Firewall Wizards mailing list archives

Re: firewalls and the incoming traffic problem


From: Anton J Aylward <anton () toronto com>
Date: Sun, 28 Sep 1997 17:44:37 -0400

At 11:32 AM 28/09/97 +0000, Marcus J. Ranum wrote:

What's worrying me is all the folks I've seen who put
a firewall in, and believe it is going to somehow protect
the incoming traffic. 

[snip]

I'm not saying that "firewalls are dead" because this
problem has always been there and firewalls DO serve
a purpose. The fact is that sites with firewalls get broken
into less often than sites without. But - are a majority
of firewall users falsely confident?

I'm not going to comment on the rest of Marcus's posting because
it's just so true.  What I am going to address, and these quotes
illustrate my point, is something a little different.

I'm taking the liberty of moving this to a "philosophical" mode
rather than a technical one because I feel that is the way Marcus
is headed, and it's his list so he can press the delete button if he
feels I'm too far outside the charter - and you're welcome to edit out
this sentence.

Those on the list in North America will be familiar with the Dilbert
comic strip by Scott Adams.  Those in other countries can look at
http://www.unitedmedia.com/comics/ for some examples.   I mention
this because of a theme in his book "The Dilbert Principle".  

After the purge of the middle management bulge in the 80's and early
'90s, and associated downsizing, he comments, people are not being 
promoted into middle management.   These are not the technical
wizards, who are needed in their current positions to keep the 
company running.   Also because of budget cuts, these people are
receiving no training as managers.    I gather from his comments
that Adams receives a lot of e-mail about this.

So we have a layer of middle managers who are guided by the trade
press and by salesmen.  Remember the days of 'you never get fired 
for buying IBM', cos the IBM salesman always told the manager when
an 'upgrade' was required, and probably prepared the budget request
for him?  Well, they've come again - sort of.

Imagine a manager who connects his department to the Internet,
because the trade press told him he had to in order to stay
competitive.   And of course he needs a firewall to keep the
hackers out.  (Perhaps he should have read the Ernst & Young reports
on computer security!)  So now he can report to the board that
this has all been successfully achieved.

Now I have to admit I've never been in a site where the tick-off
list has proceeded this far but the firewall was still in the
packing crate.   After all, many of the vendors of low end 
systems are box-pushers.  Like in the early days of PCs, they 
make their money by moving product, not wasting time installing it,
configuring it, developing and deploying 'policies'.   Thank
heavens, else I'd be out of a lot of work!

What has happened here?
The media, driven by marketing, has repeated an age-old cycle.
It begins with an oversimplification, because they don't
believe their audience could understand the 'facts', and an
accompanying debasement of terminology.

Some of the things that are being marketed as 'firewalls' are
a long way removed from what is described in Cheswick & Bellovin.
The compromises that are involved in scaling it all down into one
box - for marketing convenience - are not always to the benefit of
the security needs.  I've discussed the false confidence that
GUI interfaces instill ("Oh, I understand this" - yes, you understand
how to work the GUI; you don't understand how split DNS, proxy,
store and forward, chrooting.... work; you don't understand perimeter
protection) in Chapman's list.

Yes, Marcus, I firmly believe that the overwhelming majority of
firewall users are falsely confident.  I firmly believe that
without a documented security policy, and a firewall expressly
configured to meet this and tested for conformity and flaws,
a firewall is a placebo.  OK, a fool's paradise.

Just as downsizing - or whatever you want to call it when the
company starts small and lean and grows - has resulted in many
system administrators actually being programmers with a _little_
more experience who have been 'rubber stamped' as such with no
training or additional awareness ("Oh, you need the root password
to do that, here you are...") so the same is happening with
security.   I'm not saying the same thing happens with
security administrators, no, it's even worse.  Many small sites
don't even have someone responsible for security.  A network or
system administrator is told to take care of the firewall.

No policy, no training, no understanding, no time.

No accountability.
No commitment on the part of management.

Why?

Because it's all been a media and sales hype circus, which has
derailed the professional aspect.  Just as anyone who can
enter formulas in a spreadsheet thinks he's a programmer,
so anyone who can operate the GUI is put in charge of the firewall.
Often more than one person, perhaps with conflicting agendas.

I quite a support for this being a marketed stance - probably in
response to this being actual customer needs - the recent review of
firewalls which appraised them on how easy the GUI was to use and ignored
their resistance to attack being just one example of this.

Perhaps we should aggressively work to discontinue the use of the term
firewall.  Certainly in my presentations I ask the audience what THEY
think a firewall is or does, and the ensuing mix of answers makes it
very apparent that different people have different needs.  This makes
it easy for me to point out that vendor A's firewall may not meet
user Z's needs because it was designed for user W's.

However, I don't think Marcus is going to rename this list
'perimeter-protection-policies-and-equipment-wizards'.

No, firewalls are not going to go away.   Firewalls as we know them
may cease to exist, but now that the media and marketeers have latched
onto the buzzword and inculcated it into management's brain, it will
remain with us.  Unless we do a serious job of re-education.  And
let's face it, we've enough on our hands educating management about
the need for security and basic security awareness in the first place.

Sigh.

/anton

--------------------------------------------------------------------------
Anton J Aylward                  | "Quality refers to the extent to which 
The Strahn & Strachan Group Inc  | processes, products, services, and 
Information Security Consultants | relationships are free from defects, 
Voice: (416) 494-8661            | constraints and items which do not add
  Fax: (416) 494-8803            | value." - Dr. Mildred G Pryor, 1995 