Firewall Wizards mailing list archives
Re: firewalls and the incoming traffic problem
From: Anton J Aylward <anton () toronto com>
Date: Sun, 28 Sep 1997 17:44:37 -0400
At 11:32 AM 28/09/97 +0000, Marcus J. Ranum wrote:

> What's worrying me is all the folks I've seen who put a firewall in, and believe it is going to somehow protect the incoming traffic.
>
> [snip]
>
> I'm not saying that "firewalls are dead" because this problem has always been there and firewalls DO serve a purpose. The fact is that sites with firewalls get broken into less often than sites without. But - are a majority of firewall users falsely confident?
I'm not going to comment on the rest of Marcus's posting because it's just so true. What I am going to address, and these quotes illustrate my point, is something a little different. I'm taking the liberty of moving this to a "philosophical" mode rather than a technical one because I feel that is the way Marcus is headed, and it's his list so he can press the delete button if he feels I'm too far outside the charter - and you're welcome to edit out this sentence.

Those on the list in North America will be familiar with the Dilbert comic strip by Scott Adams. Those in other countries can look at http://www.unitedmedia.com/comics/ for some examples. I mention this because of a theme in his book "The Dilbert Principle". After the purge of the middle management bulge in the 80's and early '90s, and associated downsizing, he comments, people are not being promoted into middle management. These are not the technical wizards, who are needed in their current positions to keep the company running. Also, because of budget cuts, these people are receiving no training as managers. I gather from his comments that Adams receives a lot of e-mail about this.

So we have a layer of middle managers who are guided by the trade press and by salesmen. Remember the days of 'you never get fired for buying IBM', 'cos the IBM salesman always told the manager when an 'upgrade' was required, and probably prepared the budget request for him? Well, they've come again - sort of.

Imagine a manager who connects his department to the Internet, because the trade press told him he had to in order to stay competitive. And of course he needs a firewall to keep the hackers out. (Perhaps he should have read the Ernst & Young reports on computer security!) So now he can report to the board that this has all been successfully achieved. Now I have to admit I've never been in a site where the tick-off list has proceeded this far but the firewall was still in the packing crate.
After all, many of the vendors of low end systems are box-pushers. Like in the early days of PCs, they make their money by moving product, not wasting time installing it, configuring it, developing and deploying 'policies'. Thank heavens, else I'd be out of a lot of work!

What has happened here? The media, driven by marketing, has repeated an age-old cycle. It begins with an over-simplification, because they don't believe their audience could understand the 'facts', and an accompanying debasement of terminology. Some of the things that are being marketed as 'firewalls' are a long way removed from what is described in Cheswick & Bellovin. The compromises that are involved in scaling it all down into one box - for marketing convenience - are not always to the benefit of the security needs. I've discussed the false confidence that GUI interfaces instill ("Oh, I understand this" - yes, you understand how to work the GUI, you don't understand how split DNS, proxy, store and forward, chrooting.... work, you don't understand perimeter protection) in Chapman's list.

Yes, Marcus, I firmly believe that the overwhelming majority of firewall users are falsely confident. I firmly believe that without a documented security policy, and a firewall expressly configured to meet this and tested for conformity and flaws, a firewall is a placebo. OK, a fool's paradise.

Just as downsizing - or whatever you want to call it when the company starts small and lean and grows - has resulted in many system administrators actually being programmers with a _little_ more experience who have been 'rubber stamped' as such with no training or additional awareness ("Oh, you need the root password to do that, here you are..."), so the same is happening with security. I'm not saying the same thing happens with security administrators, no, it's even worse. Many small sites don't even have someone responsible for security. A network or system administrator is told to take care of the firewall.
No policy, no training, no understanding, no time. No accountability. No commitment on the part of management. Why? Because it's all been a media and sales hype circus, which has derailed the professional aspect. Just as anyone who can enter formulas in a spreadsheet thinks he's a programmer, so anyone who can operate the GUI is put in charge of the firewall. Often more than one person, perhaps with conflicting agendas. I see quite a lot of support for this being a marketed stance - probably in response to this being actual customer needs - the recent review of firewalls which appraised them on how easy the GUI was to use and ignored their resistance to attack being just one example of this.

Perhaps we should aggressively work to discontinue the use of the term firewall. Certainly in my presentations I ask the audience what THEY think a firewall is or does, and the ensuing mix of answers makes it very apparent that different people have different needs. This makes it easy for me to point out that vendor A's firewall may not meet user Z's needs because it was designed for user W's. However I don't think Marcus is going to rename this list 'perimeter-protection-policies-and-equipment-wizards'.

No, firewalls are not going to go away. Firewalls as we know them may cease to exist, but now the media and marketeers have latched onto the buzzword and inculcated it into management's brain, it will remain with us. Unless we do a serious job of re-education. And let's face it, we've enough on our hands educating management about the need for security and basic security awareness in the first place. Sigh.

/anton

--------------------------------------------------------------------------
Anton J Aylward                  | "Quality refers to the extent to which
The Strahn & Strachan Group Inc  | processes, products, services, and
Information Security Consultants | relationships are free from defects,
Voice: (416) 494-8661            | constraints and items which do not add
Fax: (416) 494-8803              | value."
                                 |   - Dr. Mildred G Pryor, 1995