Discuss one of the following topics:
- In this unit, we looked at the categories of network security software and devices. However, in the market, many of these have converged… the line between a firewall and a router is much less defined, especially in low to mid-range devices. Is this a good thing or a bad thing? What are the consequences of this convergence?
- In the presentation, there is some discussion on open source and commercial network security devices. Which would you prefer, and why? Does it depend on the environment? What do we sacrifice when we go with one over the other? Is there any intersection between open source and commercial network security devices?
- In the presentation, we see that there are two actions when not passing traffic… We can reject or deny. What is the difference between these? When might you use one or the other?
Anthony Clayton Fecondo says
Firewalls and routers being combined reminds me of how CPUs now have integrated graphics. Although any serious users will need a lot more power than what’s provided, the integrated graphics provide a bare minimum performance for those who wouldn’t spend money on a dedicated graphics card. I think of this as a similar situation. The integrated firewall provides a better-than-nothing defense for companies/individuals who aren’t concerned enough to get a devoted firewall. However, if you have any serious commitment to security, I’m sure you would spend the money on a dedicated firewall. The hardware firewall offers stateful inspection and IDS/IPS, and has a higher capacity than integrated software firewalls. I think this is a good thing because it provides everyone some firewall protection (primarily ACL). However, having this weaker integrated firewall might create a false sense of security that could dissuade some people (who otherwise would have gotten a dedicated firewall) from spending the money on one.
Vaibhav Shukla says
In the presentation, we see that there are two actions when not passing traffic… We can reject or deny. What is the difference between these? When might you use one or the other?
Both the “deny” and “reject” settings will block the traffic, but there exists a small difference between rejecting and denying the traffic. When a packet is rejected, the packet is thrown away and an ICMP error message is returned to the sender. When a packet is dropped, the packet is simply thrown away without any notification to the sender.
In the case of deny, if a TCP connection is attempted, the connection will hang until the timeout limit has been reached. Since UDP is a connection-less protocol, the lack of acknowledgement from the client can give rise to different assumptions. In fact, not receiving a packet back in UDP can be taken to mean that the packet was accepted. Reject can be a better option as it doesn’t slow down the network, and additionally, when users receive an ICMP error message they can contact the administrator or check their connection options to ensure that they are reaching out to the correct port.
From a security point of view, deny is a good option because it will force every connection from a potential attacker to time out, thus slowing down the scanning of your server. Deny will also save a bit of bandwidth on the uplink by not sending the error packet.
Mengqi He says
In the presentation, we see that there are two actions when not passing traffic… We can reject or deny. What is the difference between these? When might you use one or the other?
When receiving a data packet, the firewall mechanism gives two options: reject or deny. The reject option will block the traffic and notify the source that the destination is unreachable via an (ICMP or TCP) message. Then the remote host will know that the receiver’s system and its firewall are running. Unlike reject, the deny option will silently discard, or drop, the packet with no reply packet sent to the sender. It will take some time before the request times out, and then the sender would see the “request timed out” message.
Mushima K. Ngalande says
In the presentation, we see that there are two actions when not passing traffic… We can reject or deny. What is the difference between these? When might you use one or the other?
When a packet reaches the firewall, it’s run against a set of rules for passing traffic. Among them are:
– Reject: This prohibits a packet from passing. An Internet Control Message Protocol (ICMP) destination-unreachable message is sent back to the source host.
– Deny: Prohibits a packet from passing. Sends no response. TCP aborts the connection and the application gets to know that the connection has failed after just one round-trip time.
Reject is useful in that it allows a legitimate user to receive a notification immediately from the application being reached that the connection failed. By rejecting unknown packets,
A common reason for using Drop rather than Reject is to avoid giving away information about which ports are open; however, discarding packets gives away exactly as much information as the rejection.
With Reject, you do your scan and categorize the results into “connection established” and “connection rejected”.
With Drop, you categorize the results into “connection established” and “connection timed out”.
So basically the difference is: when an application tries to connect to a non-existent service and the packet is Rejected, the failure is reported promptly to the user. When it’s Dropped, applications pause for a prolonged time, then fail.
Drop offers no effective barrier to hostile forces but can dramatically slow down applications run by legitimate users. Drop should not normally be used.
Drop is also useful in a DOS attack, as it helps because the attacker may not overwhelm your download, but the ICMP responses may overwhelm your upload speed, meaning you will not be able to remotely log in and manage your network under attack, and legitimate traffic is completely blocked.
Scott Radaszkiewicz says
In the presentation, we see that there are two actions when not passing traffic… We can reject or deny. What is the difference between these? When might you use one or the other?
Most firewalls today support the ability to either reject or deny traffic. If a Firewall is set to Deny, also referred to as Drop, then the Firewall will discard the packet and do nothing further with it. If a Firewall is set to Reject, then the Firewall will not allow the packet through and it will send some sort of Reject message back to the sender.
The use will depend on what the organization is trying to do with that blocked traffic. If a Firewall is set to Deny/Drop the packet, then no returning information is sent back. From a security standpoint, this means you are not even acknowledging to the original sender that the packet made it to the Firewall. If you are attempting to deter hacking, this could be an advantage. If your Firewall is set to Reject and sends back a Reject response, a hacker now has more information to work with. Reject also increases traffic, as there is a packet sent back out on the channel with the reject notification.
One reason for setting a Firewall to Reject is that you might want to let the sender know that the packet was rejected. Not all traffic that is being rejected is because of hackers, and you could be blocking legitimate traffic. Having the sender know that will help.
Mengxue Ni says
In the presentation, we see that there are two actions when not passing traffic… We can reject or deny. What is the difference between these? When might you use one or the other?
Reject means that for every packet received an ICMP port unreachable packet is sent to the source address. This tells the remote host that your system is up and running and that you are running a firewall.
Deny means the packet is discarded, dropped to the floor, assigned to oblivion. No reply packet of any kind is sent. (In the new iptables for Linux 2.4, this is now called DROP, which is clearer than DENY). If you set a rule which matches a particular source address and a rule-target of DENY, then your computer may as well be turned off as far as that source address is concerned. However, if you DENY some port ranges, say ports below 1024, and allow others, then it is also obvious that you are running a firewall.
LAN: REJECT is appropriate for UDP packets you don’t want to accept; it causes an ICMP port unreachable reply. The correct response to unwanted TCP packets is a reset; unfortunately, ipchains is not capable of sending a TCP reset. Sending port unreachable ICMP messages in response to a TCP packet (as REJECT does) is useless and is disregarded by many protocol stacks. A viable option is to use DENY, which sends no reply. Alternatively, you can use a package such as return-rst in conjunction with ipchains to produce the correct response.
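The reject/deny replies above (Vaibhav Shukla, Mushima K. Ngalande, Scott Radaszkiewicz and Mengxue Ni) all describe the same three observable effects: what the sender sees, how long it waits, and how much the firewall has to send back. The following toy model is an added example, not code from the original thread or from any firewall product. It assumes a constructed allow-list firewall whose default action is either REJECT or DROP, a constructed round-trip time and SYN retransmission schedule, and constructed packet sizes; the `tcp-reset` reply models the behaviour of a modern iptables rule written as `-j REJECT --reject-with tcp-reset` (ipchains, as Mengxue Ni notes, could only send the ICMP form). The `sweep` helper shows the point made in Mushima's post: the two result buckets carry the same information whether the wrong-port traffic is rejected or dropped, only the labels, the waiting time and the uplink bytes differ.

```python
"""Toy model of what a sender observes when a firewall REJECTs or DROPs its traffic.

Added example for the discussion above; all parameters below are constructed
for illustration and do not come from any real device.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional


class Action(Enum):
    ACCEPT = "accept"
    REJECT = "reject"  # discard and answer the sender (ICMP unreachable or TCP RST)
    DROP = "drop"      # discard silently (iptables DROP, ipchains DENY)


@dataclass(frozen=True)
class Reply:
    kind: str          # "syn-ack", "udp-data", "tcp-rst" or "icmp-port-unreachable"
    uplink_bytes: int  # bytes the firewall must send back (constructed sizes)


# Constructed client-side timing: one round trip, and the per-attempt SYN timeouts
# a TCP client waits through before giving up on a silently dropped connection.
RTT = 0.05
SYN_BACKOFF = (1.0, 2.0, 4.0)
UDP_WAIT = 2.0  # how long an application waits for a UDP answer before giving up


class ToyFirewall:
    """Allow-list firewall: listed ports are ACCEPTed, everything else gets the default."""

    def __init__(self, open_ports: Iterable[int], default: Action,
                 tcp_reject_with: str = "tcp-reset"):
        self.open_ports = set(open_ports)
        self.default = default
        self.tcp_reject_with = tcp_reject_with  # "tcp-reset" or "icmp-port-unreachable"

    def handle(self, proto: str, dport: int) -> Optional[Reply]:
        if dport in self.open_ports:
            return Reply("syn-ack" if proto == "tcp" else "udp-data", 60)
        if self.default is Action.DROP:
            return None  # nothing goes back; the sender is left waiting
        if proto == "tcp" and self.tcp_reject_with == "tcp-reset":
            return Reply("tcp-rst", 40)  # assumed size of a bare RST segment
        return Reply("icmp-port-unreachable", 56)  # assumed size of the ICMP error


def probe(fw: ToyFirewall, proto: str, dport: int) -> Dict[str, object]:
    """One connection attempt as the sender sees it: outcome, wait, bytes the firewall sent."""
    reply = fw.handle(proto, dport)
    if reply is None:
        if proto == "tcp":
            # SYN retransmitted with backoff, then the application gets a timeout error.
            return {"outcome": "timed-out", "elapsed": sum(SYN_BACKOFF), "uplink_bytes": 0}
        # UDP has no handshake: silence looks the same as "delivered, no answer".
        return {"outcome": "no-response (ambiguous)", "elapsed": UDP_WAIT, "uplink_bytes": 0}
    outcome = {
        "syn-ack": "established",
        "udp-data": "answered",
        "tcp-rst": "refused",
        "icmp-port-unreachable": "refused",
    }[reply.kind]
    return {"outcome": outcome, "elapsed": RTT, "uplink_bytes": reply.uplink_bytes}


def sweep(fw: ToyFirewall, proto: str, ports: Iterable[int]) -> Dict[str, object]:
    """Classify a port range the way any client would, and total the cost of doing so.

    Under REJECT the buckets are established/refused; under DROP they are
    established/timed-out.  The set of established ports is identical either way.
    """
    by_port: Dict[int, str] = {}
    total_wait = 0.0
    uplink = 0
    for p in ports:
        r = probe(fw, proto, p)
        by_port[p] = str(r["outcome"])
        total_wait += float(r["elapsed"])
        uplink += int(r["uplink_bytes"])
    return {"by_port": by_port, "total_wait": total_wait, "uplink_bytes": uplink}


if __name__ == "__main__":
    for default in (Action.REJECT, Action.DROP):
        fw = ToyFirewall({22, 443}, default)
        print(default.value, sweep(fw, "tcp", range(20, 25)))
```

Running the module compares the two policies over ports 20 to 24 with only port 22 open: the REJECT firewall answers every probe within one round trip and spends uplink bytes on each refusal, while the DROP firewall sends nothing for closed ports but leaves the sender waiting through the full SYN backoff. Swapping `tcp_reject_with="icmp-port-unreachable"` models the ipchains-era reply that Mengxue Ni's post says many TCP stacks ignore; in this simplified model the client still treats it as refused, so the field is there to make the choice visible rather than to reproduce every stack's behaviour.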
Jon Whitehurst says
It all depends on what you want to do. By today’s standards, Routers have basic features of a firewall and firewalls have basic router features. Firewalls have become more and more application aware instead of port based in the last number of years. Routers are meant to route traffic and firewalls are meant to inspect and allow or deny. Depending on the business that you are in, the business governs how the network is run and what is being seen or not seen. If you are in an educational system, then most is open to the students and staff, and you may have more routers than firewalls, allowing traffic out. If you work for the government or a company that is trying to protect their intellectual property, then the firewall plays more of a key role in trying to protect the business.
Ruslan Yakush says
Network security products come as open source and commercial. The difference between the two is significant, and each has its own benefits and disadvantages. Open-source is free and commercial is not. Depending on the environment and infrastructure needs, an open-source security product such as a Linux-based OS can be the best choice since it would provide full customization, down to recompiling the kernel for special needs, but there is no vendor support, which means whoever is administering the Linux system is fully responsible for stable operations.
On the other hand, commercial products offer an easy GUI or WUI where all configurations can be done very easily without CLI and any special customizations. Most importantly, the vendor provides full support for a commercial product, which costs money.
There is also an option of a blended product type that is both commercial and advanced. For example, RedHat Linux is a commercial product that provides full customization in CLI plus full vendor support. This choice is costly, but if the company is a multi-million-dollar E-Commerce business, then the benefit would outweigh the cost.
In most cases, I would choose a commercial product, such as a Firewall Appliance with vendor support, as this type of product offers a great deal of benefits.
Shain R. Amzovski says
In the presentation, there is some discussion on open source and commercial network security devices. Which would you prefer, and why? Does it depend on the environment? What do we sacrifice when we go with one over the other? Is there any intersection between open source and commercial network security devices?
With commercial network security devices and software, such as Cisco products, they provide great out-of-the-box security protection and are relatively easy to use and provide a GUI that is user friendly. The problem with commercial solutions is they can be pricey, especially at an enterprise level. In a Linux environment, there are open source firewalls, such as iptables, which we discussed in our lecture this week, which are not easy to use but provide a high level of security that can be customized to fit the framework of the organization’s architecture. The best part of firewalls such as iptables is that, like other open source software, it is free. This can play a major role when deciding on security, which also depends on the size of the organization and how much money they are willing to spend on security. Since iptables is open source and run through the Linux terminal, a Linux expert is generally needed to help with setting up the firewall. However, there are other open source GUIs that work with iptables, such as Firewall Builder. What we sacrifice with going with commercial over open source is that customizable factor, along with price. However, we are almost guaranteed a reliable product with commercial products, along with support. Also, a GUI provides easy-to-use security, right out of the box.
Amanda M Rossetti says
I think that it is a good thing that routers are now coming with built in firewalls, especially at the low-mid range. I think that this will provide more protection for small businesses and home users who otherwise wouldn’t have any sort of firewall at all. I think that larger organizations still need to have an additional separate firewall since the ones being built into routers are currently very limited. I think there is a risk of businesses who really should have an additional firewall not getting it because they falsely believe that the built in firewall is enough coverage for their purposes.
Noah J Berson says
I prefer open source solutions to closed ones. Open source means that it was usually built by a small team but is often reviewed by many different eyes. Some open source software is even developed by large companies that are confident in their abilities. With closed source, you never get to see what is inside the code and are just relying on the integrity of the vendor. Vendors can also be compromised without their knowledge by state actors, or even issued gag orders if they do know. What we consider to be “hardened” systems
There are times to use closed-source technology for network security. The vendor probably has the resources to pump up R&D to create secure devices. You are also giving up a lot of support for when things go wrong. Closed source also tends to have cleaner interfaces and easier usability, but that doesn’t have to be the case in all instances.
Loi Van Tran says
There are some inherent differences between open source and commercial network security products.
Open source products are free to use. With open source products, a skilled IT professional can look under the hood and tailor the product to the organization’s specific needs. Everything is customizable with the proper skill set. Although open source does not have a direct support group, it has a longstanding community that continuously analyzes and produces more secure and stable code. Once a vulnerability is found, open source products do not have to wait for a company to release an update. One of the major disadvantages is that it is not straightforward to use. It requires in-depth knowledge of the system, which can incur additional training costs and specialized experts. Another disadvantage is compatibility with proprietary software.
Proprietary network security products can be bundled with ease of use. They offer many benefits over open source but also have some disadvantages. Proprietary products typically come with a user-friendly interface, pre-configured with certain rules, and advanced features that can be easily managed by the administrator. You won’t require as much in-depth knowledge as with open source because you’ll have direct support from the company that provided the products. All of this comes at a greater cost over open source. Aside from the cost, there are limitations to what an administrator can do, since they can’t look under the hood to see the code. Customizing a proprietary product to meet the organization’s needs will definitely incur more costs.
The choice of one over the other really depends on the organization, the resources that they have, and the compatibility of the array of IT products that they may use. There’s also a question of sustainability; for example, open source requires a specialized skill set. Replacing personnel with those specific skills can be difficult.