Firewall concepts

Travis H. solinym at gmail.com
Sat Dec 10 23:41:18 PST 2005


On 12/8/05, Marcus Franke <MFranke at evendi.de> wrote:
> > A firewall on every pc will soon become a nightmare to manage as the
> > network grows.

Not necessarily.  If the needs of the machines do not change, then
there is no change to manage.

Your pf rules, in theory, can be quite simple, and adjustments can be
made on an as-needed basis.

The main problem comes when they need to offer some kind of service
that requires inbound connections, such as traditional servers, some
multimedia and p2p protocols.

The question is, are those changes going to be applied to all
machines, or just one at a time?  If the former, then having a global,
shared ruleset is the way to go.  If the latter, then having an
independent per-machine configuration file is the way to go.  You can
even implement a middle ground by use of anchors or textual inclusion
using some kind of preprocessor (email me if you want a copy of one).

> Concerning the manageability I would say, yes, you are right. One
> should invent a solution like the manageability of WinXP SP2 with
> the help of the ActiveDirectory in a windows server domain.

*shudders*

I've never been exactly sure what problem "the registry" or "active
directory" solves.  The former is a hierarchical namespace containing
configuration information, which sounds like a filesystem to me.  What
program variables are considered "configurable" seems somewhat
arbitrary.  Can you explain what problem ActiveDirectory solves?  I'm
willing to bet if you can tell me the requirements, I can point you to
an open-source solution.  There is something called OpenLDAP...

> But, often you read that attacks against servers will be done from
> the inside network.

Indeed, a firewall on every machine is the only way to implement the
"principle of least privilege" in many cases.

Trying to centralize access control on one firewall machine is a
useful idiom, but can become challenging as the links to "untrusted"
networks increase, for example when some internal user installs a
modem or WAP.  Now the outside world has equivalent access to what was
a trusted insider.  Furthermore, having a single firewall provides a
single point of failure; if it dies, no packets flow.  And other
issues can combine to make a centralized gateway impractical.  For
most users bandwidth of the firewall isn't an issue, but a single
full-duplex gigabit ethernet link can saturate a 32-bit 33MHz PCI bus
to capacity.  In reality you can start seeing dropped packets as low
as 200-300Mbps, and without selective acknowledgements the performance
of TCP really suffers in the face of dropped packets.

If increasing bandwidth doesn't do it, end-to-end encryption will be
the death knell of a centralized firewall or NIDS system, as the ports
used and application data will be unavailable to any system in the
middle (unless of course all systems escrow their keys with the
firewall or gateway, which is complex and problematic and defeats the
purpose of end-to-end encryption).
--
http://www.lightconsulting.com/~travis/  -><- Knight of the Lambda Calculus
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
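The "middle ground" the post describes (a shared ruleset with per-host pieces pulled in either through a pf anchor or through textual inclusion by a preprocessor) can be shown concretely. The following is an added example and not the preprocessor the poster offers to send, nor anything from the freebsd-pf project: a small POSIX sh function that expands `#include "file"` lines in a ruleset template, plus a constructed shared policy that includes a per-host fragment and notes the equivalent anchor-based layout. The interface name `em0`, the admin network `192.0.2.0/24`, and the file names `pf.conf.in`, `hostlocal.conf` and `/etc/pf.hostlocal.conf` are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeBSD/pf.
# pf_expand TEMPLATE: copy TEMPLATE to stdout, replacing every line of the
# form   #include "file"   with the contents of that file (one level deep,
# paths relative to the template's directory). A missing include is an
# error, so a host never silently loads a policy with its local rules gone.
pf_expand() {
    tmpl=$1
    dir=$(dirname "$tmpl")
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '#include "'*'"')
                f=${line#'#include "'}
                f=${f%'"'}
                if [ ! -r "$dir/$f" ]; then
                    echo "pf_expand: missing include $dir/$f" >&2
                    return 1
                fi
                printf '# --- begin %s ---\n' "$f"
                cat "$dir/$f"
                printf '# --- end %s ---\n' "$f"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$tmpl"
}

# build_demo DIR: write a constructed shared template and a constructed
# per-host fragment into DIR, then print the expanded ruleset. The output
# is what you would hand to   pfctl -nf   (syntax check) and then   pfctl -f.
build_demo() {
    d=$1
    mkdir -p "$d" || return 1
    cat > "$d/pf.conf.in" <<'EOF'
# Shared policy, identical on every machine (constructed example)
ext_if = "em0"
set skip on lo0
block in log all
pass out keep state
# Management access only from the admin network (documentation range)
pass in on $ext_if proto tcp from 192.0.2.0/24 to ($ext_if) port 22 keep state

# Per-host rules are spliced in here by the preprocessor.
#include "hostlocal.conf"

# Alternative middle ground without a preprocessor: keep the per-host rules
# in a named anchor and reload only that piece, e.g.
#   anchor "hostlocal"
#   load anchor "hostlocal" from "/etc/pf.hostlocal.conf"
# then   pfctl -a hostlocal -f /etc/pf.hostlocal.conf   touches nothing else.
EOF
    cat > "$d/hostlocal.conf" <<'EOF'
# Per-host fragment: this machine also runs a web server (constructed)
pass in on $ext_if proto tcp from any to ($ext_if) port 80 keep state
EOF
    pf_expand "$d/pf.conf.in"
}

# Stand-alone run: expand into a scratch directory and show the result.
if [ "${PF_DEMO_QUIET:-}" = "" ]; then
    build_demo "${TMPDIR:-/tmp}/pf_demo.$$"
fi
```

The shared template stays byte-identical across hosts, so the "global ruleset" case needs one file under version control; only `hostlocal.conf` (or the anchor file) differs per machine, which is the per-machine case from the post. Running the expanded output through `pfctl -nf` before `pfctl -f` catches a broken fragment before it replaces the live ruleset.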

