Wednesday, April 27, 2011

firewall-wizards Digest, Vol 57, Issue 8

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Proxies, opensource and the general market: what's wrong
with us? (Timothy Shea)
2. Re: Proxies, opensource and the general market: what's wrong
with us? (Tracy Reed)
3. Re: Proxies, opensource and the general market: what's wrong
with us? (ArkanoiD)


----------------------------------------------------------------------

Message: 1
Date: Tue, 26 Apr 2011 08:30:59 -0500
From: Timothy Shea <tim@tshea.net>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>, treed@ultraviolet.org
Cc: firewall-wizards@listserv.cybertrust.com
Message-ID: <BANLkTin1SA+OoVAVbDvtX9yQRY-Y4_nRug@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

On Mon, Apr 25, 2011 at 4:24 PM, Tracy Reed <treed@ultraviolet.org> wrote:

> On Sun, Apr 24, 2011 at 09:27:34PM +0400, ArkanoiD spake thusly:
>
> I don't know what "functionally fit" means either.
>
> As for web interfaces, most of the Linux firewalls I've used (especially
> Shorewall, my favorite) have no web interface. I really don't want
> someone managing my firewall who requires a web interface. I also like
> to version control my firewall configs and back them up within my normal
> backup infrastructure which most web interfaces cannot handle.
>

This comment makes me think you are the only 'security person' in your
organization. I work for a security team. I'm just one part of that team
and we run lots of firewalls. And the biggest issue with having a large
number of firewalls with a big team is management. I care that I can manage
them all from a central interface, that I can manage who does changes, that
I can audit changes, and back out changes when needed. Also - passing
audits is easier (not that that's a security concern - but it is a time saver).
We have a lot of different people playing in this environment and need tools
robust enough to deal with that.


> > I asked guys on LinkedIn (having to admit LinkedIn security community
> > sucks big time, some sane people are still there :-) , if they still
> > have some interest in opensource firewall solutions. The short answer
> > was "NO". The long ones were:
> >
> > -- It is all about performance, we want as many Gbits per $ as
> > possible, so ASIC is only way
>
> The number of infrastructures that need firewalls which are transferring
> < 100Mb/s are far greater in number than those pulling > 1Gb/s. Do all
> your LinkedIn pals work for Google, Facebook, etc? I have deployed lots
> of firewalls and only a few ever handled more than a few hundred
> megabits. The vast majority transfer at most on the order of single
> megabits. Yet some of these single-digit-Mb/s firewalls protect large
> numbers of credit card data and have serious security requirements.
>

Anyone who internally segments their network has high bandwidth
requirements. I'm replacing a firewall right now that has gig interfaces
because it's dropping packets. And I have never worked for a 'google'.


> > Protocol support is not that good, no common management interface and
>
> What protocols are we talking about here and what are we wanting to do
> with them?
>
> What is an example of a commercial product that has a common management
> interface? What other product is it in common with?
>

Which ones don't? Checkpoint, Netscreen, even Cisco PIX/ASAs have (ugh)
Ciscoworks.


>
> > not really ready for enterprise which is not full of geeks at all,
>
> I would think you would want to hire a geek to operate your firewall and
> other security infrastructure if security was important to you.
>

Like routers and switches - firewall management has become a commodity. I
have no problem with a network team or "non-geeks" running our firewalls. I
have no problem even outsourcing that function. We have other controls in
place to evaluate changes to that environment.


>
> > management overhead and TCO are going to jump up beyond any reasonable
> > limit.
>
> Why?
>
> > OpenDLP is just a sad joke, running a bunch of regexps against your
> > data is not the thing to be called DLP.
>
> How do the commercial products do it?
>

The problem is management and in the case of DLP - updates of new signatures
and support of a wide variety of systems. As far as I can tell - OpenDLP
supports only Windows systems. We need to monitor Oracle, DB2, messaging,
different types of end-points, e-mail, etc. Support is also critical as
"non-geeks" are typically the ones keeping track of violations (I certainly
don't want a "geek" doing that).


>
> > As I am still running the OpenFWTK project, I have to admit I get
> > little to *NO* support from the Opensource community.
>
> I very rarely hear about openfwtk and I'm in the business. I know of
> very few companies who have deployed or want to run proxies. Most just
> stick with stateful packet filtering and maybe a squid/varnish proxy for
> http and call it a day. In order to have community support you have to
> have a community. There are 30 people in #shorewall on freenode.net and
> for nearly 10 years now there has always been someone to help out
> whenever I had an issue. The mailing list is quite active also. Tom
> Eastep does a fantastic job of running the project working with the
> community. openfwtk-devel at
> http://sourceforge.net/mail/?group_id=192764 has 7 subscribers and 10
> emails in the archive over years. And no IRC channel. It is barely
> visible at all on the net. You don't get community support if you have
> no community.
>
>
The traditional packet filtering firewall has become less important in the
overall security architecture. We build 'security' into every part of the
application. And we do run "proxies" but they are closer to the
application, usually contain custom code specific to the application, and
they perform a wide variety of tasks such as authentication, authorization,
validations of the request, etc. No opensource products exist for this. I
also need people who can support and write code to this platform, and a
commercial solution comes with a built-in ecosystem in which we can find
resources.

As for users - we shove them through their own commercial proxy. We chose
to do so because of the ability to manage, reporting, and total cost of
ownership is less than putting in a bunch of squid proxies (which I've
personally installed many times). And I include in the total cost of
ownership having to respond to malware incidents because opensource malware
tools aren't kept as up to date as commercial versions.


--
Tim Shea
tim@tshea.net

------------------------------

Message: 2
Date: Tue, 26 Apr 2011 00:25:37 -0700
From: Tracy Reed <treed@ultraviolet.org>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20110426072536.GF29903@tracyreed.org>
Content-Type: text/plain; charset="us-ascii"

On Tue, Apr 26, 2011 at 04:49:51AM +0400, ArkanoiD spake thusly:
> A "framework" means it is not just a bunch of inconsistent code.
> API.. well, Gauntlet had a kind of API. Zorp does have, OpenFWTK does.
> A linux box with squid+squidguard+IMspector+nntpcache+greensql+dante+whatever is something else,
> despite the fact it can do "more".

Even "inconsistent code" is rather nebulous. Does it all have to be written by
the same person? In the same style? Same language? What?

Googling for "openfwtk api" produces references to the fwtk API in websites
talking about openfwtk. Googling for "fwtk api" produces references to OpenFWTK
saying stuff like "OpenFWTK is an application proxy toolkit which inherits the
ideology of TIS fwtk and maintains API backwards compatibility." What is the
OpenFWTK API?

Googling for "firewall API" turns up a bunch of stuff about the Windows XP
firewall API. "cisco pix api" turns up nothing relevant. "barracuda firewall
api" turns up "The Barracuda Spam Firewall API is a set of six CGI scripts that
can be accessed to administer the Barracuda in a remote manner." CGIs? Well,
Barracuda isn't exactly high end. Googling for "websense firewall api" doesn't
turn up anything although a search for "firewall endpoint data discovery" (one
of the high end features you mention below) turns up links to websense stuff.

RSA DLP Endpoint looks like it might be more along the lines of what you are
talking about but it isn't a firewall at all. It looks like an agent that runs
on the workstation.

I understand packet filters and proxies to be firewalls. A lot of the rest of
the stuff (DLP, endpoint discovery, OCR, etc. etc.) seem like separate pieces
of software. Security related, sure, but not firewalls.

> > Depends on what you mean by "real". I know tons of people look at the
> > Linux firewall code.
>
> You mean packet filter code? :-)

Yes. Here we have a problem somewhat like the classical meaning of "hacker" vs
the common meaning of "hacker". And this firewall vs packet filter debate may
not even have that much legitimacy. I can find a number of people who still
subscribe to the classical idea of a hacker but a few of the denizens of this
mailing list are the only ones I know of who insist on issuing a correction
when someone calls a packet filter a firewall. It just seems like pointless
snobbery.

> Shorewall is just a packet filter configuration frontend.

Indeed it is. And the PCI SSC considers this packet filter a firewall which
makes card data more secure. And that's just what I need to make my clients
happy.

> We do. Say, dealing with webmail *exactly* the same way as "classic" email
> protocols is a must these days.

You propose that a firewall should be able to MITM the https stream of gmail,
parse the HTML/Javascript coming from gmail (wouldn't you have to even execute
the Javascript and possibly run into the Halting problem etc?) and...do what
with it? And if gmail changes their code? And you expect a firewall to do this
for every webmail implementation? That does not seem reasonable.

> > > Protocol support is not that good, no common management interface and
> >
> > What protocols are we talking about here and what are we wanting to do
> > with them?
> >
> > What is an example of a commercial product that has a common management
> > interface? What other product is it in common with?
>
> "Common" means you may build a feature rich system using components you need.
> It is vendor-centric, usually, but Juniper, McAfee and even Cisco are good examples.

"no common management interface" and "common means you may build a feature rich
system using components you need"? I'm just not following.

> > > OpenDLP is just a sad joke, running a bunch of regexps against your
> > > data is not the thing to be called DLP.
> >
> > How do the commercial products do it?
>
> Lots of pretty complicated ways, including endpoint data discovery, digital
> fingerprinting, data normalization, on-the-fly ocr and stuff.

Googling for "firewall data normalization" or "DLP data normalization" does not
produce anything useful.

"data loss prevention ocr" turns up http://www.codegreennetworks.com/index.htm
but only because OCR stands for the Office for Civil Rights which is apparently
the part of the US govt that enforces HIPAA. And that DLP box looks less like a
firewall than an appliance which sits on a span/mirror port and sniffs traffic
and applies matching and parsing rules.

In short, it's hard to tell what any of this really means, whether anyone is
really producing software that does much of this stuff, or whether anyone is
really asking for it, and whether it isn't all just marketing BS in an industry
infamously rife with such BS.

I vaguely remember when fwtk was first released back in 1993. Network Security
JumpStart (via Google Books) says: "FWTK was created for the Defense Advanced
Research Projects Agency (DARPA) by Trusted Information Systems (TIS) when
DARPA realized that no packet filter would be secure enough to filter protocol
content."

So that explains the problem that FWTK and presumably by extension OpenFWTK is
trying to solve. DARPA identified the problem in 1993 but nobody else seems to
have picked up on it or care much in 2011. PCI DSS is my area of focus and
nobody is pushing the filtering of protocol content, just packets.

The closest thing I am aware of is PCI DSS requirement 6.6. The goal of 6.6 is
to prevent SQL injections etc. from leaking payment card data and it only
applies to those requiring compliance with SAQ-D who store payment account
numbers. That is the minority of e-commerce shops...I hope! 6.6 gives you the
option of doing source code reviews of the externally facing web applications
or implementing a web application firewall.

This is where something like OpenFWTK might be useful but it seems like
Apache mod_security and its commercial variant have this market well serviced.
And even then, when a web application spews sensitive information via SQL
injection it usually does so without ever violating the HTTP protocol. In 1993
the big threat was buffer overflow exploits where your HTTP server might
suddenly serve up a root shell on the tcp connection. That seems to be what
DARPA was trying to stop. That problem has been mitigated more or less.
Enforcing HTTP protocol (et al) may still be valuable but it does not protect
us from the biggest threats of today. There is where DLP etc. come in,
apparently.

> Exactly how am I expected to get the community?

What problem are you trying to solve? Is it really a problem anyone needs
solved? You sure you aren't solving DARPA's problem of 1993? Shorewall solves
the problem I and many others have to solve. Very few people need many of the
features which you have mentioned. Those who do need such things probably have
tons of money and are in corporate CYA environments where they want someone to
blame when things go wrong so they will want commercial support. DLP and the
many other fancy features mentioned are covered by the big guys and small shops
don't need/care for it. For all these reasons it is hard to identify who might
be potential members of your OpenFWTK community.

--
Tracy Reed
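The distinction drawn above between enforcing the HTTP protocol and inspecting what the protocol carries, as an added example that is not code from the thread or from any project named in it: the constructed response below passes a minimal protocol-conformance check of the kind a proxy enforcing "valid HTTP" performs, yet its body leaks a card number; a content-level check (regex candidates filtered by a Luhn check, so that a "bunch of regexps" alone does not flag every long digit string) is what catches it.

```python
"""Added example: protocol enforcement vs. content inspection of an
HTTP response. The sample response is constructed, not captured."""
import re
from typing import Dict, List

# Constructed sample: a well-formed HTTP/1.1 response whose body carries
# card data leaked by a (hypothetical) SQL-injection bug in the application.
# The first PAN is Luhn-valid; the "Ref" number is a near-miss that is not.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 113\r\n"
    b"\r\n"
    b"<html><body>Order 1234567890 shipped.<br>"
    b"Card on file: 4111 1111 1111 1111<br>"
    b"Ref: 4111111111111112</body></html>"
)


def http_protocol_ok(raw: bytes) -> bool:
    """Protocol-level check only: status line, header syntax, Content-Length.
    A leaking application answers with valid HTTP, so this check passes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False
    lines = head.split(b"\r\n")
    if not re.fullmatch(rb"HTTP/1\.[01] \d{3} [ -~]*", lines[0]):
        return False
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        m = re.fullmatch(rb"([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*)", line)
        if not m:
            return False
        headers[m.group(1).lower()] = m.group(2).strip()
    if b"content-length" in headers:
        return int(headers[b"content-length"]) == len(body)
    return True


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Candidate PANs: 13-19 digits, optionally separated by spaces or hyphens.
# On its own this regex over-matches; Luhn filtering removes most noise.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def find_pans(raw: bytes) -> List[str]:
    """Content-level check over the body: regex candidates, then Luhn."""
    body = raw.partition(b"\r\n\r\n")[2].decode("utf-8", "replace")
    hits = []
    for m in PAN_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    print("protocol ok:", http_protocol_ok(SAMPLE_RESPONSE))
    print("leaked PANs:", find_pans(SAMPLE_RESPONSE))
```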

------------------------------

Message: 3
Date: Wed, 27 Apr 2011 23:48:22 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20110427194822.GA12632@eltex.net>
Content-Type: text/plain; charset=koi8-r

On Tue, Apr 26, 2011 at 12:25:37AM -0700, Tracy Reed wrote:
>
> Even "inconsistent code" is rather nebulous. Does it all have to be written by
> the same person? In the same style? Same language? What?
>
> Googling for "openfwtk api" produces references to the fwtk API in websites
> talking about openfwtk. Googling for "fwtk api" produces references to OpenFWTK
> saying stuff like "OpenFWTK is an application proxy toolkit which inherits the
> ideology of TIS fwtk and maintains API backwards compatibility." What is the
> OpenFWTK API?

A set of functions and data structures that provide access to common configuration,
authentication, logging and (to some extent) data processing mechanisms.

Wasn't it clear enough?

> when someone calls a packet filter a firewall. It just seems like pointless
> snobbery.
>
> > Shorewall is just a packet filter configuration frontend.
>
> Indeed it is. And the PCI SSC considers this packet filter a firewall which
> makes card data more secure. And that's just what I need to make my clients
> happy.

(shrugs) if that's enough for you, I doubt reading this list provides any value in this context :-)

> > We do. Say, dealing with webmail *exactly* the same way as "classic" email
> > protocols is a must these days.
>
> You propose that a firewall should be able to MITM the https stream of gmail,
> parse the HTML/Javascript coming from gmail (wouldn't you have to even execute
> the Javascript and possibly run into the Halting problem etc?) and...do what
> with it? And if gmail changes their code? And you expect a firewall to do this
> for every webmail implementation? That does not seem reasonable.

It may sound "reasonable" or not, it is a sane requirement. Sane from some customer's point of
view, like in "I do not care about your technical problems, I just pay the money to someone
who stops whining and gets the job done. If there is more than one, ok, I agree to listen to
some tech talk about how you do it better than others".

> > "Common" means you may build a feature rich system using components you need.
> > It is vendor-centric, usually, but Juniper, McAfee and even Cisco are good examples.
>
> "no common management interface" and "common means you may build a feature rich
> system using components you need"? I'm just not following.

You do not really see a difference between Shorewall and, sorry for the buzzword, "enterprise ready system"
which includes firewalls, filtering routers (ah, sorry, those two are the same for you), IDS, endpoint security
solutions, DLP components, security information management systems, reporting tools etc etc any "big name" may
provide?

> Googling for "firewall data normalization" or "DLP data normalization" does not
> produce anything useful.
>
> "data loss prevention ocr" turns up http://www.codegreennetworks.com/index.htm
> but only because OCR stands for the Office for Civil Rights which is apparently
> the part of the US govt that enforces HIPAA. And that DLP box looks less like a
> firewall than an appliance which sits on a span/mirror port and sniffs traffic
> and applies matching and parsing rules.
>
> In short, it's hard to tell what any of this really means, whether anyone is
> really producing software that does much of this stuff, or whether anyone is
> really asking for it, and whether it isn't all just marketing BS in an industry
> infamously rife with such BS.

(shrugs) we have a solution here that does it all. Don't think there is a problem you cannot
google out.

> So that explains the problem that FWTK and presumably by extension OpenFWTK is
> trying to solve. DARPA identified the problem in 1993 but nobody else seems to
> have picked up on it or care much in 2011. PCI DSS is my area of focus and
> nobody is pushing the filtering of protocol content, just packets.

Damn fscking sure. Compliance is a "totally different thing".
(I "do some PCI DSS" as well, but cannot even imagine it as "area of focus", it is damn boring.
Well, writing new standards may be fun, but "just following" is not :-).

> This is where something like OpenFWTK might be useful but it seems like
> Apache mod_security and its commercial variant have this market well serviced.
> And even then, when a web application spews sensitive information via SQL
> injection it usually does so without ever violating the HTTP protocol. In 1993
> the big threat was buffer overflow exploits where your HTTP server might
> suddenly serve up a root shell on the tcp connection. That seems to be what
> DARPA was trying to stop. That problem has been mitigated more or less.
> Enforcing HTTP protocol (et al) may still be valuable but it does not protect
> us from the biggest threats of today.

Damn sure, for http-driven attacks protocol-level threats are almost a non-issue (except
a few SSL ones). It does not mean there is no job for an application proxy, though.

> There is where DLP etc. come in,
> apparently.

Not here, DLP is not designed to do that.

> > Exactly how am I expected to get the community?
>
> What problem are you trying to solve? Is it really a problem anyone needs
> solved? You sure you aren't solving DARPA's problem of 1993?

Yes.

> Shorewall solves
> the problem I and many others have to solve. Very few people need many of the
> features which you have mentioned. Those who do need such things probably have
> tons of money and are in corporate CYA environments where they want someone to
> blame when things go wrong so they will want commercial support. DLP and the
> many other fancy features mentioned are covered by the big guys and small shops
> don't need/care for it. For all these reasons it is hard to identify who might
> be potential members of your OpenFWTK community.

"Someone to blame" is a good point (not someone to be responsible or to solve the problem :-)

Well, I just wonder why there is almost no one who is willing to try the same things "for free".

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 57, Issue 8
***********************************************
