has java (which is most platforms these days), whereas the checkpoint gui used to run only on solaris/sparc and now runs only on windows/x86.
      I try to avoid anything that has a proprietary client, doubly so if that client is required and there is no standardised fallback. I want to be able to admin every device using platform-agnostic tools - ssh, serial, http(s), maybe vnc at a push, and there should always be a cli available so you can script and automate things (e.g. backups of configs with tools such as rancid).

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  14. Firewall Builder by jamincollins · · Score: 1

    Firewall Builder does most of what the submitter is looking for already.

    1. Re:Firewall Builder by mydots · · Score: 2, Interesting

      fwbuilder also does a great job of managing multiple firewalls even if they are different platforms and will even manage your home router if it has openwrt installed. It will manage everything over ssh, so it's definitely secure for remote firewall management over public ip addresses. I have been alpha/beta testing version 4.0 for many months now and there have been a lot of great improvements including cluster support.

    2. Re:Firewall Builder by smpoole7 · · Score: 2, Interesting

      Firewall Builder does most of what the submitter is looking for already.


      Just browsing through here, but I'm surprised (and then again, I'm NOT surprised) at the answers thus far. I get the same replies when I ask a similar question.

      What the submitter is talking about is a 21st Century Firewall (capitalized out of reverence). Why not have automatic host discovery? Why should I have to painstakingly come up with a list of all target machines with IP addresses? Is this not 2010? :)

      Did everyone miss the question about "jdoe's" computer being connected, and then (and ONLY then) her needed ports being enabled in some other PC on the network? That would actually be a VERY nice capability.

      For the record, I've looked at IPCop; Shorewall; SuSEFirewall2; the firewall tools built into Webmin; (and years ago) Mandrake's firewall package; you name it (this is just a partial list off the top of my head). All of them follow the same paradigm: YOU must come up with the list of IPs and ports. If anything moves or changes, YOU have to painstakingly re-enter all of the port/IP info (and hope you didn't miss something!).

      So-called GUI interfaces and/or firewall "builder" tools still follow this same basic config paradigm. Just adding automatic discovery would be a HUGE help ... simply put, someone connects a machine, the firewall says, "new PC added at 192.168.1.100, DHCP, it's exposing ports 100, 200 and 500."

      Everything I've tried thus far can't even reliably list all PCs on the network! I have to run an NMAP discovery or (under Windoze) something like the Angry IP Scanner. It doesn't make sense.

      Some of what the submitter is asking would most properly be done in a really smart firewall/network switch combination. You would probably have to install a small software package on each network machine, too, that could "talk" to the firewall. But the question remains, why isn't this kind of thing available? It *IS* a little surprising (and frustrating) that someone hasn't developed a point-and-click, self-discovering, self-cataloging firewall system by now.

      I think the real problem is that true propeller-headed geeks actually *enjoy* poking in stuff with iptables rules at a prompt. They're the most likely to have the skills to develop something like a true GUI firewall, but they're the least likely to want to.

      --
      Cogito, igitur comedam pizza.
    3. Re:Firewall Builder by Anonymous Coward · · Score: 0

      Just adding automatic discovery would be a HUGE help ... simply put, someone connects a machine, the firewall says, "new PC added at 192.168.1.100, DHCP, it's exposing ports 100, 200 and 500."

      So the firewall should automatically allow access to any ports that a newly connected system says it has open? Right.....

    4. Re:Firewall Builder by DarkOx · · Score: 1

      They all follow that paradigm because they "correctly" assume that you cannot enumerate badness. Since you cannot create a comprehensive list of all possible attacks and exploits to block, you must instead enumerate all the known flows you want to permit.

      Most firewalls are WAY TOO PERMISSIVE to be of much practical benefit. The typical home firewall to this day assumes that traffic from the internal network should be trusted. THIS IS DEEPLY FALSE. Look, it's bad if you get botnet software installed on your box, but it's only really bad if it can actually call home and participate in the botnet. Auto configure like UPNP means the firewall might as well not even be there; once something bad gets in, UPNP will certainly let it out.

      Most people think about firewalls from the wrong direction; sure, you want to close off the ports to certain services which you might run for use internally on your network; these are few and should be easy to take care of. It's also not hard to get any major OS to tell you what listening sockets exist; no listener, no risk, firewall or not. The typical single home PC probably should have very few things listening except on lo, and the exceptions should be easy to find. It's the calling out that is the real concern that most home systems don't address at all.

      IRC should be blocked out except to the networks you use; http/https probably blocked except to a few major corporate networks and your home country, same for ftp, ssh, you name it. Yeah, it's a pain but it's what you need to do. The things you know about, good or bad, are not the threat; it's the things you don't know about that are; and the only safe way to address that is default deny; there is no changing that.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    5. Re:Firewall Builder by Bigjeff5 · · Score: 1

      What the submitter is talking about is a 21st Century Firewall (capitalized out of reverence). Why not have automatic host discovery? Why should I have to painstakingly come up with a list of all target machines with IP addresses? Is this not 2010? :)

      Firewall Builder does this. What part of "try firewall builder" do you not understand?

      Did everyone miss the question about "jdoe's" computer being connected, and then (and ONLY then) her needed ports being enabled in some other PC on the network? That would actually be a VERY nice capability.

      It also completely defeats the purpose of a firewall. UPnP does this already anyway, at the cost of reduced security. I'm not sure if Linux distros come with UPnP by default, but it is certainly available. Windows has had it since XP.

      You don't get to have it all. It is almost universally true regarding computer security that anything that increases convenience reduces security, and vice versa. The whole purpose of a firewall is to block unknown traffic. If you have it set up to automatically allow new hosts to access resources across the firewall without direct administrative intervention then you might as well replace your firewall with a repeater, because that is all it is doing.

      It's not that you couldn't do some sort of auto-discovery for firewalls - that's extremely easy (it already gets the IP address at the very least). However, if every time a new IP connected to your firewall it asked if you wanted to add new firewall rules for it, you'd never do anything except decline such requests. Firewalls are flooded with new host IP's constantly which makes what you describe at the very least extremely impractical.

      The only practical way to handle firewalls after they have been configured initially is to manually enter each new host as they are connected to the network. Just take a look at chatty software firewalls to see just how annoying this can be. That on a hardware firewall would be ridiculous.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    6. Re:Firewall Builder by smpoole7 · · Score: 1

      So the firewall should automatically allow access to any ports that a newly connected system says it has open? Right.....

      Of course not. I never said that, and neither did the submitter. What I'm talking about is automatic discovery. Connect a machine, the firewall comes up and says, "here's a new machine, it wants to do this, this and that." I can then decide where to proceed from there. The default would be to permit nothing until *I* say so. :)

      Don't see why this is so hard to understand, but maybe that's just me.

      Again, don't miss the keys (and yeah, I probably used a bad example): automatic discovery. Point and click. Or, as the submitter said, even if it's a rigidly-defined network, why can't I just feed in a Visio (or equivalent) diagram and have a happy firewall, ready to go?

      If nothing else, it's unbelievable to me that in 2010, I still have trouble identifying users on my internal network who've connected via DHCP.

      --
      Cogito, igitur comedam pizza.
    7. Re:Firewall Builder by smpoole7 · · Score: 1

      The issue isn't firewall philosophy. You can bang out a very simple, or very complex (and secure), firewall at a prompt with iptables. Configuration should be firewall agnostic and my complaint is that it could be made a GREAT deal simpler.

      I'm speaking of configuration tools, not philosophy. (A very critical distinction, I think.)

      Again, the answers in this thread show me that there's some sort of mental block on the part of firewall administrators. I guess they think that firewall configuration *should* be arcane, that this somehow makes it more secure.

      Off topic, but as an interesting aside (and warning to others!): the default firewall tool in CentOS 5 (and probably in RHEL, though I've never tried it) opens several ports (in particular, the mDNS crap) without even asking. I always do an NMAP scan on any publicly-exposed server once I'm finished setting it up. Imagine my joy when I discovered THAT one.

      So ... yes, ease in configuration can lead to unanticipated holes in your firewall. But I say it doesn't have to be this way. Configuration can (and should) be firewall/philosophy agnostic.

      --
      Cogito, igitur comedam pizza.
    8. Re:Firewall Builder by Anonymous Coward · · Score: 0

      "Everything I've tried thus far can't even reliably list all PCs on the network!"

      Networking newbie here, but why is it the firewall's job to tell you what's on the network, and not, say, the domain controller?

    9. Re:Firewall Builder by DarkOx · · Score: 1

      Well, you mostly just restated the TFA. I don't care what the tool is. I am simply saying you can't possibly as a user know what all is bad, so you must instead identify what is good. The current tools are geared toward that end, at least partly, but in an effort to make things less arcane they already have severely compromised the strength of most firewalls in general, because they steer the user away from listing out every detail and use blanket policy like "trust any internal".

      There is the very fundamental problem here that the computer can't know what is or is not malicious. Oh sure, there are patterns it can watch for, but there will be exceptions to those. While I agree that inputting the information should be as simple as possible, I think determining what the rules should be in the first place will always require some careful thought. I am not sure you can make that part of the job easier with a machine. At some point YOU have to be the one deciding: who you are going to communicate with, using what protocol, when you are going to do it, for how long, which side is going to start communication, etc. These are not simple decisions, even if the data entry for them could be.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    10. Re:Firewall Builder by vhfer · · Score: 1

      Yes! FWBuilder is all we use for the enterprise. We have basic servers with multiple NICs (three on the edge firewalls- inside, outside, and DMZ) all managed by FWBuilder. Access to the one machine running FWBuilder is controlled carefully. That's all we need.

    11. Re:Firewall Builder by vhfer · · Score: 1

      On our network, which is located In The Real World, users bring in rogue access points from home, horribly infected laptops (again, from home) and even IP phones. They try to plug in devices with DHCP servers built into them. Any solution that automatically adds a machine, without one of us "propeller heads" reviewing it, is likely to (and actually has) disable whole buildings full of users. Angry users. I'm talking about stuff that can happen, but also about the stuff that has already happened in our less vigilant days. Some sort of autodiscovery would be fine, if it put newly discovered objects into a "hey I found this" list that we'd have to manually move to an "access allowed" group of some kind as appropriate for that object's location and purpose.

    12. Re:Firewall Builder by Anonymous Coward · · Score: 0

      Wow, just wow. You really haven't studied networking before, have you?

      Any "automagic" discovery of systems requires keeping a log of what IP addresses are communicating through you, and potentially trying to coordinate that with the DHCP server to find out if there are clients that haven't talked in a while, or if it is re-assigning IPs to different systems.

      Then how do you know if the traffic is desired or not? Because the computer said so? That is one of the reasons you WANT a firewall, so that when a virus gets on your system it doesn't go out and say hello to all its buddies, or get remote controlled by them.

      Ok, so then how will we know how to find things? Well, send packets over the network..... so now you are congesting the network to find out if there are clients there... this is commonly a hacking maneuver and is a non-trivial amount of traffic on your network, slowing everyone down.

      What it boils down to is that the home user with 3 or 4 systems and a router is easy, hence the web interface on the router and support of upnp. However enterprise is hard, as you have hundreds of devices, switches, etc and you can't use these inefficient methods in those environments as they affect other things.

    13. Re:Firewall Builder by starfishsystems · · Score: 1
      Discovery is a useful, but provably insufficient, way of modelling a network topology. Here's a short explanation of why.
      • By design, some host interfaces are invisible to discovery.
      • By accident, some host interfaces are invisible to discovery.
      • Network devices may or may not fully report their configuration.

      If you think that a graphical equivalent of nmap will somehow make up for this situation, you're deeply misinformed about how nmap works.

      --
      Parity: What to do when the weekend comes.
    14. Re:Firewall Builder by Bungie · · Score: 1

      You're right that it's not the firewall's job to do that kind of thing. I think he's saying he would like to see that kind of functionality integrated into the firewall, where it's aware of new hosts which have been added to DHCP, and shows them on the firewall's configuration interface.

      --
      The clash of honour calls, to stand when others fall.
    15. Re:Firewall Builder by Bert64 · · Score: 1

      If not automatic discovery, perhaps a log parser so that you can see what was denied and selectively open it up...
      Or run it in allow all but log mode and build a profile of the legit traffic before you enable filtering to block anything else.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
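The "allow all but log" profiling approach Bert64 describes, combined with DarkOx's point that the result has to be a default-deny ruleset that also controls outbound traffic, can be turned into a small script. The following is an added example and is not code from any poster or from any of the tools named in the thread. It assumes a profiling run in which every packet was logged with the prefix "PROFILE: " (for example `iptables -A INPUT -j LOG --log-prefix "PROFILE: "` and the same on OUTPUT, with ACCEPT policies), and the log lines, interface names and addresses below are constructed for illustration (the external addresses come from the RFC 5737 documentation ranges).

```python
"""
Profile an "allow everything, but log" iptables run and emit a default-deny
ruleset (iptables-restore format) that only permits the flows actually seen.

Added illustration; the log lines below are constructed, and the "PROFILE: "
prefix is an assumed log prefix from the profiling rules.
"""
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# direction ("in"/"out"), interface, proto, src, dst, dport
FlowKey = Tuple[str, str, str, str, str, int]

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed netfilter LOG output from the profiling run (not real traffic).
# One SSH client opens two sessions, the gateway itself makes HTTPS and DNS
# requests, and one host tries IRC exactly once.
SAMPLE_LOG = """\
Jun  1 10:00:01 gw kernel: PROFILE: IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=192.168.1.20 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Jun  1 10:00:02 gw kernel: PROFILE: IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=192.168.1.20 DST=192.168.1.1 LEN=52 PROTO=TCP SPT=51234 DPT=22 ACK
Jun  1 10:00:03 gw kernel: PROFILE: IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=192.168.1.20 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Jun  1 10:00:04 gw kernel: PROFILE: IN= OUT=eth1 SRC=192.168.1.1 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40001 DPT=443 SYN
Jun  1 10:00:05 gw kernel: PROFILE: IN= OUT=eth1 SRC=192.168.1.1 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40002 DPT=443 SYN
Jun  1 10:00:06 gw kernel: PROFILE: IN= OUT=eth1 SRC=192.168.1.1 DST=192.0.2.53 LEN=56 PROTO=UDP SPT=41000 DPT=53 LEN=36
Jun  1 10:00:07 gw kernel: PROFILE: IN= OUT=eth1 SRC=192.168.1.1 DST=192.0.2.53 LEN=56 PROTO=UDP SPT=41001 DPT=53 LEN=36
Jun  1 10:00:08 gw kernel: PROFILE: IN=eth0 OUT= MAC=00:11:22:33:44:66 SRC=192.168.1.77 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=33333 DPT=6667 SYN
"""


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=VALUE fields of one profiled LOG line (plus a FLAGS
    field holding the bare TCP flag words such as SYN), or None."""
    if "PROFILE:" not in line:
        return None
    tail = line.split("PROFILE:", 1)[1]
    fields = dict(KV_RE.findall(tail))
    fields["FLAGS"] = " ".join(t for t in tail.split() if "=" not in t)
    if "PROTO" not in fields or "SRC" not in fields or "DST" not in fields:
        return None
    return fields


def flow_key(fields: Dict[str, str]) -> Optional[FlowKey]:
    """Map a logged packet to the flow it opened.  Only connection openers
    count (TCP SYN, or any UDP datagram); replies and later packets are
    covered by the conntrack ESTABLISHED,RELATED rule in the ruleset."""
    proto = fields["PROTO"].lower()
    if proto not in ("tcp", "udp") or "DPT" not in fields:
        return None
    if proto == "tcp" and "SYN" not in fields["FLAGS"].split():
        return None
    if fields.get("IN"):
        direction, iface = "in", fields["IN"]
    elif fields.get("OUT"):
        direction, iface = "out", fields["OUT"]
    else:
        return None
    return (direction, iface, proto, fields["SRC"], fields["DST"], int(fields["DPT"]))


def profile_flows(log_text: str) -> Counter:
    """Count how often each flow was opened during the profiling window."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        key = flow_key(fields) if fields else None
        if key is not None:
            counts[key] += 1
    return counts


def build_ruleset(flows: Counter, min_hits: int = 2) -> str:
    """Emit a default-deny iptables-restore ruleset.  Flows seen at least
    min_hits times become ACCEPT rules; rarer ones are written out as
    commented REVIEW lines so an administrator decides about them."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT DROP [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A OUTPUT -o lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    review = []
    for (direction, iface, proto, src, dst, dport), hits in sorted(flows.items()):
        if direction == "in":
            rule = (f"-A INPUT -i {iface} -p {proto} -s {src} -d {dst} "
                    f"--dport {dport} -m conntrack --ctstate NEW -j ACCEPT")
        else:  # egress: pin destination and port, so a compromised host cannot "call home" anywhere
            rule = (f"-A OUTPUT -o {iface} -p {proto} -d {dst} "
                    f"--dport {dport} -m conntrack --ctstate NEW -j ACCEPT")
        if hits >= min_hits:
            lines += [f"# seen {hits}x during profiling", rule]
        else:
            review.append(f"# REVIEW (seen {hits}x, not allowed): {rule}")
    lines += review
    # Log what the default-deny policy is about to drop, so the next review cycle has data.
    lines += ['-A INPUT -j LOG --log-prefix "FW-DROP-IN: "',
              '-A OUTPUT -j LOG --log-prefix "FW-DROP-OUT: "',
              "COMMIT"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_ruleset(profile_flows(SAMPLE_LOG)))
```

The generated text can be fed to `iptables-restore` after review; the REVIEW lines are comments, so the rarely seen IRC flow stays blocked until someone deliberately uncomments it. The obvious caveat is that a profiling window only captures what happened during it, so the FW-DROP log lines the ruleset itself produces are what you parse on the next pass.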
  15. Complex often means hand tweak. No way around it by syousef · · Score: 1

    I don't have a lot of trouble with firewalls at home. I'm running a WRT54GL with Tomato (previously was using DD-WRT but I like the graphing in Tomato, and didn't need anything available in DD-WRT but not Tomato so I switched). This setup has given me no trouble (barring one stupid r/c game/simulator with networking that is a total mess and doesn't work properly with or without a router - and even that works intermittently). However I'm not doing anything too advanced with it.

    Once you do get to enterprise networking the picture quickly changes. Bear in mind this isn't my area of expertise but I do need to understand the firewalls I work with for troubleshooting. Each architecture is unique. The design decisions aren't well represented in something like Visio and the rules couldn't possibly be generated from that. I would be suspicious of any tool that claimed to be a one click solution from diagram to ready to implement firewall rules. I'm happy to be proven wrong but I've not seen such a tool. Complex means complex, and that often requires that those rules be tweaked by hand.

    --
    These posts express my own personal views, not those of my employer
  16. I, For one, by cadeon · · Score: 1, Insightful

    I hope firewalls (well, specifically, NAT routers, DMZs, port forwarding, etc- which all seem to get grouped in 'firewalls') in general will become much LESS of an issue in the future thanks to IPv6. In that world, everything's got a unique address so there's really no need for NAT, private subnets, or the routing issues associated with those.

    IMHO, the task of firewalling has been (somewhat incorrectly) pushed on the device doing the routing, when it should be handled on the device itself. Hosts, actual end points, should be able to decide what they will do with the traffic that gets to them, not something in the middle. It's been placed on the router because in our current IPv4 / NAT world, it has to be put there, so the traffic can even *make it to* said end point host. That's not the case with the worldwide-unique addresses of IPv6.

    As such, in the IPv6 world of the eventual future, firewalls will exist more due to policy than security (i.e. access to certain services will be disallowed if you're on a corporate network). The security firewalling will need to be done on the device itself, which makes good sense- don't want people ssh hammering your laptop? Well, don't run that service, or restrict it to only devices you trust.

    1. Re:I, For one, by sgbett · · Score: 1

      I agree NAT and port forwarding aspects will (should) be out the window but I still think firewalls that, say, ringfence subnets will still be of value.

      Particularly if it's a choice between that and letting machines (more specifically a particular OS) handle their own security. That would be a terrifying thought.

      --
      Invaders must die
    2. Re:I, For one, by Anonymous Coward · · Score: 0

      You are an idiot. Do you really think corporations are going to open up their firewalls because somehow IPv6 magically makes them secure?

    3. Re:I, For one, by cadeon · · Score: 1

      Particularly if it's a choice between that and letting machines (more specifically a particular OS) handle their own security. That would be a terrifying thought.

      Accountability will be where it needs to be.

      Security is the Host's Problem, not a problem that should be seen as solvable by using an external device.

    4. Re:I, For one, by cadeon · · Score: 1

      No, I'm saying the task of security is misplaced and IPv6 will enable it to be placed properly.

      I also said that corporations can still use firewalls to enforce policy, quite often those policies are going to disallow services which could pose a security risk.

      Firewalls still have a place in the world. They are still of good use, I'm just saying that there will be much more flexibility as the rules can be placed On The Host Itself as opposed to on an external device that has to be configured to do the firewalling, since it's already doing the routing.

      Thanks for the input though.

    5. Re:I, For one, by scdeimos · · Score: 2, Insightful

      Firewalls have been put on the routers (or some intermediate device) instead of the hosts precisely because the hosts can't be trusted. Certain hosts will always be subject to variations of the Ping-of-Death theme and tainted payloads and will never be safe with host-based firewalls.

    6. Re:I, For one, by bsDaemon · · Score: 2, Insightful

      IPv6 isn't going to eliminate the need for DMZs and stuff like that. Sure, NAT can be done away with, but NAT isn't "firewalling". Really, what we should be talking about is packet filtering, and in this sense, dedicated packet filtering boxes are key. There is no reason that network hosts should be wasting cycles on packet filtering if putting a box out in front of a network segment, say, behind a border router or in front of an aggregation switch, can dedicate cycles to the task -- especially if the box doing the packet filtering doesn't introduce latency beyond an acceptable level.

    7. Re:I, For one, by Anonymous Coward · · Score: 0

      There is absolutely no reason to put firewall type processes on every server in a data center when you can simply install a firewall. What a waste of money.

    8. Re:I, For one, by afidel · · Score: 1

      Nope, centralized management and reporting mean it's valuable to have a single device doing the decision making. It also makes it much easier to do IDS/IPS if 99% of the attacks are stopped at the perimeter because it makes the remaining signal:noise much easier to deal with. I can't imagine what trying to sort through our SNORT logs would look like if I had to account for all of the failed attacks that are dropped by the firewall.

      Additional device based firewalls are often a good idea, but at least for shared servers the rules can become so complex as to be either unwieldy or useless.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    9. Re:I, For one, by Anonymous Coward · · Score: 0

      If a host / OS is vulnerable to a Ping-of-Death variant or any other attack, WHY is it assumed the way to fix it is to drop in ANOTHER box in front of it?

      I mean yes, that's the easy way to go about it, and we were forced here due to old, insecure OS models suddenly gaining public internet access. But it's a patch to the real problem, not a fix.

      Security should be a host-level concern.

    10. Re:I, For one, by digitalnoise615 · · Score: 1

      I hope firewalls (well, specifically, NAT routers, DMZs, port forwarding, etc- which all seem to get grouped in 'firewalls') in general will become much LESS of an issue in the future thanks to IPv6. In that world, everything's got a unique address so there's really no need for NAT, private subnets, or the routing issues associated with those.

      IMHO, the task of firewalling has been (somewhat incorrectly) pushed on the device doing the routing, when it should be handled on the device itself. Hosts, actual end points, should be able to decide what they will do with the traffic that gets to them, not something in the middle. It's been placed on the router because in our current IPv4 / NAT world, it has to be put there, so the traffic can even *make it to* said end point host.

      No. It was not moved to a router because of the current IPv4/NAT - after all, there is a thing called a software firewall. The problem is that unless NIC manufacturers place hardware firewalls on their NICs, software is inadequate, and subject to being compromised - and yes, I know hardware firewalls can be as well. But I'm looking at a certain OS in this instance.

      Even with IPv6, network overhead will continue to be an issue - and if I'm not mistaken, IPv6 uses larger headers, and thus more overhead, than IPv4. On older networks, if you remove the routers that intelligently direct traffic, because "they're no longer necessary" you are almost guaranteed to run into a situation where the available bandwidth is now entirely saturated - thanks to broadcast traffic.

      Personally, I don't care if I have a world-wide unique IP address - I want a device that sits on the peering point of my network and goes "Oh hell no!" and drops packets for me - without placing that overhead on each individual machine downstream, and hoping/praying that some rogue user/software/etc. hasn't decided to open a port it/they think is necessary.

    11. Re:I, For one, by CAIMLAS · · Score: 1

      The need for firewalls in the first place would be negated if every operating system out there didn't ship with a substantial set of outside-facing services enabled. A network connection should always be considered to be a hostile, unsafe environment: you enable what you need, when you need it. Make the UI easy to do so, sure; but don't make it the default.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    12. Re:I, For one, by Anonymous Coward · · Score: 0

      As soon as you get your perfect host based firewall setup that doesn't adversely affect the performance of the host let me know. Til then, defense in depth and actually getting stuff done will always come before utopian perfection moves in.

    13. Re:I, For one, by cadeon · · Score: 2, Insightful

      Thanks, well stated. Very constructive and kind.

      I still believe that host level security is lacking and should be addressed, because problems can arise from the outside world or within the firewalled subnet.

      The assumption that the outside world is 'big, bad, and evil' and 'my subnet is cookies and cream' is a very bad one and very detrimental to security IMHO. That's why I say security is primarily a host-level concern, because the *real* mindset should be 'everything off my machine is potentially big, bad and evil.'

      I don't want to discount the niceties of centralized rules and reporting, or as you point out, potential performance impact. I'm just trying to point out that the security model we've settled into is a result of the hosts being insecure (mostly due to legacy OS's suddenly getting worldwide internet access). Adding a new piece of hardware doesn't fix the core problem, it just patches it- and it still leaves you open to attacks from within your subnet.

      Accountability for security should be at the host level.

    14. Re:I, For one, by eyrieowl · · Score: 1

      If I have systems, and I do, which require the utmost in performance, and which also have to connect to the outside world, the last thing I want is for those systems to IN ANY way be impacted b/c some bozo wants to flood me with packets. I want that cut off somewhere else, not at my box. I have a well-known, small set of external systems I want to connect to, and I only want to see traffic from them. It's not about my host being poorly designed, it's simply that I want to have my system focus only on the task it's doing, not some other b.s. I'll be using my network devices very heavily, high traffic rates (by no means all external), and I'll be often saturating my CPUs with actual work. Tell me again why I don't want another box acting as a firewall to help protect my systems?

    15. Re:I, For one, by bsDaemon · · Score: 1

      Well, you're right that not all threats are external. That is why proper egress ACLs are necessary as well as ingress filtering. Egress filtering is often neglected. Having security at the host level shouldn't be foregone entirely, but having dedicated hardware packet filtering solutions cleaning up network traffic off-host, you can reduce the number of rules you need to enforce host-level, and thus free up more cycles for actual work... which is allegedly why we have computers in the first place -- to do other things than use them to use other computers.

    16. Re:I, For one, by Firethorn · · Score: 4, Informative

      Actually on our network we've ended up installing personal firewalls AND boundary ones.

      They end up protecting from different attacks, really.

      It's all about the defense in depth. We also have intrusion detection and other stuff(I'm not going to get real specific).

      If nothing else, a set of hardware firewalls are quicker to update against a new attack than umpteen clients.

      --
      I don't read AC A human right
  17. What's next for firewall management? by Centurix · · Score: 5, Funny

    I haven't looked, but I'm sure there's an iPhone app for that.

    --
    Task Mangler
    1. Re:What's next for firewall management? by mswhippingboy · · Score: 1

      There ya go...
      And I thought I was finally going to get to read through the comments without an iPhad post.
      Oh well, maybe tomorrow.

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    2. Re:What's next for firewall management? by trashcanman · · Score: 1
      --
      The Dread Pirate Roberts is here for your soul!
    3. Re:What's next for firewall management? by BitZtream · · Score: 1

      I'm surprised Checkpoint didn't write a front end for their stuff as a gimmick

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    4. Re:What's next for firewall management? by Anonymous Coward · · Score: 0

      There was, but Apple pulled it.

    5. Re:What's next for firewall management? by Anonymous Coward · · Score: 0

      There was, but it has been rejected because of using third party dev tools

  18. Feature, not bug by RightwingNutjob · · Score: 4, Insightful

    Anything that lets you automagically configure a firewall from outside of it is a potential exploit waiting to happen. Things that are stupid, slow, and require physical access are that much more secure.

    1. Re:Feature, not bug by fuzzyfuzzyfungus · · Score: 2, Informative

      Only partially true. Physical access is, indeed, generally a security plus(though not a cure-all: if the inconvenience causes somebody to jury-rig their own remote access solution, you now almost certainly have a much less secure system than one that was designed for remote access in the first place. Also, just because the janitor earns 6 bucks an hour and no hablo ingles doesn't mean he can't connect a serial cable...)

      Slow and stupid, though, are dangerous. Humans have a tendency to make stupid, sloppy errors. Anything that requires them to keep hundreds or thousands of complex details in mind brings out the worst in them, and causes stupid misconfigurations. Of course, any tool that allows an MBA to achieve stupid misconfigurations just by dragging objects around in a drool-proof GUI also causes stupid misconfigurations...

    2. Re:Feature, not bug by clintonmonk · · Score: 5, Funny

      Things that are stupid, slow, and require physical access are that much more secure... in bed.

    3. Re:Feature, not bug by Anonymous Coward · · Score: 0

      And keeps folks like us employed.

    4. Re:Feature, not bug by greg1104 · · Score: 1

      Exactly, take a look at the list of potential exploits just from the limited access the crappy UPnP port forwarding configuration has exposed. If there were an easy to use tool for making larger firewall changes introduced to the world, it's guaranteed that there will be hundreds if not many thousands of exploited machines using it for every person who benefits from the feature. The limited stealthiness provided by the standard hardware NAT firewall most people have for their always on DSL/Cable/Fiber installs is the only thing saving them from being hacked within minutes of hooking a new PC up. This is why the idea of easier firewall configuration is dead in the water--the fact that it's hard keeps people who aren't qualified to make these changes from destroying their own security any worse than they already do.

  19. It's about demand –or lack thereof by dn15 · · Score: 4, Insightful

    I think that firewall administration has been allowed to remain shoddy because most people who aren't gamers or server admins don't need to change the settings at all. Gamers are usually obsessed enough with playing that they will take the time to figure it out. And sysadmins, well it's their job to know how to do that stuff.

    This isn't an excuse for things being the way they are, but an explanation. Most people just vaguely understand that a firewall protects their computer, but they don't know any more than that and will probably never have to configure one. If the archetypal grandmother or joe six pack ever has a reason to manage firewall settings (unlikely) then an easy configuration tool will appear overnight. Unless a widespread need arises, limited demand will translate to limited effort spent developing user-friendly tools.

    1. Re:It's about demand –or lack thereof by Anonymous Coward · · Score: 0

      On the flip side, they have really simplified the firewall on my 2WIRE device that is used by my AT&T Uverse service. You log in, enter a password to go to advanced mode, then look at the firewall properties. It has a list of PCs/devices by NetBIOS names and a list of services/applications that you want to allow. You select the device, then select the service/app, and it automatically creates a hole for you for that particular device/port combo.

      Of course, if you want to do something "crazy" like have a device with a static IP and open a port for it you're screwed, since it generates your device list from its DHCP server. My entire test lab environment is essentially invisible to Uverse and not remotely accessible or able to host external services. If I want to get in remotely I have to create a VM in the lab, set it to DHCP, let it pull an IP from the 2WIRE and then enable RDP into it. Then from there I can hop to the rest of my internal network. It's a real pain in the ass.

      Personally, I'd love it if I had the ability to just specify port/IP pairs and be done with it like we did in the "old days." But companies have some mandate to make technology easier for idiots to use, which usually only ends up handicapping experienced users.

    2. Re:It's about demand –or lack thereof by Custard+Horse · · Score: 1

      ...an easy configuration tool will appear over night

      If only - my grandmother might feel inclined to complete her beowulf cluster and run folding...

  20. I've said it before, and I'll say it again. by LibertineR · · Score: 1
    99% of what anyone needs in a firewall can be accomplished by an ISA2006 Server (reverse proxy and AD authentication) fronted by a Cisco Pix for port management.

    If you can get past that, then you deserve the goodies, IMHO.

    1. Re:I've said it before, and I'll say it again. by dwarfsoft · · Score: 1

      Are you saying that Windows Firewall won't protect me?!

      </sarcasm>

      --
      Cheers, Chris
    2. Re:I've said it before, and I'll say it again. by DavidRawling · · Score: 1

      A man after my own heart, and I think the lack of exploits for ISA is good verification of this approach. Of course, there are also the customers who deploy ISA 2006 (well 2004 back then) and "because Microsoft isn't secure" front-end that Windows+ISA server with ... a Windows+CheckPoint server. Yeah good effort guys :-/

  21. DD-WRT by guabah · · Score: 1

    When in doubt use port triggering instead of forwarding, and enable uPnP.

  22. when jdoe logs in... by Anonymous Coward · · Score: 0

    Check out junipers UAC system. It does this quite well when paired with netscreen firewalls.

  23. UML Deployment Diagram to Firewall Cfg Generator by idsfa · · Score: 1

    Just wish I had one ...

  24. Re:When you finish your MBA- it'll all become clea by Peach+Rings · · Score: 1

    How many times did you reboot it?

  25. Just run it through a Chinese server by countertrolling · · Score: 2, Funny

    They'll firewall it for you..

    --
    For justice, we must go to Don Corleone
    1. Re:Just run it through a Chinese server by Anonymous Coward · · Score: 0

      In Soviet China
      The firewall blocks you...

      ?

  26. Standardization is EXTREMELY difficult by CodePwned · · Score: 2, Informative

    In a Star Trek world people would work well together, but the money is made coming up with the next biggest and best product, meaning you beat out the competitors. Working together often eliminates that huge profit margin one gets when they have the "best" tech for "this need". Open Source solutions are often (not always) designed from this viewpoint that "A collaborative effort will result in an ideal product with the motivation being profit profit profit".

    Add on top of that is that there are many things that drive technology. Some needs are speed, others are security, etc etc etc.

    In my work, our "data" is our life blood. If it's hacked, destroyed etc... we're screwed. We sell our information so while speed is often important... security is #1. If I was working for the stock exchange, security would come in second merely because time is ESSENTIAL. Security comes immediately after. Get the gist?

    Now, when you're talking high level networking where you're dealing with thousands or even hundreds of thousands of connections simultaneously then you have to combine a mix of things.

    This is where it makes it extremely difficult to make a program that does everything in simple man terms. That's why there are network administrators and architects. There are far too many variables to turn into a Windows-like GUI where "Are you sure?" will cover it. Here's a small list of the variables you're going to encounter:

    - Size of network
    - Location of all users (remote and local)
    - Security requirements (government contracts often require certain levels)
    - Company policies (do you need to have site filters for porn sites)
    - What kind of filters will you use
    - What kind of hardware is this all operating under
    - Many routers run different flavors of linux where some commands are different (Cisco *cough*).

    It pretty much comes down to... networking in the home is easy because it is simple. You're going to have X number of boxes connected wired or wirelessly to a single incoming connection. Easy.

    However, in the real environment you may have 20+ connections coming in with complex equipment that routes and load balances those incoming and outgoing connections. If someone were to create a piece of software for this it would need every single manufacturer of routing equipment to work together. That's just not going to happen.

    So... the only common things that can happen are learning to write script once you've thought out your network and that's the easy part.

    1. Re:Standardization is EXTREMELY difficult by blackraven14250 · · Score: 1

      You have a great point about "networking in the home being simple". Now let me remind you:

      There are problems connecting to nearly every game server through a router when a non-technical person is doing the connecting, because there's no standard way for the creators of the games to open up the correct ports; this is a simple thing the question asks, yet is still completely unaddressed by the guys making home routers. They could easily come up with a method to accept a small text file with the proper information for the game's connections, but they aren't innovating the user experience whatsoever.

    2. Re:Standardization is EXTREMELY difficult by Anonymous Coward · · Score: 0

      because there's no standard way for the creators of the games to open up the correct ports

      UPnP works just fine, developers are just fucking retards, and router vendors won't implement it on all of their routers because they're also retards.

    3. Re:Standardization is EXTREMELY difficult by Kaboom13 · · Score: 1

      There is, it's called uPnP. It sucks, terribly. It was made by a pack of gibbering idiots. Different vendors having dick sizing competitions managed to implement it in ways that are completely incompatible and broken. The home users stupid enough to really need it own cheap, shitty routers (often provided by their ISP) that implement it in a broken manner if at all. The users with better routers that implement it correctly all disable it, because the creators did not bother to include any sort of authentication, making it a security hole (also the fact that even in the best of conditions it only works too sporadically). If you want the router to just accept a text file, which presumably means logging into the router and manually uploading it, how is that any easier than setting the port forwards? How do you handle it when it wants to forward a port that is already forwarded to a different IP? How do you handle it when a lazy game dev (and it will happen) just says fuck it and sets all the ports open? Look at any support forum for a modern multiplayer game. There will be people with NAT issues, and the support staff's first (and often only) suggestion is to either remove the firewall completely or forward everything to the PC.

      Setting port forwards is simple on any decent router. If your router makes it complicated, blame the vendor. You don't need anything special, you don't need an external server to do NAT traversal, you just need a screen to come up when you host the game telling you to forward port X (you only need one per game, more than that is bad design) to IP Y, where Y is the IP of the system you are on. If you feel generous, put a link to portforward.com or something to help them find documentation. If they can't figure that out, they probably should not be opening ports to begin with. Point them at the nearest GameStop and tell them to purchase an Xbox 360 and an Xbox Live subscription; they aren't ready for the real internet.

    4. Re:Standardization is EXTREMELY difficult by Todd+Knarr · · Score: 1

      For outbound connections, what's so complicated? My Linux gateway box, not to mention every NATting router I've seen, does it automatically.

      For inbound connections, again what's so complicated? I set up a firewall specifically so the outside world could not make inbound connections to my machines without my intervention to allow it. If I wanted it to be otherwise, I wouldn't've installed the firewall. You aren't asking for innovation, you're asking for the ability to completely circumvent my security. And news flash: if your game can do this, then any piece of malware out there can do it too. That's exactly why I want this to require my manual intervention.

      There's always UPnP, of course. Most modern home routers with firewall capability support it. But again, many sensible users turn it off to prevent malware from opening up holes in the firewall and exposing their machines to the outside world.

    5. Re:Standardization is EXTREMELY difficult by Anonymous Coward · · Score: 0

      See: UPNP

    6. Re:Standardization is EXTREMELY difficult by Firethorn · · Score: 1

      There's problems connecting to nearly every game server through a router when a non-technical person is doing the connecting, because there's no standard way for the creators of the games to open up the correct ports;

      Isn't that what UPnP is supposed to do?

      NAT traversal

      One solution for NAT (Network Address Translation) traversal, called the Internet Gateway Device (IGD) Protocol, is implemented via UPnP. Many routers and firewalls expose themselves as Internet Gateway Devices, allowing any local UPnP controller to perform a variety of actions, including retrieving the external IP address of the device, enumerating existing port mappings, and adding and removing port mappings. By adding a port mapping, a UPnP controller behind the IGD can enable traversal of the IGD from an external address to an internal client.

      Now, I know this isn't universal - not all games or routers support it, but UPnP was enabled on my home router by default, and modern games should take advantage of it.

      --
      I don't read AC A human right
    7. Re:Standardization is EXTREMELY difficult by Anonymous Coward · · Score: 0

      This (home networking) is precisely what UPnP is for..

      (You can check out the full standards list here: http://www.upnp.org/standardizeddcps/default.asp) ...and for opening/forwarding ports in NATs/firewalls, UPnP NAT Traversal (via the UPnP IGD standard).

      Pretty much every consumer NAT gateway/router in the last 10 years or so comes with UPnP NAT Traversal support (whether it's enabled by default or not is another issue). So, that problem has been solved (a decade ago); issues arise when software/applications/devices aren't UPnP NAT Traversal aware/programmed and/or the NAT gateway has its UPnP IGD support disabled.

      Almost all of the devices (PCs/gaming consoles/TVs/receivers/DVRs/etc) that share/serve see/playback pictures/songs/videos with each other, use another UPnP standard known as UPnP MediaServer/MediaRenderer, though, often, the manufacturers use their own marketing terms such as "DLNA" to mask/hide/avoid using the term "UPnP" (this goes back to the fact that UPnP was essentially pioneered and invented by Microsoft, and this fact bothered/bothers many..such as their direct competitors (like Sony)..).

      There are even other standards for port forwarding/mapping, including Apple's "NAT-PMP", or even "STUN", etc.

      The issue isn't a lack of standards, but (perhaps) rather the lack of implementation/configuration.

      Again, if your devices support UPnP/DLNA (one standard or another), but it comes disabled, this clearly makes for an inferior/broken consumer experience. Obviously, if your device doesn't support UPnP/DLNA to begin with, then it can't work with other devices that do (resulting in an inferior/broken consumer experience).

      Clearly, the issue isn't a lack of standards (most of these standards have been around for 5-10 years), but rather, implementation/configuration of the standards.

      There's no point reinventing the wheel; what needs to happen is that all the wagons need to have them, and have them enabled by default, and all the roads need to be designed for wheels, etc etc.

      In other words, if every consumer/home NAT gateway came with UPnP IGD support that was enabled, and every console/PC/other game application supported UPnP IGD in the client, this would greatly reduce the issue of manually configuring port forwarding for consumer gamers (not that this doesn't apply to ALL types of connectivity apps).

    8. Re:Standardization is EXTREMELY difficult by DarwinSurvivor · · Score: 1

      Ok, seriously, what games actually require firewall modification when running as a client? I have played probably close to a hundred computer games on my machine from behind a firewall protected router and the only time I've EVER had to open ports for a game was when I was running the server that somebody else wanted to connect to.

      This doesn't even bring up the risks of OPENING those ports in the first place. Even if you trust 100% the game that wants the port open, that port remains open when the game isn't running, leaving a possibly now-exploitable port open. Although the likelihood of this with high-numbered ports is slim, it still kind of defeats the purpose of the firewall in the first place if you start poking holes in it for every game you install.

    9. Re:Standardization is EXTREMELY difficult by Kaboom13 · · Score: 1

      The UPnP standard lacks any authentication mechanism. Turning it on means anything in your network can open any ports to anywhere it wants. According to this site https://www.kb.cert.org/vuls/id/347812 and here http://www.gnucitizen.org/blog/flash-upnp-attack-faq/ there is even a flash exploit that can be used with uPnP to reconfigure your router. UPnP was dead on arrival. Any router vendor that doesn't ship with it off by default is a retard.
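
      The audit a defender wants when UPnP is left on, as an added example that is not part of the thread: list what the gateway has actually accepted (the IGD's "enumerate existing port mappings" action quoted above) and compare it with what you knowingly allowed. The listing here is constructed in the shape of the `upnpc -l` output from miniupnpc; the allow-list, addresses and descriptions are made up for the example, and on a real network you would pipe the live listing in instead.

```sh
#!/bin/sh
# Added example, not from the thread: flag IGD port mappings that are not on
# an allow-list. The MAPPINGS text is constructed to look like `upnpc -l`
# output (index proto ext->inside:inport 'description' 'remote host' lease);
# every address and description in it is an assumption for the example.

MAPPINGS="\
 0 TCP  3389->192.168.1.23:3389  'RemoteDesktop' '' 0
 1 UDP 27015->192.168.1.50:27015 'game server' '' 0
 2 TCP  6881->192.168.1.20:6881  'libminiupnpc' '' 0"

# Mappings you opened on purpose, one per line: PROTO:extport:host:inport
ALLOWED="
UDP:27015:192.168.1.50:27015
"

# Normalise each listing line to "PROTO extport host inport description".
# The description is everything between the first pair of single quotes.
parse_mappings() {
    printf '%s\n' "$MAPPINGS" | awk -v q="'" '{
        split($3, m, "->"); split(m[2], h, ":")
        d = $0
        i = index(d, q); d = substr(d, i + 1)
        j = index(d, q); d = substr(d, 1, j - 1)
        print $2, m[1], h[1], h[2], d
    }'
}

# Print one UNEXPECTED line per mapping that is not on the allow-list.
# An exact line match on the allow-list avoids prefix collisions such as
# port 2701 matching an entry for 27015.
audit_mappings() {
    parse_mappings | while read -r proto ext host inport desc; do
        if printf '%s\n' $ALLOWED | grep -qxF "$proto:$ext:$host:$inport"; then
            continue
        fi
        echo "UNEXPECTED $proto $ext -> $host:$inport ($desc)"
    done
}

# Number of mappings nobody admitted to opening; 0 means the gateway is clean
unexpected_count() {
    audit_mappings | wc -l | tr -d ' '
}

audit_mappings
```

      Run on a schedule, the count is a cheap detection for the "anything on the LAN can open any port" property the post describes: a mapping nobody put on the allow-list is either a forgotten game, or something on the inside that should not be reachable from the outside at all.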

  27. Stateful Firewalls by Redlazer · · Score: 1
    Unless I'm missing something, our Aruba controllers do firewalling on the fly, for OUTBOUND.

    If you're talking about Inbound, then, sorry. I just can't trust you guys.

    --
    Guns don't kill people, "with glowing hearts" kills people.
  28. Certs? by nine-times · · Score: 1

    I feel like things might be able to be simplified a little better if there were better use of certificates for authentication and encryption. Of course, that requires a better (free) method of managing and authenticating the certificates themselves.

    It might not have a lot of improvements in the realm of firewalls, but it might enable better/easier VPN and control over routing rules. Instead of dealing with IPs and MAC addresses, you could allow specific users and machines. Of course, I'm not sure how much you want to deal with the overhead of all that. Current IP-based routing is doing well enough, and speed matters.

    Otherwise, I don't know... IPv6 and ditching NAT? As far as the feeding a Visio diagram in, I'm not sure how much I want my firewall interpreting diagrams for intent. Some firewalls already have GUIs of some kind or another, with varying degrees of helpfulness.

    For my purposes, I wouldn't mind seeing cheap, standard, dead-simple VPN that's supported across all clients without additional software installs. Firewalls are only one part of that problem. I imagine a better system of distributing/verifying certs might help.

  29. I like PF, try PFSense by bsDaemon · · Score: 5, Insightful

    The BSD 'pf' packet filter is pretty good. There is even a FreeBSD-based project known as pfsense which you might want to take a look at, as it offers a pretty-much drop-in solution for packet filtering, as well as NAT, load balancing, VPN connectivity, etc. There is a web-based administration GUI as well. It looks pretty sweet, but I haven't played with it much in any serious deployment personally.

    1. Re:I like PF, try PFSense by adairw · · Score: 1

      pfSense is the best thing I ever stumbled across on the internet.

    2. Re:I like PF, try PFSense by pdxp · · Score: 1

      I use pfSense seriously and it's great; however, all it does in regards to the OP's concerns is make the manual configuration easier/prettier. Although you'd be able to use SSH & shell scripts to change config files, that might make a lot of sysadmins (like me) nervous.

    3. Re:I like PF, try PFSense by gollito · · Score: 1

      pfsense is legit. I've got it deployed a few places and it is great. The load balancer just works, VPN works great, creating rules on it is really similar to creating rules on a PIX/ASA. Throw Untangle behind it and you've got a great 1-2 defense layer for your network. I've even got this running in a virtual environment (which you'll either need a bunch of NICs or managed switches and VLANs for). Free HA firewall anyone?

    4. Re:I like PF, try PFSense by Anonymous Coward · · Score: 0

      I would even go as far to say that pf is the next best thing in firewalls. By far the most descriptive and scriptable syntax I've seen. Put your configs in a revision control system.

      pfSense just dumbs this down into a GUI that really could have any firewall back-end. pf is much more powerful than pfSense lets on.

    5. Re:I like PF, try PFSense by Anonymous Coward · · Score: 0

      I use it as well for my home/small biz network and I like it a lot. About a year ago, I picked up a mini itx system with a VIA C7 processor from http://www.logicsupply.com. The motherboard has one 10Mb port, then I added an expansion card that has 3 more 1gig ports on it. Fairly oddball hardware, but it only draws something like 12W. pfSense works just fine on it. OpenVPN works just fine as well. I'm finally running a real DMZ again, and the wireless devices are on their own subnet with their own DMZish restrictions.

  30. Cisco Security Manager by Shane · · Score: 1

    Cisco Security Manager does all that and more. The key features being Interface roles and ACL/device hierarchy.

    Obviously this is not opensource.

    --
    -- You can be a geeklord too :)
    1. Re:Cisco Security Manager by sampas · · Score: 1

      pfSense is great, but it does not scale to the level of Cisco Security Manager, which is enterprise ($$$) software to manage all the devices you already bought ($$$) from Cisco and paid more to support ($$$). CSM tracks changes and does workflow, too. I use both pfSense and Cisco almost every day. While CSM saves a lot of time, knowing how to configure which policies to share and how to share them is still complex and requires some thought. Cisco has a checkbox that will either limit all your user VPN tunnels to 256 kbps (e.g.) total or 256 kbps per tunnel. The wording isn't clear and I can never remember which one it is. If your users start complaining that VPN is really slow, it's probably the wrong setting.

      Basic firewalling is not complex. Defense-in-depth and creating compartmentalized networks for each layer in each application in your worldwide network gets complex no matter what tools you use. The trouble with unified threat management is that no single vendor is going to catch everything.

      The single most effective thing you can do to secure your networks is to start by denying all ports inbound AND outbound. Then open up only those ports required for your business. Use an authenticated proxy for client web traffic, and your users don't have to connect to the Internet directly any more.

  31. Look into more serious UTM firewalls by Rene+S.+Hollan · · Score: 1

    UTM: unified threat management.

    Disclaimer: I work for a manufacturer of such devices.

    The better ones integrate with Active Directory and/or Kerberos to authenticate sessions, and do spam and virus scanning (using a quarantine server, if available).

    Some will even decrypt and reencrypt HTTPS traffic to check what's in it. (They resign the server's cert with their own CA cert that the user's browser has to trust -- in some environments, an intermediate CA cert can be imported signed by a CA cert that has already been pushed to the desktops.)

    Some will even set up VPNs via a PC-based admin app in a step as simple as drag and drop.

    That said, they don't come cheap: figure $500 and up for a home/SOHO office version (3 LAN ports, DMZ, and one or two WAN ports (for WAN failover)), along with licensing for virus and SPAM scoring server access.

    --
    In Liberty, Rene
    1. Re:Look into more serious UTM firewalls by rbphilip · · Score: 1

      What do you suggest? Sonicwall seems to offer what you suggested, but a previous poster had bad things to say about Sonicwall. I've got mixed feelings about Sonicwall, but their new SOHO stuff looks interesting (TZ100 or TZ200)..

    2. Re:Look into more serious UTM firewalls by trashcanman · · Score: 1

      UTM? That's soooo 2002! Though at the low end, that is probably the best solution today. Next Generation firewalls work at Layer 7 and inspect the packet once (instead of once for each way you want to look at it: stateful inspection, authentication, antivirus, IPS, etc.). I know of several UTM manufacturers at your price point whereas a Next Generation firewall starts at about $5000.00.

      --
      The Dread Pirate Roberts is here for your soul!
    3. Re:Look into more serious UTM firewalls by Rene+S.+Hollan · · Score: 1

      Er, what's the difference between inspecting the whole packet once and inspecting each layer of it once? kernel/user and process context-switching overhead? I guess, but the layer isolation reduces inter-layer bug interactions, and the overhead can be overcome with "more horsepower".

      You get fast and unstable or slower and more reliable. Take your pick.

      The upside to UTM is that "one appliance does it all". The downside, of course, is that "one appliance does it all", and therefore runs out of horsepower quickly if doing a lot.

      You can either use a heterogeneous solution, or a clustered homogeneous one: the latter less efficient than the former (since, though you can tune individual elements to focus on particular layers and protocols, you still are looking at everything on each node). However, the benefits of clustering are physical homogeneity: you don't have a separate firewall, anti-spam, anti-virus, etc. device.

      For home/SOHO use, the UTM approach is likely the best one in terms of simplicity, price, and adequate performance.

      --
      In Liberty, Rene
  32. Playbook (by Matasano) by Anonymous Coward · · Score: 0

    It's not quite as nifty as what the post mentions, but Playbook by Matasano "syncs your firewall configurations with a secure web-based console"

    http://runplaybook.com/

    (note: my only relationship with Matasano is that I like their blog)

  33. Yep! That's why the future is in smarter devices by King_TJ · · Score: 1

    I've been contacted by several Internet security product vendors recently (after I attended a free network security conference in town). The "in" thing right now seems to be selling "security appliances" that can intelligently sniff traffic on port 80 or 443 and discern what's actually going through. Of course, right now, they seem to be trying to sell these as additions to your environment, rather than replacements for existing traditional firewalls ... but it's only a matter of time before it all gets rolled together into one product.

  34. Re:When you finish your MBA- it'll all become clea by x2A · · Score: 2, Interesting

    I don't have a one-of-those, I just have my scripts call iptables :-/ it's not as flash as drag 'n drop, but I tried programming a virtual usb mouse to automate clicking things on the screen when things happen, but while trying to write the detection software that tells it to click certain rules when somebody plugs their computer into the network, which was detected by pointing a webcam at the network switch to watch when lights came on/off, my head fell off. Turns out, I needed my head on.

    --
    The revolution will not be televised... but it will have a page on Wikipedia
  35. SOHO mindset in an Enterprise world by adosch · · Score: 4, Insightful

    Characteristically, firewalls are simply just that: a barrier to entry into a restricted, trusted area unless you're a loud to do so. So I'm confused why I would, first of all, want something 'automagically' configured for me in an enterprise setting? There's a very good reason your network admins at your workplace highly scrutinise over a single IP address: because it's important to your infrastructure, IT/perimeter security standards and business, and it's their job to. If they aren't at least, on a high level, asking you the 5 W's about why you need the rule(s) and you don't have answers, why should they even allow it?

    What about tying a firewall into an authentication system so that when jdoe logs in, only then are the firewalls opened to pass her traffic?

    That's what tiered firewall-VPN solutions are for.

    What about managing distributed firewalls so that one repository of rules opens up your system's firewalls, the DMZ firewall, and the public firewall all at once?

    Port knocking is pretty helpful in this, but can also bite your security-through-stealthy-obscurity right in the ass as well.

    Can I take a Visio diagram, run it through a script, and get a list of firewall rules?

    Visio diagrams are for documentation and suits. I couldn't hold any merit to that because firewall rules aren't just something you slap together (unless you're doing it for fun or at home or want Johnny Cracker hosting pr0n on an anonymous FTP on your computer at home). Flow-based solutions process rules in a top-down fashion, so it takes very good sets of eyes to develop rules that aren't going to be a liability, cause backdoors, trump existing rules and break security or flat out cause things to not work anymore in your production environment.

    1. Re:SOHO mindset in an Enterprise world by Anonymous Coward · · Score: 0

      Can I please be A LOUD?!!!

  36. Protocol awareness by Anonymous Coward · · Score: 0

    Not simply port numbering but actual protocol identification. That's what all the major players are doing for "next generation" firewalling.

  37. Three Words by Anonymous Coward · · Score: 0

    PALO ALTO NETWORKS

  38. They don't scale well. by sr8outtalotech · · Score: 1

    Standardization among endpoints is the only real way to lessen the headache. If you know that workstations need to use port X and protocol Y it's much easier to set up. Without it you have some goofball configuring RDP to listen on 32322 not 3389 like most everyone else.

  39. I smell marketing by JoeBuck · · Score: 4, Insightful

    OK, jlmale0, are you working on requirements or marketing for a product in this space? You can tell us, it's OK.

  40. Windows generation by jamesh · · Score: 0

    I blame Microsoft for making complex problems appear simple. They put a simple and limited layer over the top of a complex background to hide it and suddenly everyone thinks they can be a sysadmin without having a clue about how it works underneath, and without that clue the user gets it wrong once they try and do anything vaguely complicated.

    Firewalls are the same, only more so. You _need_ to understand what is happening to the packets as they move through your networks if you want to admin anything beyond a simple 'internet on one side, intranet on the other, NAT in between' firewall. A point and click interface might be fine for home use (although it almost certainly won't have sufficient egress filtering) but for something with more than a single internal network requiring complex separation rules between them you need to know what you are doing.

    So to answer the OP, the future of firewalls is network admins understanding their jobs, same as it's always been. Text representation of firewall rules with sufficient comments is just fine.

  41. Re:Leave the networking stuff to the networking te by Ximok · · Score: 5, Insightful

    Yes, find someone who knows something about networking and more importantly about firewalls. Try someone who has a CCSP or CCIE:Security as part of their title. Some of the things you are talking about have existed for years on Cisco PIX and ASAs, like downloadable ACLs (where based on your credentials you get firewalled differently), which can be applied across a whole enterprise of firewalls. Dynamic inspection of traffic, like H.323 traffic, so you don't have to open a whole range of ports other than the signalling port.

    Dear lord, gui based management of a fleet of firewalls? You want to drag and drop things and make magic happen when you do that? Sounds pretty reckless and dangerous to me. That's like saying because you can ride a bicycle, you should be allowed to drive a hazmat semi at top speed through downtown LA. If you don't understand what the rules are and how they will be applied in the first place, you are likely just going to cause problems (like accidentally shutting off your company's ability to sell their trinkets online because you locked it down on accident.)

    By the way, I don't care what the kid from the nerd herd tells you, Belkin and Linksys do not sell firewalls. They sell quasi-routers with nat and some limited form of access control. Finally, UPnP is not the answer to your problem, that just makes it easy for people to put devices on your network to open security holes up in your firewall, which is why it's not supported on most enterprise grade firewalls (and wouldn't work anyway if you looked at the way most enterprises build their networks)

  42. I've got the fix for you by RJHelms · · Score: 2, Funny

    Create a GUI interface using Visual Basic. See if you can track an IP address

  43. Re:When you finish your MBA- it'll all become clea by Kjella · · Score: 1

    When you finish your MBA- it'll all become clear.

    After some cost/benefit analysis on the ideas above, I think yes. It's not going anywhere.

    --
    Live today, because you never know what tomorrow brings
  44. Re:Complex often means hand tweak. No way around i by CAIMLAS · · Score: 2, Interesting

    Yes, there are those outside cases. However, consider how many scenarios can be easily covered with an "exceptioned template".

    Take iptables, for instance. It typically goes something like this: deny all, do NAT/masq from the inside, do traffic shaping/QoS, and finally allow specific ports/do specific port forwarding. It's formalistic and not all that complex, once you understand it - and it's largely linear, with most of the scripts following the same basics.

    For 90%+ of scenarios, it would be easy to instigate a framework for transparent transport of rules between systems (homogeneous and maybe even heterogeneous ones) or automatically setting rules based on inside services. The problem with doing it, however, is that it would provide a negligible benefit over what's out there now (as firewall rules tend to rarely change).

    The security ramifications of such an application seem like they'd be hit and miss, internally. Yes, you want to prevent hosts from talking to each other when they've got no reason to - though there are other methods for doing this in a cleaner, less granular/more centralized fashion (802.1q VLANs). It works better because, again, it covers 90%+ of conceivable scenarios with less configuration.

    It all comes down to KISS. Sometimes firewall restrictions are appropriate; sometimes something else is. More often than not, though, people use what they know and misapply it for fear of not being able to grasp a new technology in time to properly implement it, and we end up with a gongshow.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
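
    The "exceptioned template" above, and the earlier advice in the Cisco Security Manager thread to deny everything inbound and outbound and then open only what the business needs, rendered as a script: an added example, not code from the thread or from any of the projects named in it. It takes a short declarative service list and emits an iptables-restore ruleset that starts from deny-all, masquerades the inside network, and adds one explicit exception per listed service or port forward. The interface names (eth0/eth1), the inside network and every entry in the service and egress lists are assumptions; nothing here touches a running firewall, the output is meant to be reviewed and then loaded with `iptables-restore`.

```sh
#!/bin/sh
# Added example (not from the thread): render the "deny all, masquerade,
# allow specific ports, forward specific ports" template as an
# iptables-restore ruleset from a declarative service list.
# Interfaces, inside network and service entries are assumptions.
# Nothing here is applied; review the output, then `iptables-restore < rules.v4`.

WAN_IF="eth0"              # assumption: upstream interface
LAN_IF="eth1"              # assumption: inside interface
LAN_NET="192.168.1.0/24"   # assumption: inside network

# Constructed service list, one entry per line: proto:port[:inside_host]
# Without an inside host the service runs on the firewall itself;
# with one, it is a port forward (DNAT) to that host.
SERVICES="
tcp:22
udp:1194
tcp:443:192.168.1.10
"

# Outbound allow-list for the inside network; everything else is dropped
EGRESS="
udp:53
tcp:80
tcp:443
"

# Reject malformed entries before they become rules. Returns 1 on a bad entry.
validate_service() {
    proto=${1%%:*}
    rest=${1#*:}
    port=${rest%%:*}
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

gen_rules() {
    for s in $SERVICES $EGRESS; do
        validate_service "$s" || { echo "bad service entry: $s" >&2; return 1; }
    done

    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    # Source NAT for everything the inside network sends out the WAN side
    echo "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
    for s in $SERVICES; do
        proto=${s%%:*}; rest=${s#*:}; port=${rest%%:*}
        case $rest in
            *:*) host=${rest#*:}
                 echo "-A PREROUTING -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $host:$port" ;;
        esac
    done
    echo "COMMIT"

    echo "*filter"
    # Default deny for traffic to the firewall and through it; the firewall's
    # own outbound traffic is left open to keep the example short
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Explicit exceptions to the default deny, one per service entry
    for s in $SERVICES; do
        proto=${s%%:*}; rest=${s#*:}; port=${rest%%:*}
        case $rest in
            *:*) host=${rest#*:}
                 # FORWARD sees the post-DNAT destination, so match the inside host
                 echo "-A FORWARD -i $WAN_IF -o $LAN_IF -p $proto -d $host --dport $port -m conntrack --ctstate NEW -j ACCEPT" ;;
            *)   echo "-A INPUT -i $WAN_IF -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT" ;;
        esac
    done
    # Outbound exceptions for the inside network
    for s in $EGRESS; do
        proto=${s%%:*}; port=${s#*:}
        echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # The template's traffic shaping/QoS step belongs to tc, not to this table
    echo "COMMIT"
}

gen_rules
```

    Keeping the policy as the short SERVICES/EGRESS lists and generating the rules from them is what makes the post's "transport of rules between systems" cheap: the lists go into revision control and the generator is the only place the iptables syntax lives, which also keeps a typo in a port number from silently becoming a rule.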
  45. Firewalls suck basically... by Anonymous Coward · · Score: 0

    It's funny TFA makes it sound like firewalls haven't changed at all in years. I was just commenting the other day how firewalls are now able to log not only what machine sent or received what packet but the process name and id and user context of the host computer responsible for initiating or receiving the request. What is possible and the level of integration throughout the technology stacks is incredible and scary.

    Coupled with ipsec you can now strongly authenticate individual ip/tcp sessions between any system on the network. What is available to those who are willing to move beyond a soho device and the absurd notion that ports are somehow related to service is actually quite significant in modern operating environments.

    Firewalls are just as importantly about logging and monitoring access as they are about implementing access controls but very few administrators take this seriously and fail to review their logs.

    Firewalls for ad-hoc access control in my view set a dangerous precedent by shifting the responsibility from the end systems where the most amount of information is available to provide authentication and authorization to the network which is quite stupid and easily fooled. Internal machines must not be assumed safe just because they are on an internal leg of a firewall... PPL who make these assumptions are idiots and it happens everywhere.

    I seriously think the world would have been better off had firewalls never existed and authentication/authorization of access to network resources were not treated as second class citizens.

  46. Trusted host or trusted user. by Anonymous Coward · · Score: 1, Informative

    Some firewalls can be configured to allow based on user auth instead of source IP, which is a bit more useful for some situations. Restricted layer 7 proxies generally work this way, with the classic example being Gauntlet.

    As a modern example, OpenBSD PF has the integrated pfauth mechanism where you authenticate with the system as a user. When you login with ssh to the firewall, it dynamically loads a pre-configured ruleset appropriate to your profile, then drops them when the session is terminated.

    This doesn't make configuration any simpler from your point of view, but PF overall makes configuration much simpler for those who understand firewalls.

  47. the one with a cat pat by Anonymous Coward · · Score: 0

    Errr what? Maybe GUIs might not have a future.

    dentists reading

  48. You are confusing security with complexity... by Anonymous Coward · · Score: 0

    Firewall management is difficult when a lot of holes and special rules are created. This happens when firewalls are used for things that god never intended such as enterprise wide point to point specialized rules. The trick is to go from security requirements and policies and design a network and gating solution that meets those needs without creating a lot of complexity.

    In a dynamic organization, this means that the policies, rules and design have to be revamped on a regular basis to keep things simple and to prevent spaghetti connections and firewall sieves from developing.

    You are specifying solutions and rules instead of stating the problem to be solved.

  49. systematic by TheSHAD0W · · Score: 1

    I always forward a block of 100 ports to each active intranet IP on my network, with the first digits being the last octet of the IP.

    eg: 192.168.x.101 gets ports 10100-10199.

    Using this system, along with a domain server that will assign each machine a predictable IP, makes things a lot easier.
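The scheme in the comment above (host 192.168.x.N owns external ports N*100 to N*100+99), as an added example that is not the commenter's own code: the forward and inverse mapping, generation of the matching iptables DNAT rules as reviewable text, and a check for the hosts whose block collides with the well-known port range. The subnet, WAN interface name and service list are assumptions for the example.

```python
"""Systematic port forwarding: internal host 192.168.x.N gets external ports
N*100 .. N*100+99. Added example, not from the original comment; the subnet,
WAN interface and service list are assumptions."""
from ipaddress import IPv4Address, IPv4Network

BLOCK = 100          # external ports per host
LOW_PORTS = 1024     # well-known range the scheme should not collide with


def external_port(internal_ip, slot):
    """External port for slot (0..99) of internal_ip: 192.168.1.101 slot 0 -> 10100.
    Using the internal service port as the slot keeps the mapping memorable
    (slot 22 -> external 10122 forwards to ssh)."""
    if not 0 <= slot < BLOCK:
        raise ValueError("slot must be 0..%d" % (BLOCK - 1))
    last_octet = int(IPv4Address(internal_ip)) & 0xFF
    return last_octet * BLOCK + slot


def internal_host(ext_port, subnet="192.168.1.0/24"):
    """Inverse mapping: (internal ip, slot) that owns an external port."""
    last_octet, slot = divmod(ext_port, BLOCK)
    if not 1 <= last_octet <= 254:
        raise ValueError("port %d maps to no host in the scheme" % ext_port)
    return str(IPv4Network(subnet).network_address + last_octet), slot


def low_port_hosts():
    """Last octets whose block overlaps the well-known port range; forwarding
    their block would shadow services the gateway itself may run
    (e.g. .5 -> 500-599)."""
    return [n for n in range(1, 255) if n * BLOCK < LOW_PORTS]


def dnat_rules(internal_ip, services, wan_if="eth0"):
    """iptables lines forwarding each (slot, proto, internal_port) to internal_ip.
    Returned as text so it can be reviewed and diffed before loading."""
    lines = []
    for slot, proto, iport in services:
        eport = external_port(internal_ip, slot)
        lines.append(
            f"iptables -t nat -A PREROUTING -i {wan_if} -p {proto} --dport {eport} "
            f"-j DNAT --to-destination {internal_ip}:{iport}")
        # FORWARD sees the already-translated destination, so match on that
        lines.append(
            f"iptables -A FORWARD -i {wan_if} -p {proto} -d {internal_ip} "
            f"--dport {iport} -m conntrack --ctstate NEW -j ACCEPT")
    return lines


if __name__ == "__main__":
    for octet in low_port_hosts():
        print(f"warning: 192.168.1.{octet} block {octet * BLOCK}-{octet * BLOCK + 99} "
              f"is below port {LOW_PORTS}")
    print("\n".join(dnat_rules("192.168.1.101", [(22, "tcp", 22), (80, "tcp", 80)])))
```

The check matters because the scheme only works cleanly for hosts .11 and above; anything lower hands out a block that overlaps ports the router may already listen on.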

  50. If you're using Visio, you're doing it wrong by morphage · · Score: 5, Interesting

    There are two problems with your question.

    The first is you may believe tools and diagrams will take the pain out of implementing and enforcing security policy. Network design is systems design. Diagrams are essential in communicating that a system meets the requirements to stakeholders and management who make budgets and can't visualize how improved security adds value. But firewalls and their associated diagrams are just one element of security. What about OS patches, authentication and physical security? You know that firewalls run software and software needs maintenance. Pointing to a well executed diagram won't save you from applying vendor software updates. Are your policies sane? Security tools are only as good as the policies they implement and the people who use them. Your tool may show you that you have correctly hidden an important asset from the outside world, but are all your assets protected? Does your organization give out VPN logins to unqualified users? Are you using a VPN? Can your services run over a tunnel? If your servers or services can be secured do you really need to block all ports and selectively open a few? Can any of your services take advantage of TCP Wrappers?

    "When you finish your MBA- it'll all become clear." is spot on. Perform a cost benefit analysis. Figure out how many hours at your rate it will take to cobble together some scripts or pay a developer for a custom tool. Then figure out how much it would cost to hire a qualified network engineer. Then figure out the cost of losing business due to denial of service or network intrusions. Then realize that you still probably need a network engineer to correct your diagrams and security policies after you use a custom tool. You can always do your own taxes and defend yourself in court, but can you afford to be wrong? Complex problems need people with specialized knowledge.

    The second problem is no tool programmer in their right mind would want to write a program to generate scripts from Visio. I'm a programmer, not a network guy, but like many programmers I've run Linux and OpenBSD development and webservers and done my best to keep them secure. I've also used Visio, and Visual Paradigm and some other very expensive commercial tools for creating UML diagrams. In less time than it would take me to figure out how to correctly draw something in Visio, I could have skimmed the man pages and the internet for the correct syntax required to write a rule in iptables or pf. Visio is not an intuitive tool for working in most domains. Adobe Illustrator with all its quirks makes more sense in comparison. If you want a neat toy or project, take a look at GNU DIA, or Argo UML and write patches to generate configuration files. Even if you are successful there is no standard operating system or vendor independent language for defining firewall rules. Don't ever expect to drag and drop a policy to migrate rules from a Linux based appliance to a Cisco router to a Juniper switch to a BSD based appliance. Cisco has made billions by locking in customers to their own standards. Linux and BSD are integrated into many firewall appliances but they also have their own version dependent quirks and special sauce from vendors.

    1. Re:If you're using Visio, you're doing it wrong by Anonymous Coward · · Score: 2, Insightful

      Wow, amen to that. I'm so sick of visual representations of workflows it makes me sick. There are just too many cases where a minor change in a visual diagram can affect the underlying workings in a major way. Because most visual tools for workflows I've seen use proprietary formats, the visual representations remove the ability to use a diff tool on them to determine what has changed from one version to the next. Add in complications for deploying across multiple systems that may have one or two lines change. Take away the ability to do a full audit without clicking the damn mouse 600 times so you can look at each piece of the diagram, drill into it, look at what it does, drill into sub-parts, make sure you didn't change something vital, heaven forbid you move one of those pieces a little bit when opening it, now you have differences in your file again. Ahh, SSIS is my own little piece of hell. Yes, it is stored in XML, but add in a third party component and the commercial diff tools built specifically for it choke. For minor changes in formatting it moves whole blocks of the file around. Even with tools that clean up the xml enough to determine what has changed, the information that tells the program *how* to display the file gets in the way of the information that tells it what to do.

    2. Re:If you're using Visio, you're doing it wrong by Anonymous Coward · · Score: 0

      Your tool may show you that you have correctly hidden an important asset from the outside world

      Wrong.

  51. Re:When you finish your MBA- it'll all become clea by lsolano · · Score: 1

    :D :D

    and fo sure, he/she will be a very qualified professional: an MBA that knows a lot of terms about firewalls, learnt from a sysadmin's tech magazine dated Feb 1997.

  52. Re:When you finish your MBA- it'll all become clea by bds1986 · · Score: 1

    when somebody plugs their computer into the network, which was detected by pointing a webcam at the network switch to watch when lights came on/off

    You seem to be going to a lot of trouble to avoid using SNMP ;) .

  53. Re:Leave the networking stuff to the networking te by drsmithy · · Score: 2, Insightful

    Dear lord, gui based management of a fleet of firewalls? You want to drag and drop things and make magic happen when you do that? Sounds pretty reckless and dangerous to me. That's like saying because you can ride a bicycle, you should be allowed to drive a hazmat semi at top speed through downtown LA. If you don't understand what the rules are and how they will be applied in the first place, you are likely just going to cause problems (like accidentally shutting off your company's ability to sell their trinkets online because you locked it down on accident.)

    I can't think of a single reason why knowing what the rules do precludes using a GUI tool to simplify and automate management.

    Manually editing text is time-consuming, fatiguing and error prone. Having a tool to automate that sort of thing is one of the fundamental reasons for having computers in the first place.

  54. If you need a GUI... by xianthax · · Score: 2, Insightful

    you should not be configuring a mission critical firewall.

    1. Re:If you need a GUI... by kisanth88 · · Score: 1

      Bullshit, you obviously have never worked in a service provider network where you are protecting application DMZs for a couple score applications that can inter-work between each other and other pieces of your network. GUIs increase productivity, if we were managing all our firewall policies via command line we would need at least 30 more people on our staff. Even for me who can get upwards of 80 words per minute on a good day. It's a damn sight quicker to drag TCP-443 into a policy line than to log into a box, define TCP-443 with a name in syntax, then find the policy line via a crazy show command, and finally add that object to the policy line. Get real. GUIs despite being "lame" are useful for speeding up common tasks. -K

  55. Re:Leave the networking stuff to the networking te by postbigbang · · Score: 3, Insightful

    Secure perimeters are illusions. Every machine needs its own defense. Firewalls are good for NAT, which foils a few, and stateful inspection, which fools a few more. Otherwise, internal firewalling and boundary checks are the only answer, coupled to download security hashing checks-- and those get bitten, too.

    Belief in firewalls and secure perimeters are the reason that some 30% of all machines in a domain are bot'd somehow..... along with Checkpoint, Norton, Microsoft, and so on. A CCIE or CCSP gives you someone that can help, but there's no guarantee that someone won't click on a site that will give your browsers a headache, then the infection, and so on.

    The MuSystems guys can tell you about fuzzing attacks that will leave most equipment in a state of mush. With enough pounding, you can break about anything. Sorry to be dour, but you have to use best practices, and protect each individual device, not just the perimeter.

    --
    ---- Teach Peace. It's Cheaper Than War.
  56. Ev by Anonymous Coward · · Score: 0

    This guy has never had to clean up a virus outbreak, in which our firewall stopped it from being able to connect directly out and download its payload.

    I'm a network security engineer, and we use Juniper, and we can make a rule across all firewalls with their NSM product. You have to be a place with money to have that ability though.

    The biggest issue is viruses, and trying to control data leakage from a company. People who are trying to send/receive data see it is a problem; network security guys are here to save you from yourselves.

  57. Matasano Playbook by Anonymous Coward · · Score: 1, Informative

    http://runplaybook.com/

  58. Palo Alto (or other layer7 "gigabit grade" tech) by Anonymous Coward · · Score: 0

    The future of firewalls (at least on the enterprise) seems to be layer 7 rules. Look at what Palo Alto gear does using FPGAs and custom rules for each application... its kind of an "antivirus on the wire", with all the bad implications (easy to circumvent on targeted attacks, etc) that has.

  59. Re:Yep! That's why the future is in smarter device by trashcanman · · Score: 1

    This is the future of firewalls. It's expensive now because it's new. But soon, you'll be able to do this on your SOHO (or SMB) firewalls: http://www.paloaltonetworks.com/

    --
    The Dread Pirate Roberts is here for your soul!
  60. To sum up by Barny · · Score: 1

    "When I mess with my WAP/router at home or coordinate with the network team at work, it seems like I'm stuck in 1995. We're still manually listing IP address/port combinations for our firewall rules. There's a certain simplicity to this when dealing with a single system, but there are firewalls everywhere these days. Now, I don't like my job, and want to get paid in the short term to setup a system that will ultimately make my position redundant. My question to slashdot is: How do I make myself no longer required?"

    Sounds like you got a good comfortable job configuring firewalls, why the fuck would you give that up?

    --
    ...
    /me sighs
  61. Re:When you finish your MBA- it'll all become clea by Anonymous Coward · · Score: 0

    Been done. www.linesider.net. Set up some groups, IP addresses, ports, etc. and have it configure both IPTables and secure tunnels for all networks involved. The core networks involved need a network appliance plugged in to listen to the provisioning signals.

  62. Keynote trust management system by Anonymous Coward · · Score: 0

    There was some good work done 10 years back on "trust management" via a system called Keynote. The basic idea was that you set global policies and the system deals with the details of translating them to iptables rules, Cisco router stuff, et cetera -- sort of a high-level language for network management, with at least some prototype compilers. Credible people were involved and the papers were plausible.

    One link is http://www.crypto.com/trustmgt/kn.html

    I have not looked at this stuff in years. Anyone know where it went?

  63. Re:When you finish your MBA- it'll all become clea by dudpixel · · Score: 1

    how was the resulting game of Marco-Polo? fun?

    --
    This seemed like a reasonable sig at the time.
  64. Firewalls are overrated by Anonymous Coward · · Score: 0

    The only thing a firewall is good at is limiting which side can initiate connections (I am using the word connection loosely). Everything else is a futile effort because servers can and do use arbitrary ports and in the future protocols will be encrypted to avoid all sorts of attacks, thereby also making deep packet inspection obsolete. On the server side, firewalls are unnecessary and at best an added layer of stuff to manage. If you don't want anyone to connect, don't bind the port. The concept of a "trusted network" is fundamentally flawed.

  65. Re:Leave the networking stuff to the networking te by Ximok · · Score: 1, Insightful

    I can't think of a single reason why knowing what the rules do precludes using a GUI tool to simplify and automate management.

    Manually editing text is time-consuming, fatiguing and error prone. Having a tool to automate that sort of thing is one of the fundamental reasons for having computers in the first place.

    Fair enough. It might have been presumptuous of me to assume that a gui based "drag 'n drop" system would lead to someone creating policies and applying them before checking to see how they are applied and what the end-effect would be. A lot of time when someone is looking for a GUI system of that nature, they are looking for a way to not spend money on a security professional, but instead let a person with minimal training manage these devices.

    Any tool is only as useful as the person using it. If you have your janitor programming your firewall because it happens to sit in his closet, then you probably have bigger problems on your hands anyway.

    I'll admit, in my office, we script the heck out of a lot of configurations, but that doesn't mean we fire and forget. We still have to look at the end result and see how this stuff is going to fly before we apply it.

  66. Re:Leave the networking stuff to the networking te by Ximok · · Score: 0

    Yes, firewalls are only a first-line-of-defense tool. Making the assumption that a firewall is an end-all-be-all solution is not a good practice. You do need to have a network perimeter to filter out a large factor of attacks, internal borders to mitigate internal problems, and desktop/server security to protect you from your users.

    That is why we have firewalls, content filters, network access control devices, intrusion prevention systems, and desktop products (like Cisco Security Agent).

    You can't get your whole network security from a single solution and not necessarily a single vendor.

  67. Firewalls of the Future by Anonymous Coward · · Score: 0

    I am in a virtual reality and have been contacted by the future: Firewalls are smart devices using ACL's, behavior-based algorithms that grow, and are necessary. resistance is futile.

  68. New advances in firewall technology by bl8n8r · · Score: 4, Funny

    There are currently a number of applications being developed by DORKA which will allow PHBs to manage their own corporate firewalls from an Excel spreadsheet or Microsoft JET database. The applications are being developed from a usability standpoint rather than a security standpoint which allows all traffic to be allowed by default (IPv6 is ignored for simplicity because nobody understands it anyway). When the software detects a DDoS, Intrusion, or Security Breach in progress, it will send an email to the managing PHB and trigger a rule to route BLAME packets through Layer 8 instead. All there is to the interface is a red button marked "Easy" a Yellow button marked "Out To Lunch", and a red button marked "WTF?". You should find it very exciting.

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
    1. Re:New advances in firewall technology by Sidius01 · · Score: 1

      I'm still waiting on my wall made out of actual fire

  69. Re:Yep! That's why the future is in smarter device by Anonymous Coward · · Score: 0

    Governments/Agencies are already doing this on a large scale.

    Those huge cables that connect your country to the internet? They're all monitored with super-sized versions of these: Packet Forensics MITM devices

  70. Get rid of firewalls by dhammabum · · Score: 1

    Yes, I can theoretically envision (and I think you were hinting at) an overriding system/application, combining:

        1. iptables / tcpd / selinux, etc at the host level
        2. tcpdump to get an idea of "normal" traffic
        3. nmap for checking
        4. expect for logging into text-based systems for config changes
        5. secure comms between systems
        etc, etc.

    However, I don't think it will be practical to have a canned GUI thing - too many variables, too many things to go wrong.

    A better approach is just have a secure system: no firewalls, strip out unrequired services, configure required services securely, user account sandboxing, etc. Have a linux/Unix distribution setup for security and usability *on installation* and have automatic, secured updating. Obviously this will not work with Windows, but I think modern distributions are potentially good enough for this provided they are setup correctly for the critical installation stage and initial update.

    Sure, users can't be trusted, but they can't be trusted with firewalls or whatever security measures.

    --
    I am not a robot. I am a unicorn.
  71. Re:Leave the networking stuff to the networking te by Profane+MuthaFucka · · Score: 1

    That brings back some good memories.

    --
    Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
  72. Balderdash, poppycock.. by Niobe · · Score: 3, Insightful

    ..and rubbish. I manage over 90 firewalls as a fraction of my full-time duties and it's a cakewalk. Why? I'm competent with unix (and a bunch of scripting languages). GUIs are for the command-line challenged..

    1. Re:Balderdash, poppycock.. by drsmithy · · Score: 1

      ..and rubbish. I manage over 90 firewalls as a fraction of my full-time duties and it's a cakewalk. Why? I'm competent with unix (and a bunch of scripting languages). GUIs are for the command-line challenged..

      Perhaps you can elaborate on the functional difference between automation via GUI and automation via scripting.

    2. Re:Balderdash, poppycock.. by geekprime · · Score: 3, Insightful

      I'll take a shot,
      With automation via scripting you have to know BOTH the scripting language AND firewall management.

      With a GUI you don't _need_ to know either.

    3. Re:Balderdash, poppycock.. by maevius · · Score: 1

      I know both and I am sure a (well built) GUI tool would make my life easier. Just because CLI has a steeper learning curve doesn't mean that it is better or more 31337.

    4. Re:Balderdash, poppycock.. by geekprime · · Score: 3, Interesting

      It DOES ensure you have a better idea of what you are doing and exactly how it was done.

      With a GUI you are assuming that the person that wrote the GUI has done everything in exactly the right way but you can't prove it. Nor can you prove that it's entirely correct for your application, the gui HIDES the important details in favor of simplicity.

      Further, you cannot automate a gui to do the same thing to 62 different routers on 11 subnets without having to do those exact same seventeen clicks on each one. Nor can I read through the (non-existent) script at a later date to remind me what the heck it was I did. Yes it should be all documented but I can't tell you how many times I have spent an hour determining that someone skipped a single click or check box in a windows setup that makes one machine act differently from the others.

    5. Re:Balderdash, poppycock.. by maevius · · Score: 1

      If the GUI tool acts as a frontend which accepts plugins to generate and apply rules to specific router implementations, then you could have access to the scripts that were generated (we are after all talking about something non-existent). Also, with a GUI you can have workstation/server/router/user groups that you can use to apply common rules. Also you could use inheritance among the groups to apply additional rules to certain subgroups. With a GUI you have everything on a single interface so you don't need to keep a handwritten network map so you can troubleshoot simple network errors, or explain the network to someone else.

      I am not arguing that CLI is the best solution available right now but I am pretty sure that a good GUI management app is not impossible.

    6. Re:Balderdash, poppycock.. by silas_moeckel · · Score: 1

      Cisco already makes a decent GUI app that's pretty well suited to large enterprises. The design assumes large enterprise where your T2 guys suggest changes, and a T3 guy reviewing them (along with the CLI that will actually do the work) and approve them and the system implements them during a work window. It works pretty well for Cisco bits. It's also god awful compared to the speed and flexibility of a script based system, big bubble GUI junk makes MBAs happy.

      --
      No sir I dont like it.
    7. Re:Balderdash, poppycock.. by Anonymous Coward · · Score: 0

      I'll take a shot,
      With automation via scripting you have to know BOTH the scripting language AND firewall management.

      With a GUI you don't _need_ to know either.

      Instead, you have to master BOTH the GUI tool AND firewall management. This is only useful if the GUI tool can abstract the underlying scripting language and can manage multiple brands/models of firewalls with a single interface. However, a cross-firewall scripting language could do that too.

      So, this is just a matter of visualization: a picture is a thousand of words .

    8. Re:Balderdash, poppycock.. by Churla · · Score: 1

      I know this is opening a can of worms, but I got karma to burn so why the heck not...

      Disclaimer : I work for a company which deals exclusively with firewalls and internet security including integration of both Cisco and Check Point products.

      If you have a few firewalls, knock yourself out with the CLI. If you have a massive enterprise setup where not only do you have tiers of individuals who control what rules do and don't get put on the firewalls, but you also have S/Ox compliance to think about then get yourself a GUI driven system with proper workflow management. I know you're proud of your Unix mastery and your CLI Jedi powers and all. But the only thing really accomplished by doing everything via CLI is that you make yourself the one guy who the company is screwed without. Great for your job security, horrible for the company.

      The number of times I've had to spend hours, sometimes days, troubleshooting network integration issues with someone only to find that "Oh, when I was manually editing the config for one of our Ciscos I forgot to put this particular IP/port combo in an allow for the ACL" was the root of the problem is all I need to know to verify that a well written GUI, and well written graphical log/event tracker are essential to the large enterprise.

      --
      I'm a fiscal conservative, it's a pity we don't have a political party anymore
    9. Re:Balderdash, poppycock.. by silas_moeckel · · Score: 1

      Yea been there done that, Cisco's GUI fits the model well. I do resent the SPOF issue, been there done that as well (we were all young and green once). You seem to imply that you can not implement a tiered, documented work flow without a GUI; sorry to tell you but a few standard tools for source control, rancid and a script that's less than a page long and most of that comments works pretty well. It scales out to 40-50 (the entire support and systems departments) people pretty well. Less than a man day invested in putting it together/troubleshooting and it's run for 11 years now with a couple hundred firewalls. Can't say that it would stand up to SOX but the PCI auditors don't have a problem with it. Would I implement that same system in a large enterprise today? Probably not. There are outside companies that make these things now and building things internally that are not for core competency does not make sense. The fact that they are GUIs is part of life, deal with it. But a GUI is not required to make something a good working system or auditable, please do not confuse CLI with a bunch of cowboys fiddling with bits and not documenting.

      --
      No sir I dont like it.
    10. Re:Balderdash, poppycock.. by Anonymous Coward · · Score: 0

      I think that the OP was proposing that someone write a smart enough GUI where you CAN do the same thing to 62 diff routers on 11 subnets WITHOUT having to do those same seventeen clicks each time. An intelligent GUI to make automation of command-line / config oriented devices much quicker. If a malware writer can do things like this invisibly exploiting security holes on windows pcs at the same time making botnets of zombie pcs, its not rocket surgery, and obviously could be done. It's an interesting thought for the future, I would not doubt that Cisco is already working on something like this for enterprise level security auditing etc. Although Cisco is not known for trying to make automation of their equipment easier... Exactly the complete opposite sometimes it seems. But TBH, OP, security is one of those things that still doesn't need to be 'automation' friendly, its one of the most important aspects of network computing to keep enterprises/end users safe from malware/hackers, and making it look pretty is the least of their worries. Maybe for more home-based routers it would be a way for Joe Schmoe to understand what's going on a little bit better, but mostly will just be eye candy to real geeks..

    11. Re:Balderdash, poppycock.. by Anonymous Coward · · Score: 0

      It doesn't ensure anything. Staring at 100 firewall rules in a script or from a command output is no more advantageous than staring at them in a listview. You can just as easily add a rule in a script that doesn't work the way you expect, and you don't have any more insight as to where the fuck packets are going when they don't arrive.

      A GUI interface can be designed intuitively and allow all of the things you seem to think would be so hard for them to implement. If you've ever used Active Directory you would probably be shocked to find that you can see that a single setting in the GUI interface and easily propagate it to thousands of machines.

    12. Re:Balderdash, poppycock.. by DuckDodgers · · Score: 1

      That's a solid point, but in terms of cost GUI network management apps that do everything you describe are pretty rare. Most of your cheaper firewalls with GUI management tools offer a limited subset of those options and little or no access to the underlying scripts they create and execute.

      So with plenty of time and unlimited funds, I would purchase an off-the-shelf GUI solution or hire a group to write one. In the real world, in many circumstances doing things via the command line is far more practical in the long run.

    13. Re:Balderdash, poppycock.. by t0rkm3 · · Score: 1

      An excellent example is Dynamic Source NATing based on both the source and Dest. GUIs have alternated between screwing it up and making magic. In some cases, if you didn't know how to CLI you were led to believe that it was impossible.

  73. Re:When you finish your MBA- it'll all become clea by orasio · · Score: 1

    whooooshhhh!!!

  74. I have the answer! by endus · · Score: 1

    It's called CSM and it's amazing! It does everything for you and never fucks up!!! :D

    Seriously though, we're so far from this I couldn't even begin to tell you. Half the time the application vendor can't even tell you what ports are required and they wrote the software that's making the connections. It's pathetic. I get requests from clueless lusers who obviously don't even know what they're requesting, then the question ("No you can't have an IP any. No, ugh, never mind what that means...just ask the vendor what you need.") goes to the vendor and half the time they can't answer it.

    Truthfully there is really no great way of doing this. Even if you can profile the software running on the machine, you're not going to know if it's making all the connections it needs to make during the time you profile it. You also need to have some kind of idea what you're doing so you don't wind up exposing 139/445 to the internet or something dumb like that. They pay us infosec people a salary to do this stuff for a reason: we can't always tell you what you want, but we can usually tell you what you don't want. Making these kinds of changes requires thought, risk analysis, and planning. It's not something that should be a drag and drop routine that any user can do...at least not at this point in history.

    Maybe at smaller companies sys admins have the knowledge necessary to make these sort of decisions responsibly but I can tell you from experience that being a sys admin does not automatically confer on you the ability to make smart decisions about what firewall exceptions to request. We've had users escalate requests WAY up the chain after being denied by us, only to have them sending 911 pages to us literally 20 minutes after it's implemented to have it shut off. Just because your sshd is up to date and you use strong passwords doesn't mean you want the entire internet beating down your door 24/7/365...sometimes it really is better for you to have your users connect to the VPN first. That's the knowledge that infosec brings to the table, and that's why we don't want you making your own exceptions.

    1. Re:I have the answer! by wealthychef · · Score: 1

      See my post on Apple's method -- it actually addresses your issues pretty well, maybe.

      --
      Currently hooked on AMP
  75. Re:Leave the networking stuff to the networking te by orasio · · Score: 1

    I can't think of a single reason why knowing what the rules do precludes using a GUI tool to simplify and automate management.

    Manually editing text is time-consuming, fatiguing and error prone. Having a tool to automate that sort of thing is one of the fundamental reasons for having computers in the first place.

    The thing is the GUI design is very difficult. You need to know your users and their tasks in advance.
    They are good for things that are easy to specify in a high level language, and difficult in a low level language. Of course, the domain of problems to be solved needs to be small for a GUI to succeed in that task.
    The tool is not going to be simpler than the problem, so I think the best you could get would be some sort of iptables IDE, and that is not what came to my mind when I read "a GUI tool". Of course, all text editing can be "augmented" by a good tool, but I don't think it can be replaced. Text editing is _the_ way to configure complex stuff; maybe a good IDE can help you edit it better, or easier, but that's as far as it goes, in my opinion.

  76. Re:When you finish your MBA- it'll all become clea by SeNtM · · Score: 1

    Three, always reboot it three times before posting.

    --
    "There ought to be limits to freedom." -George W. Bush
  77. Re:Leave the networking stuff to the networking te by Gr8Apes · · Score: 2, Insightful

    > I can't think of a single reason why knowing what the rules do precludes using a GUI tool to simplify and automate management.

    I can think of lots of reasons. The only reason I can think of having a GUI automated management tool is so some dumbass that doesn't know what he's doing can appear to manage firewalls.

    Now, I can see the purpose of a GUI inspection tool for independent verification. But even then, I believe automated scripts are better.

    > Manually editing text is time-consuming, fatiguing and error prone. Having a tool to automate that sort of thing is one of the fundamental reasons for having computers in the first place.

    This is why we have scripts. I would never manually configure the thing more than once, and that's only during the initial discovery phase. After that, it's script and test, script and test, then deploy when the scripts are spotless. This way I can always recreate anything at any time, without having to go dig up the guy that configured firewall xya 3 years ago and moved on to another division or even external job.

    Scripts are repeatable. Scripts and their results can be objectively validated and verified.

    GUI tools cannot. They're a nicety for inspection for those that cannot read or understand the scripts, however.

    --
    The cesspool just got a check and balance.
  78. Apple's firewall system by wealthychef · · Score: 1

    Apple has taken an interesting approach that at first I hated but have come to like. It's actually simpler once you get used to it. The OS keeps a database of all applications that have ever asked to open a port to listen on. If an application asks to open a port to listen on and it's not on the list, the OS prompts you to allow it. This is a more intuitive way to manage security. Definitely does not solve all issues but is an interesting approach that works pretty well.

    --
    Currently hooked on AMP
    1. Re:Apple's firewall system by mlts · · Score: 1

      That is interesting, but how does a user know if the port is part of some update versus a program that got compromised by a code injection, and is dropping stuff off at a compromised machine?

      Ideally, programs should have a manifest that is included with their installation or updates. On installation, they prompt the user where they are going to be talking to (either IP address or hostnames), and if a program attempts to get out of those boundaries, the OS puts the kibosh on it. Of course, an update with an updated manifest list (even something like any host/any port) would fix this. Android does this quite well, although it isn't as granular as I wish it would be.

    2. Re:Apple's firewall system by wealthychef · · Score: 1

      The prompts actually show up at logical times. If you go to a website and 30 seconds later you are prompted that "hx4life" wants to connect to the internet, you tell it "no" because why is a random program that I did not launch suddenly asking to connect to the internet? But if I launch a new version of X11.app and it wants to connect, then I say yes because I know I just updated it. In the case of random parts of some update that want to connect without my asking, I'm going to guess they aren't doing me any favors, so if I don't know what it is, I say "no."

      --
      Currently hooked on AMP
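
    An added example, not from the page, Apple, or Android, of the manifest scheme mlts sketches above: each application declares where it may talk, the enforcement point compares every outbound attempt against that declaration, an undeclared application is prompted for (as the Apple prompt does), and "any host" entries are surfaced for review because an update that ships one silently turns the manifest into a no-op. The manifest format, application names, hostnames and addresses are all hypothetical.

```python
"""Added example (not from the page, Apple, or Android): enforcing a
per-application egress manifest.  The manifest format, application names,
hostnames and addresses below are hypothetical.
"""
import ipaddress
from fnmatch import fnmatch

# Declared destinations per application: (host glob or CIDR, proto, port).
# "*" in any slot means "anything".  An application absent from the table has
# never declared itself and gets prompted for, the way the Apple firewall does.
MANIFESTS = {
    "updater": [("updates.example.com", "tcp", 443), ("203.0.113.0/24", "tcp", 80)],
    "hx4life": [],                                       # declared no network use at all
    "chat":    [("*.chat.example.net", "tcp", 443), ("*", "udp", 3478)],
}


def _dest_matches(pattern, host, addr):
    """Match one manifest entry against the destination.  A CIDR entry is
    checked against the address; anything else is a hostname glob, which only
    applies when the application supplied a name to resolve."""
    if pattern == "*":
        return True
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:                      # not a CIDR: treat as a hostname glob
        return host is not None and fnmatch(host.lower(), pattern.lower())


def _port_matches(pattern, proto, port):
    p_proto, p_port = pattern
    return (p_proto == "*" or p_proto == proto) and (p_port == "*" or p_port == port)


def decide(app, host, addr, proto, port):
    """Return "allow", "deny" or "prompt" for one outbound connection attempt."""
    entries = MANIFESTS.get(app)
    if entries is None:
        return "prompt"                     # unknown program: ask the user
    for dest, p_proto, p_port in entries:
        if _dest_matches(dest, host, addr) and _port_matches((p_proto, p_port), proto, port):
            return "allow"
    return "deny"                           # outside the declared boundaries


def broad_entries(app):
    """Manifest review: entries that allow any destination.  These are the ones
    a user or packager should be asked about when a manifest is installed or
    updated, since they make the rest of the manifest meaningless."""
    return [e for e in MANIFESTS.get(app, []) if e[0] == "*"]


if __name__ == "__main__":
    # A compromised updater trying to reach a host it never declared.
    print(decide("updater", "c2.example.org", "198.51.100.7", "tcp", 4444))   # deny
    print(decide("hx4life", None, "198.51.100.7", "tcp", 80))                  # deny
    print(decide("newtool", None, "198.51.100.7", "tcp", 80))                  # prompt
    print(broad_entries("chat"))
```

    The hostname branch trusts whatever name the application handed to the resolver; a manifest that only lists names is therefore only as strong as DNS, which is why the CIDR form is also accepted and why a real implementation would check the resolved address as well.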
  79. Re:Leave the networking stuff to the networking te by Anonymous Coward · · Score: 0

    Taco Bell again?

  80. Re:Leave the networking stuff to the networking te by Gr8Apes · · Score: 2, Interesting

    > Secure perimeters are illusions. Every machine needs its own defense. Firewalls are good for NAT, which foils a few, and stateful inspection, which fools a few more. Otherwise, internal firewalling and boundary checks are the only answer, coupled to download security hashing checks-- and those get bitten, too.

    Secure perimeters are real, if done correctly. I know of one personally that has not been breached in a decade. :)

    Every machine needs to be properly configured (I guess that can be stated as having its own defense, but I doubt you meant it this way)

    Firewalls are not good for NAT. They have nothing to do with NAT.

    Firewalls are not good for stateful inspection, they have nothing to do with that either.

    What firewalls do is allow connections inbound and outbound. The better ones allow for richer rules like which protocols on which ports, which machines/MACs can connect, or even force a user authentication before they can connect to an IP/port. There are also on-the-desktop firewalls that allow a per-application IP/port designation. But that's all a firewall does.

    You do have one point though - if you're running MS desktops yes, they can be owned if they're allowed to connect to external entities at all, and that includes USB drives.

    --
    The cesspool just got a check and balance.
  81. SPAN by Anonymous Coward · · Score: 0

    What about an idea like the SPAN framework presented at the USENIX HOTSEC '09 conference:

    http://www.eecs.umich.edu/~aprakash/span.pdf

    Seems like a promising direction for R&D.

  82. Re:Leave the networking stuff to the networking te by Anonymous Coward · · Score: 0

    Informative?! WTF?!

  83. Frack the Firewall by d'baba · · Score: 1

    http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1191993,00.html
    A couple of years old but does anyone have an update? Or a better idea?
    ---
    Duh.

  84. Re:Complex often means hand tweak. No way around i by ajlisows · · Score: 1

    I agree with you. I would be very wary of using a simple solution for firewall management. Yeah, putting in tons of rules for firewalls can be a time consuming pain in the ass but I really think it is better that way. More than not trusting the interface/firmware/device/software I wouldn't trust MYSELF. I have to put more thought into typing/manually selecting than I do with a drag and drop type setup. That helps me avoid making mistakes.....and at any level of business a mistake on the firewall can turn out to be a big, big disaster.

  85. features currently available by Anonymous Coward · · Score: 0

    I work with Check Point and Juniper firewalls. Most of the stuff you are asking about exists.

    > What about a GUI that illustrates the current system configuration and then lets me drag and drop systems across firewalls, and have the individual firewall ports automatically configured?
    > What about managing distributed firewalls so that one repository of rules opens up your system's firewalls, the DMZ firewall, and the public firewall all at once?

    Check Point's SmartCenter Server and Juniper's NSM allow dragging and dropping policy elements among multiple rule bases and devices. If you wish, you can have one rule base applied to multiple firewalls.

    > What about tying a firewall into an authentication system so that when jdoe logs in, only then are the firewalls opened to pass her traffic?

    I'm sure every major manufacturer supports firewall authentication. Usually through http, telnet, ftp, etc.

    In my opinion, "ease of use" should not be a feature of an enterprise firewall. Don't get me wrong, it has to be intuitive enough to complete the necessary tasks. However, firewalls today are becoming more and more complex, and if inexperienced people feel they can manage them, the likelihood of problems and downtime rises. Firewall admins should take the time to really understand the product. When that is the case, the more granular policies (setting the IP addresses and ports) are usually more secure and favorable.

  86. Re:Leave the networking stuff to the networking te by drsmithy · · Score: 1

    > The thing is the GUI design is very difficult. You need to know your users and their tasks in advance.

    Which shouldn't be a significant problem for a domain as narrow as firewall management. Particularly given that the majority of firewalls are going to have large proportions of their configurations be very similar, if not completely identical.

    > The tool is not going to be simpler than the problem, so I think the best you could get would be some sort of iptables IDE, and that is not what came to my mind when I read "a GUI tool".

    Consider something simple like adding a host to a standard ACL list for webservers. Why should it be any harder than dragging an icon for the server into a "Webservers" group, ticking a "webserver" box next to the hostname, or attaching a "webserver" profile ?

    Why should any of these things require manual, slow, error-prone meddling into a text configuration interface ?
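
    An added example, not from the page or from Check Point, Juniper or any other vendor, of what comments 85 and 86 describe: one repository of objects (hosts, role profiles, enforcement points) from which each firewall's rules are generated, so that "adding a host to the Webservers group" is a one-line change to the data and the per-device rule sets follow. Each firewall compiles only the flows for the segment it fronts and emits them in its own syntax (iptables or pf here). The hosts, addresses, profiles and the two firewalls are hypothetical.

```python
"""Added example (not from the page or any vendor tool): an object-based
firewall policy compiled into per-enforcement-point rules.  Names, addresses,
profiles and the two firewalls are hypothetical.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    proto: str   # "tcp" or "udp"
    port: int


@dataclass
class Host:
    name: str
    addr: str
    roles: set = field(default_factory=set)


# Role profiles: tagging a host "webserver" is the whole change; the rules follow.
PROFILES = {
    "webserver":  {Service("tcp", 80), Service("tcp", 443)},
    "mailrelay":  {Service("tcp", 25)},
    "sshbastion": {Service("tcp", 22)},
}


@dataclass
class Firewall:
    name: str
    syntax: str      # "iptables" or "pf"
    protects: str    # CIDR of the segment behind this enforcement point
    ext_if: str = "eth0"


def allowed_flows(hosts):
    """Expand every host's roles into (address, service) pairs, sorted so the
    generated rule set is stable and diffable from run to run."""
    flows = {(h.addr, svc) for h in hosts for role in h.roles for svc in PROFILES[role]}
    return sorted(flows, key=lambda f: (ipaddress.ip_address(f[0]), f[1].proto, f[1].port))


def compile_rules(fw, hosts):
    """Rules for one firewall: default deny, then one accept per flow it fronts."""
    segment = ipaddress.ip_network(fw.protects)
    local = [(a, s) for a, s in allowed_flows(hosts) if ipaddress.ip_address(a) in segment]
    if fw.syntax == "iptables":
        lines = ["-P FORWARD DROP",
                 "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
        lines += [f"-A FORWARD -i {fw.ext_if} -p {s.proto} -d {a} --dport {s.port} "
                  f"-m conntrack --ctstate NEW -j ACCEPT" for a, s in local]
    elif fw.syntax == "pf":
        lines = ["block all"]
        lines += [f"pass in on {fw.ext_if} proto {s.proto} from any to {a} port {s.port} keep state"
                  for a, s in local]
    else:
        raise ValueError(f"unknown rule syntax {fw.syntax!r}")
    return lines


def build_example():
    """Hypothetical estate: a DMZ behind an iptables box, a public segment behind pf."""
    hosts = [Host("www1", "192.0.2.10", {"webserver"}),
             Host("bastion", "192.0.2.20", {"sshbastion"}),
             Host("mx", "198.51.100.5", {"mailrelay"})]
    firewalls = [Firewall("dmz-fw", "iptables", "192.0.2.0/24"),
                 Firewall("public-fw", "pf", "198.51.100.0/24", ext_if="em0")]
    return hosts, firewalls


if __name__ == "__main__":
    hosts, firewalls = build_example()
    hosts[2].roles.add("webserver")        # "drag mx into the Webservers group"
    for fw in firewalls:
        print(f"# {fw.name}")
        print("\n".join(compile_rules(fw, hosts)))
```

    Because the output is sorted and generated from data, the "script and test" workflow from comment 77 applies: commit the objects, regenerate, diff the generated rule sets against what is currently loaded, and only then push. Adding "webserver" to mx changes public-fw's output and leaves dmz-fw's untouched.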

  87. Re:Leave the networking stuff to the networking te by drsmithy · · Score: 1

    > I can think of lots of reasons. The only reason I can think of having a GUI automated management tool is so some dumbass that doesn't know what he's doing can appear to manage firewalls.

    That is a criticism of the user, not the tool. A criticism that applies equally to a collection of automated scripts.

    > Now, I can see the purpose of a GUI inspection tool for independent verification. But even then, I believe automated scripts are better.

    Why ? Graphical representations of complex systems are nearly always easier and quicker to understand than lines of text describing same.

    > GUI tools cannot. They're a nicety for inspection for those that cannot read or understand the scripts, however.

    GUIs are most certainly repeatable and their results can absolutely be inspected and verified.

  88. FWBuilder by slashflood · · Score: 1

    Check out FWBuilder. Anything beyond that concept would be overkill and extremely error-prone.

    1. Re:FWBuilder by juosukai · · Score: 1

      Yeah, I thought of this as well. I went with PFSense for our network, but this seems to be what the original post meant. /jussi

  89. StoneGate by magi · · Score: 1

    Check out StoneGate, it offers a GUI where you can drag&drop all kinds of stuff with a very powerful management system. The learning curve is a bit steep, but it's really meant for network admins who use it as a central part of their jobs. I think it has most of the features you're thinking about.

    It's really ideal for large enterprise-level installations with multi-homing network connections, but works in smaller installations just as well (I used it also at home). It requires two servers: at least one firewall node (you can build clusters), and a management server (can be your desktop machine). You can do logging on yet another server, etc. They also offer IPS (intrusion prevention system) for detecting nasty behaviour.

    1. Re:StoneGate by Mister+J · · Score: 1

      I second this recommendation. Whilst it's pretty much overkill for a single firewall, once you start looking after a bunch of them the management centre really shines. You need to invest a bit of work in setting up your components (hosts, networks, non-standard services, groups, etc), but then the drag-and-drop firewall rules and VPN's are a breeze, and templating and shared/inherited rulesets can save a lot of duplicated effort. Centralised logging can be a real time-saver if you've got traffic that's passing through multiple firewalls and need to track exactly which rule on one of them is blocking it...

      --
      Windows moves in mysterious ways, its crashes to perform
  90. Visio is the best idea by Anonymous Coward · · Score: 0

    Being able to import visio files as configuration into our firewall is a great idea, it means now management can help design firewall rules and get them set up without any interaction from a system admin.

  91. It's all ONE net anyway. by Linnerd · · Score: 2

    I really agree with Firethorn:

    - Keep the firewall simple. Its job is to keep the rough bulk of attacks from an extranet outside.

    - Protect your data where it resides (always!), even against intranet abuse (strong(!) authentication, working access control).

    - Monitor use (intrusion detection, normal use / abuse patterns, traffic anomalies, logs)

    In today's environment there are plenty of attack vectors that circumvent elaborate firewall constructs (like: USB sticks being used for data exchange, laptops being connected to arbitrary networks while on the road and then brought back into the company network, Blackberrys or iPhones being used to create additional (non-firewalled) connections to the Net, ...) so the distinction between inside and outside has mostly become moot, except (as stated above) for a rough triage.

    Far too many company networks today follow the clam model: Strong (and inflexible) shell, mushy interior.

  92. Commercial solutions by ghighi · · Score: 1

    Some commercial solutions handle this as well. I used to have a set of hardware FWs that would all share a central repository of rules, each box applying the rules as it needed them. It also came with intrusion detection and prevention, and auto VPN tunnel meshing between boxes, so all was neatly available in the same configuration tool; which was not so good looking, but was still significantly faster than manual editing. At the end of the day, one could revert to full text-based administration and find oneself in a familiar unix-like environment.

    Unfortunately, it ended up being a lot less reliable than what was previously thought.

  93. Re:Leave the networking stuff to the networking te by mlts · · Score: 1

    I have seen people consider their firewall a bulletproof way to keep the baddies out... well, until the next Web browser exploit shows this isn't a workable strategy.

    In reality, a decent sized company needs not just an external firewall but also a router separating the DMZ from the internal network, an IDS to detect incoming and outgoing packets, find the source if there is a known exploit and shut it down, a content filter (to keep Joe Sixpack in Receiving from ogling at boobs, then Jane Nubile from HR sees it and then promptly files a sexual harassment lawsuit when she sees it), NAC devices (to enforce presence of antivirus utilities likely forced per agreements), equipment to log packets (ACTA will force all ISPs and carriers to log *every* packet across their network for 7 years. Not headers. Entire packets).

    Even with all this network functionality, this doesn't mean the hosts are secure. They need some protection just in case there was an open wireless segment. So, if a Windows system admin is smart, they would have policies pushed out to all the Windows 7 boxes with rulesets for the inbound/outbound communication, such as no port 25 out unless it is to a dedicated machine, blocking unneeded ports to internal machines, and so on. By having this configured on the boxes themselves, a compromised process wanting to phone home would have to get admin rights on the box and turn off the firewall to do its dirty deeds.

    Of course, the more complex the configurations to keep items secure, the more problems arise, especially with app troubleshooting. So having a tangled web of allow/deny ACLs on machines may result in some unexpected interactions.

  94. Juniper Firewalls with Juniper NSM to manage them by Anonymous Coward · · Score: 0

    Juniper, who is right up there at the top with Cisco, has a management platform called NSM. You can copy and paste rules between devices, have configuration inheritance via templates, oh, and it does version control with rollback for configurations and policies. It also manages firmware updates and holds common objects (hosts, subnets, application ports) that are shared among all devices. The devices themselves can be managed purely by command-line, a complete web GUI, or NSM. Newer JunOS devices use XML to pass configuration information instead of trying to interpret a list of commands like Cisco devices still do.

    JunOS is also very consistent across devices, which makes scripting against it much easier.

  95. Re:Yep! That's why the future is in smarter device by EvlG · · Score: 1

    How does sniffing 443 work? I thought the point of HTTPS/SSL was to give security to the connection?

  96. Re:Leave the networking stuff to the networking te by Bert64 · · Score: 1

    Unfortunately, 90% of corporate networks seem to treat the external firewalls as the *only* line of defence... Once you get behind it, however you do that, the inside is pretty trivial to compromise very thoroughly.

    Quite often you see content filters on email/web traffic (another perimeter only defence), but these systems typically work on a blacklisting approach so there are always ways around...

    I work as a security tester and incident response (ie identifying what happened after something got compromised), and every network I test is based on the egg model - hard outside, squishy inside... And every machine I encounter which has been compromised has some kind of AV installed, and usually gets infected *through* some kind of content filtering device. The most amusing part is that every single piece of malware I've found on client machines was detectable by some AV products, just not by the specific one in use - and companies typically use the same AV on both their content filters and the individual workstations.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  97. authpf by nuckfuts · · Score: 1

    What about tying a firewall into an authentication system so that when jdoe logs in, only then are the firewalls opened to pass her traffic?

    OpenBSD has had this for a while now. It's called authpf, and it can dynamically load NAT or redirection rules in addition to simply opening ports.

    You won't find a better firewall than pf. It's secure, extremely capable, and has a logical and refined syntax for defining rulesets.

    1. Re:authpf by Anonymous Coward · · Score: 0

      It also fails to carry any EAL or FIPS accreditation which means that most public sector and/or government organisations are forbidden from using it.

    2. Re:authpf by Anonymous Coward · · Score: 0

      That explains the great security and cost-effectiveness of public-sector and government installations.

  98. Firewall builder 3.0 by process · · Score: 1

    I am in no way associated with the Firewall Builder project. It's an application I came across in the January issue of Linux Journal that sounds like it could solve some of the original poster's issues.

    The article is available online, as is of course the project homepage.

    I have not used it yet, but it looks promising and sounds like one of the "cool projects" the submitter needs to know about. It gives you a graphical representation, it can deploy configurations via SSH to various machines or to Linksys, D-Link, DD-WRT or OpenWRT devices, Cisco routers and Cisco ASA (PIX) firewalls. It supports IPv4 and IPv6 and the client is available for Windows, OSX, Linux (ubuntu, fedora, debian repositories at least), OpenBSD and FreeBSD.

    At least that's what they promise, but it has been in development for some time (1999) so I expect it to be pretty good.

    --
    computers let you make more mistakes faster, with the possible exception of handguns and tequila.
  99. Re:When you finish your MBA- it'll all become clea by Z00L00K · · Score: 1

    One issue that I have seen with firewalls - I call it an issue because it can be a problem - is that some firewalls today use Universal Plug and Play, which allows items behind the firewall to control the firewall - often without the owner knowing it.

    And on some routers/firewalls this overrides the manual firewall configuration - without notifying the user. From my point of view this is a security issue.

    As an example - a friend of mine installed a NAS, and he is running a web site behind the firewall, but the NAS hijacked the web site and caused a lot of confusion. This means that the UPnP functionality can also offer attack vectors for malicious people.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
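
    An added example, not from the page or from any router firmware, of the check a gateway would need to avoid the NAS incident described above: parse a UPnP IGD AddPortMapping request, refuse to let a LAN host map traffic to a different host, and refuse to let any host take over an external port that is already forwarded elsewhere (including by hand). The SOAP layout and argument names follow the WANIPConnection service; the home addresses, the pre-existing mapping table and the four requests are constructed for the example.

```python
"""Added example (not from the page or any router firmware): auditing UPnP
IGD AddPortMapping requests before honouring them.  The SOAP layout follows
the WANIPConnection service; addresses, the mapping table and the requests
below are constructed for the example.
"""
import xml.etree.ElementTree as ET

SOAP_TEMPLATE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>{ext}</NewExternalPort>
   <NewProtocol>{proto}</NewProtocol>
   <NewInternalPort>{iport}</NewInternalPort>
   <NewInternalClient>{client}</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>{desc}</NewPortMappingDescription>
   <NewLeaseDuration>{lease}</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""


def soap_add_mapping(ext, proto, iport, client, desc, lease):
    """Build a constructed AddPortMapping request, as a LAN device would send it."""
    return SOAP_TEMPLATE.format(ext=ext, proto=proto, iport=iport,
                                client=client, desc=desc, lease=lease)


def parse_add_port_mapping(soap_xml):
    """Pull the mapping arguments out of the SOAP body, ignoring namespaces."""
    for el in ET.fromstring(soap_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "AddPortMapping":
            args = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}
            return {"proto": args["NewProtocol"].upper(),
                    "ext_port": int(args["NewExternalPort"]),
                    "int_port": int(args["NewInternalPort"]),
                    "client": args["NewInternalClient"],
                    "lease": int(args.get("NewLeaseDuration") or 0),
                    "desc": args.get("NewPortMappingDescription", "")}
    raise ValueError("not an AddPortMapping request")


def audit(table, req, requester):
    """Decide one request against the current mapping table
    ({(proto, ext_port): internal client}).  Returns (decision, reasons) and
    records the mapping only when it is allowed."""
    key = (req["proto"], req["ext_port"])
    reasons = []
    if req["client"] != requester:
        reasons.append(f"requester {requester} asked to map traffic to {req['client']}")
    if key in table and table[key] != req["client"]:
        reasons.append(f"{key[0]}/{key[1]} is already forwarded to {table[key]}")
    if reasons:
        return "deny", reasons
    if req["lease"] == 0:
        reasons.append("permanent lease; mapping outlives the device that asked for it")
    table[key] = req["client"]
    return "allow", reasons


def run_scenarios():
    """Hypothetical home LAN: port 80 forwarded by hand to the web box, then a
    NAS and a desktop start issuing UPnP requests.  Returns (decisions, table)."""
    table = {("TCP", 80): "192.168.1.10"}              # manual forward, pre-UPnP
    attempts = [
        ("192.168.1.20", soap_add_mapping(80, "TCP", 80, "192.168.1.20", "NAS web", 0)),
        ("192.168.1.20", soap_add_mapping(5000, "TCP", 5000, "192.168.1.20", "NAS admin", 0)),
        ("192.168.1.30", soap_add_mapping(22, "TCP", 22, "192.168.1.10", "ssh to web box", 3600)),
        ("192.168.1.30", soap_add_mapping(51413, "UDP", 51413, "192.168.1.30", "torrent", 3600)),
    ]
    return [audit(table, parse_add_port_mapping(xml), who)[0] for who, xml in attempts], table


if __name__ == "__main__":
    decisions, table = run_scenarios()
    print(decisions)   # the NAS's grab of port 80 and the third-party mapping are refused
    print(table)
```

    The manual forward has to be visible to the UPnP code path for this to work at all, which is precisely what the comment above says some routers get wrong: if the two are kept in separate tables, the later UPnP mapping simply wins.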
  100. Re:When you finish your MBA- it'll all become clea by reginald85 · · Score: 1

    that would be great.... chaise lounge chairs bookkeeping prude

  101. The thing is by elsJake · · Score: 1

    Text config files force you to understand everything, read every detail.

    GUIs are nice and shiny, but they hide details. In order to distinguish shapes you need white space around them and so you're left with little space for valuable information.

    Sure one or two tools out there might have a decent idea about graphically representing firewalls but in the end you're still left with understanding everything so that it works and once you're there you'll realize you had enough time to build the same config file in a text editor three times over.

    What GUIs are good at is summarizing everything for somebody new taking over.

  102. Must just mean linux firewalls.... by Anonymous Coward · · Score: 0

    If you expanded your horizons to the 'professional' market, you'd find numerous such tools. Solsoft NP does exactly as you describe (draw a network diagram, join clouds/hosts with lines, generate policy for all involved firewalls) and has been around for more than 10 years. Clearly no one wants it, as it's been bought up by Loglogic and disappeared.

    Checkpoint has a hierarchical policy editor which can force templates and global policy across multiple organisations and firewalls. At the very least a single policy can easily be shared across multiple enforcement points. It also has user authentication to activate rules. No-one uses either of these very much either..

    Fwbuilder is a great checkpoint-like policy manager for linux, pix, asa, bsd etc. - why don't you use that and buy some support?

    I think you mean 'why do people not want to pay for or use better firewall management tools, especially on linux?'

  103. Automated Firewall Configuration... NEAT IDEA by Anonymous Coward · · Score: 0

    Good day to you, Sir,

    I am writing to you under the utmost duress of financial necessity. I am the late son of King Rumumbalek the Third, ruler of the (... skipped ...)

    (...skip skip...)

    To get our calculating systems to commence the transfermission of the 40.000.000.000.000.000.000.000 blapohtrillions between our financial systems, please be so kind as to run the attached 419.sh file (as root) in a *nix console of your choice. Rest assured (... skipped...)

  104. Re:Leave the networking stuff to the networking te by nacturation · · Score: 1

    Dear lord, gui based management of a fleet of firewalls? You want to drag and drop things and make magic happen when you do that? Sounds pretty reckless and dangerous to me. That's like saying because you can ride a bicycle, you should be allowed to drive a hazmat semi at top speed through downtown LA. If you don't understand what the rules are and how they will be applied in the first place, you are likely just going to cause problems (like accidentally shutting off your company's ability to sell their trinkets online because you locked it down on accident.)

    On the flip side, just because you can operate a text editor doesn't mean you should be modifying your company's firewall either.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  105. Solsoft.. I mean Exaprotect... I mean LogLogic... by lavaboy · · Score: 1

    I was looking for something like this a few years ago when I was working on a carrier-grade scalable multi-tenant CC project. Pretty much the only thing I could find was from SolSoft (which has morphed somehow into LogLogic in the meantime) called "Solsoft Security Change Manager". In the end, we decided to go with the high-paid admin approach so we didn't do any serious testing, but it might be what you are looking for. FWIW, I got the tip for Solsoft from a guy who worked on Netfilter.

    http://www.loglogic.com/products/security-change-management/index.php

    --
    Steve -- If you have to call it a system, you don't know what it is.
  106. Re:Leave the networking stuff to the networking te by Anonymous Coward · · Score: 0

    > Dear lord, gui based management of a fleet of firewalls?

    I think a company called F-Secure had something like that. I don't recall what the name was but it would manage firewalls and VPN configuration. I think the focus was on the workstations. As far as I remember it was working pretty well.

  107. Re:Leave the networking stuff to the networking te by w0mprat · · Score: 1

    > Manually editing text is time-consuming, fatiguing and error prone. Having a tool to automate that sort of thing is one of the fundamental reasons for having computers in the first place.

    Frankly I'm kind of stunned that people still manually edit text files for major firewalls in some critical networks. A robust GUI tool is an essential safeguard for something as simple as a typo bringing everything down. Seen it happen. A UI can have necessary warnings and reflect the policies process so a change doesn't make the network eat itself.

    --
    After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
  108. Re:When you finish your MBA- it'll all become clea by x2A · · Score: 1

    Don't do that.

    --
    The revolution will not be televised... but it will have a page on Wikipedia
  109. And we used to complain about Win95a... by GuyFawkes · · Score: 1

    ... and its broken networking.

    Fact is, off the top of my head, I can't think of a single piece of application software that is written properly with the network in mind, and by that I mean that in the manual it lists *precisely* what inbound and outbound ports and protocols it uses, and *why* in each case.

    In most cases port selection is pick a random number between 1024 and 50000, pick a random protocol, start pinging and fingering, and then wonder why the application doesn't play nicely with your firewall / router / ip tables / etc

    For the home user Draytek / Vigor have for many years now been making fairly nice little boxes, with a browser based admin that should in theory be more than adequate for anything the home user would want, and far better than you get in a generic router / firewall.

    What happens? User fires up X app or Y game and things don't work, and guess what, the firewall / router gets the blame.

    I can remember spending a day as a well paid external consultant in the offices of a specialist financial company that managed investments for the privately wealthy, hello, lots of new bits of application software that I had never heard of before, and one in particular just wasn't working properly.

    I did all the usual, looked at configs, sniffed, even RTFM in some depth, in the end I said balls to it and rang the publisher and stayed on the line until I was connected with a coder.

    The result?

    Sorry sir, that software is written to work on a standalone machine ONLY, it was not written to network between multiple installs on multiple machines on a network.

    Too bad that the financial company, and the computer company that called me in, had just installed a new network with 12 new desktop machines running 98 and a new server running nt 3.5, and decided to have 3 or 4 of those machines run this package in question, and a couple of others.

    In hindsight, the funniest thing of all was when I told the company director, and the director of the hardware company that hired me to fix the product that they had sold, what the problem was... naturally enough I got the blame.

    Six months later I met the director of the financial company, he had finally parted ways with the hardware company, and would I consider coming in and sorting their network out.

    Thanks, but no thanks.

    Once bitten by assholes, forever shy.

    --
    http://slashdot.org/~GuyFawkes/journal
  110. Re:When you finish your MBA- it'll all become clea by rwa2 · · Score: 2, Interesting

    > When you finish your MBA- it'll all become clear.

    After I got my MSSE (I guess the MBA for Nerds, though I didn't realize it at the time), I figured that was because all firewalls were supposed to be rendered obsolete and unnecessary by IPv6. Which explains why we're still stuck in 1995.

    So yeah, this is the answer, this is the ending. I shall drive without license, without clothing, without direction, and if I make it to Arkansas fine; if I'm running late; if I'm running a numbers game, it doesn't matter, I'll keep on running! Because a body in motion tends to stay in motion, and it's better to feel. Pain is better than emptiness. Emptiness is better than nothing; and nothing is better than this.

  111. I got your answer right here. by t0rkm3 · · Score: 1

    > When I mess with my WAP/router at home or coordinate with the network team at work, it seems like I'm stuck in 1995. We're still manually listing IP address/port combinations for our firewall rules. There's a certain simplicity to this when dealing with a single system, but there are firewalls everywhere these days.

    Yes. That's by design, believe it or not the Internet still operates around rules that were in place in 1995. Sorry 'bout that. Unfortunately, the telepathic OS and Application sense UI hasn't been developed yet.

    > What's available for managing complex firewall arrangements?

    Every player has one. I personally like the concept of CSM (Cisco) and NSM (Juniper); both of those tools will allow for consistent portions of the policy across several devices while allowing you to change the hierarchy when necessary for a section or rule to take precedence locally. The things that I think they have over CheckPoint Provider-1 are (1) common ports and protocols, nothing new to allow for NSM or CSM, and (2) the configs can include things like SNMP servers and routes.

    Caveat: CSM interface stinks. CSM4.0 is looking better, but who knows when that goes GA?

    > What's being developed?

    Look into the above. Also take a look at Palo Alto, and Cisco NSM (for uber-large deployments)

    > Can I take a Visio diagram, run it through a script, and get a list of firewall rules?

    No. If you did, it would suck. Anybody who said they were writing such a tool would get a guffaw from me. Icky, Icky.

    > What about a GUI that illustrates the current system configuration and then lets me drag and drop systems across firewalls, and have the individual firewall ports automatically configured?

    It would almost certainly be broken. Currently there are plenty of ways to administer your devices using objects. You can also create objects that have multiple attributes such that you can drop an object into another object (a group) and then republish the ruleset and get the access that you desire. However, using this sort of shorthand is the kind of stuff that can get you to fail a pen test. However, if you balance it right you can get a lot of work done by a few FW admins, and still maintain a relatively high level of security. (For examples on how a template system for server types and drag and drop would be broken, please refer to just about any firewall and DNS enforcement in a Windows environment.) Also, most FW management platforms have GUIs that illustrate the network as the management platform sees it. First thing that a competent FW admin does is turn the thing off for two reasons: 1. The diagram is wrong. 2. It sucks up resources on the manager and on the client (my workstation).

    What about tying a firewall into an authentication system so that when jdoe logs in, only then are the firewalls opened to pass her traffic?

    Cisco and Checkpoint do this with AAA rules. The cascade through multiple firewalls is stupid because if you're dealing with something so secure that you have to go through multiple layers, then hopefully you're using multiple auth factors, one of which should be time limited (SecurID). You won't be able to re-use the authorization token. Palo Alto does this but requires that you depend on an AD polling service and that you have your auth groups set up in AD properly, and no one has jacked with them. Icky.

    What about managing distributed firewalls so that one repository of rules opens up your system's firewalls, the DMZ firewall, and the public firewall all at once?

    Seriously? Multitasking security configuration? Umm. This is where the "MBA" moment really shines through in your post. Each config needs to be combed for optimization, conflicts, and general nonsense. You have to do this in an iterative and detail-oriented manner, or you suck.

  112. Re:Leave the networking stuff to the networking te by Hal_Porter · · Score: 1

    Manually editing text is time-consuming, fatiguing and error prone. Having a tool to automate that sort of thing is one of the fundamental reasons for having computers in the first place.

    There's a great tool called vi.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  113. Re:Leave the networking stuff to the networking te by Hal_Porter · · Score: 1

    a content filter (to keep Joe Sixpack in Receiving from ogling at boobs, then Jane Nubile from HR sees it and then promptly files a sexual harassment lawsuit when she sees it). NAC devices (to enforce presence of antivirus utilities likely forced per agreements), equipment to log packets (ACTA will force all ISPs and carriers to log *every* packet across their network for 7 years. Not headers. Entire packets).

    I always follow the Intensive Poultry Farming Best Practices. Both Joe and Jane are thus spayed, declawed, detoothed and lobotomised before entering the cubicle farm. Thus they have no interest in boobs and/or in concepts like "sexual harassment".

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  114. Re:When you finish your MBA- it'll all become clea by Anonymous Coward · · Score: 0

    no, that only comes with the IT degree.

  115. Coward by Anonymous Coward · · Score: 0

    Juniper IC Controller will do this for you

  116. Re:Leave the networking stuff to the networking te by Gr8Apes · · Score: 1

    That is a criticism of the user, not the tool.

    It's a criticism of both. GUIs by nature are ad-hoc tools that allow individual tweaking - that's their purpose in life. Granted, you could create a tool that would allow for a creation of settings that could then be applied across multiple systems, but that would be much more than a mere GUI tool.

    A criticism that applies equally to a collection of automated scripts

    No, it doesn't. While scripts can be run by individuals with no sense or knowledge, at least the initial creation and testing of such scripts were done by someone that knew enough to create them. (Granted, there's an assumption here that the script result is meaningful and that the script itself was written by someone with knowledge)

    Why ? Graphical representations of complex systems are nearly always easier and quicker to understand than lines of text describing same.

    Graphical representation of tabular data is easier and faster to understand than... tabular data?

    I think the bigger problem is the presentation of the data than any difference between GUI vs Text output for the topic at hand.

    GUIs are most certainly repeatable and their results can absolutely be inspected and verified.

    Really? GUIs are repeatable? Have you ever done web QA? The only time it's repeatable is when the system is completely locked down and nothing changes outside of your control. And even then....

    When the system behind a GUI has deep dependencies that the GUI glosses over or "flattens" for "ease of understanding", then there's plenty of openings for new unexpected behavior to crop up.

    --
    The cesspool just got a check and balance.
  117. Re:Leave the networking stuff to the networking te by silas_moeckel · · Score: 1

    As opposed to giving the web server a name in the firewall and adding that name to the web server group? Ever admin a few hundred firewalls? The GUIs are the slow and error-prone part, not the text interface. The thing people seem to forget is you want the rules on the smallest required set of devices. That nearly universally means 2, as firewalls are required to be network choke points.

    --
    No sir I dont like it.
  118. Re:Sniffing 443 by Relayman · · Score: 0

    Anything that is not properly encrypted is suspect...

    --
    If I used a sig over again, would anyone notice?
  119. Some things should not be automated. by Anonymous Coward · · Score: 0

    Open heart surgery for example.

    It is doable, no question about it, but I prefer the insight of a specialist.

    By dragging and dropping stuff when dealing with firewalls you are asking for trouble. Most likely somebody will miss a complex rule or will open a security hole in an unintended way.

    By being textually precise you avoid these and other possible pitfalls.

    Most importantly, you can document precisely what you are doing.

    All the point and click lovers always fail to explain how they can document any changes to their infrastructure in an efficient, clear manner.

  120. pay twenty grand and get checkpoint by Anonymous Coward · · Score: 0

    Their GUI makes configuring firewalls and routers fairly simple. It's just god-awful expensive, considering it's based off Linux and OSS utilities.

  121. sudo mod me up! http://capirca.googlecode.com by daveb1 · · Score: 0

    sudo mod me up! http://capirca.googlecode.com/ "Developed internally at Google, this system is designed to utilize common definitions of networks and services and high-level policy files to facilitate the development and manipulation of network access control filters (ACLs) for various platforms. "

  122. Re:Leave the networking stuff to the networking te by Churla · · Score: 1

    And Cisco isn't the only one who can handle an enterprise security infrastructure. The current Check Point line features much of what you're talking about, including building a graphical map of your network based on the information you give it so you can see how things are arranged and working.

    As the parent poster said though, Belkin and Linksys are not firewalls. They are NAT-capable home routers with limited ACL capability.
    Linksys :: Corporate security
    Yorkshire Terrier :: Trained Russian Bear cavalry.

    --
    I'm a fiscal conservative, it's a pity we don't have a political party anymore
  123. Re:Leave the networking stuff to the networking te by gx5000 · · Score: 1

    THANK YOU! You took the words right out of my mouth.... As I finished reading TFA I just couldn't help but scream "Keep the poster away from IT Management!!" I'm so sick of unrealistic demands being put unto us, and the way things are going it's just getting worse.

    --
    End of Line.
  124. Re:Leave the networking stuff to the networking te by hesiod · · Score: 1

    The only reason I can think of having a GUI automated management tool is so some dumbass that doesn't know what he's doing can appear to manage firewalls.

    The only reason I can think of having a high level programming language is so some dumbass that doesn't know assembly can appear to write programs.

    Some things are better off getting simpler over time. Yes, having a proper network engineer to manage your firewalls is best. But not everyone can afford -- or even needs to hire one. If their network can now be protected relatively well because of a GUI config tool, when it was not protected at all before, everyone on the Internet is better off as a result.

  125. I don't mean to quote and sound all guru-ish by Anonymous Coward · · Score: 0

    Don't worry, you're not.

  126. Hes totally right by Anonymous Coward · · Score: 0

    Frankly the poster is totally correct. Manually specifying which port on which firewall needs to allow which traffic from what IP to which destination is utterly antiquated and most of all insecure and completely insufficient. Everyone in the security industry knows that, and this deficiency has spawned a huge array of commercial products trying to patch the holes up - deep packet inspection, NIDS, etc...but none of these can solve the root problem.
    As an ISP network admin for 15+ years, I've been waiting for a better solution for over 10 years.

    Someone needs to pull an iPhone and reinvent the whole way we manage security on the network level.

    Think about it: I should just be able to say: allow this app from here to communicate with that app over there. The software should manage the configuration from end to end - that includes configuring the firewalls/access controls - on the source and destination servers themselves.
    There are at least two gaping holes in current firewall management and design:
    - hosts are traditionally wide open to every other host on the subnet. A great many enterprises address this by using absurdly small subnets, which is idiotic from a management point of view. The only solution is local firewalls, but if the firewall management tool doesn't automatically handle these on the same policies as the central firewalls, forget it. End result: wide open subnets.
    - firewalls block based simply on ports. Basically you can send whatever crap you want through the firewall so long as it's going on the port the firewall "thinks" is reserved for, say, a database connection. Yes, deep packet inspection helps to some extent but is hardly a complete solution. The only real solution: the firewall should have an agent installed on the local servers that not only handles the first point (the subnet issue) but also can effectively authenticate based on the originating and receiving _process_ - end to end.

    None of this is really complex. The firewall management just has to include an agent that basically handles something like SELinux (at best) or just the native iptables (at least). All this functionality exists already in your standard local firewall products like ZoneAlarm and every major vendor's "security suite"; the only thing missing is the central management of it from one central console where you can just say let application A communicate with application Z.

    For an enterprise this would be a huge step up from the current disjointed security practices. Best of all whoever develops this first has a huge advantage over the competition and gets a bunch of vendor lock-in to boot ...

    1. Re:Hes totally right by Anonymous Coward · · Score: 0

      Well, as a network administrator for 25 years, I've been waiting for this for much longer than you, so last night instead of boasting of my brilliance for 10 years I actually got off my ass and wrote one of these interfaces on my iPhone 4G so that no matter where I am in the world, with a flick of my finger I can reconfigure the whole network on a GUI. Now if only I could find my damned prototype phone.

  127. Get FireMon by Anonymous Coward · · Score: 0

    from http://www.securepassage.com

  128. Re:Leave the networking stuff to the networking te by silentcoder · · Score: 1

    I feel the need to comment to your sig...
    That Mac Pro mini you mention... wouldn't that be the iPad?

    If so - 2 down, 2 to go.

    --
    Unicode killed the ASCII-art *
  129. Re:Leave the networking stuff to the networking te by SoupIsGood+Food · · Score: 1

    The top-tier firewalls, Checkpoint, Netscreen, Palo Alto, all have competent GUIs designed to manage large installations of firewalls, including global rules that apply across policies. Cisco is really the only firewall platform dependent on the CLI (and brother, that's one ugly CLI. I know! Let's take PIX and make it sort of like IOS! No! Let's take IOS and cram PIX in there! No, no, wait! I have it! We'll do both arbitrarily!) No pro I know of spends their time on the wall's command line or mangling policies in a text editor if they can avoid it. The problem is that all of the firewall vendors are too busy re-inventing the wheel with Java and Web app interfaces instead of finding an industry standard toolkit and sticking to it, so we don't get cool things like you'd find in a MacOS or iPad interface. Give it a couple years, and drag-and-drop of rules and address objects between policies will be easier than it is now, and the global rules will be smarter in adapting to new networks and hosts on the fly.

    The Open Source world is perpetually 3-10 years behind the cutting edge in application design, and network admins (especially in all-Cisco shops) can get tunnel vision sometimes, but those of us who do have CISSP and GCFW on our business cards know that what the guy wants isn't unreasonable, and a lot of it will be arriving in the next few years, as well as some sexy stuff not brought up by the OP. (NIDS and Firewall and DLP as separate concepts is going away - too much crap being crammed through 80 and 443, you need the firewall to profile the traffic, too. Also, along the same lines: application specific firewalls - it only deals with web servers, or it only deals with database servers, or it only deals with SIP - are on their way up. )

    The biggest problem is that there won't be a one-stop shop that does all this, and the different vendors would rather choke on an 8" DSDD floppy and die than work with each other, even if their businesses aren't actually competing directly.

  130. Re:Leave the networking stuff to the networking te by postbigbang · · Score: 1

    The only secure perimeter is the air gap, and that inside a well-grounded Faraday cage.

    I don't believe you and your citation of a secure perimeter. It's likely highly infected. Firewalls do often include NAT, so that they can watch stateful packet exchange. But I get the feeling you're new at this, so I'll leave your observations alone.

    People who brag about these things, as in never's-been-breached, are usually fools.

    --
    ---- Teach Peace. It's Cheaper Than War.
  131. PA Networks by bonbonne · · Score: 1

    Well, part of what you're describing can be bought today.
    Appliances from Palo Alto Networks do just that: user awareness, L7 identification (even in SSL) so that allowing TCP 80 or 443 doesn't mean allowing everything, ...

    They still lack many things from Checkpoint/Juniper/Cisco (PBR or IPSec aren't fully there yet IMHO) but they're quite impressive.
    On some tests I did, it was able to see random encrypted UDP P2P packets as "Bittorrent". Not to mention that many webapps are seen as protocols (gmail, gmail chat, mail.ru, yahoo finance, etc...)

    Kinda weird to define security policies by user|group/application instead of IP/port. (you can still do that if it makes you feel more comfortable: use RFC ports or self-defined ports)

    Sexy HW architecture with FPGAs and dedicated CPUs for each task, nice web interface with reporting: it's a real gap from a typical appliance firewall, but it costs an arm and a leg...

    --
    --I like 2 kinds of women : GIFs and JPEGs--
  132. An airplane analogy... by Anonymous Coward · · Score: 0

    I love how you *nix guys don't ever take end users into consideration.

    Because end users do not have the training, skills or experience required to properly and effectively manage today's sophisticated network security issues. Even most "*nix guys" do not.

    Your gripe is essentially the same thing as expecting layperson passengers to be able to fly the jetliners instead of the pilots.

  133. Re:Leave the networking stuff to the networking te by eth1 · · Score: 1

    I don't think that having more network or firewall knowledge would really help with what the story submitter is really after. As someone who's part of a team that manages firewalls with 3k+ rule bases, I can say that it doesn't take a networking genius to configure a new rule for someone, and it really doesn't matter what interface you use (CheckPoint GUI, PIX/ASA command line, etc.). Well, sometimes it does... we have some environments that are so arcane/legacy/"hysterical reasons" that it's not funny any more.

    The hardest part is managing the mess that's generated when you have 5 requests for changes per day, every day. You can't just put in new rules for every request, because then you have so many rules that the firewall can't keep up. When you start piggy-backing off of existing rules, it makes it hard to remove access when it's no longer needed (in the extremely rare case that someone even tells you they don't need it any more).

    What we'd really like to see is a way that we can take specific requests for access (Bob Smith's app server x.x.x.x needs SFTP access to vendor Y's servers at y.y.y.y and z.z.z.z) and compile them into an optimized rule base (using traffic/usage stats to order the rules). That way, when Bob comes back and says he doesn't need SFTP (or we look at old stuff and ask if he still needs it), we can just remove his request from the source, recompile the rule base, and know that it won't disturb anyone else's access. That way, your "source" rule base is basically an actual picture of what's needed in a business sense, rather than what the firewall is doing to implement it.

    If we could integrate such a system into our process management tools, so that a firewall engineer only has to verify a request and schedule it for an appropriate change window to be automatically added, that would be even better.
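    The request-compiled rule base eth1 describes, as an added example that is not the poster's code or any vendor's product: access requests are the source of truth, requests to the same destination and service are merged into one rule, rules are ordered by observed hit counts, and withdrawing one request recompiles the rule base without touching anyone else's access. Object names, request IDs, hit counts and the RFC 5737 addresses are all constructed sample data.

```python
"""Toy 'access request compiler' (added example, not from the thread).
Requests are the business-level source of truth; the firewall rule base
is derived from them, never edited by hand."""
from __future__ import annotations
from dataclasses import dataclass, field

# Named network objects (constructed sample data using RFC 5737 ranges),
# defined once instead of repeating raw addresses in every rule.
OBJECTS = {
    "app-server-bob": {"192.0.2.10"},
    "app-server-alice": {"192.0.2.20"},
    "vendor-y-sftp": {"203.0.113.5", "203.0.113.6"},
    "db-cluster": {"198.51.100.7"},
}
SERVICES = {"sftp": ("tcp", 22), "postgres": ("tcp", 5432), "https": ("tcp", 443)}


@dataclass(frozen=True)
class Request:
    """One business-level access request: who needs what, and why."""
    req_id: str
    owner: str
    src_obj: str
    dst_obj: str
    service: str
    justification: str


@dataclass
class Rule:
    """A compiled firewall rule with resolved address sets and provenance."""
    dst_obj: str
    service: str
    proto: str
    port: int
    src: set
    dst: set
    request_ids: list = field(default_factory=list)  # which requests produced it


def compile_rulebase(requests, hit_counts):
    """Merge requests sharing (destination object, service) into one rule with
    the union of their sources, so five requests a day do not become five
    rules a day. Rules are ordered most-hit first, as a first-match firewall
    wants; ties fall back to a stable name order so output is reproducible."""
    merged = {}
    for r in requests:
        if r.src_obj not in OBJECTS or r.dst_obj not in OBJECTS or r.service not in SERVICES:
            raise ValueError(f"unknown object or service in {r.req_id}")
        proto, port = SERVICES[r.service]
        rule = merged.setdefault(
            (r.dst_obj, r.service),
            Rule(r.dst_obj, r.service, proto, port, set(), set(OBJECTS[r.dst_obj])),
        )
        rule.src |= OBJECTS[r.src_obj]
        rule.request_ids.append(r.req_id)
    return sorted(
        merged.values(),
        key=lambda x: (-hit_counts.get((x.dst_obj, x.service), 0), x.dst_obj, x.service),
    )


def allows(rulebase, src_ip, dst_ip, proto, port):
    """First-match evaluation, default deny. Returns the matching rule or None."""
    for rule in rulebase:
        if src_ip in rule.src and dst_ip in rule.dst and (proto, port) == (rule.proto, rule.port):
            return rule
    return None


def withdraw(requests, req_id):
    """Remove one request from the source of truth; the caller recompiles."""
    return [r for r in requests if r.req_id != req_id]


# Constructed sample requests and hit counts (the "traffic/usage stats").
SAMPLE_REQUESTS = [
    Request("REQ-1001", "bob", "app-server-bob", "vendor-y-sftp", "sftp", "nightly batch upload"),
    Request("REQ-1002", "alice", "app-server-alice", "vendor-y-sftp", "sftp", "reporting feed"),
    Request("REQ-1003", "bob", "app-server-bob", "db-cluster", "postgres", "orders database"),
]
SAMPLE_HITS = {("db-cluster", "postgres"): 120_000, ("vendor-y-sftp", "sftp"): 400}


def demo():
    """Compile, then withdraw Bob's SFTP request and recompile.
    Alice's access to the same vendor must survive untouched."""
    before = compile_rulebase(SAMPLE_REQUESTS, SAMPLE_HITS)
    after = compile_rulebase(withdraw(SAMPLE_REQUESTS, "REQ-1001"), SAMPLE_HITS)
    return before, after


if __name__ == "__main__":
    for label, rb in zip(("before", "after"), demo()):
        print(label)
        for rule in rb:
            print(f"  allow {sorted(rule.src)} -> {sorted(rule.dst)} "
                  f"{rule.proto}/{rule.port}  # from {rule.request_ids}")
```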

  134. Not for Consumers by ltrand · · Score: 1

    If you look at Palo Alto Networks, you'll see that all of those features exist...for enterprises. The real issue is that consumer networking is slim margins. How many people are still running their original 2003 .11g firmware? DD-WRT gets you closer, but managing several "firewalls" for consumers? I don't think the average "Joe Sixpack" has more than the one at his network gateway. And they usually don't even configure that. Walk down a densely populated street and tell me how many open wifi networks you find and you'll see why a lot of these features haven't made it to the consumer market. The real question is why the networking "prosumer" market hasn't gotten bigger. And that's mostly because of price. You could look at a Checkpoint UTM-1 that has all the features you're looking for, logging, IPS, Content Aware Firewall, but you'll pay out the nose for it. Even a Cisco ASA is ~$700 and it doesn't have all of those features. Would you drop a cool grand on a small box that "just sits there"? That's the mentality that you're facing.

  135. Re:Yep! That's why the future is in smarter device by Anonymous Coward · · Score: 0

    It gives security and privacy to some degree. But it doesn't hide how much data is going through, how often, in what kind of packages... Those can give pretty good hints that there is something else going on than visiting a normal website through https.

  136. Firehol by mattr · · Score: 1

    For a single unix server I use firehol. It is pretty easy to use its simple English-like settings file which is used to generate the iptables firewall. It's not Star Trek, not even a gui, but seems to do the simple job well. Possibly this could be run on the router.

    It would be nice if you could have a program that is updated with information about how to set up various manufacturers' products, and lets you describe your setup, then programs your firewalls on the various machines.

  137. MBAs, meet Novell BorderManager, circa 1997 by mosel-saar-ruwer · · Score: 2, Informative

    What about tying a firewall into an authentication system so that when jdoe logs in, only then are the firewalls opened to pass her traffic?

    Novell was doing much of what the OP was asking for, back circa 1997, with their BorderManager product.

    Unfortunately, Novell always seemed to have the evil MBAs running the company [is there such a good MBA?], and, the last I heard, BorderManager was allowed [decreed? required?] to wither on the vine.

    But BorderManager, as originally envisioned [and it was a helluva nice vision], provided a spectacular framework for dealing with these problems.

    Oh well, only the good die young.

  138. Cisco's ASDM isn't good enough GUI???? by Anonymous Coward · · Score: 0

    Cisco Adaptive Security Device Manager is good enough GUI for me - it even shows a small diagram of your rule just to ensure you typed in everything correctly.
    Also for the fabric I often jump into Cisco's Network Assistant - cheaper (free) than Solar Winds (LAN Surveyor) for a quick interactive network topology.

    It seems as though a good majority of people commenting (and the original user who asked the question) actually don't work with networks much (maybe they work via a network).

    Slashdot is an interesting meme that just won't die :)

  139. Solsoft can do this... by Anonymous Coward · · Score: 0

    Solsoft NP used to have graphical mgmt of firewalls (and other policy enforcement points). You could draw flows and have the rules configured automatically. It supported FW-1, PIX, Cisco IOS, Nortel, Netscreen, and several others. They even had the ability to draw VPNs and have those configured too. They were purchased awhile back and now can be found at http://www.loglogic.com/products/security-change-management/index.php

  140. We already have this standard by Chemisor · · Score: 1

    We already have the standard for configuring the firewall ports and NAT; it's called UPnP. It works just fine on a home network. On corporate networks it is usually not enabled due to security concerns. If the protocol designers could fix the perceived security problems with UPnP, then all the problems in the article would be solved.

  141. The Future Is Just A Click Away by jman.org · · Score: 1

    Yes, one often can just click on the smiley face and have hordes of unknown, unattributed and unappreciated coders do all the work.

    Yet, there's something to be said for RTFM.

    Give it a shot, and if you do magically learn something, please try to pass it along...

  142. What's the point ? by Anonymous Coward · · Score: 0

    You don't see such tools because the most important rule for us network engineers in an enterprise environment is to know what, why and how each device is doing its job on the network. As a tutor once said, you should always be in control of the network and not the other way around.

    We do not spend countless hours away from family life and spend an enormous amount of money on training and certification only to later depend on a tool to automate configuration from a diagram - this dumbs down the industry as any idiot with a mouse can point and click without understanding the reason behind the pointing and clicking.

    Firewalls play only one part of the network, you need to stop and have a think about what sits on both sides of the device and how complex the designs nowadays have to be in order for users to enjoy the various network services available. Only then will you realise how ridiculously narrow minded your concept is.

  143. Re:Leave the networking stuff to the networking te by Bungie · · Score: 1

    It's a criticism of both. GUIs by nature are ad-hoc tools that allow individual tweaking - that's their purpose in life. Granted, you could create a tool that would allow for a creation of settings that could then be applied across multiple systems, but that would be much more than a mere GUI tool.

    A GUI is an interface, not a philosophy. There's nothing that says that they're only for individual tweaking, or that making a tool that applies settings across multiple systems would be beyond what a GUI tool can do.

    No, it doesn't. While scripts can be run by individuals with no sense or knowledge, at least the initial creation and testing of such scripts were done by someone that knew enough to create them. (Granted, there's an assumption here that the script result is meaningful and that the script itself was written by someone with knowledge)

    There's also nothing that says that whoever created the GUI interface won't be knowledgeable or able to encapsulate a script's function within a graphical design.

    Really? GUIs are repeatable? Have you ever done web QA? The only time it's repeatable is when the system is completely locked down and nothing changes outside of your control. And even then....

    Again you are confusing the fact that a GUI is simply an interface. There's no additional random or uncontrollable things happening on the side. If you have a set of buttons they can only be clicked or left alone, they're not going to suddenly do anything else.

    When the system behind a GUI has deep dependencies that the GUI glosses over or "flattens" for "ease of understanding", then there's plenty of openings for new unexpected behavior to crop up.

    The GUI just allows you to view a problem in a different way, it doesn't make the problem more or less complex. Once a script or configuration becomes very large and complex it can be just as hard to find out what's going on and just as easy to introduce unexpected problems. You can have the data in a flat file, or you can have it in a tree view, it doesn't change the data, only how it is represented to the user.

    --
    The clash of honour calls, to stand when others fall.
  144. Re:Leave the networking stuff to the networking te by man_of_mr_e · · Score: 1

    Dear lord, gui based management of a fleet of firewalls? You want to drag and drop things and make magic happen when you do that? Sounds pretty reckless and dangerous to me.

    I don't see anything wrong with wanting to visualize your firewall rules. If done right, it could be a huge boon and might help you spot holes or weaknesses you might otherwise have missed. I don't think anyone has yet come up with such a rule visualizer, but drag and dropping seems like a great way to build rules so that the spatial part of your brain can be engaged.

    If you've ever used Network Magic, it's a great tool to visualize your network. I'd love to see something similar for firewalls.

  145. Firewall Builder by ACorvus · · Score: 1

    Firewall Builder

    That's about as good as it gets without the risk of a PHB letting the orcs in!

    --
    -- Sig Sig Sputnik
  146. Watchguard by Yaos · · Score: 1

    Watchguard uses a GUI.

  147. Central Managed Firewall by Anonymous Coward · · Score: 0

    The Uptime Group ( http://www.TheUptimeGroup.com ) develops their own firewall for their clients. It has a central management and any change can be pushed out to all the clients or only to the clients that need it. Rules, updates etc.

  148. Re:Leave the networking stuff to the networking te by AliasMarlowe · · Score: 1

    Manually editing text is time-consuming, fatiguing and error prone. Have a tool to automate that sort of thing is one of the fundamental reasons for having computers in the first place.

    There's a great tool called vi.

    Blasphemer! Vi is not great. Vi is evil incarnate, a tool for infidels.
    Emacs is great. Emacs smiles upon the faithful. All praise emacs in its glory!

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  149. Re:Leave the networking stuff to the networking te by ckaminski · · Score: 1

    No it doesn't. It means a quad-core, latest ATI video card, and 8GB RAM in a Mac Mini form factor.

    That is NOT the Mac Pro.

    If you mean the Mac BOOK Pro? Then that's the Mac Air.

    The iPad is still a child's toy compared to any of the above.

    Now an Apple Mac convertible tablet, THAT I still want to see.

  150. Re:Leave the networking stuff to the networking te by ckaminski · · Score: 1

    You bring up a good point. You have no idea how many times I've been forced to tunnel SSH traffic over HTTP or SSL to get to resources I needed to use to do a job.

    Never mind the constant influx of vendors and customers, and field people or home workers on VPN.

    Securing a network is tough work.

    Doesn't fwbuilder do some of this for the FOSS world? Why couldn't the Poster take this and improve on it?

  151. Re:Leave the networking stuff to the networking te by pnutjam · · Score: 1

    try pfsense

  152. Re:Leave the networking stuff to the networking te by pnutjam · · Score: 1

    firewalls are also useful for consolidating access to internal machines, load-balancing, terminating remote access, and a host of other things.

  153. re: Changing Port numbers by seawall · · Score: 1
    There is indeed a reason to change the port number for ssh: NOISE REDUCTION!

    On one machine I see, say, a thousand ssh break in attempts a day. If I change the ssh port from 22 to 578 (for instance) I just cut that 1000 down to maybe 20 + legitimate users...and those 20 are the ones to be most worried about out of the 1000! That's a win.

  154. Re:Yep! That's why the future is in smarter device by Bert64 · · Score: 1

    And what if you tunnel traffic over SSL over port 443? Wouldn't such traffic be indistinguishable from HTTPS traffic, or do they go based on typical use - ie https traffic is usually small request followed by big reply and traffic not like that is likely to be something else.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  155. Re:Leave the networking stuff to the networking te by Gr8Apes · · Score: 1

    I don't believe you and your citation of a secure perimeter. It's likely highly infected.

    It actually is separated from the internet, except for a serious hodge podge dual email system. Yes, that means no web access.

    Firewalls do often include NAT, so that they can watch stateful packet exchange. But I get the feeling you're new at this, so I'll leave your observations alone.

    They may include it, but it certainly isn't necessary, nor has any meaning in defining a firewall. They also often include a switch. This also is totally outside the realm of firewall functionality.

    People who brag about these things, as in never's-been-breached, are usually fools.

    And some just flaunt their ignorance.

    Note that I did not say it was invincible, just that this particular one had not been breached. I do happen to know of several others that are "unbreachable".

    --
    The cesspool just got a check and balance.
  156. Re:Leave the networking stuff to the networking te by postbigbang · · Score: 1

    If you have no web access, you've stanched the majority of infection and cracking sources. In terms of "unbreachable", I'll cite the airgap and earthed-Faraday cage above. Nothing is foolproof, as fools are so ingenious.

    NAT takes care of many problems, e.g. direct probes and their consequences. Many firewalls perform NAT, and it's needed for stateful inspection.

    Only a handful of systems are uncrackable. And that's for today.

    --
    ---- Teach Peace. It's Cheaper Than War.
  157. Re:Leave the networking stuff to the networking te by Gr8Apes · · Score: 1

    the "unbreachable" ones meet your requirements and also have no ability for external devices to be hooked up.

    --
    The cesspool just got a check and balance.
  158. Re:Leave the networking stuff to the networking te by SoupIsGood+Food · · Score: 1

    You're not going to like this, but I know of two platforms that already do SSL intercept - they don't allow direct connection over HTTPS, but force you to accept the firewall's cert, and the firewall then handles the HTTPS traffic - essentially a MITM attack. It gets worse still, stuff like Palo Alto doesn't even need to decrypt your SSL connection - it can tell what sort of traffic is running through it encrypted. If it's SFTP or SSH, the firewall will kill the session, and block further connections.

    Gigantic PITA for geeks who like to SSH across network boundaries, but the larger issue is that malware and other forms of corporate espionage are using SSH and SFTP disguised as something else, too. If you want to play Nethack on the SGI Indy you've got set up in your bedroom while at work, you're going to need to get to know your Firewall admin and ask pretty please. And then you'll need to get to know the auditors he works with, because they =will= catch that shit and whine at the CIO/CSO/(Insert boss in charge of infosec here).

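    The application identification that the comment above attributes to products like Palo Alto can be sketched without any vendor code: look at the first bytes the client sends rather than the port it sends them to. The block below is an added example for this thread, not code from any product or commenter; the three sample byte strings are constructed by hand, and the policy table is invented to match the behaviour described (web out, SSH killed).

```python
"""Protocol identification from the first bytes of a client stream.

Added example for this thread, not code from Palo Alto or any product named
above. The three sample byte strings are constructed by hand; the TLS one is
only the record and handshake header, which is all the classifier reads.
"""

from dataclasses import dataclass

TLS_HANDSHAKE_RECORD = 0x16   # record-layer content type "handshake"
TLS_CLIENT_HELLO = 0x01       # handshake message type "client_hello"
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT")

# Constructed samples: what a sensor would see as the first client bytes.
SAMPLE_SSH = b"SSH-2.0-OpenSSH_8.9\r\n"
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00, 0xc4, 0x03, 0x03])
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"


@dataclass(frozen=True)
class Verdict:
    protocol: str
    action: str   # "allow" or "block"
    reason: str


def identify(first_bytes: bytes) -> str:
    """Classify a client-to-server stream by its opening bytes, not its port."""
    # RFC 4253: SSH starts with a plaintext identification string, on any port.
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS: handshake record, version 3.x, first handshake message is ClientHello.
    if (len(first_bytes) >= 6
            and first_bytes[0] == TLS_HANDSHAKE_RECORD
            and first_bytes[1] == 0x03
            and first_bytes[2] <= 0x04
            and first_bytes[5] == TLS_CLIENT_HELLO):
        return "tls"
    # Plain HTTP: the request line begins with a method token.
    if first_bytes.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


# Policy of the kind the comment describes: web out, SSH/SFTP killed, unknown dropped.
POLICY = {"tls": "allow", "http": "allow", "ssh": "block", "unknown": "block"}


def decide(first_bytes: bytes, dst_port: int) -> Verdict:
    """Apply POLICY to the identified protocol; the port only colours the reason."""
    proto = identify(first_bytes)
    reason = f"{proto} on tcp/{dst_port}"
    if proto == "ssh" and dst_port in (80, 443):
        reason += " (SSH hiding on a web port)"
    return Verdict(proto, POLICY[proto], reason)


if __name__ == "__main__":
    for sample, port in ((SAMPLE_SSH, 443), (SAMPLE_TLS, 443), (SAMPLE_HTTP, 80)):
        print(decide(sample, port))
```

    The caveat is the one the comment hints at: SSH run over a real TLS session looks like TLS to this classifier, which is exactly why the certificate-swapping intercept described above exists. A production engine also reads further into the stream (SNI, certificate, packet sizes and timing) rather than stopping at byte six.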
  159. Re:When you finish your MBA- it'll all become clea by Anonymous Coward · · Score: 0

    Maybe it's just me, but every piece of hardware I've owned with UPnP support had an option in the bios to disable it.
    Some of them took some looking around to find it, but they ALL had it.

    Maybe your friend should've spent more time getting to know his hardware/software before installing it and expecting it to be secure.

    User-friendly is the primary concern for consumer grade equipment, with security trailing at a distant second.

  160. Re:Leave the networking stuff to the networking te by drsmithy · · Score: 1

    It's a criticism of both. GUIs by nature are ad-hoc tools that allow individual tweaking - that's their purpose in life.

    Rubbish.

    Granted, you could create a tool that would allow for a creation of settings that could then be applied across multiple systems, but that would be much more than a mere GUI tool.

    Why ? Because anything that's useful must be "more than a mere GUI tool" ?

    No, it doesn't. While scripts can be run by individuals with no sense or knowledge, at least the initial creation and testing of such scripts were done by someone that knew enough to create them.

    So, just like a GUI, then ?

    Graphical representation of tabular data is easier and faster to understand than... tabular data?

    Almost always. The easiest and most obvious example: graphs.

    Really? GUIs are repeatable? Have you ever done web QA? The only time it's repeatable is when the system is completely locked down and nothing changes outside of your control. And even then....

    You seem to be using a different definition of "repeatable" than any I know. If it's "repeatable" it means the same actions produce the same results.

    When the system behind a GUI has deep dependencies that the GUI glosses over or "flattens" for "ease of understanding", then there's plenty of openings for new unexpected behavior to crop up.

    There is no inherent need for a GUI interface to be oversimplified, or less capable.

  161. Re:Leave the networking stuff to the networking te by drsmithy · · Score: 1

    As opposed to giving the web server a name in the firewall and adding that name to the web server group?

    So, two possibilities for a simple typo to cause problems from benign to catastrophic ?

  162. Re:Leave the networking stuff to the networking te by silentcoder · · Score: 1

    Don't try to sell me :D
    I despise apple - so whatever they do doesn't much affect me. I pretty much think of Apple's products as an etch-a-sketch with a filter so you can't draw naughty pictures. I was just wondering if your sig may be out of date. I think it's clear that the product you dream of there is not the one they are marketing so hard.

    --
    Unicode killed the ASCII-art *
  163. Re:Leave the networking stuff to the networking te by Gr8Apes · · Score: 1

    Granted, you could create a tool that would allow for a creation of settings that could then be applied across multiple systems, but that would be much more than a mere GUI tool.

    Why ? Because anything that's useful must be "more than a mere GUI tool" ?

    No, because in the current topic thread what someone wanted was a GUI to look at a firewall, not an enterprise application run by a well designed GUI. It would help if you followed the thread.

    Graphical representation of tabular data is easier and faster to understand than... tabular data?

    Almost always. The easiest and most obvious example: graphs.

    Please graph a firewall configuration in a manner that is meaningful in this discussion for configuring firewalls.

    Last time I checked, firewalls consisted of data best represented in tabular format.

    When the system behind a GUI has deep dependencies that the GUI glosses over or "flattens" for "ease of understanding", then there's plenty of openings for new unexpected behavior to crop up.

    There is no inherent need for a GUI interface to be oversimplified, or less capable.

    The topic started with the whine that firewalls are too difficult, and gee, wouldn't it be nice to just drag n drop firewall configs....
    Do keep up.

    I'm well aware that a proper interface to a firewall could be written. It will still require almost as much understanding to use as the current effort to write scripts. If you were to make it easier, then you're dumbing it down and "flattening" the problem domain, and all above mentioned criticisms are valid.

    --
    The cesspool just got a check and balance.
  164. Re:Leave the networking stuff to the networking te by drsmithy · · Score: 1

    No, because in the current topic thread what someone wanted was a GUI to look at a firewall, not an enterprise application run by a well designed GUI. It would help if you followed the thread.

    I am following the thread. The arguments against GUIs are nearly all predicated on using them to manage complex, "enterprise" environments. Therefore, either the arguments are invalid in context (because the environment is not complex or "enterprise"), or we can proceed with the assumption that any such GUI would be "an enterprise application".

    Please graph a firewall configuration in a manner that is meaningful in this discussion for configuring firewalls.

    C (www) --- | ---> S

    This simple diagram above showing a firewall rule allowing web traffic from one or more clients to one or more webservers could quite easily represent multiple lines of "tabular data" defining a firewall configuration, yet it can be quickly and intuitively understood even by people with little knowledge of how that specific firewall is configured, let alone the commands and syntax required to actually implement the rule(s).

    The topic started with the whine that firewalls are too difficult, and gee, wouldn't it be nice to just drag n drop firewall configs....

    And ? "Easier" does not implicitly mean "less capable".

    I'm well aware that a proper interface to a firewall could be written. It will still require almost as much understanding to use as the current effort to write scripts.

    It would not, because you would not need intricate knowledge of command syntax and scripting languages.

    If you were to make it easier, then you're dumbing it down and "flattening" the problem domain, and all above mentioned criticisms are valid.

    There is absolutely no inherent reason for a solution that makes a process easier to also make the results less complete. None.

    What you would be doing, would be isolating the "problem domains" (managing a firewall, knowing the syntax of that specific firewall, knowing how to script changes) and removing the ones that are not essential (knowing the syntax of that specific firewall, knowing how to script changes) from the solution.

  165. Exaprotect/Solsoft by kisanth88 · · Score: 1

    A company called Exaprotect, which acquired a company called Solsoft, made a pretty neat tool that visualized the network and you could put enforcement points onto a map based on topology and apply rules. My company uses the tool for some things in our network. It's an amazing tool once you get it up and running, but there is a level of effort and understanding of how the tool works that is involved. Sadly Exaprotect is making the tool End of Life because they didn't see enough demand/profit from it. The killer feature of it was that once you got a policy looking like you wanted, and you needed to add a subnet or host. You'd simply manipulate the object at that point in the topology then click on all the enforcement points involved (easy to do because it could track them down via the policy layout) and then click "Update Policy Enforcement Point". If anyone knows of a good replacement please let me know, we're looking for one as Exaprotect is killing this product. -K

  166. Check point by Anonymous Coward · · Score: 0

    Seriously, check out check point. It doesn't have everything you are asking for (yet) but that seems to be the closest and you can probably talk to them about other enhancements.

  167. Palo Alto by Anonymous Coward · · Score: 0

    I've heard good things about their "next generation" firewalls. Anyone have any comments?

  168. Re:Leave the networking stuff to the networking te by Gr8Apes · · Score: 1

    Please graph a firewall configuration in a manner that is meaningful in this discussion for configuring firewalls.

    C (www) --- | ---> S

    This simple diagram above showing a firewall rule allowing web traffic from one or more clients to one or more webservers could quite easily represent multiple lines of "tabular data" defining a firewall configuration, yet it can be quickly and intuitively understood even by people with little knowledge of how that specific firewall is configured, let alone the commands and syntax required to actually implement the rule(s).

    Hmm, that's easier to read than

    Inbound port . . . Destination
        80 . . . . . . . webserver.mydomain.com:8080

    ('. . . " -> because we cannot do tables)

    Instead of not having a clue what "s" is, now I know exactly where an inbound port 80 winds up. (this one includes a little more than a basic firewall by also adding in routing - ie, proxying or NAT)

    And, how do I know "(www)" means port 80? (It could be any port, www is irrelevant). What if I was running sshd on 80? What then? What if I was really sneaky and multiplexed port 80 for web and sshd via some proxy client I wrote?

    This is where the GUI paradigm being discussed breaks down when you're talking firewalls. Honestly - you cannot make a GUI easier to understand than tabular data regarding firewalls, since firewalls are inherently tabular data. Don't try to fit square pegs into round holes.

    Having said that - you can create a GUI/management application that allows some predefined set of configurations that might be a little easier to understand, but that would be a small subset of what we're discussing above.

    --
    The cesspool just got a check and balance.
  169. Re:Leave the networking stuff to the networking te by drsmithy · · Score: 1

    Hmm, that's easier to read than

    At a glance, absolutely. Primarily because if there are other associated ports that could go with the rule (eg: to 443) that can then be captured in the diagram but not the table. Similarly, if there are half a dozen rules, rather than just one, the graphical representation becomes even easier to understand, because the more lines of very similar text you add, the harder it becomes to pick out particular ones (and more importantly, identify errors in them). Additionally, your tabular representation contains information that is not relevant at the design/conceptual level (port numbers).

    And, how do I know "(www)" means port 80? (It could be any port, www is irrelevant).

    Because you've defined it elsewhere in the interface.

    What if I was running sshd on 80? What then? What if I was really sneaky and multiplexed port 80 for web and sshd via some proxy client I wrote?

    Then you define those things elsewhere as well. Once, so you don't need to keep repeating relatively unimportant information.

    This is where the GUI paradigm being discussed breaks down when you're talking firewalls. Honestly - you cannot make a GUI easier to understand than tabular data regarding firewalls, since firewalls are inherently tabular data. Don't try to fit square pegs into round holes.

    Of course you can. That graphical representations are easier and quicker to understand than raw numbers is something that's been known for centuries. Again, this is why we use graphs to help interpret data rather than staring at lines of numbers.

    Having said that - you can create a GUI/management application that allows some predefined set of configurations that might be a little easier to understand, but that would be a small subset of what we're discussing above.

    All you need is the ability to define your own data definitions. Which, of course, any remotely good tool would have.

  170. Re:Leave the networking stuff to the networking te by Mr.+Slippery · · Score: 1

    Your example is 100% backwards. Consider something simple like adding a host to a standard ACL list for webservers. Why should it be any harder than simply editing a plain text file? Why should it involve some meaningless symbolism of dragging one shape into another shape? How do I grep through these shapes? How do I filter them into reports? How do I back up old configurations? How do I copy configuration from one system to another?

    Why should configuring a computer system require manual, slow, error-prone, use of a GUI?

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  171. Re:Leave the networking stuff to the networking te by Mr.+Slippery · · Score: 1

    Graphical representations of complex systems are nearly always easier and quicker to understand than lines of text describing same.

    Uh, right. That's why flow charts remain so popular.

    Some things are better expressed in text; some in figures. A set of rules -- like those for a firewall -- are better expressed in text.

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  172. Re:Leave the networking stuff to the networking te by drsmithy · · Score: 1

    Your example is 100% backwards. Consider something simple like adding a host to a standard ACL list for webservers. Why should it be any harder than simply editing a plain text file?

    Because editing text files is a manual and error-prone process. There's little to no input validation, sanity checking, or ability restrict access and delegate responsibilities. Just type it in, proofread, cross your fingers and go.

    Why should it involve some meaningless symbolism of dragging one shape into another shape?

    In what way are icons any less meaningless symbolism than configuration syntax keywords ?

    How do I grep through these shapes?

    You use the organisational and search constructs in the GUI.

    How do I filter them into reports?

    By using the reporting in the GUI.

    How do I back up old configurations? How do I copy configuration from one system to another?

    By exporting them to some machine-readable file.

  173. Re:Leave the networking stuff to the networking te by drsmithy · · Score: 1

    Uh, right. That's why flow charts remain so popular.

    Flow charts (and their descendants) are *massively* easier to understand and follow than something like pages of if...then statements. That's exactly why they _are_ popular.

    Some things are better expressed in text; some in figures. A set of rules -- like those for a firewall -- are better expressed in text.

    Why ? Which firewall's syntax are you going to express your rules in ? How long does it take for understanding of your ruleset to transfer to those unfamiliar with that syntax ? How do you delegate access and control of specific subsets of the rules ?

  174. old news by Anonymous Coward · · Score: 0

    Not to endorse a commercial product, especially such a frustrating one, but it seems like Checkpoint had this covered many years ago. Maybe you're looking for enterprise features in a consumer product. Most of my firewall experience is close to 10 years old, but ...

    > What's available for managing complex firewall arrangements? Can I take a Visio diagram, run it through a script, and
    > get a list of firewall rules? What about a GUI that illustrates the current system configuration and then lets me drag
    > and drop systems across firewalls, and have the individual firewall ports automatically configured?

    Checkpoint had a management console that could group users, machines, groups, networks, and policies, and operate on them visually in a network diagram. Then you could apply the rules generated by that diagram to any portion of or all firewalls.

    > What about tying a firewall into an authentication system so that when jdoe logs in, only then are the firewalls opened to pass her traffic?

    Seriously? Look up RADIUS. Plus, there were proprietary solutions in place before RADIUS was standardized.

    > What's next for firewall management?"

    I don't know but most of what you're talking about has been around for years.

  175. Re:Leave the networking stuff to the networking te by Anonymous Coward · · Score: 0

    Secure perimeters are illusions. Every machine needs its own defense. Firewalls are good for NAT, which foils a few, and stateful inspection, which fools a few more. Otherwise, internal firewalling and boundary checks are the only answer, coupled to download security hashing checks-- and those get bitten, too.

    Belief in firewalls and secure perimeters are the reason that some 30% of all machines in a domain are bot'd somehow..... and protect each individual device, not just the perimeter.

    I think you're contradicting yourself a bit here, but it's the single point of defense that is an illusion. There are many layers an ALL are important. You DO need a perimeter defense, you DO need inspection, you DO need network segmentation, you DO need machine perimeters, you DO need application defense, you DO need strong authentication, you DO need restricted user accounts/application sandboxes, and you DO need system and network monitoring. Most of all, you DO need to educate users about safe behaviors.

  176. NetAlert by wgc · · Score: 1

    That is interesting, but how does a user know if the port is part of some update versus a program that got compromised by a code injection, and is dropping stuff off at a compromised machine?

    I don't know if Apple handles this, but NetAlert kept application signatures. You could choose to allow once or allow always, and you'd be alerted if it wanted a new port or if the application changed in any way.

    1. Re:NetAlert by Anonymous Coward · · Score: 0

      I have seen a number of firewall programs (Sygate for example) do this. However, Joe Sixpack gets so used to mindlessly clicking "Allow" because every program wants access out that he will ignore the fact that some application changed its signature due to malicious software, and the protection becomes useless.

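    The mechanism the two comments above describe (remember the application's signature, and re-ask when the binary or the port changes) is small enough to show in full. The block below is an added example for this thread, not code from NetAlert, Sygate or Apple; the "executables" are short constructed byte strings standing in for real binaries, and the path is made up.

```python
"""Per-application outbound decisions keyed on the executable's hash.

Added example for this thread; not NetAlert's, Sygate's or Apple's code. The
executables are short constructed byte strings standing in for real binaries,
and the path is made up.
"""

import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Destination = Tuple[str, int]     # (protocol, port)
AppKey = Tuple[str, str]          # (path, sha256 of the binary)


def fingerprint(executable: bytes) -> str:
    return hashlib.sha256(executable).hexdigest()


@dataclass
class AppFirewall:
    # "allow always" decisions: (path, hash) -> destinations already approved
    always: Dict[AppKey, Set[Destination]] = field(default_factory=dict)

    def check(self, path: str, executable: bytes, dest: Destination) -> str:
        """Return "allow" or the kind of prompt the user (or a policy) must answer."""
        key = (path, fingerprint(executable))
        if key in self.always:
            if dest in self.always[key]:
                return "allow"
            return "prompt:new-port"            # known binary asking for a new port
        if any(p == path for p, _ in self.always):
            return "prompt:binary-changed"      # same path, different hash: update or injection
        return "prompt:unknown-app"

    def allow_always(self, path: str, executable: bytes, dest: Destination) -> None:
        """Record an "allow always" answer for exactly this binary and destination."""
        self.always.setdefault((path, fingerprint(executable)), set()).add(dest)


# Constructed binaries: the second has had code appended to it.
UPDATER_V1 = b"\x7fELF...updater build 1"
UPDATER_TAMPERED = UPDATER_V1 + b"...injected stage"
PATH = "/opt/acme/updater"


def scenario() -> List[str]:
    """The sequence of verdicts a user would see, in order."""
    fw = AppFirewall()
    seen = [fw.check(PATH, UPDATER_V1, ("tcp", 443))]             # first run: unknown app
    fw.allow_always(PATH, UPDATER_V1, ("tcp", 443))
    seen.append(fw.check(PATH, UPDATER_V1, ("tcp", 443)))         # same binary, same port
    seen.append(fw.check(PATH, UPDATER_V1, ("tcp", 6667)))        # same binary, new port
    seen.append(fw.check(PATH, UPDATER_TAMPERED, ("tcp", 443)))   # changed binary, old port
    return seen


if __name__ == "__main__":
    print(scenario())
```

    The three prompt kinds are deliberately distinct. A single generic "Allow?" dialog is what trains the reflexive click the reply above complains about; keeping "binary changed at a path you already trusted" separate lets a policy treat it differently (deny, or require a trusted updater's signature) without bothering the user about every genuinely new program.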
  177. Re:Leave the networking stuff to the networking te by Gr8Apes · · Score: 1

    I think we'll have to agree to disagree on this.

    You've now added clauses to define meanings elsewhere - and "hide" what I consider essential from the user.

    I think our basic issue here is that I believe having 100% of the data given in a table is better than 50% of the data in a graphical representation (admittedly just a number pulled out of the air as there is no way to make a quantitative representation of something that will potentially be different for every single installation.)

    Not only that, you've now introduced a paradigm where firewall A might be configured with one visualization regarding www, and firewall B with another, and they'll look the same unless you drill down.

    So, in short, while it might seem easier on the surface, I believe it is much more complex and far more open to error than the straight tabular data. (btw, the tabular data could also have an initial column stating it's www, thus removing all your complaints about it as it now has all the viewable data. In fact, most are set up that way.)

    --
    The cesspool just got a check and balance.
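    The disagreement running through the replies above (drsmithy: define "www" once and draw arrows; Gr8Apes: the table is the truth, and two firewalls can draw the same picture while meaning different ports) comes down to whether the picture compiles to the table and whether you can check the result. The block below is an added example for this thread, not any commenter's or vendor's code: a toy policy compiler that expands "clients --(www)--> webservers" into tabular rows per firewall, exports them in a grep-able form, and flags the exact drift Gr8Apes describes. Every object name, address and service definition in it is made up.

```python
"""A toy policy compiler: named objects and services defined once, a picture-
level rule ("clients --(www)--> webservers"), and the tabular rows it expands
to on each firewall.

Added example for this thread; not any commenter's or vendor's code. Every
object name, address and service definition below is made up.
"""

import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Port = Tuple[str, int]   # (protocol, port)


@dataclass
class Firewall:
    name: str
    objects: Dict[str, List[str]]            # object name -> addresses/prefixes
    services: Dict[str, Tuple[Port, ...]]    # service name -> the ports it means HERE
    rules: List[Tuple[str, str, str]] = field(default_factory=list)  # (src, service, dst)

    def compile(self) -> List[dict]:
        """Expand each picture-level rule into one row per src/dst/port."""
        rows = []
        for src, svc, dst in self.rules:
            for s in self.objects[src]:
                for d in self.objects[dst]:
                    for proto, port in self.services[svc]:
                        rows.append({"fw": self.name, "src": s, "dst": d,
                                     "proto": proto, "dport": port,
                                     "service": svc, "action": "accept"})
        return rows


def to_iptables(rows: List[dict]) -> List[str]:
    """One filter-table line per row: the form an admin would otherwise hand-write."""
    return [f"iptables -A FORWARD -s {r['src']} -d {r['dst']} "
            f"-p {r['proto']} --dport {r['dport']} -j ACCEPT" for r in rows]


def export(fws: List[Firewall]) -> str:
    """Machine-readable dump of the compiled tables: grep it, diff it, back it up."""
    return json.dumps([r for fw in fws for r in fw.compile()], indent=1, sort_keys=True)


def service_drift(fws: List[Firewall]) -> List[Tuple[str, str, str]]:
    """Find a service name that means different ports on different firewalls.
    The pictures look identical; only the compiled tables reveal the gap."""
    first_seen: Dict[str, Tuple[str, Tuple[Port, ...]]] = {}
    drift = []
    for fw in fws:
        for name, ports in fw.services.items():
            if name in first_seen and first_seen[name][1] != ports:
                drift.append((name, first_seen[name][0], fw.name))
            first_seen.setdefault(name, (fw.name, ports))
    return drift


# Constructed sample: two firewalls drawn with the same "clients -> www -> webservers" arrow.
FW_A = Firewall("fw-dmz",
                {"clients": ["10.0.0.0/24"], "webservers": ["10.0.1.5", "10.0.1.6"]},
                {"www": (("tcp", 80), ("tcp", 443))},
                [("clients", "www", "webservers")])
FW_B = Firewall("fw-core",
                {"clients": ["10.0.0.0/24"], "webservers": ["10.0.1.5"]},
                {"www": (("tcp", 80), ("tcp", 22))},   # this box's "www" also lets sshd through
                [("clients", "www", "webservers")])


if __name__ == "__main__":
    print("\n".join(to_iptables(FW_A.compile())))
    print(service_drift([FW_A, FW_B]))
```

    Both sides of the argument survive contact with this: the picture is easier to read and the names only have to be right once, and the table is still what gets enforced, so the compiled rows are what you review, diff and back up. The `service_drift` check is the part neither a drawing nor a single firewall's table gives you on its own.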
  178. Re:I like PF, try PFSense, no try OpenBSD PF by Anonymous Coward · · Score: 0

    I like OpenBSD PF which is essentially the same thing but with the Security of OpenBSD.

  179. Cryptographically-based firewalls by mkomu · · Score: 1

    I am badly late on this topic, but I couldn't help but comment. Here's a link to a public-key based firewall: http://www.usenix.org/event/usenix07/posters/lindqvist.pdf The idea is to ditch IP address-based access control lists in firewalls and to favour public-key authentication to support mobile devices. The approach is also based on end-to-end VPN rather than the popular end-to-middle VPNs. Here's a longer journal article: http://www.igi-global.com/Bookstore/Article.aspx?TitleId=39054

    --
    -- Miika Komu miika@iki.fi http://www.iki.fi/miika
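    The idea in the linked poster, an ACL keyed on who holds a key rather than which address a packet came from, can be shown end to end in a few dozen lines. The block below is an added example for this thread, not the paper's code, and it does not implement HIP or any VPN: it only shows the access decision. The RSA in it uses tiny textbook parameters so that it runs stand-alone; it is not secure, and a real deployment would use a proper library and key sizes. Device names, addresses and the ACL contents are made up.

```python
"""Access control keyed on a public key, not an IP address.

Added example illustrating the idea in the linked poster; it is not that
paper's code. The RSA here uses tiny textbook parameters (p = 61, q = 53 and
the like) so the whole thing runs stand-alone: it is NOT secure, and a real
deployment would use a proper library and key sizes. Device names, addresses
and the ACL contents are made up.
"""

import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PublicKey = Tuple[int, int]   # (n, e)


def make_toy_key(p: int, q: int, e: int = 17) -> Tuple[PublicKey, int]:
    """Textbook RSA key from two small primes. Toy only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)


def digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg: bytes, pub: PublicKey, d: int) -> int:
    return pow(digest(msg, pub[0]), d, pub[0])


def verify(msg: bytes, pub: PublicKey, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)


def fingerprint(pub: PublicKey) -> str:
    """Short stable name for a key; this is what the ACL is written in."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]


@dataclass
class KeyFirewall:
    acl: Dict[str, Set[str]]                    # key fingerprint -> services allowed
    issued: Set[bytes] = field(default_factory=set)

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.issued.add(nonce)
        return nonce

    def admit(self, pub: PublicKey, nonce: bytes, sig: int, src_ip: str, service: str) -> str:
        """Decide on identity; src_ip is logged but never consulted."""
        if nonce not in self.issued:
            return "deny: unknown or replayed challenge"
        self.issued.discard(nonce)              # one use per nonce
        if not verify(b"fw-challenge:" + nonce, pub, sig):
            return "deny: bad signature"
        fp = fingerprint(pub)
        if service not in self.acl.get(fp, set()):
            return f"deny: key {fp} not allowed {service}"
        return f"allow: key {fp} from {src_ip}"


# Constructed identities: the roaming laptop that is on the ACL, and a stranger.
LAPTOP_PUB, LAPTOP_PRIV = make_toy_key(61, 53)
STRANGER_PUB, STRANGER_PRIV = make_toy_key(67, 71)


def scenario() -> List[str]:
    fw = KeyFirewall({fingerprint(LAPTOP_PUB): {"ssh", "www"}})
    out = []
    for ip in ("192.0.2.10", "198.51.100.7"):   # the laptop moves between networks
        nonce = fw.challenge()
        sig = sign(b"fw-challenge:" + nonce, LAPTOP_PUB, LAPTOP_PRIV)
        out.append(fw.admit(LAPTOP_PUB, nonce, sig, ip, "ssh"))
    nonce = fw.challenge()
    sig = sign(b"fw-challenge:" + nonce, STRANGER_PUB, STRANGER_PRIV)
    out.append(fw.admit(STRANGER_PUB, nonce, sig, "192.0.2.10", "ssh"))  # "right" IP, wrong key
    out.append(fw.admit(STRANGER_PUB, nonce, sig, "192.0.2.10", "ssh"))  # replayed nonce
    return out


if __name__ == "__main__":
    print("\n".join(scenario()))
```

    The two things to notice are what the IP-based table cannot express: the laptop is admitted from either address because the decision never looks at the address, and a host sitting on an "allowed" address is refused because it cannot sign the challenge with a listed key. The nonce bookkeeping is what stops a captured exchange from being replayed, which is the part a naive "just check the key" design tends to forget.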
  180. Re:When you finish your MBA- it'll all become clea by NemosomeN · · Score: 1

    Disable it in the bios of the device? Wtf, if you need security, disable it in the ROUTER. UPnP is for people who don't know how to set it manually. Why are you running your network on stock commodity hardware anyway?

    --
    I hate grammar Nazi's.