Re: Time to move beyond the 32 bit Internet.

On 07/01/2014 08:07 PM, Mark Andrews wrote:
> Part of the issue is that a firewall doesn't actually do much to
> help a properly secured host, and they just make applications harder
> to develop as they need to start punching holes in multiple firewalls.

Maybe the question is "how many of the hosts out there are properly
secured"?



> It just drops a little traffic which would otherwise be rejected
> immediately or dropped after timeout by the host.

Not sure what you mean...


> Additionally, firewall developers do not keep up to date with protocol
> changes (how many firewalls, 15 years after EDNS was developed,
> still think that DNS/UDP packets are 512 bytes?).  They are often
> used incorrectly to block legitimate traffic (ICMP PTB, fragments)
> associated with "wanted" flows.

This could be an indication of room/need for advice.



> They are themselves an attackable DoS point due to table exhaustion.

Agreed. But that really depends on the type of firewall (stateless vs.
stateful) and other assumptions such as "the good folks are in the
internal network, the bad ones on the outside" -- and even then
firewalls can limit the number of state table entries based on source
address or user.



> They also don't encourage other manufacturers to take security of
> their products into proper consideration.

Well, the guy deploying the firewall is most likely not the vendor,
i.e., he probably has deployed products that "might not have taken
security seriously", and the firewall at least possibly blocks some
attacks against them.


> Just because they are
> inside a "firewall" doesn't mean that they are in a safe environment,
> yet that is the attitude some manufacturers seem to take.
> 
> Also, once the application punches holes in the firewall it may as well
> not be there, as the service is exposed.

This seems to be an argument against "diode" firewalls rather than
against firewalls in general?

Cheers,
-- 
Fernando Gont
e-mail: fernando@xxxxxxxxxxx || fgont@xxxxxxxxxxxxxxx
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
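The per-source state limit mentioned above, as an added illustration that is not part of the thread: a toy stateful connection table (hypothetical `StateTable`, constructed addresses) showing how a single source exhausts a global-capacity table unless entries are capped per source address.

```python
"""Toy stateful-firewall connection table with an optional per-source cap.
Constructed example; flows are (src_ip, src_port, dst_ip, dst_port, proto)."""
from collections import defaultdict


class StateTable:
    def __init__(self, capacity, per_source_cap=None):
        self.capacity = capacity            # total entries the table can hold
        self.per_source_cap = per_source_cap  # None means no per-source limit
        self.entries = set()                # flows currently tracked
        self.per_source = defaultdict(int)  # entries consumed per source IP

    def admit(self, flow):
        """Create state for a new flow; return True if state was allocated."""
        src = flow[0]
        if flow in self.entries:            # already tracked, nothing to allocate
            return True
        if len(self.entries) >= self.capacity:
            return False                    # global table exhausted
        if self.per_source_cap is not None and self.per_source[src] >= self.per_source_cap:
            return False                    # this source already holds its share
        self.entries.add(flow)
        self.per_source[src] += 1
        return True

    def expire(self, flow):
        """Drop a flow (e.g. on idle timeout or FIN) and free its slot."""
        if flow in self.entries:
            self.entries.discard(flow)
            self.per_source[flow[0]] -= 1


def simulate(per_source_cap):
    """One abusive source opens 2000 flows, then a legitimate client connects.
    Returns (entries held by the abusive source, whether the legit flow got state)."""
    table = StateTable(capacity=1000, per_source_cap=per_source_cap)
    abusive = "203.0.113.7"                 # constructed, RFC 5737 documentation range
    for sport in range(1, 2001):
        table.admit((abusive, sport, "192.0.2.10", 53, "udp"))
    legit_ok = table.admit(("198.51.100.4", 40000, "192.0.2.10", 80, "tcp"))
    return table.per_source[abusive], legit_ok


if __name__ == "__main__":
    print("no per-source cap:", simulate(None))   # (1000, False): table exhausted
    print("per-source cap 100:", simulate(100))   # (100, True): legit client admitted
```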