Firewall Wizards mailing list archives

Re: Firewall administration


From: Rik Farrow <rik () spirit com>
Date: Mon, 6 Oct 1997 08:20:12 -0700 (MST)

Apparently, David Collier-Brown <davecb () Canada Sun COM> wrote:

   | Service | Ports Opened     | Risk
---+---------+------------------+-------------------
 X | Email   | smtp, 25/tcp     | Spam[1][2][3]
 X | News    | nntp, 119/tcp    | Spam[2][3]
...
 X | NFS v2  | sunrpc, 111/udp  | Spoofing[4][5]
   |         | portmapper       |
   |         | mountd           |
   |         | nfsd             | eavesdropping[9]

With a bit of careful collection of dependencies, one can
easily show the user that he just added spam-forwarding
(footnote [1]) when he turned on mail, by changing the
words ``Spam[1]'' to red....


I have a couple of problems with this.  For example, one vendor
supports almost 200 services--your form has gotten very unwieldy.

More importantly, you have left too much out.  The number of email
exploits just using sendmail is too long to list.  Spam, while
interesting, does not permit someone to break into a system.

And services like NFS, which has an authentication mechanism
so weak as to be almost useless (similar to CIFS), do not
belong in this list.  Having a warning would be akin to having
a sticker on the dashboard which reads:

"Warning: due to the bad design of the doorlocking mechanism,
passengers may fall out when turning corners."

Get rid of the bad design.

Finally, what about the exploits yet to be created?  Minimalism
is critical in firewall configuration.  Making it easy to do
the wrong thing, such as enabling a service just because it's in
the menu or form, weakens your security.  Yes, I know that the
firewall configuration should come from a security policy,
but that is not what always happens.

Rik
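[Editor's note: the script below is an added example and is not code from
either poster. It illustrates the policy-first, default-deny approach
argued for above: instead of a menu where ticking "NFS v2" silently opens
sunrpc, mountd and nfsd, start from a written allow-list, expand each
requested service into the ports it actually drags in, and refuse anything
the policy does not name. Service names, ports and risks follow the quoted
table; the entries for mountd (port assigned by portmapper at run time) and
nfsd (2049/udp by convention), the policy allow-list, the "requested" list
and the ipfw-like rule syntax in render() are assumptions made here.]

```python
"""Policy-first firewall audit: default deny, expand dependencies, refuse
the rest.  Added example; not code from the thread or from either author.

Service names, ports and risks follow the quoted table.  The entries for
mountd (port assigned by portmapper at run time) and nfsd (2049/udp by
convention) are assumptions added here, as are the policy allow-list, the
"requested" list and the ipfw-like rule syntax in render().
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Port:
    number: int
    proto: str

    def __str__(self) -> str:
        return f"{self.number}/{self.proto}"


@dataclass
class Service:
    ports: List[Optional[Port]]      # None: no fixed port, cannot be filtered
    risk: str                        # the "Risk" column of the table
    needs: List[str] = field(default_factory=list)  # services it drags in


# Catalogue in the style of the quoted table (constructed; see docstring).
CATALOGUE: Dict[str, Service] = {
    "smtp":   Service([Port(25, "tcp")],   "spam; sendmail exploits"),
    "nntp":   Service([Port(119, "tcp")],  "spam"),
    "sunrpc": Service([Port(111, "udp")],  "spoofing (portmapper)"),
    "mountd": Service([None],              "weak authentication"),
    "nfsd":   Service([Port(2049, "udp")], "weak authentication; eavesdropping"),
    # "NFS v2" as a menu item: no port of its own, three dependencies.
    "nfs":    Service([], "weak authentication; eavesdropping",
                      needs=["sunrpc", "mountd", "nfsd"]),
}


def expand(name: str, catalogue: Dict[str, Service],
           seen: Optional[Set[str]] = None) -> List[str]:
    """Transitive closure of `name` over `needs`: name first, each once."""
    seen = set() if seen is None else seen
    if name in seen:
        return []
    seen.add(name)
    result = [name]
    for dep in catalogue[name].needs:
        result.extend(expand(dep, catalogue, seen))
    return result


def audit(requested: List[str], policy_allow: Set[Port],
          catalogue: Dict[str, Service]) -> Tuple[List[Port], Dict[str, List[str]]]:
    """Default deny.  A requested service is admitted only if every port it
    and its dependencies need is named in the policy; otherwise it is refused
    with one reason per offending port and nothing at all is opened for it."""
    allowed: Set[Port] = set()
    denied: Dict[str, List[str]] = {}
    for svc in requested:
        if svc not in catalogue:
            denied[svc] = ["not in the service catalogue"]
            continue
        needed: List[Port] = []
        problems: List[str] = []
        for dep in expand(svc, catalogue):
            entry = catalogue[dep]
            for port in entry.ports:
                if port is None:
                    problems.append(f"{dep}: no fixed port (assigned at run "
                                    f"time), cannot be expressed as a rule")
                elif port not in policy_allow:
                    problems.append(f"{dep}: {port} not named in policy "
                                    f"(risk: {entry.risk})")
                else:
                    needed.append(port)
        if problems:
            denied[svc] = problems
        else:
            allowed.update(needed)
    return sorted(allowed, key=lambda p: (p.proto, p.number)), denied


def render(allowed: List[Port]) -> List[str]:
    """Minimal ruleset in a generic ipfw-like notation (assumed syntax):
    one allow per policy port, then deny everything else."""
    lines = [f"allow {p.proto} from any to any {p.number}" for p in allowed]
    lines.append("deny ip from any to any")
    return lines


if __name__ == "__main__":
    # Constructed sample: the policy names mail only; the admin ticked four boxes.
    policy = {Port(25, "tcp")}
    ok, refused = audit(["smtp", "nntp", "nfs", "finger"], policy, CATALOGUE)
    print("\n".join(render(ok)))
    for svc, reasons in refused.items():
        print(f"refused {svc}:")
        for r in reasons:
            print(f"  {r}")
```

Two things the run makes visible that the menu form hides: "NFS v2" is
refused three times over (111/udp not in policy, mountd has no fixed port
to filter on, 2049/udp not in policy), and a policy that names 111/udp and
2049/udp but not the dynamic mountd port still refuses NFS and opens
nothing for it, so a half-satisfied dependency never leaks a port.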


