Re: what should I do when....

[Adriel Desautels <adriel () netragard com>]

Agreed. Can I stop talking about firewalls now?

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


Scott Race wrote:
> I think we can all agree that a firewall is just a piece of the security
> model, and not the only thing. I'm not sure where anyone in this thread
> ever said all you need is a firewall and you'd be secure.
>
> A firewall is like my days as a bouncer at strip clubs (prestigious, I
> know).  I was just one piece of security there. I let people in based on
> the club's rules (firewall rules).  I made decisions based on the rules
> I was given.  I was only as effective as the rules I was given - if the
> manager said to let someone in, I did.  If they said not to let someone
> in, I didn't.
>
> We should all just agree that a firewall in just *one* piece of
> security, albeit a necessary one, but it's not a complete security model
> alone.
>
> -Scott
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Ansgar -59cobalt- Wiechers
> Sent: Friday, July 11, 2008 10:37 AM
> To: security-basics () securityfocus com
> Subject: Re: what should I do when....
>
> On 2008-07-11 Adriel Desautels wrote:
> > A firewall is software running on hardware that is designed to enforce
> > security policies that have little effect on how a hacker breaks into
> > your network. So long as the hacker works within those policies his or
> > her traffic will be passed, and they'll get in.
> >
> > A firewall is not a system that *secures* a network, shielding it from
> > access by unauthorized users, but it might want to be and some people
> > might like to think that it does that effectively. Can you show me one
> > that does *secure* a network?
>
> For every security concept you identify threats, break them down into
> distinct attack scenarios and identify countermeasures for each attack
> scenario (or decide that you'll live with the risk that the given
> scenario poses).
>
> > During one of our penetration tests I convinced a user to browse to a
> > page hosted on our company website. When they did, their browser was
> > exploited and their computer connected back to me over https. Why did
> > I choose https? I chose https because I knew that the firewall allowed
> > outbound https connections for users. I then used that access to
> > perform distributed metastasis and penetrate other systems. The
> > firewall did not "Secure" the network and "prevent" unauthorized
> > access, we still got in.
>
> There are obviously several ways to deal with this scenario on a
> firewall-level:
>
> a) Disallow https altogether.
> b) Whitelist sites that are allowed to be accessed via https.
> c) Man in the middle: Break the https connection into two connections,
>    one from the client to your proxy, the other from your proxy to the
>    server. Then your proxy can inspect/filter the traffic.
>
> Regards
> Ansgar Wiechers