On Wed, 26 May 1999, Marcus J. Ranum wrote:
> >1. Using a firewall, you add a layer of security, even if it's not
> >perfect.
>
> This is, what, proof by vigorous assertion?? If the firewall
> lets an insecure protocol back and forth without altering it
> or applying any security-related processing to it, can you explain
> how that constitutes a "layer of security"?
Depends on the firewall, and how you define "layer of security" I suppose.
There's an increasing school of thought that says blocking the first 80%
of potential attacks is very useful, rather than that allowing the remaining
20% through is very silly. Your Paranoia May Vary. My perspective certainly
won't.
> >For example, you can specify what addresses are allowed to use
> >the protocol, and also the direction of communication (I believe the
> >original poster wanted to be able to use DCOM outgoing, not incoming).
> >While this isn't perfect, I hope you'll agree that it's far better than
> >having no firewall at all.
>
> It's definitely better. But how much? The question is whether
Not enough IMO - but I seem to be in the minority.
> it's better enough to make the firewall worthwhile. If all it's
> doing is address based filtering, then you may as well just use
> a router (which also won't do any security-related processing).
> If you have a firewall that "understands" outgoing versus incoming
> for a protocol like DCOM, I suppose that's also a marginal
> improvement. But the "incoming/outgoing" filtering in most
> "stateful" firewalls amounts to little more than simple window
> control on filtering. Those are not exactly compelling security
> properties!
>
> That's my concern: people insist on running broken/lame protocols
> through their firewalls, and they convince themselves that the
> firewall is doing something for them. In fact, the firewall is
> doing next to nothing. Nothing a router can't do, anyhow.
Yep, I've been bitching actively about SSL for *years*. Nobody seems to
be willing to listen. I've even gone to firewall vendors with specific
proposals. Every time I've met with "Yes, it sucks, and we're waiting
for key escrow, but nobody else cares about security in this regard so we
won't put it in the product, and you'll have to pay by the hour if you
want a custom solution."
> >2. You are not limited to using a single firewall, nor are you limited
> >to having only two interfaces in a firewall.
>
> If one layer of toilet paper protecting your network is not
> sufficient, are two?
I'm equally skeptical (though perhaps not so eloquent ;)) of the value of
"protection" these days. It's an increasingly difficult fight to limit
things to "only the necessary protocols", and "none of that active
content crap." Indeed it seems we're moving backwards in security. It
doesn't help that vendors tunnel application protocols without protection
and call it "supported by the firewall." Don't even let me start in on
VPNs...
> Sure. That's a reasonable approach; I've been known to recommend
> things like it in the past. Identify protocols you don't fully
> trust and let them in only to systems that are not connected
> to trusted networks. Which begs the question, "if you don't trust
> the protocol, why are you using it for something important?"
Because the idiots that design protocols don't talk to the idiots who do
security until it's way too late.
> I'm not just messin' with you here -- these are fundamental
> problems with the concept of firewall, and they are problems I've
> been wrestling with for, oh, a while. In fact, I've finally concluded
> as a result of these issues that firewalls are no longer useful
> technologies. There are too many "business critical" applications
They are somewhat useful in that they provide a measure of protection
from the current run of attacks. They can be somewhat useful in keeping
complete idiots in the business from doing completely idiotic things as well.
> I used to think they were useful because they encoded a programmable
> form of security knowledge, so that unsophisticated administrators
> could implement basic security without having to research the
> network behaviours of various application protocols. Well, that
> was true. So what happened is that everyone felt safe, stopped
Administrators are increasingly unsophisticated, attackers increasingly
more so. That's the main problem.
> thinking and questioning, and simply began pointing and clicking
> and picking which services they wanted to allow in and out of
> their networks. Bad move. I believe that the vast majority
> of firewalls let more traffic through than makes any kind of
> sense. But there is no present viable alternative. Oops. :(
>
> >4. People have different security needs. If you're a bank, you're going
> >to have different security needs than if you are a consultant who needs
> >to test various protocols on non-critical test servers. Intruders will
> >have different motives for attacking you. If there is little to be
> >gained from attacking you, then it's reasonable to say that you
> >shouldn't be building a fortress when all you need is a bicycle lock.
>
> Yup.
I don't agree with that premise. The problem here is that the value of
attacking is in the eye of the attacker, not in the eye of the defender.
Given that, it's not reasonable to go immediately to not building
fortresses even when the external value of things is low. I think it's more
reasonable to base the measure of protection on what you can lose, not what an
attacker can gain (and they're different). Risk assessment is important
enough that I think the distinction worth mentioning.
> What you're talking about there is risk assessment. It's a very
> important process! You need to make estimates on the Important
> Four Security Questions:
> 1) What am I trying to protect?
> 2) How hard will someone try to get at it?
This is only a good metric if you can directly relate the value, and
doesn't take into account the percentile of attackers who will be in for
the long-haul no matter what. I think it should be down-rated as a
metric. Maybe it's the difference between "will someone try" and "can
someone try" that bothers me.
> 3) How much will it hurt me if they succeed?
This should be #2.
> 4) How much effort/cash am I willing to spend to protect it?
More importantly, "Can I isolate this asset more to provide protection,
and how much does it hurt me to do so?"
> Everyone's networks are different. I believe that a lot of the
> networks out there that are presently connected to the internet
> shouldn't be. Look at the kind of criminal negligence and
> incompetence that has been revealed at Los Alamos' network.
That, and a lot of data is put on general-purpose OSes. MLS still has
merit in a solid INFOSEC model. An MLS at Los Alamos would have denied
the transfer to a lower-level machine. All-or-nothing trust extension is
a major problem. Non-real-time credential checking is another. Those are
two areas where we've seen no significant work. An OS can protect itself
and its data at the cost of administrative overhead. Minimizing that
overhead is one of the major issues to be solved.
> What happens is that many organizations start from their requirements
> first and then back into their security policies based on that.
> Unfortunately, that's backwards. In order to avoid massive
Same with protocol designers, application designers, etc.
> cognitive dissonance when taking that approach, people have to
> convince themselves that their firewalls are actually _good_
> and actually _do_ something that makes it "ok" to run these
> massively insecure protocols into and out of the network.
> As Ryan pointed out, even the 4 protocols I "think" I know how
> to do somewhat safely are riddled with problems. Web wasn't
> even on that list. Nor pointcast, real audio, ICQ, ICQ's cool-o
> instant home page server thingamajig, oil change, and the
> zillion new applications coming out that will tunnel over
> HTTP. :( So far we've been spared a virus/trojan horse that
> knows how to tunnel out through firewalls via HTTP. How many
> sites will not be vulnerable to such an attack? How many sites
> restrict outgoing HTTP at their firewalls? We need a couple
This is the coming doom. Trojans and tunnels. Meanwhile, people sell
encrypting the tunnels as "security", leaving out even trending and
analysis as possible protection measures.
Next we get to be like the anti-virus people - always playing a losing
game of catch-up. But then if we can't get a word processor that ~90% of
the world seems to use _without needing macros_ changed over the course
of several years to eliminate the largest virus threat out there, what
hope do we have on the host or network side?
Maybe it's time to find a lawyer and start publishing "Worst crap from a
security perspective" lists. We could even rate in rolls of toilet
paper...
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
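Added example (not part of the original message or of any vendor product): Marcus asks how many sites restrict outgoing HTTP, and Paul points to "trending and analysis" as the protection measure that gets left out once everything is tunnelled over HTTP. The Python below is one concrete form of that analysis, run over a constructed, simplified squid-style access log (timestamp, elapsed ms, client, code/status, bytes, method, URL; the hierarchy fields are omitted). It finds client/destination pairs whose request timing is machine-regular (a beacon signature) and destinations addressed by bare IP rather than hostname. The log lines, the field layout, and the thresholds (`min_requests`, `max_cv`) are all assumptions made for illustration.

```python
"""Beacon and bare-IP detection over an HTTP proxy access log.

Constructed example; the log format is a simplified squid-style layout
and the traffic is invented, not captured. Thresholds are assumptions.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: workstation 10.0.0.7 POSTs to a bare-IP host every
# 60 seconds (a tunnelling trojan's heartbeat), mixed with ordinary browsing.
# Lines are deliberately not in time order, as real multi-client logs aren't.
SAMPLE_LOG = """\
927720000.101    120 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.com/index.html
927720012.500     90 10.0.0.9 TCP_MISS/200 9831 GET http://news.example.net/top.html
927720000.200     40 10.0.0.7 TCP_MISS/200 210 POST http://203.0.113.5/cgi-bin/up.cgi
927720060.210     38 10.0.0.7 TCP_MISS/200 212 POST http://203.0.113.5/cgi-bin/up.cgi
927720120.190     41 10.0.0.7 TCP_MISS/200 209 POST http://203.0.113.5/cgi-bin/up.cgi
927720033.000    300 10.0.0.9 TCP_MISS/200 44120 GET http://news.example.net/story1.html
927720180.205     39 10.0.0.7 TCP_MISS/200 211 POST http://203.0.113.5/cgi-bin/up.cgi
927720095.000    250 10.0.0.9 TCP_MISS/200 38771 GET http://news.example.net/story2.html
927720240.198     40 10.0.0.7 TCP_MISS/200 210 POST http://203.0.113.5/cgi-bin/up.cgi
927720210.000    280 10.0.0.9 TCP_MISS/200 40102 GET http://news.example.net/story3.html
927720300.000    260 10.0.0.9 TCP_MISS/200 39950 GET http://news.example.net/story4.html
this line is garbage and must not crash the analysis
"""

# Assumed (simplified) field layout: ts elapsed client code/status bytes method url
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_log(text):
    """Yield (timestamp, client, method, host, bytes) for each well-formed line.

    Malformed lines are skipped: an analysis that dies on one odd line is
    exactly what an attacker would hope for.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = urlsplit(m.group("url")).hostname or ""
        yield (float(m.group("ts")), m.group("client"), m.group("method"),
               host, int(m.group("bytes")))


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Return {(client, host): (count, mean_gap_s, cv)} for pairs whose
    inter-request gaps are regular enough to look machine-driven.

    cv is the coefficient of variation (stdev / mean) of the gaps; a human
    browsing a site produces a high cv, a timer-driven beacon a very low one.
    """
    times = defaultdict(list)
    for ts, client, _method, host, _size in parse_log(text):
        times[(client, host)].append(ts)

    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()  # the log is not guaranteed to be in time order
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean == 0:
            continue  # burst of identical timestamps; not a timer pattern
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[key] = (len(stamps), round(mean, 1), round(cv, 4))
    return hits


def bare_ip_hosts(text):
    """Return the set of destination hosts given as literal IP addresses.

    Legitimate web traffic almost always goes to a hostname; a tunnel that
    skips DNS to avoid leaving a resolver trail stands out here.
    """
    found = set()
    for _ts, _client, _method, host, _size in parse_log(text):
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue
        found.add(host)
    return found


if __name__ == "__main__":
    for (client, host), (n, gap, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"beacon: {client} -> {host}: {n} requests, every {gap}s, cv={cv}")
    for host in sorted(bare_ip_hosts(SAMPLE_LOG)):
        print(f"bare-IP destination: {host}")
```

The coefficient-of-variation test is crude on purpose: it is what "trending" amounts to when the firewall itself does nothing with the payload. A beacon that adds jitter will raise its cv above the threshold, so in practice this is one signal among several (byte ratio of POST to GET per destination, first-seen destinations, off-hours activity), not a verdict on its own.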