On Tue, 14 Mar 2000, Unknown wrote:
> Correct me if I am wrong, please.
This is Firewalls, we'll correct you even if you're not wrong ;)
>
> This discussion is whether adding perl/c compilers to the firewall machine
> is an additional security risk in your architecture. Well, picture this: in
> your scenario somebody has just compromised the most hardened, best
> monitored host on your network, without you knowing about it. How hard do
> you think it would be for this individual, who has just hacked that
> ultra-secure machine, to reconfigure it, and upload binaries for what he
> needs. Let's take this into perspective. If somebody had sufficient skill
> to compromise a properly configured firewall machine, getting stuff like
> compilers and perl installed on it would be a joke. However, having perl on
> that machine, actively scanning log files, could have stopped the intruder
> dead in his tracks.
This, of course *assumes* that the compromise took some measure of skill.
That rules out vendor bugs, configuration problems and rogue users.
That's not the sum of the measure you want to protect against.
> Although I strongly believe in defence in depth, I don't believe that not
> having perl on a firewall is a sufficient additional security measure to
> warrant being called an extra layer. At this point, it is nothing but a
While my post says essentially the same thing, it's important to at least
look at the problem and decide how much additional protection you gain
versus the additional risk you accrue. One very important point that
seems to have escaped attention was someone pointing out that the firewall
shouldn't be "just another box." There's a great deal of social power to
treating it differently that shouldn't be trivially overlooked.
> VERY minor annoyance to the intruder, one he would be able to bypass quite
> easily. On the other hand, those perl programs parsing your log files could
> have alerted you to the break-in in the first place. You decide.
While I've seen very few exploit scripts written in Perl, it could be
handy to the right attacker. Since perl compiles just fine, I'm not sure
if the addition of the interpreter is fully necessary anyway.
> -Igor
>
> PS when I refer to a firewall, I am talking about a "properly" hardened
> host running no network services, whose sole job is to decide whether it is
> going to move a packet from one network card to another, and log those
> decisions. If this is not what you would consider a firewall (not a
> sufficiently hardened host, etc..) then perhaps you should address those
> issues before tackling perl/C compilers.
Not all firewalls are packet level devices, perhaps you should revisit
your definition.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280