Dailydave mailing list archives

Re: This just in: Firewalls are obsolete


From: Gadi Evron <ge () linuxbox org>
Date: Tue, 12 Jul 2005 01:49:15 +0200

In order to offer any protection, the firewall has to implement the
complex protocol -- and countless others.  This means that the
firewall vendor is at a disadvantage compared to the original protocol
author (less focus, often less information).  I don't think most
firewall vendors use radically different implementation techniques;
it's mostly C or C++, with the usual problems.  Often, the net result
is a protocol implementation at the firewall level which is
incomplete, does not completely protect the actual service, and has
security bugs on its own.

In almost all cases, if you run two software packages instead of one,
you get the union of all their bugs, not the intersection.  The
application you're trying to protect must be in a really, really bad
shape before this equation changes.  Of course, such things do happen
in practice (cf. web applications and SQL injection), but to fix these
mishaps, you have to go well beyond typical firewalling efforts.

Let's try and not confuse things though -
If you do use two (or more) products, it is true you are now vulnerable with both of them. However, you are also now more secure in the event one fails.

If the two "whatevers" are of the same type, the likelihood of the second following the first and.. dying (if you're lucky) is extremely high (or more so than with two of different types).

Then, managing a network with different types of devices and/or OS's is hell by itself and therefore a security risk on its own.

I'd take manageability of my network any day over the mess of 100 different devices I can't know much about.

However, there is one problem that we face which really scares me, and that is the menace of having a monoculture.

One bug, and we're all dead. One bad patch, and we're all dead.

It's a lose-lose situation.. and the answer is probably neither.

What I personally do is fall back on yucky management-type risk assessment, see where I can live with and protect a monoculture (or more like, better protect than otherwise not at all..) and where I can put different devices and still manage them, such as at the entrance to my network.

No solution is perfect.

        Gadi.