| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 May 2011 17:03:57 +0200 From: phocean <0x90@...cean.net> To: <full-disclosure@...ts.grok.org.uk> Subject: Re: Sony: No firewall and no patches Thanks this useful sum-up for the discussion. I have a few comments though: - DDoS : anyway, a firewall isn't more susceptible to DoS than the server it protects. If you look at the hardware performance of modern firewalls, if an attacker has the ability to DoS it, then only a considerable server farm that very few companies can afford will be able to sustain it. So I think this can't be counted as a negative point, even if in theory it has less performance than stateless. - SPoF : there are clusters (active/active or active/passive) for firewalls as well as for server. - stateless scales badly on large networks, because it requires much more complex and lengthy rules if you are serious with security. Another advantage of stateful is that there is a first sanity check of the sessions on a specialized hardware rather than on a generic TCP/IP stack of a bloated server OS. For instance, the network stack of Windows is probably much more prone to bug/crash due to poor handling of crafted packets than a dedicated firewall (Checkpoint, Cisco, Fortinet...) may be. On Wed, 11 May 2011 09:22:33 -0500, Michael Krymson wrote: > I can't speak for everyone, but I certainly find this discussion far > more > interesting and useful to security than quite a few others on here. > So feel > free to keep it public. > > I'm not about to wade in too deeply, but I thought I'd summarize and > add a > few notes. > > ---------------------------------------------------------- > STATEFUL (session-based filter) > Pros > - can provide other filtering services during inspection (depends on > device > feature set) > - won't have to constantly fight battles (against admins, vendors, > clients, > auditors, managers, outsiders) to explain why you don't have a > "firewall" > - handles ephemeral ports, dynamic connections, and matches returning > traffic well > > Cons > - more DDoS susceptible > - another piece of hardware so another point of failure > - won't add much when you're already accepting * into IP x on port n > > ---------------------------------------------------------- > ACLs (packet-based filter) > Pros > - with pure ACLs, will always be faster > - as such it can scale with traffic better > - excellent when you're just blanket stopping all traffic except * to > x on > port n > > Cons > - poor filter for ephermeral port needs, or dynamic connections > - susceptible to protocol anamolies used in attacks (includes covert > channels) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists