Ryan Reynolds wrote:
>
> Nobody asks "How secure is
> FW-1/Gauntlet/Sidewinder/etc.", they just assume that the products are
> completely secure.
Yeah, but people shouldn't just assume that.
I'm not going to address bug-related security holes here. Bugs
are definitely a problem, but they tend to happen to everyone
over time. I'm going to talk about design problems.
Firewalls tend to block plain TCP connections to port X if
you tell them to do it. The problems start cropping up when the
attacker isn't quite that cooperative. Things that should be
part of firewall evals, but aren't to my knowledge, are:
(I'm talking SPFs here, I don't have a lot of in-depth proxy knowledge)
- Are different variants of fragrouting/fragment overlaps correctly
handled?
(In many "cheap" firewalls, the answer is no)
- Are the above occurrences properly logged? (In many cases, not at all)
- Does the firewall protect against firewalking? (Not too common)
- If it does (through a fluke of luck?), is it logged?
- Can it detect reverse-opened connections?
(i.e. protected client connects from port 1024 to server port 80,
the connection closes but the firewall keeps it open for a while,
the server sends SYNs back from port 80 to 1024, hoping that 1024
will later be used by something else such as an RPC application)
- If it features "application layer inspection", how does it handle
TCP segment overlaps and fragment overlaps (i.e. are the packets
and streams actually reassembled?)
- Does it log such occurrences?
- Can the firewall detect ARP spoofing games on locally connected
networks? (Not that important, but sure is nice)
- How about protection against FTP ALG data channel attacks?
(I know FW-1 and PIX have released patches for one variation,
what about all the other variations, and all the other firewalls?)
.. hmm. I could start listing some of the more arcane stuff as well,
but I won't. I guess it'd be boring to most of you :-)
I agree that many (most?) firewalling problems are caused by
human error, plain dumb admins, bad network design, etc.
The FTP ALG problem is a pet peeve of mine, but it serves
to illustrate a point. If the firewall can be caused to
pass traffic to "blocked" addresses and ports simply by
nicely asking it to do so for you, is it really doing the
job it was put in place to do?
The point is: If you instruct the firewall to allow a
small set of traffic, you expect it to allow only that traffic.
If it _fails_ in doing that, the firewall is... not a firewall?
(Stepping down off of the soapbox permanently this time)
--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
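Two of the checks in the list above (the "reverse-opened connection" through a lingering state entry, and the FTP ALG that opens a data channel to whatever address the PORT command names) are easy to show with a toy stateful filter. The code below is an added example, not part of the post and not any vendor's code; the addresses, the policy (a protected client may initiate TCP to the server's ports 21 and 80), and the `Firewall` class are all constructed for the illustration. `strict=False` reproduces the lax behaviour the post describes; `strict=True` applies the checks a practitioner would expect: a SYN arriving from the responder side of an existing flow is dropped and logged, RST tears the state down, and a PORT command only earns a single-use pinhole if it names the client's own address and an unprivileged port. The toy only inspects a PORT command that arrives whole in one segment; the segment/fragment reassembly issues in the post are out of its scope.

```python
import re
from dataclasses import dataclass

# Constructed topology (not from the post): one protected client, one external server.
CLIENT = "10.0.0.5"
SERVER = "203.0.113.7"
FTP_CTRL = 21

PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "A"        # any subset of "S", "A", "F", "R"
    payload: bytes = b""


class Firewall:
    """Toy stateful packet filter. strict=False keeps the two weaknesses, strict=True fixes them."""

    def __init__(self, strict: bool):
        self.strict = strict
        self.flows = {}        # (client, cport, server, sport) -> "open" | "closing"
        self.pinholes = set()  # (allowed_src_ip, data_ip, data_port) for inbound FTP data channels
        self.log = []

    def _policy(self, p: Pkt) -> bool:
        # Static rule set: the protected client may initiate TCP to the server's ftp/http ports.
        return p.src == CLIENT and p.dst == SERVER and p.dport in (21, 80)

    def _alg_port(self, p: Pkt) -> None:
        m = PORT_RE.match(p.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        ip, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        if self.strict and (ip != p.src or port < 1024):
            # A weak ALG trusts the address in PORT; that is how "nicely asking" opens holes.
            self.log.append(f"ALG: refused PORT {ip}:{port} from {p.src}")
            return
        self.pinholes.add((p.dst, ip, port))
        self.log.append(f"ALG: pinhole {p.dst} -> {ip}:{port}")

    def accept(self, p: Pkt) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if "S" in p.flags and "A" not in p.flags:            # a connection attempt
            if rev in self.flows:
                # The responder tries to open a "new" connection backwards through a
                # state entry that only exists because of an old session.
                if self.strict:
                    self.log.append(f"reverse open dropped: {p}")
                    return False
                return True                                   # lax: 4-tuple matches state, pass it
            hole = (p.src, p.dst, p.dport)
            if hole in self.pinholes:
                if self.strict:
                    self.pinholes.discard(hole)               # one data connection per PORT
            elif not self._policy(p):
                self.log.append(f"blocked: {p}")
                return False
            self.flows[fwd] = "open"
            return True
        key = fwd if fwd in self.flows else rev if rev in self.flows else None
        if key is None:
            self.log.append(f"blocked (no state): {p}")
            return False
        if fwd == key and key[3] == FTP_CTRL:                 # client -> server on the control channel
            self._alg_port(p)
        if "R" in p.flags and self.strict:
            del self.flows[key]                               # RST ends the session immediately
        elif "F" in p.flags:
            self.flows[key] = "closing"                       # the lax toy never expires this entry
        return True


def port_cmd(ip: str, port: int) -> bytes:
    """Build an FTP PORT command line for ip:port (constructed client traffic)."""
    return b"PORT " + ",".join(ip.split(".")).encode() + f",{port // 256},{port % 256}\r\n".encode()


def reverse_open_scenario(strict: bool) -> bool:
    """True if the server's SYN back into the client's closed port 1024 gets through."""
    fw = Firewall(strict)
    fw.accept(Pkt(CLIENT, 1024, SERVER, 80, "S"))
    fw.accept(Pkt(SERVER, 80, CLIENT, 1024, "SA"))
    fw.accept(Pkt(CLIENT, 1024, SERVER, 80, "FA"))           # both sides close
    fw.accept(Pkt(SERVER, 80, CLIENT, 1024, "FA"))
    return fw.accept(Pkt(SERVER, 80, CLIENT, 1024, "S"))      # server "reverse-opens" the port


def ftp_alg_scenario(strict: bool, data_ip: str, data_port: int) -> bool:
    """True if, after the client sends PORT data_ip:data_port, the server's data SYN is accepted."""
    fw = Firewall(strict)
    fw.accept(Pkt(CLIENT, 1025, SERVER, FTP_CTRL, "S"))
    fw.accept(Pkt(SERVER, FTP_CTRL, CLIENT, 1025, "SA"))
    fw.accept(Pkt(CLIENT, 1025, SERVER, FTP_CTRL, "A", port_cmd(data_ip, data_port)))
    return fw.accept(Pkt(SERVER, 20, data_ip, data_port, "S"))


if __name__ == "__main__":
    print("reverse open, lax:", reverse_open_scenario(False), " strict:", reverse_open_scenario(True))
    print("PORT to another protected host, lax:", ftp_alg_scenario(False, "10.0.0.9", 25),
          " strict:", ftp_alg_scenario(True, "10.0.0.9", 25))
```

The lax filter passes both the reverse-opened SYN and a data connection to `10.0.0.9:25`, an address the rule set never allowed, purely because the client asked for it in a PORT command; the strict filter refuses both and leaves a log line for each, which is the second half of what the list above asks for.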