[c-nsp] ASA Firewalls placement in the network!

Gert Doering gert at greenie.muc.de
Sun Oct 11 13:00:29 EDT 2009


Hi,

On Fri, Oct 09, 2009 at 10:06:49PM -0500, Brian Johnson wrote:
> So are you actually saying that DPI is a bad thing relative to server
> protection? What makes this a bad idea? In what way does it make them
> more vulnerable to attacks?

Well, the point of a well-maintained server is that it is *open* to
the world - if you want a web server to be visible by the world, then
there isn't much you can do, besides "open HTTP to it".  And other
services should not be running in the first place.

So, if you put a fiewall in front of a well-maintained server, all you 
add is "extra state table handling" with all the problems it brings 
- state table overflow (=new connections getting dropped), state getting 
desynchronized with the server, firewall CPU exploding long before the
server is hitting any load boundaries, and worst of all, weaknesses in
the firewall products that can be used to crash the firewall, DoSing
the server.

The worst thing you can do is put a stateful firewall in front of a 
busy DNS server - every single packet creating new state will bring
most hardware-based firewalls to their knees, because "session churn"
is usually handled at much lower packet rate as "pure packet throughput
for existing state"...


Now, for a typical "office network", things look different, because you
don't have that stringent control over the machines behind the firewall
(so you never know who installed what application on their machine), and
the typical direction for connection setup is different (outbound 
connection = state handling is needed for the return packets).


Your example of "crafted packets that crash the server but can be handled
by the firewall" brings up the interesting question why one would upgrade
the firewall (to recognize this packet), but not the server (to be not
vulnerable to the bad packet in the first place)... - and *that* is 
what I meant by "well-maintained server" in the first paragraph.

Now, if your servers are not hardened enough, I'm happy to sell you a 
firewall to put in front of it - but it won't do zilch against the next 
buggy PHP application that will be used to exploit the server via 
perfectly nice HTTP requests - no crafted packets, just bad applications...


(I'm also one of those people that think the claim "NAT will improve
your security" was true 10 years ago, but wont't help at all for
todays security issues - browser exploits, e-mail viruses, etc.)

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20091011/e9d3274d/attachment.bin>


More information about the cisco-nsp mailing list