Applications

Rant: Network Application Firewalls

I often get into discussions about "next-generation firewalls" versus "traditional firewalls". All firewall vendors are moving in the same direction, adding deeper inspection to their devices.
For sales it's an easy pitch. Everyone is annoyed by the limited visibility an L4 firewall gives, and proxies have always been a necessary evil. Along comes one new box that promises to fix all of these issues. Who wouldn't want one?

Marketing will tell you that you no longer need to worry about TCP or UDP ports, only about applications. Think about that for a few seconds and you'll see it can't be true. An application can only be identified once a connection has been established and a certain amount of traffic has passed back and forth; during the TCP handshake there is nothing to classify yet. So if you want to allow HTTP on any port, you have to allow TCP connections to any port and tear them down once they turn out to be something other than HTTP. By then the SYN-ACK has already gone back to the client: you have just opened your entire network to port scans and all sorts of badness. This is a very easy configuration error to make - I've seen it happen several times already.

I was going to write about some of the interesting ways to trick application identification, but found an excellent presentation that pretty much sums up my thoughts:
DEFCON19 Presentation Slides
DEFCON19 Presentation Video
You may recognize the CLI, but this applies to all vendors. It's about the technology, not the individual products.

In summary:

  • Application identification only looks at the first bytes of a flow and can be tricked.
  • Application-identification caches can be poisoned.
  • It's not all unicorns and rainbows, sorry.

Conclusion:
Does this mean application firewalls are useless? Absolutely not. You simply need to be aware of their limitations.

In my opinion, L7 firewalls are an additional layer of defense, not a replacement for stateful firewalls. You still need a stateful L4 box in front of them, to attach the network segments that don't require application identification or that need better performance. This also reduces the risk of configuration errors on the L7 device.
On the L7 firewall, remember to only allow applications on the ports they actually need, and keep in mind that application identification is an expensive operation.
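To make the point concrete, here is a small Python model of how an application-aware firewall has to behave while a TCP flow is still in its handshake, and why "allow HTTP on any port" is the configuration error described above. This is an example added to the post, not code from any vendor's product: the sixteen-byte identification window, the three-entry signature table, the rule format and the sample payloads are all constructed for illustration. It also shows the first point of the summary, that a classifier which only looks at the first bytes can be fooled by an HTTP-looking prefix.

```python
"""Toy model of application identification on an application-aware firewall.

Constructed for illustration; not the code of any vendor's product. The
identification window, signature table, policy format and sample flows
are all assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional

IDENT_WINDOW = 16   # bytes of client payload the classifier looks at (assumed value)

SIGNATURES = [      # (payload prefix, application) - constructed, not a real signature set
    (b"GET ", "http"),
    (b"POST ", "http"),
    (b"SSH-", "ssh"),
]


def identify(payload: bytes) -> Optional[str]:
    """Return the application seen in the first IDENT_WINDOW bytes.

    None means 'not yet identifiable': no payload has been sent, which is the
    situation for every TCP flow while the three-way handshake is running.
    """
    head = payload[:IDENT_WINDOW]
    if not head:
        return None
    for prefix, app in SIGNATURES:
        if head.startswith(prefix):
            return app
    return "unknown"


@dataclass(frozen=True)
class Rule:
    app: str                          # application name, or "any"
    ports: frozenset = frozenset()    # allowed TCP ports; empty means "any port"
    action: str = "allow"


def l7_decision(rules, dport: int, payload: bytes) -> str:
    """First-match policy lookup. Returns 'allow', 'deny' or 'pending'.

    'pending' means a rule could still match once the application is known,
    so the firewall has to forward the handshake and wait for the first data.
    """
    app = identify(payload)
    for r in rules:
        if r.ports and dport not in r.ports:
            continue                  # port does not match, rule cannot apply
        if r.app == "any":
            return r.action
        if app is None:
            return "pending"          # port matches, application unknown yet
        if app == r.app:
            return r.action
    return "deny"


def syn_gets_through(rules, dport: int) -> bool:
    """What a port scanner observes: is the SYN to dport forwarded?"""
    return l7_decision(rules, dport, b"") != "deny"


# Two ways to express "allow HTTP" on the L7 box.
SLOPPY = [Rule("http")]                               # HTTP on any port
STRICT = [Rule("http", frozenset({80, 8080, 8443}))]  # HTTP only where it belongs

# Constructed client payloads.
SSH_BANNER = b"SSH-2.0-OpenSSH_9.0\r\n"
DISGUISED = b"GET / HTTP/1.1\r\n" + SSH_BANNER        # HTTP-looking first 16 bytes, SSH after


def demo() -> dict:
    return {
        # 1. Port scan against 3389: the SYN passes under SLOPPY, is dropped under STRICT.
        "scan_3389_sloppy": syn_gets_through(SLOPPY, 3389),
        "scan_3389_strict": syn_gets_through(STRICT, 3389),
        # 2. Real SSH on 3389 is blocked under SLOPPY, but only after the handshake.
        "ssh_3389_sloppy": l7_decision(SLOPPY, 3389, SSH_BANNER),
        # 3. An HTTP-looking prefix fools the window-based classifier on any port...
        "disguised_3389_sloppy": l7_decision(SLOPPY, 3389, DISGUISED),
        # ...while port restrictions still stop it on ports HTTP has no business on.
        "disguised_3389_strict": l7_decision(STRICT, 3389, DISGUISED),
        # 4. On an allowed port the disguise passes either policy: app-id alone is no cure.
        "disguised_8080_strict": l7_decision(STRICT, 8080, DISGUISED),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

The model deliberately leaves out the identification cache mentioned in the summary; the point it makes is the one from the post: under the "any port" rule the first decision for every flow is "pending", so a scanner gets its SYN-ACK from every host behind the box, and once the flow is classified from its first bytes nothing later in the stream changes the verdict.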

Useful little utilities

Aside from the usual web browsers, email client and office suite, what is installed on your laptop? Over time I have collected a number of useful utilities; amazingly enough, most of the ones I use daily would still fit on a floppy.
Yes, my laptop is running Windows, with good reason, but that's a different discussion.

PuTTY
A free SSH client that I use all the time, mostly to connect to systems for which I don't need to load a saved session.
3CDaemon
A small TFTP, FTP and syslog server. Nothing to run 24/7, but very handy for quickly setting up a server to transfer files. I mainly use the TFTP function to upgrade devices and copy config files.
SecureCRT
This application isn't free, but it is the one I mostly use to access serial consoles, because it allows me to store different profiles for different devices. I also use it for my larger list of SSH bookmarks; SecureCRT handles those better than PuTTY. If anyone knows a free alternative, let me know, but don't dare suggest HyperTerminal ;)
ipcalc
A simple command-line (or web) IP calculator, useful when calculating netmasks on a Monday morning.
Active Directory Explorer
One from the Sysinternals collection. Useful for looking up the full DN of an object in AD when I can't reproduce it just by looking at the AD structure.
BIND Dig
dig, for troubleshooting DNS issues, because the standard Windows nslookup is just so horrible. It's included in the BIND package for Windows; you can just copy the files dig needs without installing the full BIND, of course.
Metapad
Just as a notepad replacement.
VIM
A real editor.
TrueCrypt
Used to encrypt my data partition so that, in case my laptop gets stolen, the thief will have a lot more trouble getting at the good stuff.

Of course there is a lot more (Firefox, WinSCP, FileZilla, OpenOffice, MS Office, ...), but everyone already knows those.
Just by looking at this list, I don't think it would be difficult to figure out what my job is.
