Re: Fw: No Security is Bad Security

[smail () NETWORKSECURITY NET (Jim Maze)]

Hey Aleph, I have a few comments to add regarding this post.

Scott Seidler wrote:

>  It seems that the more you can spend on a firewall and other security
> measures, the better you are at protection.

This is misleading. This is why many companies spend hundreds of
thousands of dollars on state-of-the-art security solutions only to wind
up a victim of a successful attack because they are still vulnerable due
to poor implementation.  The level of security achieved from a
particular security solution is not directly tied to cost. I've seen
Mom-and-Pop shops that are using free security measures such as Linux
based firewalls, s/key authentication, SSH, and TCP wrappers that are
much more secure than your average Firewall-1 implementation. The key is
implementation, not cost. Now, if more expensive commercial solutions
ARE implemented correctly, they often do offer significant advantages
over some of the freeware tools out there, but unfortunately many
security consulting firms are focused on pushing the products out the
door rather than proper and careful implementation of the products.

> While no firewall  will claim 100% protection, we have learned that some
> are better than others for simple reasons.
>
> Software based firewalls, while they usually have more options to integrate
> directly, might require a more technical
>  suport base internally than most smaller companies or agencies may have.
>
>  Additionally, the daily upkeep and constant vigil to find out about
> software patches and vunerabilities tend to be secondary (or third, or
> fourth, etc) to the daily jobs of most systems people. Thus old bugs and
> often blatant overlooks become the  doorway with the "open for business"
> sign hanging above them.
>
>  Unfortunately, basing a firewall on a multpile use operating system (NT,
> UNIX, etc) can leave unexpected doorways open and allows for opportunity
> for "pilot error" mistakes. Just the time to keep up with them all is too
> great for most system managers.

Again, implementation is more important than the particular platform,
vendor, or technology. If a software based firewall is configured
properly, it will not be vulnerable to 99.9% of the bugs out there. Why?
Because a proper implementation of a software firewall includes a
stripped down OS that contains only the basic kernel and networking
componenets necessary for the firewall to operate.  While I am a big
advocate of regularly patching systems, it is often not necessary to
apply most patches on a software firewall, simply because the patched
binaries are not installed to begin with. I agree that multiple use OS
based firewalls have the *potential* to become a victim of an OS bug,
but it's not very likely if the device is implemented properly.

> So far we have implemented successfully many hardware based firewalls. The
> positives on this type of platform far outweigh the marginal extra cost for
> the purchase price. These are single function - Firewall only - types of
> devices.
>
>  Some hardware based platforms have no user accessable operating system to
> have potential open ended problems with, and right out of the box they seem
>  to set up with limited commands when acting as a one way only firewall. Of
> course there are many more programming options in these units that go way
> beyond the scope of this posting and are, as Aleph has pointed out to me on
> the first issue of this email (appreciated by the way Aleph - thanks), too
> vendor specific to really elaborate on.

No argument here - I agree completely.

> Suffice to say that Network Address Translation (NAT) and Protocol Address
> Translation (PAT) are not the only things to base
> a Firewall purchase on. There are many other options and hooks that make a
> really good firewall, such as interaction with other
> devices (routers, high end authentication, encryption, etc.).

While debating over software vs. hardware, you haven't touched on the
whole issue of choosing the right underlying firewall technology for a
given environment. While things like NAT and PAT and interoperability
with other security devices are definitely important, the underlying
technology used by the firewall should be one of the major deciding
factors as well. For example, you may want to use an application gateway
firewall for perimeter security while using stateful packet filtering
internally where more flexibility is required. Many comanies (and
consulting companies) overlook this issue.

>  Addtionally, Two types of products that allow for on-line
> monitoring/reporting/ detection and also allow for security audits and even
> testing of vunerablities are a must for any budget that can afford them.
>
> You can try Cisco (http://www.cisco.com) or Network Associates
> (http://www.nai.com/default_ngc.asp) for examples of these products.
>
> Some of these fit really well into the big router manufacturer operating
> system schemes by even allowing an automatic rewrite to
> the ACL (access control list) to block a detected party. And dont forget
> the ever possible "page me when you find something wierd" option too.
>
> Both of these systems are not inexpensive with price tags of around 10k for
> the systems I have seen.
>
> I have had great feedback on these types of products from my customers -
> especially the firewalls and felt i could dissiminate the info to my fellow
> Bugtraq-ers.

Again, I agree.....but for organizations with a smaller security budget,
freeware tools should be presented as an alternative to high-cost
commercial products. As security professionals, our focus should be on
providing the best possible solutions to our customers that fit into
their security budget - not just on pitching high-margin product lines.

That's my nickel.

-maze