Re: Time to move beyond the 32 bit Internet.

2014-07-03 03:52:08
On 07/01/2014 08:07 PM, Mark Andrews wrote:
> Part of the issue is that a firewall doesn't actually do much to
> help a properly secured host and they just make applications harder
> to develop as they need to start punching holes in multiple firewalls.

Maybe the question is "how many of the hosts out there are properly
secured"?


> It just drops a little traffic which would otherwise be rejected
> immediately or dropped after timeout by the host.

Not sure what you mean...


> Additionally firewall developers do not keep up to date with protocol
> changes (how many firewalls, 15 years after EDNS was developed,
> still think that DNS/UDP packets are 512 bytes).  They are often
> used incorrectly to block legitimate traffic (icmp PTB, fragments)
> associated with "wanted" flows.

This could be an indication of room/need for advice.


> They are themselves an attackable DoS point due to table exhaustion.

Agreed. But that really depends on the type of firewall (stateless vs.
stateful) and other assumptions such as "the good folks are in the
internal network, the bad ones on the outside" -- and even then
firewalls can limit the number of state table entries based on source
address or user.


> They also don't encourage other manufacturers to take security of
> their products into proper consideration.

Well, the guy deploying the firewall is most likely not the vendor --
i.e., he probably has deployed products that "might not have taken
security seriously", and the firewall at least possibly blocks some
attacks against them.


> Just because they are
> inside a "firewall" doesn't mean that they are in a safe environment
> yet that is the attitude some manufacturers seem to take.
>
> Also once the application punches holes in the firewall it may as well not
> be there as the service is exposed.

This seems to be an argument against "diode" firewalls rather than
against firewalls in general?

Cheers,
-- 
Fernando Gont
e-mail: fernando(_at_)gont(_dot_)com(_dot_)ar || 
fgont(_at_)si6networks(_dot_)com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
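As an added illustration for the points argued above (this is editorial example material, not text or configuration from Mark Andrews or Fernando Gont), here is an nftables input policy for a dual-stack host that does three things the thread discusses: it caps state-table entries per source address instead of relying only on the global conntrack limit, it lets ICMP/ICMPv6 errors such as Packet Too Big and fragments through when they belong to wanted flows rather than blanket-dropping them, and it shows, commented out, the "DNS/UDP is 512 bytes" and "drop all fragments" rules that are the mistake. The port (22), the per-source limit (20), the set names and the size values are assumptions; the `ct count` connlimit syntax needs nftables 0.9 or later and a kernel with nf_connlimit (4.18+).

```nftables
# Added example (not from the thread). Stateful IPv4/IPv6 input policy that
# applies the thread's points. Port number, set names and limits are assumed.
# Needs nftables >= 0.9 and a kernel with nf_connlimit (4.18+) for "ct count".

table inet filter {
    # Per-source state accounting. Each element is a source address with a
    # live connection count; elements go away as their conntrack entries do.
    set ssh_per_src4 { type ipv4_addr; flags dynamic; size 65535; }
    set ssh_per_src6 { type ipv6_addr; flags dynamic; size 65535; }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept

        # Packets of flows we already accepted. Conntrack reassembles
        # fragments before this match, and ICMP/ICMPv6 errors that quote an
        # existing flow (including Packet Too Big / frag-needed) are "related",
        # so PMTUD keeps working for wanted flows without a broad ICMP allow.
        ct state established,related accept
        ct state invalid drop

        # Neighbour discovery must pass or IPv6 stops working on this host.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # New SSH sessions: one source may hold at most 20 concurrent states.
        # The host still has the global cap (net.netfilter.nf_conntrack_max),
        # but a single chatty or abusive peer can no longer consume all of it.
        tcp dport 22 ct state new add @ssh_per_src4 { ip saddr ct count over 20 } drop
        tcp dport 22 ct state new add @ssh_per_src6 { ip6 saddr ct count over 20 } drop
        tcp dport 22 ct state new accept

        # DNS answers: no length clamp. A rule like the commented one below is
        # the "DNS/UDP is 512 bytes" mistake; EDNS answers up to the advertised
        # buffer size (commonly 1232 to 4096 bytes) are legitimate.
        # udp sport 53 udp length > 520 drop      # WRONG, breaks EDNS
        #
        # Likewise, do not drop every fragment; a blanket rule such as
        # ip frag-off & 0x1fff != 0 drop          # WRONG
        # breaks large EDNS answers and other wanted fragmented traffic.
    }
}
```

Load it with `nft -f` and inspect live per-source counts with `nft list set inet filter ssh_per_src4`; the global table usage is in `/proc/sys/net/netfilter/nf_conntrack_count` against `nf_conntrack_max`. The per-source cap is what Fernando's reply refers to: it does not remove the table-exhaustion exposure for spoofed-source floods, but it stops any one real peer from taking the whole table.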