Re: Create a canned 'Firewall Build' or RFHH
On Mon, Feb 25, 2002 at 04:33:50PM -0600, John R. S. Mascio wrote:
> A good canned firewall that addresses a specific need is a good
> thing. A canned firewall to address every possible need
> is impossible. In my case, I'm looking at having a good
> basic, even if somewhat restrictive firewall to handle medical
> practices in the US, but with the ability to add "options"
> according to other business needs of the practice.
And here, in your very first paragraph, you contradict yourself:
you want a ``good canned firewall that addresses a specific
need'' but also has ``the ability and `options' according to
other business needs of the practice.'' You want a simple,
single-purpose tool that can be used for a wide variety of things.
Theo's right: firewalling is *hard*. There are things that can be
done to make it simple, but not easy.
If your goal is to install customizable firewalls at thousands of
clients with minimal input from those clients, you should plan on
doing a heck of a lot of work, yourself; anything less would be
sheer negligence. Selling them such a product would be fraud.
That's not to say that it's an unobtainable goal, or that it
wouldn't be worthwhile for you to do so, just that you must be
prepared to do the time. Here's what you'll need:
o A solid understanding of the underlying
protocols. When you can read RFCs 791, 793, 768, and
1918, and not be thrown by anything in them, you
probably know enough about IP and friends. If you'll
be proxying anything, have a similar understanding
about those protocols, too.
o Good command of fundamental firewall principles and
best practices. Plan on a lot of reading from a lot
of sources; this is still an art and there are
sometimes conflicting opinions. Chapman & Zwicky
have a good book to get you started.
o Lots of comfort with the firewall platform you
pick. OpenBSD is an excellent choice. You should at
least read (and understand) the entire FAQ. Doing a
``man `ls /bin /sbin`'' should be a goal that you
actively work at. Spend lots of time playing with
the system, trying everything out and maybe breaking
things.
o Thorough knowledge of the firewall's configuration
and logging syntax. On OpenBSD, this means paying
special attention to certain portions of the above
point (namely manual pages for pf and friends and
section 6 of the FAQ).
o A lab where you can test all of this, lots of time
setting up networks and firewalls, and even more
time knocking them down. Try *very* hard to break
through your own firewalls.
Once you've made it through that list, you'll be prepared to
develop firewalls for thousands of clients. You'll probably make a
deal with an OEM for the hardware distribution; they'll image
the hard drives with a starting point for your firewall. If
their networks are reasonably standardized, then you'll either
auto-detect their network settings or provide a simple interface
for the information to be entered. You'll also have some sort of
equally simple upgrade method for when the inevitable happens.
If their networks aren't standardized, then you'll instead budget
for a few hours of consultation and configuration with each
computer, and manually make adjustments.
Your analogy with the medical profession is a good one: a doctor
can tell you that the pain in your chest is due to heartburn, and
prescribe for you a simple remedy (take these pills every so many
hours). A doctor can't create a magical chest-pain treatment that
will know the difference between heartburn, heart attacks, and the
flu.
You are (or will be) the doctor. Diagnose your patients before
treating them.
Naturally, if you stumble along the path to learning, we're here
to help you. Don't expect us to create your magic chest-pain
treatment machine for you, but do expect us to help you use your
stethoscope and understand proper dosages for digitalis.
Sincerely,
b&
P.S. I only claim to have finished a good part of, not all, my own
recommended advice above. I've still got lots to learn, myself. b&
--
Ben Goren
mailto:ben@trumpetpower.com
http://www.trumpetpower.com/
icbm:33o25'37"N_111o57'32"W
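An added illustration of the "fixed base plus options" shape the message above argues for, using pf on OpenBSD. This is not from the original post or its author: the interface names (em0/em1), the LAN range, the port list and the "options/*" anchor layout are all assumptions, and the syntax is that of current OpenBSD pf (match/nat-to, set block-policy), which postdates the 2002 thread. The base policy is deliberately restrictive and stateful; each practice-specific option is a separate file loaded into its own anchor, so the audited base ruleset never has to be edited per client.

```pf
# Added example, not from the original message. Interface names, address
# ranges and the anchor layout are assumptions; syntax is current OpenBSD pf.

ext_if  = "em0"                 # assumed WAN interface
int_if  = "em1"                 # assumed practice LAN interface
lan_net = "192.168.10.0/24"     # assumed RFC 1918 LAN range

# Outbound TCP services the base build always allows the LAN to reach.
base_tcp = "{ 80 443 25 587 993 }"

set skip on lo
set block-policy drop           # drop silently; reveal nothing about the ruleset
set loginterface $ext_if

# Normalize before filtering: reassemble fragments, randomize IP IDs,
# clamp MSS so PMTU problems do not show up as mystery hangs.
match in all scrub (no-df random-id max-mss 1440)

# Hide the RFC 1918 LAN behind whatever address the WAN side has.
match out on $ext_if from $lan_net to any nat-to ($ext_if)

# Default deny, logged, both directions; every allowance is explicit below.
block log all

# RFC 1918 space must never cross the WAN link in either direction.
block in  quick on $ext_if from { 10/8, 172.16/12, 192.168/16 } to any
block out quick on $ext_if from any to { 10/8, 172.16/12, 192.168/16 }

# The firewall itself may resolve names and fetch patches.
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port 53
pass out on $ext_if inet proto tcp from ($ext_if) to any port { 80 443 }

# Base LAN policy: standard services only, stateful, nothing inbound.
pass in on $int_if inet proto tcp from $lan_net to any port $base_tcp
pass in on $int_if inet proto { tcp udp } from $lan_net to any port 53
pass in on $int_if inet proto icmp from $lan_net to any icmp-type echoreq
pass out on $ext_if inet from ($ext_if) to any

# Per-practice options live in named sub-anchors, each loaded from its
# own file, e.g.:  pfctl -a options/claims -f /etc/pf.options/claims.conf
# An option file contains only its own pass rules; the base is untouched.
anchor "options/*" on $int_if
anchor "options/*" on $ext_if
```

Check a candidate ruleset with `pfctl -nf /etc/pf.conf` before loading it, and inspect what the `block log all` line is catching with `tcpdump -n -e -ttt -r /var/log/pflog` (or live, `tcpdump -n -e -ttt -i pflog0`); spending time in that log against your own lab traffic is the "try to break through your own firewalls" step from the list above.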