Rules - A lot of care goes a long way
Posted by 8Signs on Oct 24th, 2003, 12:39am
After thinking of what I could offer all of you, who probably spend more time playing with firewalls than I do (coding doesn't count!), I've decided to share the "horror stories" of rulesets I've seen and problems I've had reported. These are related to rules-based firewalls, because that's been my thing.

1) No rules - not remotely right

The Install Wizard for 8Signs (also VisNetic) Firewall has an option where the user can choose to create their rules later. The firewall starts with none, and everything is blocked by default. More than once I've seen tear-stained emails from people who were installing remotely and on reboot were locked out and had to call a local person to turn off the firewall. So, we added a new Install Wizard option where the user could choose to start with all traffic allowed. Problem solved.

2) No ARP rule - hey, what just happened?

Some otherwise knowledgeable people have reported the firewall working properly and then, after a few minutes, "it forgets all the rules and blocks everything". After the first anxious time, I've learned to politely ask if there is an ARP rule. ARP isn't something people talk about a lot, but if the firewall starts with it off by default, you get trouble pretty soon. It's tricky because if you have just started the firewall, IPs will be in the ARP cache and the problem won't happen right away. Stop the firewall and the problem goes away.

FYI, ARP is the Ethernet protocol that lets you find the system with a certain IP. IP packets are sent within Ethernet packets, and Ethernet packets need Ethernet ("MAC") addresses. ARP says "Hey, IP #.#.#.#, what's your MAC address?". The reply comes back, "I'm IP #.#.#.#, and my MAC address is XX-XX-XX-XX-XX-XX.". The MAC address is saved temporarily in the "ARP cache" (at a DOS prompt, type "arp -a"), but the entries are purged over time and the ARP request must be made again.

3) Wide-open rules - pardon me, but are those your ports hanging out?

Occasionally, people send me their ruleset with regard to a question. I look them over and sometimes am shocked (OK, well not really) to find rules that allow access from all IP addresses to all their ports. Sometimes it's not that extreme. It might require the outsider to choose a source port or a small range. 8Signs Firewall has a visual display (on the Configuration screen) of port usage as an attempt to help users spot gross errors such as this. If your local ports display shows up in bright green, you're exposed, and it will show the rule(s) that's doing it.

4) Pages of rules - I don't think we're in Kansas anymore, Toto

There may be cases where this is necessary, but I've always viewed it as either a warning that the user is confused or that the firewall needs a better way to handle their needs. The danger of having lots of rules is that you may lose your understanding of exactly what's getting allowed. Second to that, you pay a price in performance, because each rule must be checked (if there is no match). The next release of 8Signs Firewall includes IP, Port and MAC groups (it's already in some other firewalls) so that one rule can do the job that several used to. This should go a long way to making rulesets concise.

James Grant
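The ARP pitfall in point 2 and the wide-open rules in point 3, modelled as an added example that is not from the original post or from 8Signs Firewall: a toy first-match rules engine (the rule fields, the constructed addresses and the 60-second ARP cache lifetime are assumptions) shows IP traffic passing while the ARP cache is still warm, failing once the entry is purged when no ARP rule exists, and an audit that lists allow rules exposing every local port to every source.

```python
from dataclasses import dataclass, field

ANY = "any"  # wildcard for source IP or local port

@dataclass
class Rule:
    proto: str                 # "arp", "tcp" or "udp"
    src: str = ANY             # remote IP, or ANY
    local_port: object = ANY   # int, (low, high) tuple, or ANY
    action: str = "allow"

def _port_matches(spec, port):
    return spec == ANY or (spec == port if isinstance(spec, int) else spec[0] <= port <= spec[1])

@dataclass
class Firewall:
    rules: list
    default: str = "block"                          # no matching rule => blocked
    arp_cache: dict = field(default_factory=dict)   # ip -> (mac, expires_at)

    def decide(self, proto, src=ANY, local_port=ANY):
        """First matching rule wins; the default applies when none matches."""
        for r in self.rules:
            if r.proto == proto and r.src in (ANY, src) and _port_matches(r.local_port, local_port):
                return r.action
        return self.default

    def deliver(self, proto, src, local_port, now):
        """An IP packet needs the peer's MAC; a cache miss forces an ARP exchange that must itself pass the rules."""
        entry = self.arp_cache.get(src)
        if entry is None or entry[1] <= now:          # missing or purged cache entry
            if self.decide("arp") != "allow":
                return "blocked (ARP)"
            self.arp_cache[src] = ("xx-xx-xx-xx-xx-xx", now + 60)  # constructed MAC, assumed lifetime
        return self.decide(proto, src, local_port)

def wide_open(rules):
    """Allow rules that expose every local port to every source (the 'bright green' case)."""
    return [r for r in rules if r.action == "allow" and r.proto != "arp"
            and r.src == ANY and r.local_port == ANY]

def demo_no_arp_rule():
    fw = Firewall([Rule("tcp", local_port=80)])                  # no ARP rule at all
    fw.arp_cache["192.0.2.10"] = ("xx-xx-xx-xx-xx-xx", 120)      # peer seen just before start
    early = fw.deliver("tcp", "192.0.2.10", 80, now=0)           # "allow": cache still warm
    late = fw.deliver("tcp", "192.0.2.10", 80, now=200)          # "blocked (ARP)": entry purged
    fw.rules.insert(0, Rule("arp"))                              # the missing rule
    fixed = fw.deliver("tcp", "192.0.2.10", 80, now=200)         # "allow" again
    return early, late, fixed
```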