New generation firewalls

[abhay4589]

I was going through some of the firewall vendors out there, there they use terms like "Application aware" and "Deep packet Inspection".
I have PF firewalls up and running nicely. Are there any comparable features in FreeBSD? Or is it really worth the effort to invest in such solutions only to find out that they don't work?

 

[gkontos]

I was going through some of the firewall vendors out there, there they use terms like "Application aware" and "Deep packet Inspection".
I have PF firewalls up and running nicely. are there any comparable features in FreeBSD?
Or Is it really worth effort to invest in such solutions only to find out that they don't work?

Marketing BS!

Application Aware

That suggests layer 7 inspection. Proxies and Web Application firewalls can reach to that level.

Deep packet Inspection

Reminds me of a very old classic porn. (I hope nobody gets socked)

I always prefer to separate layers when firewalling. PF though can do very deep inspection.

 

[abhay4589]

Is that It? I mean they make it look lot bigger then this.
This is literal sentence from one of the vendor and they claim, I tool it from article:

such as allowing all users to read their Facebook wall posts but not necessarily send out any Facebook messages during working hours.

Some of them also claim to have Identity Protection.
Am I missing something here because I know all that stuff that you mentioned pretty well.
I am also using OpenDNS to protect users, Just wanted to make sure that I am doing enough to protect users.

 

[wblock@]

allowing all users to read their Facebook wall posts but not necessarily send out any Facebook messages during working hours.

That means "change firewall rules in a cron(8) job." "Identity protection" could refer to NAT or HTTPS or something else.

 

[johnblue]

I always prefer to separate layers when firewalling.

Agreed.

@OP: Vendors tend to like to roll firewalls and content filtering into one magical package. If people ask for an all-in-one, I usually recommend going with an Astaro/Sophos box. You get a fully functional firewall/content filter license for personal use and while it is robust, it does have a learning curve. At least it gives you a chance to hack on it and learn it. Do not expect to put one into production at your place of employment and have it just work.

I ended up punching content filter holes to get netflix working because the real time filter didn't like the stream for some reason. I also did not like how it "called home" to display block messages and it didn't have a way for end users to HTML request a site for white-listing on the block page. IIRC, Sophos actually gets their content filter blocklist from someone else which is odd .. but back to the separation of duties!



Since you are already running an OpenBSD firewall, another step you can considering implementing with minimal pain and suffering is a DNS blackhole. DNS, as you might know, is used for good and for evil. Malware utilizes DNS. Botnets utilize DNS. APT actors utilize DNS. If there is a known FQDN with weaponized attack vector/delivery, the quickest kill for you is going to come from a DNS redirect to a blackhole. Here is a really good "howto" with a BSD slant:

http://www.pintumbler.org/Code/dnsbl

Additionally, the author included code that automates the blackhole updates via cron and it will email you the results. He sums it all nicely with:

A DNSBH can dramatically improve an organizations overall security posture for next to nothing.

 

[throAU]

There's a lot to be said for an off-the-shelf product that integrates seamlessly into active directory, generates shiny reports for management and has an existing knowledge base based on plenty of users with near identical software versions.

Sure, you can build a similar thing with FreeBSD, OpenBSD or whatever but the chances are your particular box will be nothing like anyone else's, which makes tracking down problems if/when they occur a lot less simple. Plus, upgrades are a single firmware upgrade rather than say, upgrading samba or version of pf (or whatever) seperately and finding that some new strange compatibility issue with the rest of your setup is introduced.

If you take hourly rate * number of man-hours to configure *nix box to do application level content inspection and reporting and compare to an off the shelf hardware firewall, the hardware firewall often makes sense. Especially when you consider you already need to buy dedicated server hardware to run your custom *nix based firewall on anyhow. Unless you're re-purposing old decommissioned hardware, but personally I don't like doing that, as my firewall is a device I kind of need to be up.

 

[gkontos]

It really comes down to how much money you spend versus the value of what you need to protect.

Firewalls work on different layers of the OSI model.

• Network Firewalls (layer 3-4)

Their job is to perform statefull inspection and protect a network from some common network attacks. A good firewall should provide a way of creating and maintaing effective policies and tools to monitor and analyze your logs.
Some commercial vendors offer central management stations for deploying and verifying policies across many firewalls.

• Application Firewalls (layer 7)

They are usually put after a network firewall and their job is to inspect and intercept application requests. Tuning is always required there. (https://www.owasp.org/index.php/Web_Application_Firewall)

That said, If you are looking for a all in one solution you will end up buying something that does a little bit of both.

If you are marketing a firewall you will want to use impressive and loud words because you aim at a target group with somewhat limited knowledge and a lot of competition.

If you are an IT manager, you will buy the most highlighted product so, that your ass is covered when there is a security breach because your development team did not use proper coding procedures and your system admins never patched a web server.