Fwd: [Re: [Re: Firewall RISKS]]

["Ricardo E.Villadiego O." <ricardovilladiego () usa net>]

____________________________________________________________________
Get free e-mail and a permanent address at http://www.netaddress.com/?N=1
> --- Begin Message ---
>
>
> From: Ricardo E. Villadiego O. <ricardovilladiego () usa net>
>
> Date: 5 Jun 99 17:06:39 EST
>
>
> -----By RVO ------------- 
> Is just my oppinion... 
>
> This is absolutely true; in fact, if firewalls solve your security 
> problems, then Why do you need intrusion detection tools??? 
>
> Traditionally: "Firewalls is a way to restrict access between the 
> internet and your internal network, you tipically install a firewall at 
> the point of maximun leverage, the point where your network connects to 
> the internet" 
>
> Today , this definition is not 100 % true, now you need make a complete 
> assestment of your applications, work groups, TCP ports request by 
> applications, etc in order to alocate firewalls within your internal 
> network and of course, at the point of maximun exposure ( top of DMZ) in 
> order to protect both, your internal network from inside attacks ( 
> remenber that more that 65 percent of the attacks coming from inside 
> your network ) and your external network. 
> However firewall is only a part of the security plan that your company 
> should have in mind, because as said the traditionall definition ( and 
> any other) firewall is a way to restrict access ; this main , firewalls 
> do not prevent attacks. probably after you setting up your firewall , 
> the overall number of attacks agains your network may be increasing, 
> bacause know, is obvious that you're tring to protect some, and hacker 
> are very curious, they want to know ahat are you trying to protect?, and 
> also you will have behind your network: joyriders, vandals, score 
> keepers, and probably spies. 
>
> Howevver is better some security that open doors.... 
>
> Ricardo 
> http://rvo.hypermart.net <http://rvo.hypermart.net> 
>
>
> ----End By RVO ------- 
>
>
> char sample <keithcha () clark net> wrote:
> At 11:00 AM 6/3/99 -0500, MIKE SHAW wrote:
> > There are a number of problems with this advice...noted below (some
> snipping):
> > > Firewalls do not "prevent" hacks, as most people believe. They simply
> > > reduce RISKS by reducing the number of ports or IP addresses that may
> > > be exposed inadvertently on the Internet. The remaining ports (such as
> > > e-mail, web, and FTP servers) can often be hacked.
> >
> > Firewalls can indeed prevent hacks, especially firewalls with an 
> > application proxy.  An application proxy will block many known attacks and 
> > some attacks with the right signature, such as overflow attacks in a mail 
> > server.  In addition, firewalls do extensive logging which aids in seeing 
> > an incoming hack before it occurs, as well as tracking down an intruder if 
> > someone does do a dirty deed.
>
> This largely depends on how well the application proxy was written (did it 
> follow rules of good coding, handle bounds
> checking, unhandled exceptions ...etc.).  This also assumes that the proxy 
> utilizes a subset of commands required
> by the application.  All things which are not easy to determine w/o source 
> code availability.  Beyond that the
> supposed "clean" proxy would have to run on a "clean" operating 
> system.  Again the source code availability issue.
> Without this certainty the firewall (when properly written and configured) 
> can at best protect against known attacks
> and in some cases some unknown attacks.  For example: A firewall which 
> checked the input string size on the SMTP commands would be able to defend 
> against buffer overruns.
>
> > This is not an excuse to neglect patching applications, operating systems, 
> > or deleting default scripts.  But to say that a firewall does not prevent 
> > hacks is misleading.
> > > In practice, firewalls probably increase RISKS overall. Consider a
> > > study of Berlin taxi drivers who were given anti-lock breaks: the taxi
> > > drivers started driving more aggressively, and had more accidents.
> > > Therefore, the study concluded that anti-lock actually INCREASES RISKS.
> > > What is really going on is that firewalls/ABS only decrease RISKS if
> > > behavior is left unchanged, but the added security encourages RISKy
> > > behavior.
> >
> > Good point at the end, but the analogy is critically flawed.  A firewall 
> > is not an enhancement like ABS.  It is an *essential* part of an overall 
> > security strategy.  ABS and firewalls don't increase the risk, the 
> > behavior does.  Relying on such a conclusion gives the impression that 
> > doing away with a firewall (or any security structure for that matter) 
> > might actually be a good thing.
>
> An excellent point.  The problem with firewalls in general is that they are 
> more often used *in place* of a coherent security strategy.  :(  Of the 
> over 300 sites that I have dealt with only 3 have shown an overall security 
> strategy and
> security process.
>
>
> > > The ColdFusion bug was not really Allaire's fault -- the bug was in a
> > > sample script that Allaire recommends be removed from a production web
> > > server. Almost every web-site creation package like ColdFusion has the
> > > same problem, including Microsoft's ASP scripting, FrontPage web
> > > hosting, and sample CGI programs. Administrators feel safe behind
> > > firewalls and do not diligently check their web servers for these
> > > problems. For the most part, crackers who intend to deface web pages or
> > > steal credit card information from web servers do not care about
> > > firewalls that might protect the target servers.
> >
> > Oh yeah?  We have quite a few port scans run on our perimeter, and on a 
> > regular basis.  The first thing a cracker will do is map your site looking 
> > for vulnerable ports/hosts.  A solidly configured firewall will not only 
> > thwart these mapping attempts, but will protect against many exploits that 
> > may be tried.  A cracker DOES care about a firewall, since it dramatically 
> > cuts down on his options.
>
> and the firewall may encourage the uninvited party to look elsewhere.
>
> > Your points about only reducing risk are valid, but this is true of any 
> > security measure.  To degrade the necessity and importance of a firewall 
> > is not helpful to anyone trying to justify and implement a security 
> > plan.  What would be better is to simply recommend a complete and 
> > comprehensive security policy, with a well configured firewall as a major
> part.
>
> One amendment here an enforceable security policy enforced by an empowered 
> individual w/in the organization.
>
> char
>
>
>
>
>
> ____________________________________________________________________
> Get free e-mail and a permanent address at http://www.netaddress.com/?N=1
>
> --- End Message ---