Time for a new FWTK?

Marcus J. Ranum mjr@nfr.net
Mon, 24 Nov 1997 21:09:15 -0500


chuck yerkes wrote:
>Hey, Marcus, want to do the FWTK/DEC SEAL stuff AGAIN under GPL or
>the BSD license?  Call it MRTK4FW (you figure it out) and get your
>net-immortality.  I'll buy coffee....

I'm pretty much done with firewalls. :) The problem is that I
don't know *HOW* to build the next generation of firewalls,
and I don't want to build another of the previous generation.
"been there, done that" repeatedly...

Early firewalls were *EASY* to implement. You had a total
of maybe 6 services to gateway, and only 1 of those 6 was
seriously brain-damaged (FTP). Nowadays a firewall has to
deal with maybe dozens of services, and only 5 of them are
not brain-damaged. And the specs change constantly. The
value of a firewall has always been *NOT* its access control
but the expert analysis that the firewall's designers put (or
should put!) into the services that they gateway back and
forth. I remember, for me, the break-over moment was when
we realized that we *HAD* to support http, even though it
is a suck brain-damaged protocol and presented numerous
security risks. That was the moment when security took
back seat, and we've been fighting over the steering wheel
ever since. The next generation firewall is going to have to
be one of 2 things:
	-> one *powerful* mother analysis engine configured
	by wizards who understand the plethora of protocols
	that are being deployed every second
	-> it'll go away completely and be replaced by a mix
	of host software for fine-detailed control, and network
	level filtering (in a router, for example) for gross-level
	control

Maybe there's a third option -- if it's a good one you can
get rich by bringing it to market. Because the current
generation of firewalls is at the end of its intellectual
lifespan -- even their designers don't know where to take
them next (except better U/Is and VPNs). The proxy firewalls
are all adding filtering and the filtering firewalls are all adding
proxies.

One thing we discussed recently was putting a screend(8)
interface into NFR's engine. Mostly just for kicks, but to
do firewalling right these days you *NEED* serious traffic
analysis. I believe (and the market will prove it if I am right)
that the future will contain some kind of box that does
firewalling-type access control, traffic analysis (what NFR
does), and intrusion detection (rules applied atop traffic
analysis). This all remains to be seen...   I *believe* you
could probably write all the capabilities of a proxy firewall using
N-code filters, but I'd have to defer that question to The Guys,
who know N-code better than I ever will...   When you can
track every TCP going through a box, read the RCPT To:
from all SMTP sessions and store them in an array, and
then apply a count to the array to decide whether or not to
forward a packet, you have an interesting capability. ;)  The
expense, again, is the *KNOWLEDGE* of what protocols
are good and what are bad, why, and how to fix them, and
when.

>Really, though, I think the TIS FWTK is a good starting point for
>proxies- esp for the tn-gw and ftp-gw.

FTP-gw should be removed; tell your users to use an FTP
client that uses PASV, and then screen FTP. That's one problem
solved. TN-gw should be removed; telnet is a monster of a
protocol, and shouldn't be allowed into your network. Allowing
it out is easy using router screening. For incoming traffic (which
was TN-gw's real purpose!) use SSH instead; it is so much
better.

> http-gw is hard, because the
>protocol is so flexible and now carries SO much.

"Flexible" is a good word for it. "Kitchen Sink" describes
it better. In a few years, if firewalls keep blocking things
(i.e.: doing their jobs) everything will be tunnellable over
http. Pointcast, Oilchange, etc, etc, etc, etc... They are the
beginning. "Apres moi, la deluge."

Use a caching web proxy server and just pray. Or put
your faith in sandboxes and signed applets. They are
here to stay.

>Much of the
>security should be back on the client (like "only run Java or
>Live^H^H^H^HJavaScript coming from these networks," at a minimum)

Host security is on the ascendant, yes...

>But it's a toolkit and it was put up free by a company trying to
>compete in a market full of charlatans with glossies and slick
>salesweasels that say that whatever the client wants can be done
>securely.

It was written in a time when firewalls were not a $400m/year
industry. It was written in a time when people did research in
security, not IPOs. The world has changed -- the Web did
it -- nothing can inject that much money into an area of human
endeavor and leave it unchanged. ALL the players have
changed -- the companies, the researchers, the technology,
the desktops, and the customers.

FWTK was good while it lasted; time to move on.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr