svlug_firewall_definitions

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



To: svlug@svlug.org

Date: Tue, 16 Jan 2001 01:05:23 -0800
Subject: Re: [svlug] /etc/hosts.deny & wrappers & xinetd
From: Rick Moen <rick@linuxmafia.com>

begin  Ajay quotation:

> And an access control list on a firewall is one way of restricting
> access to services, but to my knowledge most people consider firewalls
> only a first line of defense....
       ^^^^^^^

I believe you misspelled "an additional".

In the name of minimising wasted time, when people come at you with
opinions and clueless questions about "firewalls", ask them "When you
use the term 'firewall' in this context, are you referring to
application-level proxy gateways, or do you mean filtering routers.  If
the latter, is this an implementation with stateful filters, or not?"

If, as is usually the case, they have no fscking clue what you've just
asked, then they are wasting your time, and you should suggest a reading
list before they bother you again.

===

To: Rick Moen <rick@linuxmafia.com>
Subject: Re: [svlug] BAD PASSWORD: it is based on a dictionary word 
Date: Tue, 16 Jan 2001 01:33:08 -0800
From: J C Lawrence <claw@kanga.nu>

On Tue, 16 Jan 2001 00:31:15 -0800 
Rick Moen <rick@linuxmafia.com> wrote:

> Some sysadmins insist on implementing good administrative
> practices on machines they're responsible for, as reflecting on
> their professionalism and good name.

The definition of practices is of course contextual.

At SGI the explicit expectation is that all developer systems will
have an open guest account.  When I came there and immediately
locked down guest (I made the passwd "guest") it was not long before
I had a couple comments from odd folks (Dave Olson among others)
querying why ("Ahh, you're from outside, that makes sense.")  There
the expectation was, and remains, that every developer system will
have an open guest account (no passwd) so that among other things
easy monitoring may be done of what revs of what software are being
run on what platforms (most developers keep up with the current beta
IRIX release on their desktops and development boxes), and on odd
occasions interesting distributed processing may be done in off
hours.

Their security model is heavy firewalling, strong invasive and
behavioural border traffic analysis (Simon Cooper's work FWIW), and
the creation of a wide-open "safespace" within that boundary.

===

Date: Tue, 16 Jan 2001 11:30:53 -0800
From: Don Marti <dmarti@zgp.org>
Subject: Re: [svlug] /etc/hosts.deny & wrappers & xinetd

On Tue, Jan 16, 2001 at 01:05:23AM -0800, Rick Moen wrote:

> In the name of minimising wasted time, when people come at you with
> opinions and clueless questions about "firewalls", ask them "When you
> use the term 'firewall' in this context, are you referring to
> application-level proxy gateways, or do you mean filtering routers.  If
> the latter, is this an implementation with stateful filters, or not?"

The word "firewall" is now meaningless. Hey, let's start the Canonical
List of Things that People Call "Firewalls". I'll list a few, with
examples.

Dedicated router configured for stateless packet filtering.  (many Cisco
products)

System running a general-purpose OS, with routing enabled, configured
for packet filtering, either stateless or stateful (Linux box with ipchains
or iptables)

Software package for a general-purpose OS that implements packet filtering,
either stateless or stateful  (Checkpoint Firewall-1)

System running one or more application-level proxies. (Linux box with a
minimal Postfix configuration fronting for an internal "bells-n-whistles"
mail server)

Software package that implements content-based filtering for an
application-level proxy or other service (Sophos anti-virus plugin for
Sendmail Content Management API)

(By some definitions, Junkbuster is a firewall.)

===

Date: Tue, 16 Jan 2001 12:39:41 -0800
To: svlug@svlug.org
Subject: Re: [svlug] BAD PASSWORD: it is based on a dictionary word
From: Rick Moen <rick@linuxmafia.com>

begin  Don Marti Uses GIFs on the Sly quotation:

> One more thought on the subject of firewalls...nobody has ever
> explained to me why, if you don't trust a machine or machines to be on
> the Internet, why you don't just put it in private address space with
> no NAT or other route out, and use application-level proxies?

Setting up an application-level proxy gateway requires time, expertise,
money, and CPU power to burn.  Whereas pretty much anyone can set up
NAT and a few filtering rules (not necessarily safely or correctly),
claim to management to have installed a "firewall", and be a hero for a day.

The latter are being hawked as preconfigured products, in fact.  (See:
NetMax.)  No comprehension required; just add blind faith.

===

Date: Tue, 16 Jan 2001 15:36:38 -0800
To: svlug@svlug.org
Subject: Re: [svlug] BAD PASSWORD: it is based on a dictionary word
From: Rick Moen <rick@linuxmafia.com>

begin Chris Waters quotation:

> Anyway, I have to admit that I couldn't answer Rick's second question
> about firewalls.  (Is my "firewall" router/masquerader "stateful"?)

Stateful filters are ones that evaluate each packet within the context
of a network traffic stream (e.g., a TCP connection), rather than
attempting to determine their desirability in isolation.  E.g., is a SYN
response valid or part of a DoS attack?  (Yes, we have SYN cookies, but
that's missing the point.)  Keeping track of packet state requires
tracking some stream details such as TCP sequence numbers, and basically
maintaining a table of all open connections so that you can match up
incoming and outgoing streams -- thus making it possible to meaningfully
filter UDP.  You also should take into account the effects of IP-packet
fragmentation, which usually means reassembling all fragments before
letting any through.  Implementations differ widely.

In the extreme case, such an implementation would verge on becoming an
application-level proxy gateway, since it would have to make filtering
decisions on the basis of protocols higher up the OSI-model stack.  And
would necessarily become much more complex.

Anyhow, Linux 2.4 / netfilter can support a variety of stateful filters
on routing.  Linux 2.2 / ipchains cannot.

Darren Reed's "IP Filter" kernel add-on for *BSD has provided stateful
packet filtering for quite some time.

The point was that, unless the person burbling about "firewalls" and 
making vague claims about them in your face has some notion of these
issues (not to mention having something _specific_ in mind when he uses
the term), he's wasting his time and yours.

There are good books on filtering routers and application-level proxy
gateways.  People wanting to discuss "firewalls" with any pretense to
semantic content need to read them first.
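
As an added illustration, not part of the list thread, here is a toy Python model of the distinction Rick draws above: an ipchains-style stateless rule set that can only guess from port numbers and TCP flags, beside a netfilter-style stateful filter that records flows opened from inside and admits only matching replies. The inside host address and the sample packets are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP flags; ignored for UDP
    ack: bool = False

INSIDE = "10.0.0.5"     # constructed: the host behind the filter

def stateless_filter(pkt):
    """ipchains-style rules with no memory of earlier packets."""
    if pkt.src == INSIDE:
        return True                      # anything outbound is allowed
    if pkt.proto == "udp":
        return pkt.dport >= 1024         # high ports must stay open for replies
    return pkt.ack and not pkt.syn       # an ACK without SYN is the only hint of a reply

class StatefulFilter:
    """netfilter-style: a table of flows opened from inside; inbound must match."""
    def __init__(self):
        self.flows = set()

    def __call__(self, pkt):
        if pkt.src == INSIDE:            # outbound: remember the 5-tuple
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: accept only if it is the reverse of a flow we opened
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def run_scenario(filt):
    """Feed the same constructed traffic, in order, to a filter; return verdicts."""
    traffic = [
        ("dns_query", Packet("udp", INSIDE, 40000, "192.0.2.53", 53)),
        ("dns_reply", Packet("udp", "192.0.2.53", 53, INSIDE, 40000)),
        ("stray_udp", Packet("udp", "198.51.100.9", 53, INSIDE, 40001)),
        ("bare_ack",  Packet("tcp", "198.51.100.9", 4444, INSIDE, 22, ack=True)),
    ]
    return {label: filt(pkt) for label, pkt in traffic}
```

The stateless filter passes the unsolicited UDP datagram and the bare ACK to port 22 because nothing in a single packet distinguishes them from replies; the stateful one rejects both since no matching outbound flow exists. Real conntrack also checks TCP sequence windows and reassembles fragments, which this model omits.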


===
