
What Is the Future of Firewalls?

kdawson posted more than 4 years ago | from the engine-block-goes-in-front dept.


jlmale0 writes "When I mess with my WAP/router at home or coordinate with the network team at work, it seems like I'm stuck in 1995. We're still manually listing IP address/port combinations for our firewall rules. There's a certain simplicity to this when dealing with a single system, but there are firewalls everywhere these days. What's available for managing complex firewall arrangements? What's being developed? Can I take a Visio diagram, run it through a script, and get a list of firewall rules? What about a GUI that illustrates the current system configuration and then lets me drag and drop systems across firewalls, and have the individual firewall ports automatically configured? What about tying a firewall into an authentication system so that when jdoe logs in, only then are the firewalls opened to pass her traffic? What about managing distributed firewalls so that one repository of rules opens up your system's firewalls, the DMZ firewall, and the public firewall all at once? Let's get a conversation started. What cool projects do I need to know about? What cool management features would you like to see? What's next for firewall management?"

414 comments

When you finish your MBA- it'll all become clear. (4, Funny)

bsane (148894) | more than 4 years ago | (#31904784)

When you finish your MBA- it'll all become clear.

Re:When you finish your MBA- it'll all become clea (5, Funny)

RobDollar (1137885) | more than 4 years ago | (#31904800)

Do you get a free Belkin 54g with your MBA?

Re:When you finish your MBA- it'll all become clea (1)

NemosomeN (670035) | more than 4 years ago | (#31904864)

Yes sir, couldn't get it working properly at first, but I dragged and dropped it outside the red box, and it seems to be working. Problem solved!

Re:When you finish your MBA- it'll all become clea (1)

Peach Rings (1782482) | more than 4 years ago | (#31905092)

How many times did you reboot it?

Re:When you finish your MBA- it'll all become clea (2, Interesting)

x2A (858210) | more than 4 years ago | (#31905300)

I don't have a one-of-those, I just have my scripts call iptables :-/ it's not as flash as drag 'n drop, but I tried programming a virtual usb mouse to automate clicking things on the screen when things happen, but while trying to write the detection software that tells it to click certain rules when somebody plugs their computer into the network, which was detected by pointing a webcam at the network switch to watch when lights came on/off, my head fell off. Turns out, I needed my head on.

Re:When you finish your MBA- it'll all become clea (1)

Kjella (173770) | more than 4 years ago | (#31905390)

When you finish your MBA- it'll all become clear.

After some cost/benefit analysis on the ideas above, I think yes. It's not going anywhere.

You (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31904790)

are one fucking lazy bastard.

Leave the networking stuff to the networking team (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31904796)

Sounds like someone wants to get rid of the network team by implementing a few DIY tools...

Re:Leave the networking stuff to the networking te (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#31905170)

You sound like some 14 year old with DIARRHEA.

Re:Leave the networking stuff to the networking te (5, Insightful)

Ximok (650049) | more than 4 years ago | (#31905360)

Yes, find someone who knows something about networking and more importantly about firewalls. Try someone who has a CCSP or CCIE:Security as part of their title. Some of the things you are talking about have existed for years on Cisco Pix and ASAs, like downloadable ACLs (where based on your credentials you get firewalled differently), which can be applied across a whole enterprise of firewalls. Dynamic inspection of traffic, like H.323 traffic, so you don't have to open a whole range of ports other than the signalling port.

Dear lord, gui based management of a fleet of firewalls? You want to drag and drop things and make magic happen when you do that? Sounds pretty reckless and dangerous to me. That's like saying because you can ride a bicycle, you should be allowed to drive a hazmat semi at top speed through downtown LA. If you don't understand what the rules are and how they will be applied in the first place, you are likely just going to cause problems (like accidentally shutting off your company's ability to sell their trinkets online because you locked it down on accident.)

By the way, I don't care what the kid from the nerd herd tells you, Belkin and Linksys do not sell firewalls. They sell quasi-routers with NAT and some limited form of access control. Finally, UPnP is not the answer to your problem; that just makes it easy for people to put devices on your network to open security holes up in your firewall, which is why it's not supported on most enterprise grade firewalls (and wouldn't work anyway if you looked at the way most enterprises build their networks).

The answer to your question is... (0)

zonker (1158) | more than 4 years ago | (#31904820)

No. Which makes me a sad panda.

Digital Mongolians (1)

cosm (1072588) | more than 4 years ago | (#31904828)

Damn you spam Mongolians [youtube.com] !

Honestly? (0)

pyite (140350) | more than 4 years ago | (#31904850)

All the tools suck. Firewalls cause more harm than good. The platforms are all mediocre. In my world (low latency trading), pulling firewalls out is one of the highest priorities if it can be done (legally and reputationally).

Re:Honestly? (1, Informative)

Anonymous Coward | more than 4 years ago | (#31905060)

low latency trading makes me sad.

Standardized Firewall Config Scripts (1, Interesting)

Hadlock (143607) | more than 4 years ago | (#31904854)

Did anyone play Borderlands for the PC? Remember what a nightmare it was to get multiplayer working on that thing? UPnP sorts out some bits, but having a file that you can upload to the firewall to configure that would be nice. There are scores of profitable websites out there that will walk you through how to configure your router for BitTorrent -- clearly there's a need for Something Better. If not config scripts/files, then something else.
 
I still can't host Borderlands multiplayer games.

Re:Standardized Firewall Config Scripts (1)

Kizeh (71312) | more than 4 years ago | (#31905008)

And how much of this had to do with NAT rules rather than firewalls?

Re:Standardized Firewall Config Scripts (0)

afidel (530433) | more than 4 years ago | (#31905230)

Yeah really, it's like a salami attack against the entire investment community (economy) but for some reason it's legal (at least for now, I'm hoping the SEC comes out with something substantive from their current call for comments).

Re:Standardized Firewall Config Scripts (1)

elronxenu (117773) | more than 4 years ago | (#31905322)

NAT or no NAT - any protocol which requires connections be accepted on varying port numbers is going to cause problems. Examples - SIP, BT, most IM protocols for file send.

Best is if there's a netfilter module for the protocol; it can watch the traffic and open up holes dynamically for related connections.

Re:Standardized Firewall Config Scripts (0)

Anonymous Coward | more than 4 years ago | (#31905216)

Just stop being such a whiner.

The future is now (1)

miggyb (1537903) | more than 4 years ago | (#31904856)

Everything you said sounds like it can just be scripted, not some sort of fundamental shift in the way we think about firewalls. The beauty of the Unix philosophy (do one thing and do it well) is that it works at an almost intuitive level. The more complexity you layer on at the base level, the less clear things become for someone trying to understand it.

Re:The future is now (4, Insightful)

blackraven14250 (902843) | more than 4 years ago | (#31904982)

I love how you *nix guys don't ever take end users into consideration. You think "Oh, just learn how to script the stuff together with some shell and you'll be good!".

All the while, the end users are saying "We don't care about having to learn to write a script; just include one with your damned program, and have a standard that routers can accept this file and it will just work and be simple."

Re:The future is now (3, Insightful)

bmo (77928) | more than 4 years ago | (#31905166)

The "Simple Way" is usually the wrong way when dealing with complex systems.

There are tools that make things easier for "roughing out" what you want, but fine tuning is always breaking out a text editor and making adjustments.

What about the users? Fuck them. They don't even know what an operating system is and don't care what it is, don't care what a firewall is outside of "it keeps the bad guys out," don't care what a router or switch is, and mostly don't care how a network works or even bother to learn how to navigate a file system. Most of all, they cannot be trusted to reliably run a script without somehow screwing it up, even if it's one click of a mouse.

This is why your system administrator treats you like someone who just got off the short bus.

--
BMOs

Re:The future is now (5, Insightful)

blackraven14250 (902843) | more than 4 years ago | (#31905248)

"Yeah, fuck those end users! We'll make it a bitch and a half to use our product even though the fixes are simple!"

Honestly now, I'm talking about home users, the other people who use firewalls, even though they don't know it. Make it a standard on routers where on the router's config page, it can accept a small text file with ports to be routed to the current connection. Even better, have the program send that information when the game starts, and have the ports un-routed when the game ends. It's a relatively simple, easy fix for the headache that is "finding out the proper ports for XBox Live to work" and entering them manually.

I know how to do it, but let me tell you, I don't know many other people that can install a router to begin with, let alone get their port forwarding to work for Gears of War; and they don't care to learn. Ease of use and the user interfaces on routers haven't improved one bit for consumers from the Belkin I had in 2002; why should a market completely stagnate in user friendliness for that long?

Oh, that's right. It's because every *nix head doesn't think about the real end user, just what's "most powerful" in terms of features. Design solely for the power users and administrators, and you miss 95% of the market - what Linux has excelled at for many, many years.

Re:The future is now (0)

Anonymous Coward | more than 4 years ago | (#31905398)

Who gives a shit about 15 year old Xbox kiddies?

Re:The future is now (0)

Anonymous Coward | more than 4 years ago | (#31905412)

Isn't this a lot of what UPnP was designed to do?

Re:The future is now (3, Insightful)

Fred Ferrigno (122319) | more than 4 years ago | (#31905426)

Make it a standard on routers where on the router's config page, it can accept a small text file with ports to be routed to the current connection. Even better, have the program send that information when the game starts, and have the ports un-routed when the game ends. It's a relatively simple, easy fix for the headache that is "finding out the proper ports for XBox Live to work" and entering them manually.

That already exists. It's called UPnP. [wikipedia.org] Xbox Live even supports it.

Re:The future is now (3, Insightful)

bmo (77928) | more than 4 years ago | (#31905476)

have the program send that information when the game starts, and have the ports un-routed when the game ends.

This is insane. This really is an insane concept. If you think that the home user is the black-hat botnet operator's bitch, this will only exacerbate the situation. You are removing what little human interaction there is in configuring a router and turning it over to software completely. You really need to examine what you just asked for, because it's stupid.

Why not just supply the user with a pail of K-Y Jelly?

--
BMO

Re:The future is now (1)

biryokumaru (822262) | more than 4 years ago | (#31905198)

It's kind of funny how this comment thread comes up immediately following this [slashdot.org] article...

Re:The future is now (2, Insightful)

miggyb (1537903) | more than 4 years ago | (#31905206)

You mean like defaults?

Re:The future is now (2, Insightful)

MightyMartian (840721) | more than 4 years ago | (#31905228)

Your average end user is likely going to be quite satisfied with a basic web-based firewall GUI sitting over top of iptables. However, your average end user is highly unlikely to need an in-depth understanding of complex routing tables, queue rules, etc. I mean, why aren't you bitching about Cisco, which is every bit as difficult to work with for complex networks?

For most users, a basic web-based configuration set up is great. For another subset something like Webmin or the Cisco GUI tools will probably do the trick. But there will always be some subset that need to do very complex firewall and routing jobs.

In other words, what the fuck is your problem?

Re:The future is now (1)

Fred Ferrigno (122319) | more than 4 years ago | (#31905246)

If we're talking about average home users, UPnP works well enough, if they even need it which many don't. On the other hand, if your "end users" are system admins managing large, complex networks, then there just isn't going to be a one-size-fits-all solution. The more complex and specialized your demands on the system are, the more effort you're going to have to put into configuring it.

Re:The future is now (1)

phantomfive (622387) | more than 4 years ago | (#31905340)

We don't care about having to learn to write a script; just include one with your damned program

Which reminds me, one of the reasons developers stop doing open source is because end users can be really demanding, and really annoying in the way they demand.

Re:The future is now (1)

Xipher (868293) | more than 4 years ago | (#31905376)

The only time I want an end user managing a firewall is in their own home, and I think most consumer devices have a decent enough web interface to get by. If you're talking about a business environment that needs something more than a consumer appliance then you should probably hire a network admin to help manage it. Security is often a trade off for ease of use, and I'm not saying unnecessarily convoluted configuration methods are secure, but if you want to be able to secure your network it's something I see as being more complex than the average end user is going to understand. I don't expect the average executive assistant at a company to understand the implications of allowing anything through the filter, but I wouldn't doubt they would do that so they can use a little application that just got installed by this email from an African prince.

Re:The future is now (5, Interesting)

Crackez (605836) | more than 4 years ago | (#31905408)

You may not be worth this reply, however, I will try to overcome my Unixism.

"It can scarcely be denied that the supreme goal of all theory is to make the irreducible basic elements as simple and as few as possible without having to surrender the adequate representation of a single datum of experience." - Albert Einstein

I don't mean to quote and sound all guru-ish, however, this particular quote has a deep meaning with regard to this discussion.

"Shits tough, you have to be tough too." - I think I invented that one.

Basically, if you can't swim then get out of the water, or learn to swim; those are your only choices.

Stuff like networking is zen, it's just bits on a wire. On the other hand, it can be hard. Waah.

Future of Internet and firewalls (5, Insightful)

seawall (549985) | more than 4 years ago | (#31904858)

A wise wise network engineer at UW once showed me the following diagram several years ago:

INTERNET -> PORT80, PORT443

His point being more and more is routed through ports 80 and 443 in an effort to avoid firewall restrictions. I often think he was right. Consequences for firewalls left up to reader.

Re:Future of Internet and firewalls (3, Insightful)

bersl2 (689221) | more than 4 years ago | (#31904988)

Shouldn't it be INTERNET <- PORT80, PORT443? You're talking about outbound traffic firewalling, right? Inbound is explainable by the limitations imposed by NAT.

Yep! That's why the future is in smarter devices (1)

King_TJ (85913) | more than 4 years ago | (#31905274)

I've been contacted by several Internet security product vendors recently (after I attended a free network security conference in town). The "in" thing right now seems to be selling "security appliances" that can intelligently sniff traffic on port 80 or 443 and discern what's actually going through. Of course, right now, they seem to be trying to sell these as additions to your environment, rather than replacements for existing traditional firewalls ... but it's only a matter of time before it all gets rolled together into one product.

Re:Future of Internet and firewalls (1)

BitterOak (537666) | more than 4 years ago | (#31905298)

A wise wise network engineer at UW once showed me the following diagram several years ago:

INTERNET -> PORT80, PORT443

Actually, it's more like: INTERNET -> PORT22, since just about anything can be sent through an ssh tunnel. And the encryption makes most types of deep packet inspection impossible.

Re:Future of Internet and firewalls (1)

Crackez (605836) | more than 4 years ago | (#31905444)

IP != TCP

Man, I cannot wait for IPv6 already. I'm ready for the pain. It'll be worth it.

Re:Future of Internet and firewalls (0)

Anonymous Coward | more than 4 years ago | (#31905374)

Your wise engineer is not so wise... I get the point, but it's taken out of context. Port 80 is NOT internet traffic, nor is 443. It's a port, thus you can run any program via it if it's written to do so. You can serve web pages through 6969 if you wanted - if your web server is configured to do so. Same goes for port 443; this is just HTTP (80) tunneled through the SSL protocol. Once again, you can do whatever you want with whatever port you choose - depends on how the program is written.

Google's capirca (3, Interesting)

Anonymous Coward | more than 4 years ago | (#31904860)

"Developed internally at Google, this system is designed to utilize common definitions of networks and services and high-level policy files to facilitate the development and manipulation of network access control filters (ACLs) for various platforms." http://code.google.com/p/capirca/ [google.com]

If only everyone followed this spec... (1)

CoffeeDog (1774202) | more than 4 years ago | (#31904866)

... firewalls would be so much simpler:

The Security Flag in the IPv4 Header [ietf.org]

(I saw some other Slashdot comment with this link in it, but it just fits so well here!)

Re:If only everyone followed this spec... (1)

hduff (570443) | more than 4 years ago | (#31904974)

TFF

Re:If only everyone followed this spec... (0)

Anonymous Coward | more than 4 years ago | (#31905200)

The problem with this should be obvious - anyone who is sending out "malicious" packets would just set the "evil" bit to be 0.

it depends on what you're doing. (1)

indrora (1541419) | more than 4 years ago | (#31904894)

Some firewalls are shit: see, anything relating to SonicWALL or PepLINK (trust me, it's a combination that *sucks*).

Others are useful once you have the basic idea. Anything is good when configured nicely; even iptables has a reasonable idea of how to do firewall stuff.

Either way, firewalls *are* pretty much entirely shit. There is no "drop-in" security.

Re:it depends on what you're doing. (1)

cHiphead (17854) | more than 4 years ago | (#31905122)

I'm slowly moving everything to pfSense, tired of dealing with shit firewalls or over-the-top bullshit to configure simple rules on a firewall (Sonicwall, Cisco, I'm looking at you and your goddamn requirement for Java to use the web interface on a PIX if the client doesn't have a competent onsite tech that can handle ssh/console commands safely).

Checkpoint wasn't too terrible but its GUI had a certain learning curve.

I am, of course, looking at it from a small business support standpoint. Tell me if I'm off base (not that I really mind the job security of confusing firewall configurations for clients).

Cheers.

Firewall Builder (1)

jamincollins (599712) | more than 4 years ago | (#31904958)

Firewall Builder does most of what the submitter is looking for already.

Re:Firewall Builder (2, Interesting)

mydots (1598073) | more than 4 years ago | (#31905278)

fwbuilder also does a great job of managing multiple firewalls even if they are different platforms and will even manage your home router if it has OpenWrt installed. It will manage everything over ssh, so it's definitely secure for remote firewall management over public IP addresses. I have been alpha/beta testing version 4.0 for many months now and there have been a lot of great improvements including cluster support.

Re:Firewall Builder (2, Interesting)

smpoole7 (1467717) | more than 4 years ago | (#31905384)

Firewall Builder does most of what the submitter is looking for already.

Just browsing through here, but I'm surprised (and then again, I'm NOT surprised) at the answers thus far. I get the same replies when I ask a similar question.

What the submitter is talking about is a 21st Century Firewall (capitalized out of reverence). Why not have automatic host discovery? Why should I have to painstakingly come up with a list of all target machines with IP addresses? Is this not 2010? :)

Did everyone miss the question about "jdoe's" computer being connected, and then (and ONLY then) her needed ports being enabled in some other PC on the network? That would actually be a VERY nice capability.

For the record, I've looked at IPCop; Shorewall; SuSEFirewall2; the firewall tools built into Webmin; (and years ago) Mandrake's firewall package; you name it (this is just a partial list off the top of my head). All of them follow the same paradigm: YOU must come up with the list of IPs and ports. If anything moves or changes, YOU have to painstakingly re-enter all of the port/IP info (and hope you didn't miss something!).

So-called GUI interfaces and/or firewall "builder" tools still follow this same basic config paradigm. Just adding automatic discovery would be a HUGE help ... simply put, someone connects a machine, the firewall says, "new PC added at 192.168.1.100, DHCP, it's exposing ports 100, 200 and 500."

Everything I've tried thus far can't even reliably list all PCs on the network! I have to run an NMAP discovery or (under Windoze) something like the Angry IP Scanner. It doesn't make sense.

Some of what the submitter is asking would most properly be done in a really smart firewall/network switch combination. You would probably have to install a small software package on each network machine, too, that could "talk" to the firewall. But the question remains, why isn't this kind of thing available? It *IS* a little surprising (and frustrating) that someone hasn't developed a point-and-click, self-discovering, self-cataloging firewall system by now.

I think the real problem is that true propeller-headed geeks actually *enjoy* poking in stuff with iptables rules at a prompt. They're the most likely to have the skills to develop something like a true GUI firewall, but they're the least likely to want to.
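The "jdoe logs in, and only then are her ports opened" capability asked for in the submission and in this comment (and which the downloadable-ACL comment earlier in the thread says some vendors already ship), as an added Python example that is not from the page or from any product it names: authentication events are turned into iptables insert and delete commands for a dedicated chain, so a user's services are reachable only while that user is logged in from that host. The event format, the chain name and the per-user entitlements are constructed assumptions; a real deployment would feed this from RADIUS accounting, an 802.1X hook or a syslog stream.

```python
import re
from dataclasses import dataclass, field

# Constructed per-user entitlements: user -> set of (protocol, port) that the
# firewall should pass to that user's host while the user is logged in.
USER_POLICY = {
    "jdoe": {("tcp", 22), ("tcp", 443)},
    "asmith": {("tcp", 3389)},
}

# Dedicated chain holding only identity-derived rules (an assumption of this
# example) so they never mix with the static policy and can be flushed as a unit.
CHAIN = "USER_ACCESS"

# Constructed event format for login/logout notifications.
EVENT_RE = re.compile(
    r"^auth: (?P<action>login|logout) user=(?P<user>\S+) ip=(?P<ip>[\d.]+)$"
)


def rules_for(user, ip):
    """Rule bodies (without -I/-D) for one user's current host, in a stable order."""
    return [
        f"{CHAIN} -s {ip} -p {proto} --dport {port} -m conntrack --ctstate NEW -j ACCEPT"
        for proto, port in sorted(USER_POLICY[user])
    ]


@dataclass
class SessionFirewall:
    # ip -> user currently authenticated from that address
    active: dict = field(default_factory=dict)

    def handle(self, line):
        """Translate one auth event into the iptables commands to run.

        Returns no commands for malformed lines, users with no entitlement,
        repeated logins from the same host, and logouts without a matching session.
        """
        m = EVENT_RE.match(line.strip())
        if not m:
            return []
        action, user, ip = m.group("action", "user", "ip")
        if user not in USER_POLICY:
            return []  # nothing is opened, so there is nothing to revoke later
        if action == "login":
            if self.active.get(ip) == user:
                return []  # duplicate event; the rules are already in place
            cmds = []
            # A different user appearing from the same host first loses the old rules.
            if ip in self.active:
                cmds += self.handle(f"auth: logout user={self.active[ip]} ip={ip}")
            self.active[ip] = user
            return cmds + [f"iptables -I {r}" for r in rules_for(user, ip)]
        if self.active.get(ip) != user:
            return []  # logout for a session we never opened
        del self.active[ip]
        return [f"iptables -D {r}" for r in rules_for(user, ip)]


def replay(lines):
    """Run a sequence of events and return (commands emitted, sessions still open)."""
    fw = SessionFirewall()
    cmds = []
    for line in lines:
        cmds += fw.handle(line)
    return cmds, fw.active


SAMPLE_EVENTS = [  # constructed sample feed
    "auth: login user=jdoe ip=10.0.5.23",
    "auth: login user=jdoe ip=10.0.5.23",     # duplicate, must not double the rules
    "auth: login user=mallory ip=10.0.5.99",  # not entitled to anything
    "auth: logout user=jdoe ip=10.0.5.23",
]

if __name__ == "__main__":
    for cmd in replay(SAMPLE_EVENTS)[0]:
        print(cmd)
```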

Complex often means hand tweak. No way around it (1)

syousef (465911) | more than 4 years ago | (#31904994)

I don't have a lot of trouble with firewalls at home. I'm running a WRT54GL with Tomato (previously was using DD-WRT but I like the graphing in Tomato, and didn't need anything available in DD-WRT but not Tomato so I switched). This setup has given me no trouble (barring one stupid r/c game/simulator with networking that is a total mess and doesn't work properly with or without a router - and even that works intermittently). However I'm not doing anything too advanced with it.

Once you do get to enterprise networking the picture quickly changes. Bear in mind this isn't my area of expertise but I do need to understand the firewalls I work with for troubleshooting. Each architecture is unique. The design decisions aren't well represented in something like Visio and the rules couldn't possibly be generated from that. I would be suspicious of any tool that claimed to be a one-click solution from diagram to ready-to-implement firewall rules. I'm happy to be proven wrong but I've not seen such a tool. Complex means complex, and that often requires that those rules are tweaked by hand.

Re:Complex often means hand tweak. No way around i (2, Interesting)

CAIMLAS (41445) | more than 4 years ago | (#31905406)

Yes, there are those outside cases. However, consider how many scenarios can be easily covered with an "exceptioned template".

Take IP tables, for instance. It typically goes something like this: Deny all, do NAT/masq from the inside, do traffic shaping/QoS, and finally allow specific ports/do specific port forwarding. It's formalistic and not all that complex, once you understand it - and it's largely linear, with most of the scripts following the same basics.

For 90%+ of scenarios, it would be easy to instigate a framework for transparent transport of rules between systems (homogeneous and maybe even heterogeneous ones) or automatically setting rules based on inside services. The problem with doing it, however, is that it would provide a negligible benefit over what's out there now (as firewall rules tend to rarely change).

The security ramifications of such an application seem like they'd be hit and miss, internally. Yes, you want to prevent hosts from talking to each other when they've got no reason to - though there are other methods for doing this in a cleaner, less granular/more centralized fashion (802.1Q VLANs). It works better because, again, it covers 90%+ of conceivable scenarios with less configuration.

It all comes down to KISS. Sometimes firewall restrictions are appropriate; sometimes something else is. More often than not, though, people use what they know and misapply it for fear of not being able to grasp a new technology in time to properly implement it, and we end up with a gongshow.
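The "exceptioned template" this comment describes (deny all, NAT from the inside, then the specific port forwards and allows; the QoS step is left out), driven from named network and service definitions in the spirit of the capirca comment earlier in the thread, as an added Python example that is not from the page, from capirca, or from any project named here. The definition tables, interface names and policy terms are constructed; besides emitting the iptables commands in template order, the compiler rejects a term that an earlier, broader term for the same service makes unreachable, which is the kind of check a rule-set manager should run before pushing rules to a fleet.

```python
from ipaddress import ip_network

# Constructed definition tables; every name here is an assumption of this example.
NETWORKS = {
    "ANY":  ["0.0.0.0/0"],
    "LAN":  ["192.168.1.0/24"],
    "DMZ":  ["10.10.0.0/24"],
    "MGMT": ["192.168.1.10/32", "192.168.1.11/32"],
}
SERVICES = {
    "SSH":   [("tcp", 22)],
    "HTTPS": [("tcp", 443)],
    "DNS":   [("udp", 53), ("tcp", 53)],
}
# One policy term: (name, source network, destination network, service, action).
# Terms are matched in order and the first match wins, so order is part of the policy.
POLICY = [
    ("mgmt-to-dmz-ssh", "MGMT", "DMZ", "SSH",   "accept"),
    ("lan-to-dmz-web",  "LAN",  "DMZ", "HTTPS", "accept"),
    ("lan-to-any-dns",  "LAN",  "ANY", "DNS",   "accept"),
    ("lan-to-any-web",  "LAN",  "ANY", "HTTPS", "accept"),
]
# Services published from the DMZ: (WAN port, protocol, internal address, internal port).
FORWARDS = [(443, "tcp", "10.10.0.5", 443)]


def nets(name):
    """Resolve a network name to validated ip_network objects."""
    if name not in NETWORKS:
        raise ValueError(f"unknown network {name!r}")
    return [ip_network(c) for c in NETWORKS[name]]


def covered(inner, outer):
    """True when every prefix of network `inner` lies inside some prefix of `outer`."""
    outer_nets = nets(outer)
    return all(any(i.subnet_of(o) for o in outer_nets) for i in nets(inner))


def check_shadowing(policy):
    """Reject a term that can never match because an earlier term for the same
    service already covers its source and destination."""
    for i, (name, src, dst, svc, _) in enumerate(policy):
        for earlier, esrc, edst, esvc, _ in policy[:i]:
            if esvc == svc and covered(src, esrc) and covered(dst, edst):
                raise ValueError(f"term {name!r} is shadowed by {earlier!r}")


def compile_policy(policy=POLICY, forwards=FORWARDS, wan="eth0"):
    """Emit iptables commands in template order: deny all, NAT from the inside,
    port forwards, then the explicit allows from the policy terms."""
    check_shadowing(policy)
    cmds = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
        # Reply traffic, plus flows a netfilter helper marked as RELATED
        # (for example the data connection of a tracked control protocol).
        "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
        "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    ]
    for cidr in nets("LAN"):
        cmds.append(f"iptables -t nat -A POSTROUTING -s {cidr} -o {wan} -j MASQUERADE")
    for wport, proto, addr, iport in forwards:
        ip_network(addr)  # validates the address literal
        cmds.append(f"iptables -t nat -A PREROUTING -i {wan} -p {proto} --dport {wport} "
                    f"-j DNAT --to-destination {addr}:{iport}")
        cmds.append(f"iptables -A FORWARD -i {wan} -d {addr} -p {proto} --dport {iport} "
                    f"-m conntrack --ctstate NEW -j ACCEPT")
    for name, src, dst, svc, action in policy:
        if action not in ("accept", "drop"):
            raise ValueError(f"term {name!r}: unknown action {action!r}")
        if svc not in SERVICES:
            raise ValueError(f"term {name!r}: unknown service {svc!r}")
        for s in nets(src):
            for d in nets(dst):
                for proto, port in SERVICES[svc]:
                    cmds.append(f"iptables -A FORWARD -s {s} -d {d} -p {proto} --dport {port} "
                                f"-m conntrack --ctstate NEW -m comment --comment {name} "
                                f"-j {action.upper()}")
    return cmds


if __name__ == "__main__":
    print("\n".join(compile_policy()))
```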

I, For one, (1, Insightful)

cadeon (977561) | more than 4 years ago | (#31904998)

I hope firewalls (well, specifically, NAT routers, DMZs, port forwarding, etc- which all seem to get grouped in 'firewalls') in general will become much LESS of an issue in the future thanks to IPv6. In that world, everything's got a unique address so there's really no need for NAT, private subnets, or the routing issues associated with those.

IMHO, the task of firewalling has been (somewhat incorrectly) pushed on the device doing the routing, when it should be handled on the device itself. Hosts, actual end points, should be able to decide what they will do with the traffic that gets to them, not something in the middle. It's been placed on the router because in our current IPv4 / NAT world, it has to be put there, so the traffic can even *make it to* said end point host. That's not the case with the worldwide-unique addresses of IPv6.

As such, in the IPv6 world of the eventual future, firewalls will exist more due to policy than security (i.e. access to certain services will be disallowed if you're on a corporate network). The security firewalling will need to be done on the device itself, which makes good sense- don't want people ssh hammering your laptop? Well, don't run that service, or restrict it to only devices you trust.

Re:I, For one, (1)

sgbett (739519) | more than 4 years ago | (#31905096)

I agree NAT and port forwarding aspects will(should) be out the window but I still think firewalls that, say, ringfence subnets will still be of value.

Particularly if it's a choice between that and letting machines (more specifically a particular OS) handle their own security. That would be a terrifying thought.

Re:I, For one, (1)

cadeon (977561) | more than 4 years ago | (#31905204)

Particularly if it's a choice between that and letting machines (more specifically a particular OS) handle their own security. That would be a terrifying thought.

Accountability will be where it needs to be.

Security is the Host's Problem, not a problem that should be seen as solvable by using an external device.

Re:I, For one, (1)

CAIMLAS (41445) | more than 4 years ago | (#31905416)

The need for firewalls in the first place would be negated if every operating system out there didn't ship with a substantial set of outside-facing services enabled. A network connection should always be considered to be a hostile, unsafe environment: you enable what you need, when you need it. Make the UI easy to do so, sure; but don't make it the default.

Re:I, For one, (0)

Anonymous Coward | more than 4 years ago | (#31905168)

You are an idiot. Do you really think corporations are going to open up their firewalls because somehow IPv6 magically makes them secure?

Re:I, For one, (1)

cadeon (977561) | more than 4 years ago | (#31905244)

No, I'm saying the task of security is misplaced and IPv6 will enable it to be placed properly.

I also said that corporations can still use firewalls to enforce policy, quite often those policies are going to disallow services which could pose a security risk.

Firewalls still have a place in the world. They are still of good use, I'm just saying that there will be much more flexibility as the rules can be placed On The Host Itself as opposed to on an external device that has to be configured to do the firewalling, since it's already doing the routing.

Thanks for the input though.

Re:I, For one, (0)

Anonymous Coward | more than 4 years ago | (#31905320)

There is absolutely no reason to put firewall type processes on every server in a data center when you can simply install a firewall. What a waste of money.

Re:I, For one, (2, Insightful)

scdeimos (632778) | more than 4 years ago | (#31905290)

Firewalls have been put on the routers (or some intermediate device) instead of the hosts precisely because the hosts can't be trusted. Certain hosts will always be subject to variations of the Ping-of-Death theme and tainted payloads and will never be safe with host-based firewalls.

Re:I, For one, (0)

Anonymous Coward | more than 4 years ago | (#31905354)

If a host / OS is vulnerable to a Ping-of-Death variant or any other attack, WHY is it assumed the way to fix it is to drop in ANOTHER box in front of it?

I mean yes, that's the easy way to go about it, and we were forced here due to old, insecure OS models suddenly gaining public internet access. But it's a patch to the real problem, not a fix.

Security should be a host-level concern.

Re:I, For one, (0)

Anonymous Coward | more than 4 years ago | (#31905422)

As soon as you get your perfect host based firewall setup that doesn't adversely affect the performance of the host let me know. Til then, defense in depth and actually getting stuff done will always come before utopian perfection moves in.

Re:I, For one, (1)

eyrieowl (881195) | more than 4 years ago | (#31905452)

If I have systems, and I do, which require the utmost in performance, and which also have to connect to the outside world, the last thing I want is for those systems to IN ANY way be impacted b/c some bozo wants to flood me with packets. I want that cut off somewhere else, not at my box. I have a well-known, small set of external systems I want to connect to, and I only want to see traffic from them. It's not about my host being poorly designed, it's simply that I want to have my system focus only on the task it's doing, not some other b.s. I'll be using my network devices very heavily, high traffic rates (by no means all external), and I'll be often saturating my CPUs with actual work. Tell me again why I don't want another box acting as a firewall to help protect my systems?

Re:I, For one, (2, Insightful)

bsDaemon (87307) | more than 4 years ago | (#31905292)

IPv6 isn't going to eliminate the need for DMZs and stuff like that. Sure, NAT can be done away with, but NAT isn't "firewalling". Really, what we should be talking about is packet filtering, and in this sense, dedicated packet filtering boxes are key. There is no reason that network hosts should be wasting cycles on packet filtering if putting a box out in front of a network segment, say, behind a border router or in front of an aggregation switch, can dedicate cycles to the task -- especially if the box doing the packet filtering doesn't introduce latency beyond an acceptable level.

Re:I, For one, (2, Insightful)

cadeon (977561) | more than 4 years ago | (#31905430)

Thanks, well stated. Very constructive and kind.

I still believe that host level security is lacking and should be addressed, because problems can arise from the outside world or within the firewalled subnet.

The assumption that the outside world is 'big, bad, and evil' and 'my subnet is cookies and cream' is a very bad one and very detrimental to security IMHO. That's why I say security is primarily a host-level concern, because the *real* mindset should be 'everything off my machine is potentially big, bad and evil.'

I don't want to discount the niceties of centralized rules and reporting, or as you point out, potential performance impact. I'm just trying to point out that the security model we've settled into is a result of the hosts being insecure (mostly due to legacy OS's suddenly getting worldwide internet access). Adding a new piece of hardware doesn't fix the core problem, it just patches it- and it still leaves you open to attacks from within your subnet.

Accountability for security should be at the host level.

Re:I, For one, (1)

afidel (530433) | more than 4 years ago | (#31905344)

Nope, centralized management and reporting mean it's valuable to have a single device doing the decision making. It also makes it much easier to do IDS/IPS if 99% of the attacks are stopped at the perimeter because it makes the remaining signal:noise much easier to deal with. I can't imagine what trying to sort through our SNORT logs would look like if I had to account for all of the failed attacks that are dropped by the firewall.

Additional device based firewalls are often a good idea, but at least for shared servers the rules can become so complex as to be either unwieldy or useless.

Re:I, For one, (1)

digitalnoise615 (1145903) | more than 4 years ago | (#31905392)

I hope firewalls (well, specifically, NAT routers, DMZs, port forwarding, etc- which all seem to get grouped in 'firewalls') in general will become much LESS of an issue in the future thanks to IPv6. In that world, everything's got a unique address so there's really no need for NAT, private subnets, or the routing issues associated with those.

IMHO, the task of firewalling has been (somewhat incorrectly) pushed on the device doing the routing, when it should be handled on the device itself. Hosts, actual end points, should be able to decide what they will do with the traffic that gets to them, not something in the middle. It's been placed on the router because in our current IPv4 / NAT world, it has to be put there, so the traffic can even *make it to* said end point host.

No. It was not moved to a router because of the current IPv4/NAT - after all, there is a thing called a software firewall. The problem is that unless NIC manufacturers place hardware firewalls on their NICs, software is inadequate, and subject to being compromised - and yes, I know hardware firewalls can be as well. But I'm looking at a certain OS in this instance.

Even with IPv6, network overhead will continue to be an issue - and if I'm not mistaken, IPv6 uses larger headers, and thus more overhead, than IPv4. On older networks, if you remove the routers that intelligently direct traffic, because "they're no longer necessary" you are almost guaranteed to run into a situation where the available bandwidth is now entirely saturated - thanks to broadcast traffic.

Personally, I don't care if I have a world-wide unique IP address - I want a device that sits at the peering point of my network and goes "Oh hell no!" and drops packets for me - without placing that overhead on each individual machine downstream, and hoping/praying that some rogue user/software/etc. hasn't decided to open a port it/they think is necessary.

What's next for firewall management? (5, Funny)

Centurix (249778) | more than 4 years ago | (#31905000)

I haven't looked, but I'm sure there's an iPhone app for that.

Feature, not bug (4, Insightful)

RightwingNutjob (1302813) | more than 4 years ago | (#31905018)

Anything that lets you automagically configure a firewall from outside of it is a potential exploit waiting to happen. Things that are stupid, slow, and require physical access are that much more secure.

Re:Feature, not bug (2, Informative)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#31905140)

Only partially true. Physical access is, indeed, generally a security plus(though not a cure-all: if the inconvenience causes somebody to jury-rig their own remote access solution, you now almost certainly have a much less secure system than one that was designed for remote access in the first place. Also, just because the janitor earns 6 bucks an hour and no hablo ingles doesn't mean he can't connect a serial cable...)

Slow and stupid, though, are dangerous. Humans have a tendency to make stupid, sloppy errors. Anything that requires them to keep hundreds or thousands of complex details in mind brings out the worst in them, and causes stupid misconfigurations. Of course, any tool that allows an MBA to achieve stupid misconfigurations just by dragging objects around in a drool-proof GUI also causes stupid misconfigurations...

Re:Feature, not bug (5, Funny)

clintonmonk (1411953) | more than 4 years ago | (#31905388)

Things that are stupid, slow, and require physical access are that much more secure... in bed.

It's about demand –or lack thereof (4, Insightful)

dn15 (735502) | more than 4 years ago | (#31905038)

I think that firewall administration has been allowed to remain shoddy because most people who aren't gamers or server admins don't need to change the settings at all. Gamers are usually obsessed enough with playing that they will take the time to figure it out. And sysadmins, well it's their job to know how to do that stuff.

This isn't an excuse for things being the way they are, but an explanation. Most people just vaguely understand that a firewall protects their computer, but they don't know any more than that and will probably never have to configure one. If the archetypal grandmother or joe six pack ever has a reason to manage firewall settings (unlikely) then an easy configuration tool will appear overnight. Unless a widespread need arises, limited demand will translate to limited effort spent developing user-friendly tools.

I've said it before, and I'll say it again. (1)

LibertineR (591918) | more than 4 years ago | (#31905062)

99% of what anyone needs in a firewall can be accomplished by an ISA2006 Server (reverse proxy and AD authentication) fronted by a Cisco Pix for port management.

If you can get past that, then you deserve the goodies, IMHO.

DD-WRT (1)

guabah (968691) | more than 4 years ago | (#31905068)

When in doubt use port triggering instead of forwarding, and enable uPnP.

when jdoe logs in... (0)

Anonymous Coward | more than 4 years ago | (#31905080)

Check out Juniper's UAC system. It does this quite well when paired with NetScreen firewalls.

UML Deployment Diagram to Firewall Cfg Generator (1)

idsfa (58684) | more than 4 years ago | (#31905084)

Just wish I had one ...

Just run it through a Chinese server (2, Funny)

countertrolling (1585477) | more than 4 years ago | (#31905104)

They'll firewall it for you..

Re:Just run it through a Chinese server (0)

Anonymous Coward | more than 4 years ago | (#31905190)

In Soviet China
The firewall blocks you...

?

Standardization is EXTREMELY difficult (2, Informative)

CodePwned (1630439) | more than 4 years ago | (#31905110)

In a Star Trek world people would work well together, but the money is made coming up with the next biggest and best product, meaning you beat out the competitors. Working together often eliminates that huge profit margin one gets when they have the "best" tech for "this need". Open Source solutions are often (not always) designed from this viewpoint that "A collaborative effort will result in an ideal product with the motivation being profit profit profit".

Add on top of that is that there are many things that drive technology. Some needs are speed, others are security, etc etc etc.

In my work, our "data" is our life blood. If it's hacked, destroyed etc... we're screwed. We sell our information so while speed is often important... security is #1. If I was working for the stock exchange, security would come in second merely because time is ESSENTIAL. Security comes immediately after. Get the gist?

Now, when you're talking high level networking where you're dealing with thousands or even hundreds of thousands of connections simultaneously then you have to combine a mix of things.

This is where it makes it extremely difficult to make a program that does everything in simple-man terms. That's why there are network administrators and architects. There are far too many variables to turn into a Windows-like GUI where "Are you sure?" will cover it. Here's a small list of the variables you're going to encounter:

- Size of network
- Location of all users (remote and local)
- Security requirements (government contracts often require certain levels)
- Company policies (do you need to have site filters for porn sites)
- What kind of filters will you use
- What kind of hardware is this all operating under
- Many routers run different flavors of linux where some commands are different (Cisco *cough*).

It pretty much comes down to... networking in the home is easy because it is simple. You're going to have X number of boxes connected wired or wirelessly to a single incoming connection. Easy.

However, in the real environment you may have 20+ connections coming in with complex equipment that routes and load balances those incoming and outgoing connections. If someone were to create a piece of software for this it would need every single manufacturer of routing equipment to work together. That's just not going to happen.

So... the only common things that can happen are learning to write script once you've thought out your network and that's the easy part.

Re:Standardization is EXTREMELY difficult (1)

blackraven14250 (902843) | more than 4 years ago | (#31905174)

You have a great point about "networking in the home being simple". Now let me remind you:

There are problems connecting to nearly every game server through a router when a non-technical person is doing the connecting, because there's no standard way for the creators of the games to open up the correct ports; this is a simple thing the question asks, yet is still completely unaddressed by the guys making home routers. They could easily come up with a method to accept a small text file with the proper information for the game's connections, but they aren't innovating the user experience whatsoever.

Re:Standardization is EXTREMELY difficult (0)

Anonymous Coward | more than 4 years ago | (#31905330)

because there's no standard way for the creators of the games to open up the correct ports

UPnP works just fine, developers are just fucking retards, and router vendors won't implement it on all of their routers because they're also retards.

Re:Standardization is EXTREMELY difficult (1)

Kaboom13 (235759) | more than 4 years ago | (#31905410)

There is, it's called uPnP. It sucks, terribly. It was made by a pack of gibbering idiots. Different vendors having dick sizing competitions managed to implement it in ways that are completely incompatible and broken. The home users stupid enough to really need it own cheap, shitty routers (often provided by their ISP) that implement it in a broken manner if at all. The users with better routers that implement it correctly all disable it, because the creators did not bother to include any sort of authentication, making it a security hole (also the fact that even in the best of conditions it only works sporadically). If you want the router to just accept a text file, which presumably means logging into the router, and manually uploading it, how is that any easier than setting the port forwards? How do you handle it when it wants to forward a port that is already forwarded to a different ip? How do you handle it when a lazy game dev (and it will happen) just says fuck it and sets all the ports open? Look at any support forum for a modern multiplayer game. There will be people with NAT issues, and the support staff's first (and often only) suggestion is to either remove the firewall completely or forward everything to the PC.

Setting port forwards is simple on any decent router. If your router makes it complicated, blame the vendor. You don't need anything special, you don't need an external server to do NAT traversal, you just need a screen to come up when you host the game telling you to forward port X (you only need one per game, more than that is bad design) to ip Y, where Y is the IP of the system you are on. If you feel generous, put a link to portforward.com or something to help them find documentation. If they can't figure that out, they probably should not be opening ports to begin with. Point them at the nearest gamestop and tell them to purchase an xbox 360 and an xbox live subscription; they aren't ready for the real internet.

Stateful Firewalls (1)

Redlazer (786403) | more than 4 years ago | (#31905178)

Unless I'm missing something, our Aruba controllers do firewalling on the fly, for OUTBOUND.

If you're talking about Inbound, then, sorry. I just can't trust you guys.

Certs? (1)

nine-times (778537) | more than 4 years ago | (#31905184)

I feel like things might be able to be simplified a little better if there were better use of certificates for authentication and encryption. Of course, that requires a better (free) method of managing and authenticating the certificates themselves.

It might not have a lot of improvements in the realm of firewalls, but it might enable better/easier VPN and control over routing rules. Instead of dealing with IPs and MAC addresses, you could allow specific users and machines. Of course, I'm not sure how much you want to deal with the overhead of all that. Current IP-based routing is doing well enough, and speed matters.

Otherwise, I don't know... IPv6 and ditching NAT? As far as the feeding a Visio diagram in, I'm not sure how much I want my firewall interpreting diagrams for intent. Some firewalls already have GUIs of some kind or another, with varying degrees of helpfulness.

For my purposes, I wouldn't mind seeing cheap, standard, dead-simple VPN that's supported across all clients without additional software installs. Firewalls are only one part of that problem. I imagine a better system of distributing/verifying certs might help.

I like PF, try PFSense (5, Insightful)

bsDaemon (87307) | more than 4 years ago | (#31905212)

The BSD 'pf' packet filter is pretty good. There is even a FreeBSD-based project known as pfsense [pfsense.org] which you might want to take a look at, as it offers a pretty-much drop-in solution for packet filtering, as well as NAT, load balancing, VPN connectivity, etc. There is a web-based administration GUI as well. It looks pretty sweet, but I haven't played with it much in any serious deployment personally.

Cisco Security Manager (1)

Shane (3950) | more than 4 years ago | (#31905232)

Cisco Security Manager does all that and more. The key features being Interface roles and ACL/device hierarchy.

Obviously this is not opensource.

Re:Cisco Security Manager (1)

sampas (256178) | more than 4 years ago | (#31905464)

pfSense is great, but it does not scale to the level of Cisco Security Manager, which is enterprise ($$$) software to manage all the devices you already bought ($$$) from Cisco and paid more to support ($$$). CSM tracks changes and does workflow, too. I use both pfSense and Cisco almost every day. While CSM saves a lot of time, knowing how to configure which policies to share and how to share them is still complex and requires some thought. Cisco has a checkbox that will either limit all your user VPN tunnels to 256 kbps (e.g.) total or 256 kbps per tunnel. The wording isn't clear and I can never remember which one it is. If your users start complaining that VPN is really slow, it's probably the wrong setting.

Basic firewalling is not complex. Defense-in-depth and creating compartmentalized networks for each layer in each application in your worldwide network gets complex no matter what tools you use. The trouble with unified threat management is that no single vendor is going to catch everything.

The single most effective thing you can do to secure your networks is to start by denying all ports inbound AND outbound. Then open up only those ports required for your business. Use an authenticated proxy for client web traffic, and your users don't have to connect the Internet directly any more.

Look into more serious UTM firewalls (1)

Rene S. Hollan (1943) | more than 4 years ago | (#31905234)

UTM: unified threat management.

Disclaimer: I work for a manufacturer of such devices.

The better ones integrate with Active Directory and/or Kerberos to authenticate sessions, and do spam and virus scanning (using a quarantine server, if available).

Some will even decrypt and reencrypt HTTPS traffic to check what's in it. (They resign the server's cert with their own CA cert that the user's browser has to trust -- in some environments, an intermediate CA cert can be imported signed by a CA cert that has already been pushed to the desktops.)

Some will even set up VPNs via a PC-based admin app in a step as simple as drag and drop.

That said, they don't come cheap: figure $500 and up for a home/SOHO office version (3 LAN ports, DMZ, and one or two WAN ports (for WAN failover)), along with licensing for virus and spam scoring server access.

Re:Look into more serious UTM firewalls (1)

rbphilip (530254) | more than 4 years ago | (#31905366)

What do you suggest? Sonicwall seems to offer what you suggested, but a previous poster had bad things to say about Sonicwall. I've got mixed feelings about Sonicwall, but their new SOHO stuff looks interesting (TZ100 or TZ200).

Playbook (by Matasano) (0)

Anonymous Coward | more than 4 years ago | (#31905258)

It's not quite as nifty as what the post mentions, but Playbook by Matasano "syncs your firewall configurations with a secure web-based console"

http://runplaybook.com/

(note: my only relationship with Matasano is that I like their blog)

SOHO mindset in an Enterprise world (4, Insightful)

adosch (1397357) | more than 4 years ago | (#31905306)

Characteristically, firewalls are simply just that: a barrier to entry into a restricted, trusted area unless you're allowed to do so. So I'm confused why I would, first of all, want something 'automagically' configured for me in an enterprise setting? There's a very good reason your network admins at your workplace highly scrutinise a single IP address: because it's important to your infrastructure, IT/perimeter security standards and business, and it's their job to. If they aren't at least, on a high level, asking you the 5-W's about why you need the rule(s) and you don't have answers, why should they even allow it?

What about tying a firewall into an authentication system so that when jdoe logs in, only then are the firewalls opened to pass her traffic?

That's what tiered firewall-VPN solutions are for.

What about managing distributed firewalls so that one repository of rules opens up your system's firewalls, the DMZ firewall, and the public firewall all at once?

Port knocking is pretty helpful in this, but can also bite your security-through-stealthy-obscurity right in the ass as well.

Can I take a Visio diagram, run it through a script, and get a list of firewall rules?

Visio diagrams are for documentation and suits. I couldn't hold any merit to that because firewall rules aren't just something you slap together (unless you're doing it for fun or at home or want Johnny Cracker hosting pr0n on an anonymous FTP on your computer at home). Flow-based solutions process rules in a top-down fashion, so it takes very good sets of eyes to develop rules that aren't going to be a liability, cause backdoors, trump existing rules and break security or flat out cause things to not work anymore in your production environment.
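The top-down, first-match point made above (and afidel's remark earlier in the thread that shared-server rule sets become unwieldy) is exactly what a rule audit can catch mechanically: a later rule whose whole match space an earlier rule already covers can never fire, so either it is redundant (same action) or it is shadowed and the earlier rule silently wins. The script below is an added example written for this thread, not a tool from any vendor or from the original post; its five-field rule syntax, the interface names and the sample policy (RFC 5737 documentation addresses) are all constructed for illustration.

```python
"""Audit a first-match firewall policy for rules that can never fire.

Added example, not from the thread and not any vendor's tool. Rules are
evaluated top-down, first match wins, so a later rule whose entire match
space is already covered by an earlier rule is dead: with the same action it
is merely redundant, with the opposite action it is shadowed and the earlier
rule silently wins. The rule syntax is a constructed, vendor-neutral one:

    ACTION PROTO SRC_CIDR DST_CIDR DPORT      # DPORT: 443, 8000-8100 or any
"""
from dataclasses import dataclass
from ipaddress import ip_network

ANY_PORT = (0, 65535)
ACTIONS = ("allow", "deny")
PROTOS = ("tcp", "udp", "any")


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: object   # ipaddress.IPv4Network or IPv6Network
    dst: object
    dport: tuple  # inclusive (low, high) destination port range


def parse_port(text):
    """'443' -> (443, 443); '8000-8100' -> (8000, 8100); 'any' -> (0, 65535)."""
    if text == "any":
        return ANY_PORT
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), (int(hi) if hi else int(lo))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text}")
    return (lo, hi)


def parse_rule(line):
    fields = line.split()
    if len(fields) != 5 or fields[0] not in ACTIONS or fields[1] not in PROTOS:
        raise ValueError(f"bad rule: {line!r}")
    action, proto, src, dst, port = fields
    return Rule(action, proto, ip_network(src), ip_network(dst), parse_port(port))


def parse_policy(text):
    """Parse a policy, ignoring blank lines and '#' comments; order is preserved."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def covers(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False            # a tcp-only rule cannot cover an any-proto rule
    if outer.src.version != inner.src.version or outer.dst.version != inner.dst.version:
        return False            # an IPv4 rule never covers an IPv6 rule, or vice versa
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.dport[0] <= inner.dport[0]
            and inner.dport[1] <= outer.dport[1])


def audit(rules):
    """Return (kind, index, by_index) for every rule hidden by an earlier one.

    kind is 'redundant' (same action) or 'shadowed' (opposite action); indices
    are 0-based positions in the policy. Only the earliest covering rule is
    reported for each dead rule.
    """
    findings = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if covers(rules[j], rule):
                kind = "redundant" if rules[j].action == rule.action else "shadowed"
                findings.append((kind, i, j))
                break
    return findings


# Constructed sample policy; 192.0.2.0/24 is the RFC 5737 documentation range.
SAMPLE_POLICY = """
allow tcp 10.0.0.0/8     192.0.2.10/32 3128   # 0: clients -> web proxy
deny  any 10.0.0.0/8     0.0.0.0/0     any    # 1: clients get nothing else
allow tcp 10.20.0.0/16   192.0.2.20/32 22     # 2: ops -> jump host (hidden by 1!)
allow tcp 192.0.2.10/32  0.0.0.0/0     any    # 3: proxy may reach the Internet
allow tcp 192.0.2.10/32  0.0.0.0/0     443    # 4: redundant with 3
deny  any 0.0.0.0/0      0.0.0.0/0     any    # 5: default deny
"""


def report(text):
    """Human-readable findings for a policy given as text."""
    rules = parse_policy(text)
    lines = []
    for kind, i, j in audit(rules):
        r = rules[i]
        lines.append(f"rule {i} ({r.action} {r.proto} {r.src} -> {r.dst} "
                     f"port {r.dport[0]}-{r.dport[1]}) is {kind} by rule {j}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_POLICY)) or "no dead rules")
```

On the sample policy the audit flags rule 2 as shadowed by rule 1 (the ops team's jump-host access was added below the catch-all deny and never works) and rule 4 as redundant with rule 3. The same check generalises to any first-match policy language once a rule can be mapped onto the five fields used here; real products add interface, direction and state, which would become extra dimensions of `covers`.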

Protocol awareness (0)

Anonymous Coward | more than 4 years ago | (#31905314)

Not simply port numbering but actual protocol identification. That's what all the major players are doing for "next generation" firewalling.

Three Words (0)

Anonymous Coward | more than 4 years ago | (#31905324)

PALO ALTO NETWORKS

They don't scale well. (1)

sr8outtalotech (1167835) | more than 4 years ago | (#31905326)

Standardization among endpoints is the only real way to lessen the headache. If you know that workstations need to use port X and protocol Y it's much easier to set up. Without it you have some goofball configuring RDP to listen on 32322 not 3389 like most everyone else.

I smell marketing (4, Insightful)

JoeBuck (7947) | more than 4 years ago | (#31905346)

OK, jlmale0, are you working on requirements or marketing for a product in this space? You can tell us, it's OK.

Windows generation (0)

jamesh (87723) | more than 4 years ago | (#31905358)

I blame Microsoft for making complex problems appear simple. They put a simple and limited layer over the top of a complex background to hide it and suddenly everyone thinks they can be a sysadmin without having a clue about how it works underneath, and without that clue the user gets it wrong once they try and do anything vaguely complicated.

Firewalls are the same, only more so. You _need_ to understand what is happening to the packets as they move through your networks if you want to admin anything beyond a simple 'internet on one side, intranet on the other, nat in between' firewall. A point and click interface might be fine for home use (although it almost certainly won't have sufficient egress filtering) but for something with more than a single internal network requiring complex separation rules between them you need to know what you are doing.

So to answer the OP, the future of firewalls is network admins understanding their jobs, same as it's always been. Text representation of firewall rules with sufficient comments is just fine.

I've got the fix for you (2, Funny)

RJHelms (1554807) | more than 4 years ago | (#31905362)

Create a GUI interface using Visual Basic. See if you can track an IP address

Firewalls suck basically... (0)

Anonymous Coward | more than 4 years ago | (#31905442)

It's funny TFA makes it sound like Firewalls haven't changed at all in years. I was just commenting the other day how firewalls are now able to log not only what machine sent or received what packet but the process name and id and user context of the host computer responsible for initiating or receiving the request. What is possible and the level of integration throughout the technology stacks is incredible and scary.

Coupled with ipsec you can now strongly authenticate individual ip/tcp sessions between any system on the network. What is available to those who are willing to move beyond a soho device and the absurd notion that ports are somehow related to service is actually quite significant in modern operating environments.

Firewalls are just as importantly about logging and monitoring access as they are about implementing access controls but very few administrators take this seriously and fail to review their logs.

Firewalls for ad-hoc access control in my view set a dangerous precedent by shifting the responsibility from the end systems where the most amount of information is available to provide authentication and authorization to the network which is quite stupid and easily fooled. Internal machines must not be assumed safe just because they are on an internal leg of a firewall... PPL who make these assumptions are idiots and it happens everywhere.

I seriously think the world would have been better off had firewalls never existed and authentication/authorization of access to network resources were not treated as second class citizens.

Trusted host or trusted user. (1, Informative)

Anonymous Coward | more than 4 years ago | (#31905458)

Some firewalls can be configured to allow based on user auth instead of source IP, which is a bit more useful for some situations. Restricted layer 7 proxies generally work this way, with the classic example being Gauntlet.

As a modern example, OpenBSD PF has the integrated pfauth mechanism where you authenticate with the system as a user. When you login with ssh to the firewall, it dynamically loads a pre-configured ruleset appropriate to your profile, then drops them when the session is terminated.

This doesn't make configuration any simpler from your point of view, but PF overall makes configuration much simpler for those who understand firewalls.
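Two earlier points in the thread fit together in one pf ruleset: sampas's advice to start from deny-all in both directions and open only what the business needs behind an authenticating proxy, and the per-user mechanism described just above (the comment calls it pfauth; OpenBSD ships it as authpf(8), which loads a user's rules into an anchor on ssh login and removes them when the session ends). The configuration below is an added, constructed example and not from the thread, pfSense or OpenBSD documentation; the interface names, the proxy address (RFC 5737 documentation range, assumed to sit on a segment other than the clients so their traffic crosses the firewall) and the hosts in the user rules are all assumptions.

```pf
# /etc/pf.conf, constructed example (not from the thread or any project)
ext_if = "em0"            # assumed WAN interface
int_if = "em1"            # assumed client LAN interface
lan    = "10.0.0.0/8"     # assumed client address space
proxy  = "192.0.2.10"     # assumed authenticating web proxy on a separate segment

set skip on lo
scrub in all

# Default deny in BOTH directions; log drops so missing allows surface in
# pflog instead of as mystery outages when a new business need appears.
block log all

# Clients may reach the firewall for the authpf ssh login, and the proxy;
# nothing else. The proxy authenticates users, so clients never hit the
# Internet directly.
pass in on $int_if proto tcp from $lan to ($int_if) port 22
pass in on $int_if proto tcp from $lan to $proxy port 3128

# Only the proxy gets out, and only for web and DNS (state is kept by
# default, so replies are matched against these rules automatically).
pass proto tcp from $proxy to any port { 80 443 }
pass proto { tcp udp } from $proxy to any port 53

# authpf(8) loads each logged-in user's rules into a sub-anchor named
# authpf/<user>(<pid>) here and flushes it when the ssh session closes.
anchor "authpf/*"

# /etc/authpf/authpf.rules, constructed example: loaded per login with
# $user_ip (and $user_id) set by authpf to the address the user came from.
# Macros from pf.conf are not visible here, so interfaces are spelled out.
pass in quick on em1 proto tcp from $user_ip to 192.0.2.20 port 22     # jump host
pass in quick on em1 proto tcp from $user_ip to 192.0.2.30 port 3389   # admin RDP
```

Users whose shell is set to authpf get the second ruleset only while their ssh session to the firewall is open; drop the session and the jump-host and RDP access disappear with it, which is the "opened only when jdoe logs in" behaviour the original question asked about. Check the loaded rules with `pfctl -a 'authpf/*' -sr` while a user is logged in.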

the one with a cat pat (0)

Anonymous Coward | more than 4 years ago | (#31905472)

Errr, what? Maybe GUIs might not have a future.

dentists reading [woodboroughhouse.com]

You are confusing security with complexity... (0)

Anonymous Coward | more than 4 years ago | (#31905474)

Firewall management is difficult when a lot of holes and special rules are created. This happens when firewalls are used for things that god never intended such as enterprise wide point to point specialized rules. The trick is to go from security requirements and policies and design a network and gating solution that meets those needs without creating a lot of complexity.

In a dynamic organization, this means that the policies, rules and design have to be revamped on a regular basis to keep things simple and to prevent spaghetti connections and firewall sieves from developing.

You are specifying solutions and rules instead of stating the problem to be solved.
