Rant: Network Application Firewalls

I often get into discussions about "next-generation firewalls" versus "traditional firewalls". All firewall vendors are moving in the same direction, adding deeper inspection to their devices.
For sales, it's a very easy pitch. Everyone is annoyed with the limited visibility L4 firewalls have, and proxies have always been a necessary evil. Along comes this one new box that will fix all these issues. Who wouldn't want one?

Marketing will say you no longer need to worry about TCP or UDP ports, just applications. But if you think about this for a few seconds, you'll know this isn't true. An application can only be identified once a connection has been established and a certain amount of traffic has passed back and forth; the TCP handshake completes before the firewall has seen a single byte of payload. So if you want to allow HTTP on any port, you have to allow TCP connections to any port and cut them off once they turn out to be something other than HTTP. You have just opened your entire network to port scans and all sorts of badness: every port answers with a SYN/ACK, whether or not anything is listening behind the firewall. This is a very easy configuration error to make; I've seen it happen several times already.

I was going to write about some of the interesting things you can do to trick application identification, but I found an excellent presentation which pretty much sums up my thoughts:
DEFCON19 Presentation Slides
DEFCON19 Presentation Video
You may recognize the CLI, but this applies to all vendors. It's about the technology, not the individual products.

In summary:

  • application identification only looks at the first bytes of a flow and can be tricked.
  • application-identification caches can be poisoned.
  • it's not all unicorns and rainbows, sorry.
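To make the "allow HTTP on any port" problem and the first-bytes trick concrete, here is a toy model of application identification. This is an added example written for this page, not the author's code and not any vendor's implementation. Everything in it is an assumption for illustration: the classifier inspects only the first 16 bytes of client payload (PREFIX_BYTES), "real" HTTP is only expected on ports 80 and 8080, and the payloads are constructed by hand.

```python
"""Toy model of firewall application identification ("app-ID").

Constructed illustration, not any vendor's code. It models two things:
  1. the application can only be classified once payload has flowed, so a
     policy of "allow <app> on any port" must accept the TCP handshake on
     every port, which is exactly what a port scanner needs;
  2. a classifier that only inspects the first bytes of a flow is fooled by
     a payload that merely starts like the permitted application.
"""
from dataclasses import dataclass
from typing import List, Optional

PREFIX_BYTES = 16  # assumption: how much client payload the classifier looks at

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def identify_app(payload: bytes) -> Optional[str]:
    """Guess the application from the first PREFIX_BYTES of client payload.

    None means "no payload yet": the TCP handshake has completed but nothing
    has been sent, so the firewall cannot know what the application is.
    """
    if not payload:
        return None
    head = payload[:PREFIX_BYTES]
    if head.startswith(HTTP_METHODS):
        return "http"
    if head.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


@dataclass(frozen=True)
class Rule:
    app: str
    ports: Optional[frozenset] = None  # None means "any port"


def decide(rules: List[Rule], dst_port: int, payload: bytes) -> str:
    """Evaluate one flow against an ordered rule list.

    Returns:
      "deny"    - the SYN is dropped, no rule could ever match this port
      "pending" - handshake allowed, waiting for payload to identify the app
      "allow"   - application identified and permitted
    A "pending" flow that later identifies as something not permitted is cut
    off, but by then the remote side has already seen an open port.
    """
    app = identify_app(payload)
    for rule in rules:
        if rule.ports is not None and dst_port not in rule.ports:
            continue
        if app is None:
            return "pending"
        if app == rule.app:
            return "allow"
    return "deny"


def scannable_ports(rules: List[Rule], max_port: int = 65535) -> int:
    """Number of TCP ports on which a bare SYN gets a SYN/ACK under this policy."""
    return sum(1 for p in range(1, max_port + 1) if decide(rules, p, b"") != "deny")


# "Allow HTTP on any port": the marketing pitch.
ANY_PORT_POLICY = [Rule("http", None)]
# "Allow HTTP only where it belongs": what the L7 rule should actually say.
STRICT_POLICY = [Rule("http", frozenset({80, 8080}))]

# Constructed payloads (not captured traffic).
REAL_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
# Not HTTP at all, merely wearing an HTTP-shaped hat: the first bytes satisfy
# the classifier, everything after that is arbitrary binary.
DISGUISED = b"GET / HTTP/1.1\r\n" + bytes(range(256))


def demo() -> dict:
    """Side-by-side results for the two policies."""
    return {
        "scan_any": scannable_ports(ANY_PORT_POLICY),        # 65535 ports answer
        "scan_strict": scannable_ports(STRICT_POLICY),       # only 2 answer
        "syn_4444_any": decide(ANY_PORT_POLICY, 4444, b""),  # pending (open!)
        "syn_4444_strict": decide(STRICT_POLICY, 4444, b""),  # deny
        "disguised_4444_any": decide(ANY_PORT_POLICY, 4444, DISGUISED),  # allow
        "disguised_4444_strict": decide(STRICT_POLICY, 4444, DISGUISED),  # deny
        "disguised_80_strict": decide(STRICT_POLICY, 80, DISGUISED),  # allow: still fooled
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>24}: {result}")
```

The last entry is the honest part: restricting ports shrinks what a scanner sees from every port to the two you meant, but the classifier itself is still fooled on port 80 by anything that begins with a method name. Port restrictions limit the blast radius of the L7 box; they do not make its identification any smarter.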

Conclusion:
Does this mean application firewalls are useless? Absolutely not. You simply need to be aware of their limitations.

In my opinion, L7 firewalls are an additional layer of defense, not a replacement for stateful firewalls. You still need a stateful L4 box in front of it, to attach the network segments that don't require application identification or that need better performance. This also reduces the risk of configuration errors on the L7 device.
On the L7 firewall, remember to only allow applications on the ports they actually need, and keep in mind that application identification is an expensive operation.

A new firewall

I am still using an old 486 as a firewall. Several times I have said that I was going to replace it "the next time it reboots", but the system is so rock stable that it has never had to be rebooted. However, the system is too slow and can't handle a large number of connections. Time for a replacement, and this time I mean it!

Instead of installing yet another Debian system, I decided it is time for something new. For a firewall the obvious choice would be OpenBSD. It has most of the firewalling features that I need, uses sane default values (in most cases) and has some interesting features that I want to experiment with (CARP/pfsync).

Aside from firewalling, I also want to configure two IPsec VPN tunnels to remote devices. The remote devices are NetScreen firewalls; they are quite flexible, and I have configured VPNs between them and all kinds of funky systems, ranging from Check Point clusters to cheap SOHO routers. So I don't really expect any problems here.
The idea is to run OSPF on top of the tunnels. One of the VPN tunnels is meant as a backup in case the other one fails. Adding multiple routes with different metrics is a possibility, but I don't like having to add them manually every time new subnets are created or linked with the central site.

Oh, and of course my IPv6 tunnels need to be configured as well, but I'm not expecting any issues there either.
