Posted by Leythos on August 22, 2006, 8:53 am
says...
> > Leythos wrote:
> [...]
> >> 1) A firewall should block all outbound by default (as shipped).
> >>
> >> 2) A firewall should block all inbound by default (as shipped).
>
> Yes.
>
> >> 3) A firewall should know the difference between protocols: HTTP and
> >> DNS as an example. Nothing should pass through a rule except the
> >> proper protocol it was configured for.
>
> Not necessarily. If the firewall is supposed to filter on layers above
> OSI layer 4 it should, otherwise it shouldn't, so I'd consider this
> optional rather than required.
>
> >> 4) A firewall should support direct VPN connections to/from itself,
> >> as an end-point.
>
> Only if the firewall is supposed to provide VPN endpoint functionality.
> Not everyone needs this, so I'd consider this optional as well.
We're talking a firewall, strictly a firewall, something that can be
used in all cases. We'll break down the features into Home/SOHO/etc...
later.
> >> 5) A firewall should have a real DMZ if it claims to have a DMZ -
> >> meaning that it should have a physical jack for a DMZ that is not
> >> part of the same network as the LAN.
>
> I agree to a point. Each interface of a firewall should be distinct from
> each other. However, a firewall does not necessarily need more than two
> interfaces, so a "DMZ interface" is not a requirement.
We're talking a firewall, strictly a firewall, something that can be
used in all cases. We'll break down the features into Home/SOHO/etc...
later.
>
> >> 6) A firewall with a DMZ/LAN should have no default rules allowing
> >> access between them.
>
> I'd rather summarize this with points 1) and 2) to "A firewall should by
> default deny all traffic between all interfaces."
I would too, but you know that someone would have an issue if I didn't
state it - since too many of the devices on the market don't have real
DMZs and are just an IP in the same network as the LAN.
>
> >> 7) A firewall should clearly log/report all traffic, in/out, and make
> >> it easy to determine if it was approved/unapproved, etc...
>
> Yes.
>
> >> 8) A firewall should be able to detect threats, internal and
> >> external, on any port, and block those attack origination locations
> >> from access.
>
> Intrusion detection is a two-edged sword as it may consume a
> considerable amount of resources. I wouldn't consider this a requirement
> for any firewall. Even if a firewall included an IDS it should IMHO be
> disabled by default. And automatic network shunning ("block those attack
> origination locations") is still a REALLY BAD IDEA and should NOT be
> done AT ALL, much less be a default.
I wasn't thinking of IDS when I wrote the above, but it should be able
to detect various threats (Spoofing, DOS, DDOS, etc...) and it should
block the source of those on any interface. I did not include IDS at
all, as there are other products for that.
> >> 9) A firewall should be able to allow the user to create rules that
> >> can be used to cause the blocking of hosts attaching via specific
> >> rule (ports) - this would be used to block access from hosts probing
> >> the firewall for open ports, or to block worms (TCP 1433/1434 as an
> >> example).
>
> See above. I'll agree that a firewall admin should be able to create
> such rules, but they're dangerous and should be used with caution.
>
> >> 10) A firewall should provide for multiple subnets on any network
> >> interface.
>
> I'm not sure I understand what you mean by that.
>
> >> 11) A firewall should not have DHCP Service enabled on the LAN/DMZ by
> >> default.
>
> Make that "any service on any interface". One reasonable exception may
> be a service providing a (secure) configuration frontend on one distinct
> interface, that is marked as such (see also below).
>
> >> 12) A firewall should be certified as a firewall by some reputable
> >> authority.
>
> That only helps your legal department. If you think you need that: fine,
> but it's most definitely not a technical requirement for a firewall.
>
> I'd like to add:
>
> 13) In case of a failure/doubt a firewall should by default deny traffic
> rather than allow it (fail-close).
>
> 14) A firewall should by default provide a secure configuration
> interface on exactly one physical interface (e.g. a serial console, or
> ssh or https on a LAN interface).
I like the adds, let's get through what a firewall should have before we
start taking things away from what a firewall should have in different
cases.
A firewall, and we're not defining Home/SOHO/Business/Medical, just what
a firewall for all cases should have.
--
spam999free@rrohio.com
remove 999 in order to email me