Firewall Wizards mailing list archives
Fwd: [Re: [Re: Firewall RISKS]]
From: "Ricardo E.Villadiego O." <ricardovilladiego () usa net>
Date: 5 Jun 99 17:15:05 EST
____________________________________________________________________ Get free e-mail and a permanent address at http://www.netaddress.com/?N=1
--- Begin Message --- From: Ricardo E. Villadiego O. <ricardovilladiego () usa net>
Date: 5 Jun 99 17:06:39 EST
-----By RVO ------------- Is just my oppinion... This is absolutely true; in fact, if firewalls solve your security problems, then Why do you need intrusion detection tools??? Traditionally: "Firewalls is a way to restrict access between the internet and your internal network, you tipically install a firewall at the point of maximun leverage, the point where your network connects to the internet" Today , this definition is not 100 % true, now you need make a complete assestment of your applications, work groups, TCP ports request by applications, etc in order to alocate firewalls within your internal network and of course, at the point of maximun exposure ( top of DMZ) in order to protect both, your internal network from inside attacks ( remenber that more that 65 percent of the attacks coming from inside your network ) and your external network. However firewall is only a part of the security plan that your company should have in mind, because as said the traditionall definition ( and any other) firewall is a way to restrict access ; this main , firewalls do not prevent attacks. probably after you setting up your firewall , the overall number of attacks agains your network may be increasing, bacause know, is obvious that you're tring to protect some, and hacker are very curious, they want to know ahat are you trying to protect?, and also you will have behind your network: joyriders, vandals, score keepers, and probably spies. Howevver is better some security that open doors.... Ricardo http://rvo.hypermart.net <http://rvo.hypermart.net> ----End By RVO ------- char sample <keithcha () clark net> wrote: At 11:00 AM 6/3/99 -0500, MIKE SHAW wrote:There are a number of problems with this advice...noted below (somesnipping):Firewalls do not "prevent" hacks, as most people believe. They simply reduce RISKS by reducing the number of ports or IP addresses that may be exposed inadvertently on the Internet. The remaining ports (such as e-mail, web, and FTP servers) can often be hacked.Firewalls can indeed prevent hacks, especially firewalls with an application proxy. An application proxy will block many known attacks and some attacks with the right signature, such as overflow attacks in a mail server. In addition, firewalls do extensive logging which aids in seeing an incoming hack before it occurs, as well as tracking down an intruder if someone does do a dirty deed.This largely depends on how well the application proxy was written (did it follow rules of good coding, handle bounds checking, unhandled exceptions ...etc.). This also assumes that the proxy utilizes a subset of commands required by the application. All things which are not easy to determine w/o source code availability. Beyond that the supposed "clean" proxy would have to run on a "clean" operating system. Again the source code availability issue. Without this certainty the firewall (when properly written and configured) can at best protect against known attacks and in some cases some unknown attacks. For example: A firewall which checked the input string size on the SMTP commands would be able to defend against buffer overruns.This is not an excuse to neglect patching applications, operating systems, or deleting default scripts. But to say that a firewall does not prevent hacks is misleading.In practice, firewalls probably increase RISKS overall. Consider a study of Berlin taxi drivers who were given anti-lock breaks: the taxi drivers started driving more aggressively, and had more accidents. Therefore, the study concluded that anti-lock actually INCREASES RISKS. What is really going on is that firewalls/ABS only decrease RISKS if behavior is left unchanged, but the added security encourages RISKy behavior.Good point at the end, but the analogy is critically flawed. A firewall is not an enhancement like ABS. It is an *essential* part of an overall security strategy. ABS and firewalls don't increase the risk, the behavior does. Relying on such a conclusion gives the impression that doing away with a firewall (or any security structure for that matter) might actually be a good thing.An excellent point. The problem with firewalls in general is that they are more often used *in place* of a coherent security strategy. :( Of the over 300 sites that I have dealt with only 3 have shown an overall security strategy and security process.The ColdFusion bug was not really Allaire's fault -- the bug was in a sample script that Allaire recommends be removed from a production web server. Almost every web-site creation package like ColdFusion has the same problem, including Microsoft's ASP scripting, FrontPage web hosting, and sample CGI programs. Administrators feel safe behind firewalls and do not diligently check their web servers for these problems. For the most part, crackers who intend to deface web pages or steal credit card information from web servers do not care about firewalls that might protect the target servers.Oh yeah? We have quite a few port scans run on our perimeter, and on a regular basis. The first thing a cracker will do is map your site looking for vulnerable ports/hosts. A solidly configured firewall will not only thwart these mapping attempts, but will protect against many exploits that may be tried. A cracker DOES care about a firewall, since it dramatically cuts down on his options.and the firewall may encourage the uninvited party to look elsewhere.Your points about only reducing risk are valid, but this is true of any security measure. To degrade the necessity and importance of a firewall is not helpful to anyone trying to justify and implement a security plan. What would be better is to simply recommend a complete and comprehensive security policy, with a well configured firewall as a majorpart. One amendment here an enforceable security policy enforced by an empowered individual w/in the organization. char ____________________________________________________________________ Get free e-mail and a permanent address at http://www.netaddress.com/?N=1
--- End Message ---
Current thread:
- Fwd: [Re: [Re: Firewall RISKS]] Ricardo E.Villadiego O. (Jun 14)