Educause Security Discussion mailing list archives
Re: Firewalls
From: randy <marchany () VT EDU>
Date: Fri, 12 Jul 2013 11:48:48 -0400
Reading the discussion on FW reminds me of the overarching problem with using FW as "protection" devices and not understanding that they are only useful "detection" devices. Consider the following examples:

1. Whitelisting - you want to set up a list of authorized places a unit can go on the net. The unit has a business need to access www.majorbank.com (I sanitized the name). You set up the FW ACL to allow access to the majorbank.com address range. You test the ACL and discover that their main www site is degraded. After some investigation, you discover that majorbank hosts its main page on Akamai. Now you have to allow Akamai and everything else that Akamai hosts. Ironically, only the main page is hosted by Akamai. Did this increase or decrease your protection level?

2. FW admins vs software - There have been numerous discussions about which ports to block. I've not seen any discussion on FW admins finding out what ports are required by software packages. In some cases, the requirements of 2 software packages may end up leaving your machine wide open. For example, a very old (+8 years) requirement for end users running Oracle/Banner, Citrix server would require the following ports to be open:

*Oracle/Banner:*
Allow TNS_LISTENER and SSH to Oracle server (Allow 1521/tcp, 22/tcp)
Allow TEXAR Security for load balance check (allow 333/TCP)
Allow LSA to Domain Controllers (allow 1026/TCP, 1028/UDP, 1029/tcp)
Allow Active Directory (LDAP, LDAP/SSL) lookup to Domain Controllers (allow port 389/udp & 389/tcp, 636/tcp)
Allow Network Time Protocol to Domain Controllers (allow 123/udp, 123/tcp)

*CITRIX:*
CITRIX initially connects on ICA (1494/tcp) and then negotiates a new connection to the server on a high port number (1023-65534) to separate out multiple client connections
Allow ICA to CITRIX server (allow all tcp)

3. Clearly, there needs to be a list of what ports are required to be open for software packages to work. Careful analysis needs to be done to see if there are software combos that basically nullify your FW ACL. We have a very old (2003) list on our www site: http://www.security.vt.edu/briefs-online_templates/indexers/downloads/misc_downloads.html (click on Firewall Ports and Protocols Summary) that lists common software used back then and what ports/protocols needed to be open in order to run those packages. I hope that FW admins have taken the time to thoroughly investigate the port requirements of software running on their endpoints.

4. Ironically, the "fathers" of the IT Firewall (Cheswick, Bellovin, Ranum, Zuk, Pensak, Presotto, Mogul, Reid, Vixie, Avolio) aren't fans of the firewall anymore. A quote from the article "Who Invented the Firewall?" (http://www.darkreading.com/management/who-invented-the-firewall/208803808) states:

"Cheswick, lead member of the technical staff at AT&T Research, says he hasn't personally used a firewall since the 1990s: 'They are an economic solution to weak host security. I want to see stronger host security,' he says. Even so, Cheswick says the firewall still has a place -- but as 'just another network element.' 'The firewall as Bill and I described it in 1994 in our book is obsolete,' says Bellovin, now a professor of computer science at Columbia University. Having a guard at the front door today when there are thousands of backdoors into the network just doesn't fly now, he notes. 'I'm not saying get rid of it at the door. It provides a low grade of access control for low-value resources. But the real access control [should be] at the host.'"

5. I do agree the FW is a necessary piece in a security architecture. But for it to be effective, a lot of work needs to be done to make sure you don't create a worse problem than the one you're trying to solve. I think we need to remember that it is an effective DETECTION device and not an effective PROTECTION device. I see its usefulness in network forensics.

Since the EDU security environment is basically split between the standard corporate security model (for our administrative systems like payroll, HR, etc.) and the ISP model (most of us require our students to purchase their own computers and connect to our nets), it seems to me we should focus on what leaves the net rather than what comes into the net. For example, a hacker compromises a machine - score: Hacker 1 Defender 0. The defender detects anomalous traffic to a questionable site and blocks that callback - score: Hacker 1 Defender 1 and tie goes to the defender. Is there a risk of data leakage going undetected? Of course, but that's why you have defense-in-depth. :-) I also believe host based FW are more effective especially since wireless basically allows anyone to bypass your border defenses.

I've ranted enough.

Randy Marchany
VA Tech IT Security Office & Lab
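The "careful analysis" Randy calls for in point 3 can be scripted. The following is an added example, not code from the post or from VT's Ports and Protocols Summary: it takes per-package port requirements (constructed here from the Oracle/Banner and Citrix list quoted above, on a hypothetical endpoint that needs both), merges them per protocol, and reports how much of the port space the union leaves open, so an admin can see when one package's "allow all tcp" rule swallows everything the other rules were meant to restrict.

```python
# Added example: measure how much of the port space a set of per-package
# firewall requirements opens when they are combined on one endpoint.
from typing import Dict, List, Tuple

PortRule = Tuple[str, int, int]  # (protocol, first_port, last_port)
MAX_PORT = 65535

# Constructed from the port list quoted in the post (hypothetical endpoint
# that must run both Oracle/Banner and Citrix clients).
REQUIREMENTS: Dict[str, List[PortRule]] = {
    "Oracle/Banner": [
        ("tcp", 1521, 1521),                                            # TNS listener
        ("tcp", 22, 22),                                                # SSH to Oracle server
        ("tcp", 333, 333),                                              # TEXAR load-balance check
        ("tcp", 1026, 1026), ("udp", 1028, 1028), ("tcp", 1029, 1029),  # LSA to DCs
        ("udp", 389, 389), ("tcp", 389, 389), ("tcp", 636, 636),        # LDAP / LDAPS
        ("udp", 123, 123), ("tcp", 123, 123),                           # NTP
    ],
    "Citrix": [
        ("tcp", 1494, 1494),      # initial ICA connection
        ("tcp", 1023, 65534),     # renegotiated high port ("allow all tcp")
    ],
}


def merge_ranges(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Merge overlapping or adjacent port ranges into a sorted disjoint list."""
    merged: List[Tuple[int, int]] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def coverage(reqs: Dict[str, List[PortRule]], proto: str) -> Tuple[List[Tuple[int, int]], int]:
    """Union of all packages' ranges for one protocol and the number of ports it opens."""
    ranges = [(lo, hi) for rules in reqs.values() for p, lo, hi in rules if p == proto]
    merged = merge_ranges(ranges)
    opened = sum(hi - lo + 1 for lo, hi in merged)
    return merged, opened


def nullified(reqs: Dict[str, List[PortRule]], proto: str, threshold: float = 0.5) -> bool:
    """True when the combined rules open at least `threshold` of the port space."""
    _, opened = coverage(reqs, proto)
    return opened / MAX_PORT >= threshold


def culprits(reqs: Dict[str, List[PortRule]], proto: str, min_width: int = 1024) -> List[str]:
    """Packages contributing a single rule wider than `min_width` ports."""
    return sorted(pkg for pkg, rules in reqs.items()
                  if any(p == proto and hi - lo + 1 >= min_width for p, lo, hi in rules))


def report(reqs: Dict[str, List[PortRule]]) -> str:
    lines = []
    for proto in ("tcp", "udp"):
        merged, opened = coverage(reqs, proto)
        pct = 100.0 * opened / MAX_PORT
        lines.append(f"{proto}: {opened} of {MAX_PORT} ports open ({pct:.1f}%) via {merged}")
        if nullified(reqs, proto):
            lines.append(f"  WARNING: {proto} ACL effectively nullified; wide rules from {culprits(reqs, proto)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(REQUIREMENTS))
```

Running it shows the TCP union collapsing to five single ports plus 1023-65534, which is over 98% of the port space, while UDP stays at three ports. The threshold is a policy choice; even a much smaller fraction may be unacceptable on an administrative subnet, and the same structure works for egress rules by feeding it the outbound allow list instead.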