Security Basics mailing list archives

Re: Firewall question - how easy is it to get thru - Proof


From: Todd Haverkos <infosec () haverkos com>
Date: Tue, 15 Feb 2011 11:39:29 -0600

"Rivest, Philippe" <PRivest () transforcecompany com> writes:

Quick question.

When I do an audit and when I find a major flaw or deficiency, IT
always tells me "it's because you're in the internal LAN, we have a
firewall protecting us". I know you have all heard that. So I try to
explain that you could attack thru physical security, social
engineering, virus and a lot of other ways and in the end I always
add "Someone more "expert" in Firewall could bypass it".

Hi Philippe, 

Four words:  client-side browser exploits. 

If they allow outbound web access, and they aren't exceedingly
fastidious about patching the OS and third party internet facing
applications (most commonly Java if installed, Flash, Reader,
Shockwave, and Quicktime), they _will_ get owned by way of traffic
their firewall is allowing outbound.  That's the one to drive home,
especially if trying to sell them on vulnerability management of
desktops or (gulp) servers on which anyone is tempted to run a web
browser to search for anything ever.  Drive-by downloads, exploit
packs, or spear phishing attacks are among those the firewall isn't
going to help mitigate one iota.  And once the attacker has an
internal toehold, calling back out to him via the straight TCP, or DNS
or http that their firewall invariably allows out of their
environment, the race to domain administrator is usually a short one
and the game is over.

Inbound-wise...does your client run web or mail servers?  Are the
issues you're finding web application or mail application related?  If
so, the firewall is a don't-care in those scenarios too because the
attack will succeed over a channel their firewall is allowing by
policy. 

If in a pinch you could always tell them "Firewall?  The 90's called
and they want their model of security back. No, your firewall isn't
going to protect you.  And--by the way--neither is your anti-virus."

While true, saying that in those terms generally isn't very
professional, however.

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
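The callback traffic Todd describes rides a channel the firewall permits by policy, so it shows up in the egress log as ordinary ALLOW entries; what gives it away is timing, not the verdict. As an added example that is not part of the original thread, the Python below parses a constructed egress log (the line format and all addresses are assumptions) and flags flows whose outbound connections recur at suspiciously regular intervals.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of ALLOWed outbound connections from an egress firewall log.
# Assumed format: "<ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port> <proto> ALLOW"
SAMPLE_EGRESS_LOG = """\
2011-02-15T10:00:00 10.0.5.23 203.0.113.9 443 tcp ALLOW
2011-02-15T10:00:10 10.0.5.23 198.51.100.7 80 tcp ALLOW
2011-02-15T10:00:15 10.0.5.23 198.51.100.7 80 tcp ALLOW
2011-02-15T10:01:01 10.0.5.23 203.0.113.9 443 tcp ALLOW
2011-02-15T10:02:00 10.0.5.23 203.0.113.9 443 tcp ALLOW
2011-02-15T10:02:59 10.0.5.23 203.0.113.9 443 tcp ALLOW
2011-02-15T10:03:40 10.0.5.23 198.51.100.7 80 tcp ALLOW
2011-02-15T10:04:01 10.0.5.23 203.0.113.9 443 tcp ALLOW
2011-02-15T10:05:00 10.0.5.23 203.0.113.9 443 tcp ALLOW
2011-02-15T10:09:00 10.0.5.23 198.51.100.7 80 tcp ALLOW
2011-02-15T10:09:02 10.0.5.23 198.51.100.7 80 tcp ALLOW
"""

def parse_egress_log(text):
    """Return a list of (timestamp, src, dst, dport) for ALLOW lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[5] != "ALLOW":
            continue  # skip malformed lines and denied traffic
        ts, src, dst, dport = parts[0], parts[1], parts[2], int(parts[3])
        records.append((datetime.fromisoformat(ts), src, dst, dport))
    return records

def find_beacons(records, min_hits=5, max_cv=0.2):
    """Flag (src, dst, dport) flows with at least min_hits connections whose
    gaps have a coefficient of variation (stdev / mean) below max_cv."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport in records:
        by_flow[(src, dst, dport)].append(ts)
    beacons = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            beacons.append({"flow": flow, "hits": len(stamps),
                            "period_s": round(avg, 1)})
    return sorted(beacons, key=lambda b: b["flow"])
```

The irregular browsing to 198.51.100.7 passes the hit threshold but fails the regularity test, while the once-a-minute flow to 203.0.113.9 is reported; tune min_hits and max_cv against a baseline of normal traffic before relying on the output.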
