Security Basics mailing list archives
Re: what should I do when....
From: Adriel Desautels <adriel () netragard com>
Date: Tue, 15 Jul 2008 18:03:01 -0400
Agreed. Can I stop talking about firewalls now?

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45

Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142
---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn

Scott Race wrote:
> I think we can all agree that a firewall is just a piece of the security
> model, and not the only thing. I'm not sure where anyone in this thread ever
> said all you need is a firewall and you'd be secure.
>
> A firewall is like my days as a bouncer at strip clubs (prestigious, I
> know). I was just one piece of security there. I let people in based on the
> club's rules (firewall rules). I made decisions based on the rules I was
> given. I was only as effective as the rules I was given - if the manager
> said to let someone in, I did. If they said not to let someone in, I didn't.
>
> We should all just agree that a firewall is just *one* piece of security,
> albeit a necessary one, but it's not a complete security model alone.
>
> -Scott
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Ansgar -59cobalt- Wiechers
> Sent: Friday, July 11, 2008 10:37 AM
> To: security-basics () securityfocus com
> Subject: Re: what should I do when....
>
> On 2008-07-11 Adriel Desautels wrote:
>> A firewall is software running on hardware that is designed to enforce
>> security policies that have little effect on how a hacker breaks into
>> your network. So long as the hacker works within those policies his or
>> her traffic will be passed, and they'll get in. A firewall is not a
>> system that *secures* a network, shielding it from access by
>> unauthorized users, but it might want to be and some people might like
>> to think that it does that effectively. Can you show me one that does
>> *secure* a network?
>
> For every security concept you identify threats, break them down into
> distinct attack scenarios and identify countermeasures for each attack
> scenario (or decide that you'll live with the risk that the given
> scenario poses).
>
>> During one of our penetration tests I convinced a user to browse to a
>> page hosted on our company website. When they did, their browser was
>> exploited and their computer connected back to me over https. Why did I
>> choose https? I chose https because I knew that the firewall allowed
>> outbound https connections for users. I then used that access to
>> perform distributed metastasis and penetrate other systems. The
>> firewall did not "Secure" the network and "prevent" unauthorized
>> access, we still got in.
>
> There are obviously several ways to deal with this scenario on a
> firewall-level:
>
> a) Disallow https altogether.
> b) Whitelist sites that are allowed to be accessed via https.
> c) Man in the middle: Break the https connection into two connections,
>    one from the client to your proxy, the other from your proxy to the
>    server. Then your proxy can inspect/filter the traffic.
>
> Regards
> Ansgar Wiechers
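The point Ansgar and Adriel are arguing, that a port-based egress rule passes any traffic that stays inside the policy while a destination whitelist (option b) does not, can be made concrete with a small policy evaluator. This is an added example, not code from anyone on the thread; the internal range, hostnames, IPs and flow records are all constructed for illustration.

```python
# Added example: compare the two outbound-HTTPS postures from the thread on
# constructed flow records. Nothing here is from the original posts.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str        # internal client address
    dst: str        # destination address
    dst_port: int
    sni: str        # TLS server name from the ClientHello, "" if absent

INTERNAL = ip_network("10.0.0.0/8")  # constructed internal range

def port_policy(flow: Flow) -> bool:
    """Posture described in the thread: any internal host may open outbound
    HTTPS (tcp/443) to anywhere. The destination is never consulted."""
    return ip_address(flow.src) in INTERNAL and flow.dst_port == 443

def whitelist_policy(flow: Flow, allowed: frozenset) -> bool:
    """Option (b): outbound HTTPS only to an explicit list of server names.
    A 443 flow without an SNI cannot be matched, so it is denied (fail closed)."""
    return (ip_address(flow.src) in INTERNAL and flow.dst_port == 443
            and flow.sni != "" and flow.sni in allowed)

def evaluate(flows, allowed):
    """Return (flow, port_verdict, whitelist_verdict) for each flow."""
    return [(f, port_policy(f), whitelist_policy(f, allowed)) for f in flows]

# Constructed sample: two legitimate sessions, one reverse connection from a
# client to an attacker-controlled host on 443, and one 443 flow with no SNI.
ALLOWED = frozenset({"update.example-vendor.test", "mail.example-corp.test"})
FLOWS = [
    Flow("10.1.2.3", "192.0.2.10", 443, "update.example-vendor.test"),
    Flow("10.1.2.4", "192.0.2.20", 443, "mail.example-corp.test"),
    Flow("10.1.2.5", "198.51.100.7", 443, "cdn-assets.example-attacker.test"),
    Flow("10.1.2.6", "198.51.100.8", 443, ""),
]

def blocked_only_by_whitelist(flows=FLOWS, allowed=ALLOWED):
    """Destinations the port-based posture passes but the whitelist stops."""
    return [f.dst for f, by_port, by_list in evaluate(flows, allowed)
            if by_port and not by_list]

if __name__ == "__main__":
    for f, by_port, by_list in evaluate(FLOWS, ALLOWED):
        print(f"{f.src} -> {f.dst}:{f.dst_port} sni={f.sni or '-'}  "
              f"port-policy={'PASS' if by_port else 'DROP'}  "
              f"whitelist={'PASS' if by_list else 'DROP'}")
```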