RE: what should I do when....

["Scott Race" <srace () jdaarch com>]

I think we can all agree that a firewall is just a piece of the security
model, and not the only thing. I'm not sure where anyone in this thread
ever said all you need is a firewall and you'd be secure.

A firewall is like my days as a bouncer at strip clubs (prestigious, I
know).  I was just one piece of security there. I let people in based on
the club's rules (firewall rules).  I made decisions based on the rules
I was given.  I was only as effective as the rules I was given - if the
manager said to let someone in, I did.  If they said not to let someone
in, I didn't.

We should all just agree that a firewall in just *one* piece of
security, albeit a necessary one, but it's not a complete security model
alone.

-Scott

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Ansgar -59cobalt- Wiechers
Sent: Friday, July 11, 2008 10:37 AM
To: security-basics () securityfocus com
Subject: Re: what should I do when....

On 2008-07-11 Adriel Desautels wrote:
> A firewall is software running on hardware that is designed to enforce
> security policies that have little effect on how a hacker breaks into
> your network. So long as the hacker works within those policies his or
> her traffic will be passed, and they'll get in.
>
> A firewall is not a system that *secures* a network, shielding it from
> access by unauthorized users, but it might want to be and some people
> might like to think that it does that effectively. Can you show me one
> that does *secure* a network?

For every security concept you identify threats, break them down into
distinct attack scenarios and identify countermeasures for each attack
scenario (or decide that you'll live with the risk that the given
scenario poses).

> During one of our penetration tests I convinced a user to browse to a
> page hosted on our company website. When they did, their browser was
> exploited and their computer connected back to me over https. Why did
> I choose https? I chose https because I knew that the firewall allowed
> outbound https connections for users. I then used that access to
> perform distributed metastasis and penetrate other systems. The
> firewall did not "Secure" the network and "prevent" unauthorized
> access, we still got in.

There are obviously several ways to deal with this scenario on a
firewall-level:

a) Disallow https altogether.
b) Whitelist sites that are allowed to be accessed via https.
c) Man in the middle: Break the https connection into two connections,
   one from the client to your proxy, the other from your proxy to the
   server. Then your proxy can inspect/filter the traffic.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq