>I believe that the firewall provides significant additional security
>by providing a tool which assists the network (security) administrator
>to do her job.

I used to believe that but now with technology such as cell phone modems, I 
don't think they're as valuable as they used to be. It is too easy to bypass the 
firewall these days. When I did firewall reviews, I would always ask if data 
dialout were permitted. I can only think of 1 site that didn't allow it. Now, I 
just whip out that cell phone modem and watch jaws drop.

Before the flames start, I DO THINK FIREWALLS ARE NECESSARY, HOWEVER, 
I now think that firewalls are the LAST component of a security architecture 
that should be installed. Upper Mgt. usually stops or cuts back funding for 
security once a firewall is in place. They have a false sense of security.
I think it's vitally important that the INTERNAL systems be secured FIRST to 
whatever level of security is needed by the organization. It is, quite frankly, 
too easy to bypass a firewall these days (that cell phone modem thing sticks in 
my mind).

Yes, they keep the random outsider from probing an internal net but the majority 
of attacks/damage is internal. Also, most FW allow email and I demonstrated at a 
SANS presentation a couple of years ago that an email based (non-virus) attack 
would work more often than not. The fact that most of the sites that were hit 
by Melissa or any other email virus had FW in place reinforces the need for 
good Incident Response tools and the inability of FW to prevent those types of 
attacks (yes, bad FW policies are a problem...).

I keep thinking of the Maginot line in WWII if there is no good intrusion 
detection capability, incident response capability or incident recovery 
capability. 

>If the network is to be attacked, it should be attacked here.  And I deploy my 
>best network administrator at that point, to carefully monitor the behavior and 
>security of the firewall.

If the network is attacked, you shouldn't expect it where you have the 
"strongest" defense. As Mark said later, internal attacks aren't considered 
part of the FW defense here. However, things like cell phone modems should be.

>But Wallace's first law of how to be a security officer says "if they give you 
>the title without the credibility, authority and the face time, then you're not 
>a security officer, you're a scapegoat."

This is precisely WHY the internal hosts must be strengthened first and then the 
FW should be installed. Upper Mgt will consider the net 'safe' once the FW is 
installed. If a breach happens, they'll want to know WHY it happened WHEN they 
spent HUGE $$$ for the FW.

>Summary - if you consider that the firewall is a system, including
>hardware, software, policy, and professional administration, then 
>I'd argue that firewalls are very much part of the solution. Indeed
>I argue that they're a necessary part, early in the solution.

I would agree with everything here but the last sentence. They should be a 
necessary part LATE in the solution.

I guess I'm a little depressed about securing a net when the client OS allows me 
to install something like a keystroke recorder (via BackOrifice or Netbus or a 
commercial tool) and bypass any encryption tools in place. It sure forces me to 
develop Incident Response tools. The Time Based Security rule, Exposure Time = 
Detection Time + Reaction Time, takes on more importance since I can't secure the 
clients. But I digress... :-)

        -Randy Marchany
        VA Tech Computing Center
        Blacksburg, VA 24060
