Re: 56k dial up on laptop 802.11G ?
- From: Duane Arnold <notme@xxxxxxxxx>
- Date: Wed, 27 Jul 2005 20:17:11 GMT
Jeff Liebermann <jeffl@xxxxxxxxxxxxxxxxxxxxxx> wrote in
news:2qbfe1d0rkdiv9ca958dh12mhu1ojgn62s@xxxxxxx:
> Can I muddy the waters with my opinions?
Why not?
>
> Ever wonder why the terms "firewall" and "router" are different and
> haven't been combined into one? You don't hear about anyone selling a
> "firewall router" or some similar conglomeration. That's because the
> common definitions have changed somewhat since Cisco first invented
> routers and are difficult to isolate.
>
> These days, a firewall is anything that keeps the barbarians out of a
> protected LAN. It can be NAT, PAT, SPI, dual bastion host, manual
> inspection, or a dog sniffing packets, and still be considered a
> functional firewall. How this is accomplished varies by technique,
> complexity, topology.
This is the definition as to what I consider a FW. I don't like to type,
so I find what I need to find and I cut and paste.
<snip>
A firewall protects networked computers from intentional hostile
intrusion that could compromise confidentiality or result in data
corruption or denial of service. It may be a hardware device or a
software program running on a secure host computer. In either case, it
must have at least two network interfaces, one for the network it is
intended to protect, and one for the network it is exposed to. A firewall
sits at the junction point or gateway between the two networks, usually a
private network and a public network such as the Internet. The earliest
firewalls were simply routers. The term firewall comes from the fact that
by segmenting a network into different physical subnetworks, they limited
the damage that could spread from one subnet to another just like
firedoors or firewalls.
<snip>
>
> A router is just something that glues two networks together. That was
> the original purpose of routers and remains the same today. It's
> assumed to operate at the IP level and make some decisions relating to
> connecting two (or more) IP networks together. It does this by
> inspecting the IP headers and sometimes the packet contents, and
> making decisions based upon their contents.
>
> The problem is that both firewalls and routers inspect packets and
> make decisions, often in exactly the same way. Yet, their purposes
> are different. Many of the examples previously offered of what
> allegedly constitutes a firewall are actually definitions of what
> constitutes a firewall, are actually examples of router functions.
> For example, static routes to a remote office are a router function,
> not a firewall function.
Both solutions can use a packet filter, so in some way they do set similar
types of rules and make similar types of decisions based on the rules
implemented.
>
> Unfortunately, the large amount of overlap between firewalls and
> routers are where methinks the problem is hiding. Filtering by
> service type can be considered both a router and firewall function.
> Filtering by WAN side IP address is a firewall function. Controlling
> outgoing traffic from the LAN is pure router. I once saw a list of
> these features and their classification in a Cisco CCNE book somewhere
> on my shelf, but I sold those and can't check.
>
> So, how can one tell if it's a firewall, router, or both? Easy, by
> the function it's performing. Duz the feature in question control
> access from the WAN to the LAN? If so, it's a firewall feature. Duz
> the feature in question control the way two networks are connected?
> If so, then it's a router feature.
>
> In my never humble opinion, any NAT router should be considered a
> firewall because NAT controls access to the LAN from the WAN. How
> well it does this, and to what level of control is another question
> which methinks is at the heart of the current discussion.
And I agree to disagree here about NAT. NAT is not FW software.
<snip>
By comparing the way NAT functions between two networks, and the way
packet screening methods function between two networks, you can see that
NAT does not adhere to the firewall definition. NAT does not control
access between the networks. Some may argue that NAT does control access
because you cannot "see" the internal network. NAT does this not by using
rules or filters, however, but through concealment. It hides the network
from outside users.
<snip>
> The WRT54G
> comes stock with IP Tables which is the basis of most Linux firewall
> implementations. (Well, I use IP Chains in FreeSCO). Dumping:
> iptables -L
> from my WRT54G will result in about 60 lines of definitions, which
> methinks qualify by their complexity to be a suitable router. In
> addition, most of these rules deal with internal/external traffic
> control, which methinks qualifies as firewall functions. One of the
> things I like about the WRT54G is that the router definitions give me
> more firewall control than most cheapo routers. For example, I just
> noticed that I have some filters in place to block IP's of spammers
> that try dictionary attacks on my mail server, which is a firewall
> feature.
This is where I think a packet filtering solution or packet filtering NAT
router falls short. And again I don't like to type.
<snip>
Packet filtering firewalls allow a direct connection to be made between
the two endpoints. Although this type of packet screening is configured
to allow or deny traffic between two networks, the client/server model is
never broken.
Packet filtering firewalls are fast and typically have no impact on
network performance, but it's usually an all-or-nothing approach. If
ports are open, they are open to all traffic passing through that port,
which in effect leaves a security hole in your network.
Defining rules and filters on a packet filtering firewall can be a
complex task. The network administrator must have a good understanding of
services and protocols to be able to translate the organization's
security requirements and needs into an accurate list of allow and deny
rules or filters. In some cases, the task of configuring rules or filters
may become so complicated that implementation is impossible. Lengthy
access rules or filters can have a negative impact on network performance
and be prone to error. As the number of rules or filters increases, so
does the amount of time it takes the firewall to make comparison
decisions and the chance that an inaccurate rule or filter will be added.
The accuracy of rules or filters on packet filtering firewalls can be
very difficult to test. Even if the rules and filters seem simple and
straightforward, verifying the correctness of a rule through testing can
be a time-consuming process. Sometimes testing results can be misleading
and inaccurate.
Packet filtering firewalls are prone to certain types of attacks. Since
packet inspection goes no deeper than the packet header information, this
method of packet screening is easier to circumvent and cannot protect
against attacks directed at the application level. There are three common
exploits to which packet filtering firewalls are susceptible. These are
IP spoofing, buffer overruns, and ICMP tunneling. IP spoofing is sending
your data and faking a source address that the firewall will trust.
Buffer overruns typically occur when data sizes inside a buffer exceed
what was allotted. ICMP tunneling allows a hacker to insert data into a
legitimate ICMP packet.
Packet filtering firewalls do not perform user authentication. Again,
this method of packet screening looks at information contained in the
packet header and bases decisions on that information alone.
<snip>
>
> Please feel free to continue the discussion. I find it interesting.
> However, I would like to suggest that you both consider the
> definitions of firewall and router in terms of what they do, rather
> than in terms of how they function.
>
And I consider the FW appliance to out class the packet filtering NAT
router with SPI, because the FW appliance's architecture resembles the
packet filtering router and dual-homed Gateway architectures and is able
to look at a deeper level along with other things like actually breaking
the client/server model between two end points, providing services etc.
However, I got nothing against NAT routers. They are a good first line of
defense, until you start doing high risk things like port forwarding.
There is something to be said about book and practical knowledge; I use
them both, and I have been doing so since 1971 when I first entered the
computer industry.
BTW, Linux is not the greatest thing since *Air, Water and Fire*. ;-)
Duane :)
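The thread's point about header-only packet filters (they trust whatever source address is in the header, and an open port is open to every source) can be shown with a small simulation. This is an added example, not code from the post or from the WRT54G's iptables rules; the addresses, interface names and rule lists are constructed for illustration, and the stateless first-match-wins chain stands in for a real filter.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "wan" or "lan" (assumed names)
    src: str     # source IP as written in the header (may be spoofed)
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int


LAN = ipaddress.ip_network("192.168.1.0/24")   # constructed internal range
MAIL = "192.168.1.10"                          # constructed mail server address


def in_lan(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LAN


# A rule is (predicate on the header fields, verdict). First match wins and the
# default policy is DROP, like a stateless filter chain that never looks past
# the header. Nothing here sees payloads, users or connection state.
NAIVE_RULES = [
    (lambda p: in_lan(p.src), "ACCEPT"),   # trusts the source address as written
    (lambda p: p.dst == MAIL and p.proto == "tcp" and p.dport == 25, "ACCEPT"),
]

# Same chain with an ingress (anti-spoofing) check in front: a packet that
# arrives on the WAN interface claiming an internal source cannot be genuine.
HARDENED_RULES = [
    (lambda p: p.iface == "wan" and in_lan(p.src), "DROP"),
] + NAIVE_RULES


def filter_packet(rules, pkt: Packet) -> str:
    for predicate, verdict in rules:
        if predicate(pkt):
            return verdict
    return "DROP"


def port_is_all_or_nothing(rules) -> bool:
    # Two different WAN sources hitting the open SMTP port get the same verdict:
    # the filter cannot tell a legitimate peer from an abusive one by port alone.
    a = Packet("wan", "203.0.113.5", MAIL, "tcp", 25)
    b = Packet("wan", "198.51.100.7", MAIL, "tcp", 25)
    return filter_packet(rules, a) == filter_packet(rules, b) == "ACCEPT"
```

The only lever a header-only filter has against an abusive peer on an open port is a per-source drop keyed on the WAN-side address, which is exactly the spammer filter the quoted post describes.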