Monday, November 26, 2007

firewall-wizards Digest, Vol 19, Issue 24

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewalls that generate new packets.. (Darden, Patrick S.)
2. Re: Firewalls that generate new packets.. (Jim Seymour)
3. Re: Firewalls that generate new packets.. (Brian Loe)
4. Re: Firewalls that generate new packets.. (Bill McGee (bam))
5. Re: Firewalls that generate new packets.. (Marcus J. Ranum)
6. Re: Firewalls that generate new packets.. (Marcus J. Ranum)
7. Re: Firewalls that generate new packets.. (Paul D. Robertson)


----------------------------------------------------------------------

Message: 1
Date: Mon, 26 Nov 2007 13:14:38 -0500
From: "Darden, Patrick S." <darden@armc.org>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>, "Chris Blask"
<chris@blask.org>
Cc: bam@cisco.com, Paul Melson <pmelson@gmail.com>
Message-ID: <CBE22E5FF427B149A272DD1DDE1075240184E595@EX2K3.armc.org>
Content-Type: text/plain; charset="iso-8859-1"


I also completely misunderstood that email.

I was like:

"ohmygosh, noway, gagmewithaspoon!!! Is like, this old
guy for real? Like, ohmygosh!!!

Now, of course, I understand that it was just Paul and I and a few
others in the minority who were in the wrong, misinterpreting his wholly
factual and unbiased justthefacts maam downhome folksy honesty for
marketing spin, hyperbole, and outright lies.

Good of you to set us straight.

--Patrick Darden


-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com]On Behalf Of Paul
D. Robertson
Sent: Monday, November 26, 2007 10:14 AM
To: Chris Blask
Cc: bam@cisco.com; Firewall Wizards Security Mailing List; Paul Melson
Subject: Re: [fw-wiz] Firewalls that generate new packets..


On Sun, 25 Nov 2007, Chris Blask wrote:

> technical and marketing aspects of such things. It is
> therefore also quite defensibly true what Bill said: <sic>
> "That is on purpose".

This is the part I have serious troubles with- "on purpose" implies that
it was a pre-planned, thought-out event, not that you just didn't screw it
up by not doing anything[1]. The code bases _started out differently_ for
no reason other than the fact that the products were from different
companies, on two different platforms. To paint that fact as if it were
some sort of strategic plan does the readers of this list a disservice.


------------------------------

Message: 2
Date: Mon, 26 Nov 2007 11:13:09 -0500 (EST)
From: jseymour@linxnet.com (Jim Seymour)
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <20071126161309.6E403E15C@jimsun.linxnet.com>


"Paul Melson" <pmelson@gmail.com> wrote:
>
[snip]
> A stateful firewall lets you think about
> your policy in terms of published services; "I let the whole Internet
> connect to this web server and that mail server, but nothing else. And then
> whatever our people inside want to do."

But you can achieve that with nothing more than a "firewall router." My
good ol' Livingston IRX-211 can do that. Even my (relatively)
inexpensive Netopia DSL routers can do that. That was Marcus' point.

>
> Call it cynical. Call it misguided. Call it naive. Call it stupid. But
> it saves time and energy which translates to money.
[snip]

What you're telling me is that, if I don't want to go to the effort,
intellectually, time-wise and financially, to obtain and install a
proxying firewall, I need not bother with a firewall at all. What
you're telling me is just skip the firewall entirely, and put together
a comprehensive set of "firewall router" packet filtering rules.

Right?

Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.


------------------------------

Message: 3
Date: Mon, 26 Nov 2007 11:14:04 -0600
From: "Brian Loe" <knobdy@gmail.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<3c4611bc0711260914y60a81a43l24ab6e4e99ae40c0@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I just want to say that this thread, so far, is the most interesting
one I've read on this list - or really close to it. Any time Marcus
points out the uselessness of everything anyone here might be
currently using for network security AND you get such detailed history
of such HUGE products such as PIXen from those who KNOW...well, hell,
that's just cool.

A bonus is someone getting offended... :)


On Nov 26, 2007 9:32 AM, Bill McGee (bam) <bam@cisco.com> wrote:
> Hi, Paul,
>
> Here's some information around some of your questions/statements:


------------------------------

Message: 4
Date: Mon, 26 Nov 2007 08:09:55 -0800
From: "Bill McGee (bam)" <bam@cisco.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: "Paul D. Robertson" <paul@compuwar.net>, "Chris Blask"
<chris@blask.org>
Cc: Paul Melson <pmelson@gmail.com>, Firewall Wizards Security Mailing
List <firewall-wizards@listserv.cybertrust.com>
Message-ID:
<A0A653F4CB702442BFBF2FAF02C031E90529E09A@xmb-sjc-21e.amer.cisco.com>
Content-Type: text/plain; charset="us-ascii"

You're right that there has been a great deal of convergence and feature
parity development between PIX/ASA and the IOS and CatOS Firewalls.
This, again, is "on purpose." It's part of Cisco's position that
security and risk reduction are better when the disparate parts of your
security and network solutions work together.

A plan in progress (and yes, I've been here for ten years and am pretty
sure we have had, and continue to have, a strategy) means that at any
moment in time you are only going to see what's available then. That's
why the positioning and messaging evolves over time. At one time, we had
two distinct solutions (later, three with the CatOS FWSM.) As the
firewall market matured and as we were able to add additional
intelligence into both the network and our security solutions, there was
a planned convergence between the various solutions, with the end game
being that any customer could select the solution (or more often,
combination of solutions) that was right for their organization, and
still have the same level of security combined with flexibility and
interoperability.

It's not quite the same thing, IMO, as just managing to not "screw it
up."

-----Original Message-----
From: Paul D. Robertson [mailto:paul@compuwar.net]
Sent: Monday, November 26, 2007 8:14 AM
To: Chris Blask
Cc: Firewall Wizards Security Mailing List; Paul Melson; Bill McGee
(bam)
Subject: Re: [fw-wiz] Firewalls that generate new packets..

On Sun, 25 Nov 2007, Chris Blask wrote:

> technical and marketing aspects of such things. It is
> therefore also quite defensibly true what Bill said: <sic>
> "That is on purpose".

This is the part I have serious troubles with- "on purpose" implies that
it was a pre-planned, thought-out event, not that you just didn't screw it
up by not doing anything[1]. The code bases _started out differently_ for
no reason other than the fact that the products were from different
companies, on two different platforms. To paint that fact as if it were
some sort of strategic plan does the readers of this list a disservice.

> PS - Paul R, my posts seem to again not be making the list,

The list is still moderated, it takes the moderator some time to get
through the queue...

Paul
[1] From what I recall when Cisco was repeatedly trying to get me to buy
in to the fact that PIX should be on my list of approved firewalls at
Gannett, one of the points they kept trying to make was that PIX was
getting more IOS features to make it easier for folks to deal with a
single interface- so it would seem to me that even the keeping them apart
wasn't necessarily a planned event.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

http://www.fluiditgroup.com/blog/pdr/

Art: http://PaulDRobertson.imagekind.com/


------------------------------

Message: 5
Date: Mon, 26 Nov 2007 14:01:15 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <6.2.0.14.2.20071126135610.03df3eb0@ranum.com>
Content-Type: text/plain; charset="us-ascii"

Jim Seymour wrote:
>What
>you're telling me is just skip the firewall entirely, and put together
>a comprehensive set of "firewall router" packet filtering rules.

That's not what I'm saying. I'm saying is that the action is all
at layer-7 these days. Use a router (or 2 tin cans and some string)
to apply broad, simple, controls at the network layer and make
sure you are directing traffic to locked down layer-7 services
on machines that you think can handle them.

Firewalls have always consisted (in my mind, anyhow..) of
"block and carry" - think of the basic stuff the firewall does
as blocking big chunks of traffic so that your layer-7 picture
is refined to the point where you can effectively reason
about it. In that model a proxy is just a "carry" tool for
layer-7 traffic - and you can then reason about the security
controls (if you're using more than just a plug-board
proxy, which is axiomatically the same as a router
permit port ACL) in the proxy.

With respect to the "stateful packet inspection" garbage;
it's computer security's equivalent of homeopathy or
acupuncture: people like it because it makes them
feel better. It's a placebo.

mjr.
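
An added illustration of the "block and carry" split described above, and of Jim Seymour's "firewall router" packet-filter rules in message 2. This is example code written for this archive page, not code from the thread or from any product it discusses. A coarse, first-match ACL models the screening router: it permits the two published services and whatever the inside initiates, and blocks the rest. What the router carries to a service is then judged again at layer 7 by one of two proxies: a plug-board relay that forwards anything on a permitted port (the behaviour Marcus equates with a router permit-port ACL), and an application proxy that parses the HTTP request and can refuse what a port number cannot distinguish. All addresses, hostnames, rules and payloads are constructed for the example.

```python
"""Toy model of "block and carry": screening-router ACL, then a layer-7 proxy.
All hosts, rules and payloads are constructed for this example."""

from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges).
WEB_SERVER = "192.0.2.10"
MAIL_SERVER = "192.0.2.25"
INSIDE_NET = "10.0.0."


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    payload: bytes = b""


# --- "block": broad, simple network-layer rules, first match wins ----------
# (src prefix or "any", dst host or "any", proto or None, dport or None, verdict)
ROUTER_ACL = [
    ("any", WEB_SERVER, "tcp", 80, "permit"),
    ("any", MAIL_SERVER, "tcp", 25, "permit"),
    (INSIDE_NET, "any", "tcp", None, "permit"),   # inside may initiate anything
    ("any", "any", None, None, "deny"),           # explicit catch-all deny
]


def router_filter(flow: Flow) -> str:
    """Screening-router decision: looks only at addresses, protocol and port."""
    for src, dst, proto, dport, verdict in ROUTER_ACL:
        if src != "any" and not flow.src.startswith(src):
            continue
        if dst != "any" and flow.dst != dst:
            continue
        if proto is not None and flow.proto != proto:
            continue
        if dport is not None and flow.dport != dport:
            continue
        return verdict
    return "deny"


# --- "carry": two kinds of proxy for traffic the router let through --------
def plugboard_proxy(flow: Flow) -> str:
    """Circuit relay: forwards whatever arrives on a permitted port.
    It adds nothing beyond the ACL decision, which is Marcus's point."""
    return "relay"


ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.test"}     # constructed virtual host


def http_proxy(flow: Flow) -> str:
    """Application proxy: parses the HTTP request line and Host header and
    enforces a layer-7 policy before anything reaches the server."""
    try:
        head, _, _ = flow.payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return "reject: not HTTP"            # SSH, TLS, garbage on port 80
    if not version.startswith("HTTP/1."):
        return "reject: not HTTP"
    if method not in ALLOWED_METHODS:
        return f"reject: method {method}"    # e.g. CONNECT tunnelling
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("host") not in ALLOWED_HOSTS:
        return "reject: unknown host"
    if not target.startswith("/") or ".." in target:
        return "reject: bad target"
    return "forward"


def decide(flow: Flow, carry=http_proxy) -> str:
    """Block first; carry only what survives the block."""
    if router_filter(flow) != "permit":
        return "dropped at router"
    return carry(flow)


if __name__ == "__main__":
    # Constructed traffic: a normal request, a CONNECT tunnel attempt,
    # an SSH banner on port 80, and a telnet attempt to the web server.
    good = Flow("198.51.100.7", WEB_SERVER, "tcp", 80,
                b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n")
    tunnel = Flow("198.51.100.7", WEB_SERVER, "tcp", 80,
                  b"CONNECT evil.test:443 HTTP/1.1\r\nHost: evil.test\r\n\r\n")
    ssh_on_80 = Flow("198.51.100.7", WEB_SERVER, "tcp", 80, b"SSH-2.0-OpenSSH\r\n")
    telnet = Flow("198.51.100.7", WEB_SERVER, "tcp", 23)
    for f in (good, tunnel, ssh_on_80, telnet):
        print(f.dport, "plug-board:", decide(f, plugboard_proxy),
              "| app proxy:", decide(f))
```

The router and the plug-board proxy reach the same verdict for every flow, so the relay is only an extra hop; the application proxy is where the tunnel, the SSH-on-80 and the bad target are caught. Running the file prints one line per constructed flow with both verdicts side by side.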

------------------------------

Message: 6
Date: Mon, 26 Nov 2007 14:03:32 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>, "Paul D. Robertson"
<paul@compuwar.net>, "Chris Blask" <chris@blask.org>
Cc: Paul Melson <pmelson@gmail.com>
Message-ID: <6.2.0.14.2.20071126140205.0455b030@ranum.com>
Content-Type: text/plain; charset="us-ascii"

Bill McGee (bam) wrote:
[...]

BINGO!!! I hit on "convergence" "interoperability" "strategy"
"feature parity" and "positioning"

What do I win?

------------------------------

Message: 7
Date: Mon, 26 Nov 2007 13:49:21 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: "Bill McGee (bam)" <bam@cisco.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <Pine.LNX.4.44.0711261328580.16124-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 26 Nov 2007, Bill McGee (bam) wrote:

I'm probably going to throttle this thread after this, because it's
getting into semantics and marketing...

> You're right that there has been a great deal of convergence and feature
> parity development between PIX/ASA and the IOS and CatOS Firewalls.
> This, again, is "on purpose." It's part of Cisco's position that
> security and risk reduction are better when the disparate parts of your
> security and network solutions work together.

But to say they're *different* due to some magic strategy is still
disingenuous, they're different because _they were different at the
start_, not because Cisco suddenly had some great epiphany to create a
security product on a new platform with a new codebase so that their
customers could feel secure that a bug in their screening router wouldn't
affect their firewall.

It was also Cisco's position at one point that IOS uber alles should be
the mantra- I remember early on saying something along the lines of "I
wouldn't buy a PIX because they're flawed, but moving them to IOS is going
to make me even less likely to buy any of them since I'm using IOS on my
screening routers and providing the same codebase in every portion of my
security infrastructure is stupid." *That* would have been screwing it
up. The fact that the "let's screw it up" plan didn't happen is good, but
it's not the same as designing two very different products from the start.

> A plan in progress (and yes, I've been here for ten years and am pretty
> sure we have had, and continue to have a strategy) means that at any
> moment in time you are only going to see what's available then. That's
> why the positioning and messaging evolves over time. At one time, we had

Yes, but your current "positioning message" appears to be "We made two
different products and kept them separate..." not "We started with two
different products and didn't merge them..."

> It's not quite the same thing, IMO, as just managing to not "screw it
> up."

You start with an apple you bought from a friend and an orange you grew
in your garden, you at some point decide to proclaim that you shall turn
the apple into an orange, then decide not to.

You then proclaim that you made the apple and orange different on purpose.

That's how your "positioning message" came across to me and to a large
number of readers on this list- couple (*cough*) that with a term like
"positioning statement" and then ask us what "position" we think a
vendor's thinking their customer is in when they use that term.

It was 50/50 if I should have approved the original message because it's
mostly marketing fluff. I get a fair number of questions about approving
marginal messages when I do so- this thread's about run its course, seems
like you're sticking with your position and I'm sticking with mine- so
we'll just have to agree to differ.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

http://www.fluiditgroup.com/blog/pdr/

Art: http://PaulDRobertson.imagekind.com/

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 19, Issue 24
************************************************
