Ben Nagy wrote:
> 
> OK, smarty pants...

ouch :)

> Then again, I don't write firewalls like Mike.

I _did_ say that I was biased and that you should 
stop reading, mkay? ;)

Now for my beef with web based firewall administration...

- First, for some reason I have yet to figure out, writing HTTP
  servers never seems to get done by the clued people, and instead
  left for the type monkeys. Recent case in point: buffer overrun
  in Netscreen's HTTP server which gives you control over the 
  instruction pointer (which Netscreen claims isn't exploitable; 
  maybe they sprinkle orange book fairy dust over the box prior 
  to shipping? Who knows.)

- I'd never trust plain unencrypted HTTP. See below.

- HTTPS solves some problems. However, considering the amount of
  bugs in all browsers, this still leaves much to be desired.
  Recent case in point: hitting the "back" button in IE creates
  a temporary connection between two different security domains,
  which is exploitable by scripts. And I have yet to see a web-based
  firewall admin interface which works with scripting disabled.

- Some of this could be worked around by setting up a separate
  management station on a separate interface (if the firewall in
  question allows it), with a browser that is ONLY allowed to connect 
  to the firewall and nowhere else. If I had to manage a firewall via 
  HTTP(S), this is how I'd do it.  However, given any size organization,
  you are likely to have more than one firewall admin, and I'd 
  trust anyone else to screw this up by giving themselves "temporary" 
  (read: anywhere between a week and a year) admin access from the 
  wrong interface, and break the security model completely.


My favourite design is a specialized app with a bare bones 
encrypted connection to the firewall. This is what we do, which
indeed leaves the value of my opinions somewhat questionable. In my
defense, I can say we do things this way because of my opinions
(and my colleagues'), and not the other way around.

And, no, GUI stuff isn't easily portable, so if you absolutely need 
to admin your firewall from a BeOS box, web based administration is 
probably a key factor. ;)


Of course, all of this is moot for a SOHO type business, which is
likely to have so many other security problems that possible 
attacks against the web interface are just another drop in the sea.


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Senex semper diu dormit"
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
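The "separate management interface, and nobody gives themselves admin access from the wrong side" model above, as an added example that is not part of this thread: a small audit that runs over firewall connection logs and flags accepted admin-plane connections arriving on anything but the dedicated management interface and subnet, plus any admin session over plain HTTP. The log format, interface name (`mgmt0`), subnet and addresses are all constructed assumptions for the example.

```python
"""Audit firewall self-management connections (constructed example).

Flags accepted admin-plane connections that (a) did not arrive on the
dedicated management interface from the management subnet, or (b) use
plain HTTP rather than HTTPS/SSH. Log format and values are assumptions.
"""
import ipaddress
import re

MGMT_IFACE = "mgmt0"                               # assumed management interface
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")    # assumed management subnet
FW_ADMIN_IPS = {"10.99.0.1", "192.0.2.1", "203.0.113.1"}  # firewall's own addresses (assumed)
ADMIN_PORTS = {80: "http", 443: "https", 22: "ssh"}

LOG_RE = re.compile(
    r"(?P<ts>\S+) iface=(?P<iface>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def audit(lines):
    """Return (timestamp, reason) findings for accepted admin-plane connections."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a connection record in the assumed format
        port = int(m["dport"])
        if m["dst"] not in FW_ADMIN_IPS or port not in ADMIN_PORTS or m["action"] != "accept":
            continue  # not a management connection, or the firewall already blocked it
        src = ipaddress.ip_address(m["src"])
        if m["iface"] != MGMT_IFACE or src not in MGMT_NET:
            findings.append((m["ts"], f"admin {ADMIN_PORTS[port]} from {src} via {m['iface']}: "
                                      "not from the management interface/subnet"))
        if port == 80:
            findings.append((m["ts"], f"admin over plain HTTP from {src}"))
    return findings


# Constructed sample log: one good session, one from the wrong interface,
# one over plain HTTP, one dropped attempt, one unrelated transit flow.
SAMPLE_LOG = [
    "2001-05-01T10:00:00 iface=mgmt0 src=10.99.0.20 dst=10.99.0.1 dport=443 action=accept",
    "2001-05-01T10:05:00 iface=eth1 src=192.168.1.50 dst=192.0.2.1 dport=443 action=accept",
    "2001-05-01T10:07:00 iface=mgmt0 src=10.99.0.20 dst=10.99.0.1 dport=80 action=accept",
    "2001-05-01T10:09:00 iface=eth0 src=198.51.100.7 dst=203.0.113.1 dport=22 action=drop",
    "2001-05-01T10:11:00 iface=eth1 src=192.168.1.50 dst=192.168.1.200 dport=443 action=accept",
]

if __name__ == "__main__":
    for ts, reason in audit(SAMPLE_LOG):
        print(ts, reason)
```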