Slashdot Mirror


What Is the Future of Firewalls?

jlmale0 writes "When I mess with my WAP/router at home or coordinate with the network team at work, it seems like I'm stuck in 1995. We're still manually listing IP address/port combinations for our firewall rules. There's a certain simplicity to this when dealing with a single system, but there are firewalls everywhere these days. What's available for managing complex firewall arrangements? What's being developed? Can I take a Visio diagram, run it through a script, and get a list of firewall rules? What about a GUI that illustrates the current system configuration and then lets me drag and drop systems across firewalls, and have the individual firewall ports automatically configured? What about tying a firewall into an authentication system so that when jdoe logs in, only then are the firewalls opened to pass her traffic? What about managing distributed firewalls so that one repository of rules opens up your system's firewalls, the DMZ firewall, and the public firewall all at once? Let's get a conversation started. What cool projects do I need to know about? What cool management features would you like to see? What's next for firewall management?"


  1. When you finish your MBA- it'll all become clear. by bsane · · Score: 4, Funny

    When you finish your MBA- it'll all become clear.

  2. Re:When you finish your MBA- it'll all become clea by RobDollar · · Score: 5, Funny

    Do you get a free Belkin 54g with your MBA?

  3. Future of Internet and firewalls by seawall · · Score: 5, Insightful
    A wise wise network engineer at UW once showed me the following diagram several years ago:

    INTERNET -> PORT80, PORT443

    His point being that more and more is routed through ports 80 and 443 in an effort to avoid firewall restrictions. I often think he was right. Consequences for firewalls left up to reader.

    1. Re:Future of Internet and firewalls by bersl2 · · Score: 3, Insightful

      Shouldn't it be INTERNET <- PORT80, PORT443? You're talking about outbound traffic firewalling, right? Inbound is explainable by the limitations imposed by NAT.

    2. Re:Future of Internet and firewalls by Crackez · · Score: 3, Funny

      BitterOak's Sig:
      "If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?"

      No, you can be modded up for being a Unix Sysadmin, Unix Developer, or M$ hater. All of the others you mention are downward.

  4. Google's capirca by Anonymous Coward · · Score: 3, Interesting

    "Developed internally at Google, this system is designed to utilize common definitions of networks and services and high-level policy files to facilitate the development and manipulation of network access control filters (ACLs) for various platforms." http://code.google.com/p/capirca/
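The comment above describes the capirca idea: shared definitions of networks and services, a high-level policy, and per-platform rule generation. The block below is an added example written for this page, not capirca's code or its policy syntax; the definitions, the term format and the two renderers (iptables and pf) are illustrative assumptions. It also shows the check a practitioner wants from such a compiler: every name must resolve, and the policy must end in an explicit deny-all before anything is emitted.

```python
"""Added example, not capirca's code or policy syntax: a toy compiler in the
spirit the comment describes. Shared definitions of networks and services
plus a short high-level policy are rendered into rules for two packet
filters (iptables and pf). The definitions, policy format and term names
are illustrative assumptions made for this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed network and service definitions, shared by every term.
NETWORKS = {
    "ANY": ["0.0.0.0/0"],
    "INTERNAL": ["10.0.0.0/8", "192.168.0.0/16"],
    "WEB_SERVERS": ["10.1.2.10/32", "10.1.2.11/32"],
}
SERVICES = {
    "HTTP": [("tcp", 80)],
    "HTTPS": [("tcp", 443)],
    "DNS": [("udp", 53), ("tcp", 53)],
}


@dataclass
class Term:
    """One high-level policy statement; an empty service list means any port."""
    name: str
    src: str
    dst: str
    services: List[str]
    action: str  # "accept" or "deny"


def expand(term: Term) -> List[Tuple[str, str, Optional[str], Optional[int]]]:
    """Expand symbolic names into concrete (src, dst, proto, port) tuples
    in definition order, so the generated output is deterministic."""
    out = []
    for s in NETWORKS[term.src]:
        for d in NETWORKS[term.dst]:
            if not term.services:
                out.append((s, d, None, None))
                continue
            for svc in term.services:
                for proto, port in SERVICES[svc]:
                    out.append((s, d, proto, port))
    return out


def render_iptables(terms: List[Term], chain: str = "FORWARD") -> List[str]:
    """Emit iptables-restore style lines; the term name travels as a comment."""
    lines = []
    for t in terms:
        target = "ACCEPT" if t.action == "accept" else "DROP"
        for s, d, proto, port in expand(t):
            match = f"-p {proto} --dport {port} " if proto else ""
            lines.append(f"-A {chain} -s {s} -d {d} {match}"
                         f"-m comment --comment {t.name} -j {target}")
    return lines


def render_pf(terms: List[Term]) -> List[str]:
    """Emit pf.conf lines; 'quick' makes pf first-match, like the policy order."""
    lines = []
    for t in terms:
        verb = "pass" if t.action == "accept" else "block"
        for s, d, proto, port in expand(t):
            match = f"proto {proto} " if proto else ""
            portm = f" port {port}" if port else ""
            lines.append(f"{verb} quick {match}from {s} to {d}{portm} # {t.name}")
    return lines


def compile_policy(terms: List[Term], platform: str) -> List[str]:
    """Validate the policy against the shared definitions, insist on an
    explicit trailing deny-all, then render for the requested platform."""
    for t in terms:
        for n in (t.src, t.dst):
            if n not in NETWORKS:
                raise ValueError(f"{t.name}: unknown network {n}")
        for svc in t.services:
            if svc not in SERVICES:
                raise ValueError(f"{t.name}: unknown service {svc}")
        if t.action not in ("accept", "deny"):
            raise ValueError(f"{t.name}: unknown action {t.action}")
    last = terms[-1]
    if not (last.action == "deny" and last.src == "ANY"
            and last.dst == "ANY" and not last.services):
        raise ValueError("policy must end with an explicit deny-all term")
    return {"iptables": render_iptables, "pf": render_pf}[platform](terms)


# Constructed policy: two permits, then the mandatory catch-all deny.
POLICY = [
    Term("allow-web", "ANY", "WEB_SERVERS", ["HTTP", "HTTPS"], "accept"),
    Term("allow-dns", "INTERNAL", "ANY", ["DNS"], "accept"),
    Term("default-deny", "ANY", "ANY", [], "deny"),
]

if __name__ == "__main__":
    for platform in ("iptables", "pf"):
        print(f"# {platform}")
        print("\n".join(compile_policy(POLICY, platform)))
```

Because the network and service names are resolved at compile time, renaming a host or adding a server to WEB_SERVERS changes every generated rule set at once, which is the single-repository property the original question asks for; the trailing deny-all check is what keeps an edited policy from silently failing open.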

  5. Re:The future is now by blackraven14250 · · Score: 4, Insightful

    I love how you *nix guys don't ever take end users into consideration. You think "Oh, just learn how to script the stuff together with some shell and you'll be good!".

    All the while, the end users are saying "We don't care about having to learn to write a script; just include one with your damned program, and have a standard that routers can accept this file and it will just work and be simple."

  6. What's next for firewall management? by Centurix · · Score: 5, Funny

    I haven't looked, but I'm sure there's an iPhone app for that.

    --
    Task Mangler

  7. Feature, not bug by RightwingNutjob · · Score: 4, Insightful

    Anything that lets you automagically configure a firewall from outside of it is a potential exploit waiting to happen. Things that are stupid, slow, and require physical access are that much more secure.

    1. Re:Feature, not bug by clintonmonk · · Score: 5, Funny

      Things that are stupid, slow, and require physical access are that much more secure... in bed.

  8. It's about demand –or lack thereof by dn15 · · Score: 4, Insightful

    I think that firewall administration has been allowed to remain shoddy because most people who aren't gamers or server admins don't need to change the settings at all. Gamers are usually obsessed enough with playing that they will take the time to figure it out. And sysadmins, well it's their job to know how to do that stuff.

    This isn't an excuse for things being the way they are, but an explanation. Most people just vaguely understand that a firewall protects their computer, but they don't know any more than that and will probably never have to configure one. If the archetypal grandmother or joe six pack ever has a reason to manage firewall settings (unlikely) then an easy configuration tool will appear overnight. Unless a widespread need arises, limited demand will translate to limited effort spent developing user-friendly tools.

  9. Re:The future is now by bmo · · Score: 3, Insightful

    The "Simple Way" is usually the wrong way when dealing with complex systems.

    There are tools that make things easier for "roughing out" what you want, but fine tuning is always breaking out a text editor and making adjustments.

    What about the users? Fuck them. They don't even know what an operating system is and don't care what it is, don't care what a firewall is outside of "it keeps the bad guys out," don't care what a router or switch is, and mostly don't care how a network works or even bother to learn how to navigate a file system. Most of all, they cannot be trusted to reliably run a script without somehow screwing it up, even if it's one click of a mouse.

    This is why your system administrator treats you like someone who just got off the short bus.

    --
    BMOs

  10. I like PF, try PFSense by bsDaemon · · Score: 5, Insightful

    The BSD 'pf' packet filter is pretty good. There is even a FreeBSD-based project known as pfsense which you might want to take a look at, as it offers a pretty-much drop-in solution for packet filtering, as well as NAT, load balancing, VPN connectivity, etc. There is a web-based administration GUI as well. It looks pretty sweet, but I haven't played with it much in any serious deployment personally.

  11. Re:The future is now by blackraven14250 · · Score: 5, Insightful

    "Yeah, fuck those end users! We'll make it a bitch and a half to use our product even though the fixes are simple!"

    Honestly now, I'm talking about home users, the other people who use firewalls, even though they don't know it. Make it a standard on routers where on the router's config page, it can accept a small text file with ports to be routed to the current connection. Even better, have the program send that information when the game starts, and have the ports un-routed when the game ends. It's a relatively simple, easy fix for the headache that is "finding out the proper ports for XBox Live to work" and entering them manually.

    I know how to do it, but let me tell you, I don't know many other people that can install a router to begin with, let alone get their port forwarding to work for Gears of War; and they don't care to learn. Ease of use and the user interfaces on routers haven't improved one bit for consumers from the Belkin I had in 2002; why should a market completely stagnate in user friendliness for that long?

    Oh, that's right. It's because every *nix head doesn't think about the real end user, just what's "most powerful" in terms of features. Design solely for the power users and administrators, and you miss 95% of the market - what Linux has excelled at for many, many years.

  12. SOHO mindset in an Enterprise world by adosch · · Score: 4, Insightful

    Characteristically, firewalls are simply just that: a barrier to entry into a restricted, trusted area unless you're allowed to do so. So I'm confused why I would, first of all, want something 'automagically' configured for me in an enterprise setting? There's a very good reason your network admins at your workplace highly scrutinise a single IP address: because it's important to your infrastructure, IT/perimeter security standards and business, and it's their job to. If they aren't at least, on a high level, asking you the 5-W's about why you need the rule(s) and you don't have answers, why should they even allow it?

    What about tying a firewall into an authentication system so that when jdoe logs in, only then are the firewalls opened to pass her traffic?

    That's what tiered firewall-VPN solutions are for.

    What about managing distributed firewalls so that one repository of rules opens up your system's firewalls, the DMZ firewall, and the public firewall all at once?

    Port knocking is pretty helpful in this, but can also bite your security-through-stealthy-obscurity right in the ass as well.

    Can I take a Visio diagram, run it through a script, and get a list of firewall rules?

    Visio diagrams are for documentation and suits. I couldn't hold any merit to that because firewall rules aren't just something you slap together (unless you're doing it for fun or at home or want Johnny Cracker hosting pr0n on an anonymous FTP on your computer at home). Flow-based solutions process rules in a top-down fashion, so it takes very good sets of eyes to develop rules that aren't going to be a liability, cause backdoors, trump existing rules and break security or flat out cause things to not work anymore in your production environment.
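The last paragraph above makes the point that first-match, top-down rule processing lets a new rule "trump" existing ones or open a backdoor without anyone noticing. The block below is an added example, not code from the thread or from any product: a shadow check over a small constructed rule list. A later rule that an earlier rule already covers completely can never fire; if the two rules agree it is merely redundant, if they disagree the earlier rule silently wins, which is exactly the liability the comment warns about. The rule format and names are assumptions made for the example.

```python
"""Added example, not from the thread: a shadow check for a first-match
(top-down) rule list. A later rule that can never match because an earlier
rule already covers all of its traffic is either redundant (same action)
or a silent conflict (different action). Rule format is constructed here."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    proto: Optional[str]   # None means any protocol
    src: str               # CIDR
    dst: str               # CIDR
    dport: Tuple[int, int]  # inclusive destination port range; (0, 65535) = any


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that would match b has already matched a."""
    if a.proto is not None and a.proto != b.proto:
        return False
    src_a, src_b = ipaddress.ip_network(a.src), ipaddress.ip_network(b.src)
    dst_a, dst_b = ipaddress.ip_network(a.dst), ipaddress.ip_network(b.dst)
    if not (src_b.subnet_of(src_a) and dst_b.subnet_of(dst_a)):
        return False
    return a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1]


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (shadowed rule, rule that shadows it, kind) for every rule that
    an earlier rule fully covers; only the first covering rule is reported."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((later.name, earlier.name, kind))
                break
    return findings


# Constructed rule list in the order the filter would evaluate it.
RULES = [
    Rule("allow-web", "allow", "tcp", "0.0.0.0/0", "10.1.2.0/24", (80, 80)),
    Rule("allow-lan", "allow", None, "10.0.0.0/8", "10.0.0.0/8", (0, 65535)),
    # Someone later tried to block one legacy host; allow-web already matched.
    Rule("deny-legacy-web", "deny", "tcp", "0.0.0.0/0", "10.1.2.50/32", (80, 80)),
    # Harmless but dead: allow-lan already permits all of this.
    Rule("allow-lan-ssh", "allow", "tcp", "10.2.0.0/16", "10.3.0.0/16", (22, 22)),
    Rule("deny-all", "deny", None, "0.0.0.0/0", "0.0.0.0/0", (0, 65535)),
]

if __name__ == "__main__":
    for shadowed, by, kind in find_shadowed(RULES):
        print(f"{kind}: '{shadowed}' can never match, '{by}' covers it first")
```

Running this on the constructed list reports the deny for the legacy host as a conflict and the LAN SSH rule as redundant, while the trailing deny-all is correctly left alone because no earlier rule spans every protocol and address. Partial overlaps (a later rule only some of whose traffic is pre-empted) are a separate, harder check and are not attempted here.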

  13. I smell marketing by JoeBuck · · Score: 4, Insightful

    OK, jlmale0, are you working on requirements or marketing for a product in this space? You can tell us, it's OK.

  14. Re:Leave the networking stuff to the networking te by Ximok · · Score: 5, Insightful

    Yes, find someone who knows something about networking and more importantly about firewalls. Try someone who has a CCSP or CCIE:Security as part of their title. Some of the things you are talking about have existed for years on Cisco PIX and ASAs, like downloadable ACLs (where based on your credentials you get firewalled differently), which can be applied across a whole enterprise of firewalls. Dynamic inspection of traffic, like H.323 traffic, so you don't have to open a whole range of ports other than the signalling port.

    Dear lord, gui based management of a fleet of firewalls? You want to drag and drop things and make magic happen when you do that? Sounds pretty reckless and dangerous to me. That's like saying because you can ride a bicycle, you should be allowed to drive a hazmat semi at top speed through downtown LA. If you don't understand what the rules are and how they will be applied in the first place, you are likely just going to cause problems (like accidentally shutting off your company's ability to sell their trinkets online because you locked it down on accident.)

    By the way, I don't care what the kid from the nerd herd tells you, Belkin and Linksys do not sell firewalls. They sell quasi-routers with NAT and some limited form of access control. Finally, UPnP is not the answer to your problem, that just makes it easy for people to put devices on your network to open security holes up in your firewall, which is why it's not supported on most enterprise grade firewalls (and wouldn't work anyway if you looked at the way most enterprises build their networks)

  15. Re:The future is now by Crackez · · Score: 5, Interesting

    You may not be worth this reply, however, I will try to overcome my Unixism.

    "It can scarcely be denied that the supreme goal of all theory is to make the irreducible basic elements as simple and as few as possible without having to surrender the adequate representation of a single datum of experience." - Albert Einstein

    I don't mean to quote and sound all guru-ish, however, this particular quote has a deep meaning with regard to this discussion.

    "Shit's tough, you have to be tough too." - I think I invented that one.

    Basically, if you can't swim then get out of the water, or learn to swim; those are your only choices.

    Stuff like networking is zen, it's just bits on a wire. On the other hand, it can be hard. Waah.

  16. Re:The future is now by Fred+Ferrigno · · Score: 3, Insightful

    Make it a standard on routers where on the router's config page, it can accept a small text file with ports to be routed to the current connection. Even better, have the program send that information when the game starts, and have the ports un-routed when the game ends. It's a relatively simple, easy fix for the headache that is "finding out the proper ports for XBox Live to work" and entering them manually.

    That already exists. It's called UPnP. Xbox Live even supports it.

  17. Re:The future is now by bmo · · Score: 3, Insightful

    have the program send that information when the game starts, and have the ports un-routed when the game ends.

    This is insane. This really is an insane concept. If you think that the home user is the black-hat botnet operator's bitch, this will only exacerbate the situation. You are removing what little human interaction there is in configuring a router and turning it over to software completely. You really need to examine what you just asked for, because it's stupid.

    Why not just supply the user with a pail of K-Y Jelly?

    --
    BMO

  18. If you're using Visio, you're doing it wrong by morphage · · Score: 5, Interesting

    There are two problems with your question.

    The first is you may believe tools and diagrams will take the pain out of implementing and enforcing security policy. Network design is systems design. Diagrams are essential in communicating that a system meets the requirements to stakeholders and management who make budgets and can't visualize how improved security adds value. But firewalls and their associated diagrams are just one element of security. What about OS patches, authentication and physical security? You know that firewalls run software and software needs maintenance. Pointing to a well executed diagram won't save you from applying vendor software updates. Are your policies sane? Security tools are only as good as the policies they implement and the people who use them. Your tool may show you that you have correctly hidden an important asset from the outside world, but are all your assets protected? Does your organization give out VPN logins to unqualified users? Are you using a VPN? Can your services run over a tunnel? If your servers or services can be secured do you really need to block all ports and selectively open a few? Can any of your services take advantage of TCP Wrappers?

    "When you finish your MBA- it'll all become clear." is spot on. Perform a cost benefit analysis. Figure out how many hours at your rate it will take to cobble together some scripts or pay a developer for a custom tool. Then figure out how much it would cost to hire a qualified network engineer. Then figure out the cost of losing business due to denial of service or network intrusions. Then realize that you still probably need a network engineer to correct your diagrams and security policies after you use a custom tool. You can always do your own taxes and defend yourself in court, but can you afford to be wrong? Complex problems need people with specialized knowledge.

    The second problem is no tool programmer in their right mind would want to write a program to generate scripts from Visio. I'm a programmer, not a network guy, but like many programmers I've run Linux and OpenBSD development and webservers and done my best to keep them secure. I've also used Visio, and Visual Paradigm and some other very expensive commercial tools for creating UML diagrams. In less time than it would take me to figure out how to correctly draw something in Visio, I could have skimmed the man pages and the internet for the correct syntax required to write a rule in iptables or pf. Visio is not an intuitive tool for working in most domains. Adobe Illustrator with all its quirks makes more sense in comparison. If you want a neat toy or project, take a look at GNU DIA, or Argo UML and write patches to generate configuration files. Even if you are successful there is no standard operating system or vendor independent language for defining firewall rules. Don't ever expect to drag and drop a policy to migrate rules from a Linux based appliance to a Cisco router to a Juniper switch to a BSD based appliance. Cisco has made billions by locking in customers to their own standards. Linux and BSD are integrated into many firewall appliances but they also have their own version dependent quirks and special sauce from vendors.

  19. Re:Leave the networking stuff to the networking te by postbigbang · · Score: 3, Insightful

    Secure perimeters are illusions. Every machine needs its own defense. Firewalls are good for NAT, which foils a few, and stateful inspection, which fools a few more. Otherwise, internal firewalling and boundary checks are the only answer, coupled to download security hashing checks-- and those get bitten, too.

    Belief in firewalls and secure perimeters are the reason that some 30% of all machines in a domain are bot'd somehow..... along with Checkpoint, Norton, Microsoft, and so on. A CCIE or CCSP gives you someone that can help, but there's no guarantee that someone won't click on a site that will give your browsers a headache, then the infection, and so on.

    The MuSystems guys can tell you about fuzzing attacks that will leave most equipment in a state of mush. With enough pounding, you can break about anything. Sorry to be dour, but you have to use best practices, and protect each individual device, not just the perimeter.

    --
    ---- Teach Peace. It's Cheaper Than War.

  20. Re:The future is now by Jimmy+King · · Score: 4, Insightful

    Computers are complex. Something that can do many things in many different ways is always going to be complex to work with. One of the biggest disservices we've done for people in terms of computer and Internet use is telling them that they are simple and anyone can use one without any training. It's not true, it's not likely to ever be true, at least not while staying what we think of as a PC. When it becomes true you've got a WebTV (There might be a few people here who are too young to remember those... crazy) or a video game console.

    As to firewalls and routers specifically? I believe UPnP does what you would like for the most part if app developers would make use of it (I haven't ever made use of it that I can think of, so I'm not 100% certain), although I believe having app developers include something that just goes in and modifies firewall rules as a black box to the end user is a risky idea. The app developer has no idea what else the user has on their system and how their changes to the firewall might affect that. This is the sort of thing end users should know about at a basic level, akin to changing a tire, checking coolant, etc. on a car. Many probably don't know and get by just fine, but they should know, it's definitely in their best interest.

    I've said this before on here and I'm sure I'll say it many more times. While the internet has provided a lot of good and a lot of knowledge and I wouldn't ever support taking it away from people, you have to wonder what the hell the first guy who thought it would be a good idea to make normal users system administrators (that is what a home user is) on the largest, most complex network in the world was thinking.

  21. Re:I, For one, by Firethorn · · Score: 4, Informative

    Actually on our network we've ended up installing personal firewalls AND boundary ones.

    They end up protecting from different attacks, really.

    It's all about the defense in depth. We also have intrusion detection and other stuff(I'm not going to get real specific).

    If nothing else, a set of hardware firewalls are quicker to update against a new attack than umpteen clients.

    --
    I don't read AC A human right

  22. Re:The future is now by Qzukk · · Score: 4, Interesting

    let alone get their port forwarding to work for Gears of War

    Did the Gears of War developers at least bother to tell you what ports you needed, or did they leave that to be discovered in the forums by a bunch of people guessing random numbers until it kind-of works for some people?

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.

  23. New advances in firewall technology by bl8n8r · · Score: 4, Funny

    There are currently a number of applications being developed by DORKA which will allow PHBs to manage their own corporate firewalls from an Excel spreadsheet or Microsoft JET database. The applications are being developed from a usability standpoint rather than a security standpoint which allows all traffic to be allowed by default (IPv6 is ignored for simplicity because nobody understands it anyway). When the software detects a DDoS, Intrusion, or Security Breach in progress, it will send an email to the managing PHB and trigger a rule to route BLAME packets through Layer 8 instead. All there is to the interface is a red button marked "Easy", a Yellow button marked "Out To Lunch", and a red button marked "WTF?". You should find it very exciting.

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org

  24. Re:The future is now by LodCrappo · · Score: 5, Insightful

    "Yeah, fuck those end users! We'll make it a bitch and a half to use our product even though the fixes are simple!"

    No, the fixes are not simple. I don't know why you feel qualified to proclaim that they are, but you are mistaken.
    I'm also not sure where you got the idea that anyone intentionally makes their products difficult to use. It is far more likely that the device you struggle to use is "difficult" due to lack of any effort, not because of a specific effort to make it difficult.

    Honestly now, I'm talking about home users, the other people who use firewalls, even though they don't know it. Make it a standard on routers where on the router's config page, it can accept a small text file with ports to be routed to the current connection. Even better, have the program send that information when the game starts, and have the ports un-routed when the game ends. It's a relatively simple, easy fix for the headache that is "finding out the proper ports for XBox Live to work" and entering them manually.

    Once again, your simplistic "solution" reveals how little you understand about the problem. Ignoring the technical issues (and the fact that all of this has been possible via UPnP which works much more simply than your proposal), why would a user know what a "router config page" or a "text file" is? Why would a home user know how to acquire this text file or how to submit it to a router config page? You've defined "typical user" in terms of what *you* know how to do, which is just as foolish as a unix admin defining the typical user in terms of what they understand.

    I know how to do it, but let me tell you, I don't know many other people that can install a router to begin with, let alone get their port forwarding to work for Gears of War; and they don't care to learn. Ease of use and the user interfaces on routers haven't improved one bit for consumers from the Belkin I had in 2002; why the should a market completely stagnate in user friendliness for that long?

    Oh, that's right. It's because every *nix head doesn't think about the real end user, just what's "most powerful" in terms of features. Design solely for the power users and administrators, and you miss 95% of the market - what Linux has excelled at for many, many years.

    So much misunderstanding.. so little time. What do "*nix heads" have to do with routers? Very few routers run unix, and home router user interfaces certainly have nothing to do with unix. Why haven't you seen changes in these devices since 2002? Basically because they work well enough for that 95% of the market you mention. You know what has changed? They cost a lot less. This is really all that same 95% give a shit about.

    And finally.. what gives you the idea that Linux wants anything to do with this 95%? Linux is made by skilled folks who were nice enough to share so that other skilled folks can use it and hopefully add something back to the pool. That 95% has very little to offer us.

    Comments like "linux will never 'win' until it's easy to use" are silly.. Linux already won, it just isn't playing with you.

    --
    -Lod

  25. Balderdash, poppycock.. by Niobe · · Score: 3, Insightful

    ..and rubbish. I manage over 90 firewalls as a fraction of my full-time duties and it's a cakewalk. Why? I'm competent with unix (and a bunch of scripting languages). GUIs are for the command-line challenged..

    1. Re:Balderdash, poppycock.. by geekprime · · Score: 3, Insightful

      I'll take a shot,
      With automation via scripting you have to know BOTH the scripting language AND firewall management.

      With a GUI you don't _need_ to know either.

    2. Re:Balderdash, poppycock.. by geekprime · · Score: 3, Interesting

      It DOES ensure you have a better idea of what you are doing and exactly how it was done.

      With a GUI you are assuming that the person that wrote the GUI has done everything in exactly the right way but you can't prove it. Nor can you prove that it's entirely correct for your application, the gui HIDES the important details in favor of simplicity.

      Further, you cannot automate a gui to do the same thing to 62 different routers on 11 subnets without having to do those exact same seventeen clicks on each one. Nor can I read through the (non-existent) script at a later date to remind me what the heck it was I did. Yes it should be all documented but I can't tell you how many times I have spent an hour determining that someone skipped a single click or check box in a windows setup that makes one machine act differently from the others.
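Niobe's 90 firewalls and geekprime's "someone skipped a single click" problem are two sides of the same task: confirming that every device in a fleet actually carries the rule set the repository says it should. The block below is an added example, not code from either poster or from any vendor: it normalizes each device's captured rules so that equivalent spellings (a bare host vs. /32, a dotted netmask vs. a prefix, "any" vs. 0-65535, mixed case) compare equal, then reports what is missing, what is extra, and whether the order drifted. The one-line-per-rule capture format, the device names and the rule contents are all constructed for the example.

```python
"""Added example, not from the thread: a fleet consistency audit. Each
device's running rule set (constructed text in a made-up one-line-per-rule
format, not any vendor's syntax) is normalized and compared with the rule
set the repository says it should have, so a device where one step was
skipped or one extra rule crept in stands out."""
import ipaddress
from typing import Dict, List, Tuple

Rule = Tuple[str, str, str, str, Tuple[int, int]]


def normalize(line: str) -> Rule:
    """Canonicalize one rule line so equivalent spellings compare equal:
    action/proto lower-cased, addresses as CIDR, ports as a numeric range."""
    action, proto, src, dst, ports = line.split()

    def net(x: str) -> str:
        # "10.1.2.10" -> "10.1.2.10/32", "10.0.0.0/255.0.0.0" -> "10.0.0.0/8"
        return str(ipaddress.ip_network(x, strict=False))

    def port_range(p: str) -> Tuple[int, int]:
        if p.lower() == "any":
            return (0, 65535)
        lo, _, hi = p.partition("-")
        return (int(lo), int(hi or lo))

    return (action.lower(), proto.lower(), net(src), net(dst), port_range(ports))


def parse(text: str) -> List[Rule]:
    """Ordered list of normalized rules; blank lines and # comments skipped."""
    return [normalize(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def audit(baseline_text: str, devices: Dict[str, str]) -> Dict[str, dict]:
    """Per device: rules missing from it, rules it has that the baseline does
    not, and whether an otherwise identical set is in a different order
    (order matters on a first-match filter, so it is reported separately)."""
    expected = parse(baseline_text)
    report = {}
    for name, text in devices.items():
        actual = parse(text)
        missing = sorted(set(expected) - set(actual))
        extra = sorted(set(actual) - set(expected))
        report[name] = {
            "missing": missing,
            "extra": extra,
            "reordered": not missing and not extra and actual != expected,
        }
    return report


# Constructed baseline from the (hypothetical) central repository.
BASELINE = """
permit tcp 0.0.0.0/0 10.1.2.10 80
permit tcp 0.0.0.0/0 10.1.2.10 443
permit udp 10.0.0.0/8 10.0.0.53 53
deny ip 0.0.0.0/0 0.0.0.0/0 any
"""

# Constructed captures from three devices, written with deliberately
# different but equivalent spellings where the content is the same.
DEVICES = {
    "fw-dc1": """
permit tcp 0.0.0.0/0 10.1.2.10/32 80
PERMIT TCP 0.0.0.0/0 10.1.2.10 443
permit udp 10.0.0.0/255.0.0.0 10.0.0.53 53-53
deny ip 0.0.0.0/0 0.0.0.0/0 0-65535
""",
    # The HTTPS rule was never applied here (the "skipped click").
    "fw-dc2": """
permit tcp 0.0.0.0/0 10.1.2.10 80
permit udp 10.0.0.0/8 10.0.0.53 53
deny ip 0.0.0.0/0 0.0.0.0/0 any
""",
    # An undocumented RDP rule was added by hand.
    "fw-branch": """
permit tcp 0.0.0.0/0 10.1.2.10 80
permit tcp 0.0.0.0/0 10.1.2.10 443
permit udp 10.0.0.0/8 10.0.0.53 53
permit tcp 0.0.0.0/0 10.1.2.10 3389
deny ip 0.0.0.0/0 0.0.0.0/0 any
""",
}

if __name__ == "__main__":
    for device, result in audit(BASELINE, DEVICES).items():
        print(device, result)
```

On the constructed captures fw-dc1 comes back clean despite its cosmetic differences, fw-dc2 is reported as missing the HTTPS permit, and fw-branch is reported with an extra permit for port 3389. This is the kind of check a script can run against 62 routers in one pass and that no sequence of clicks can reproduce or leave a record of.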