Firewall Wizards mailing list archives

Re: Firewall RISKS


From: "Stephen P. Berry" <spb () meshuga incyte com>
Date: Thu, 03 Jun 1999 17:44:46 -0700



In message <s7566058.032 () sbscorp com>, "MIKE SHAW" writes:

> In addition, firewalls do extensive logging which aids in seeing an
> incoming hack before it occurs, as well as tracking down an intruder if
> someone does do a dirty deed.
> This is not an excuse to neglect patching applications, operating systems,
> or deleting default scripts.  But to say that a firewall does not prevent
> hacks is misleading.

Without getting into the (what looks to be largely a semantic)
argument about whether or not firewalls `prevent hacks', I'll suggest
that if you're relying on your firewall for attack auditing, you're
probably Wrong.

Firewalls are mechanisms for policy enforcement.  Auditing information
that comes out of them isn't necessarily useless, but there are 
many things which they will be intrinsically unable to tell you.  I.e.,
what traffic your firewall is passing that it shouldn't be.  An IDS
machine configured such that it sets off an alarm whenever it sees a
packet that should've been blocked by the firewall will almost invariably
give you more interesting information about actual intrusions than your
firewall logs will.


> Good point at the end, but the analogy is critically flawed.  A firewall is
> not an enhancement like ABS.  It is an *essential* part of an overall
> security strategy.

Codswallop.  Posit:  You're setting up a network into which you wish
to allow exactly two sorts of inbound traffic:  SMTP and DNS.  You
configure two dedicated boxen, one to run (say) postfix and one to run
(for example) bind 8.2.  You turn off all other services on the machines,
and you're using an OS you know how to harden.  You configure your border
router to drop all traffic directed at these two boxen that is not
directed at either port 25 or port 53 (respectively).

Explain where a firewall would be -essential- in such a setup.


> Your points about only reducing risk are valid, but this is true of any
> security measure.  To degrade the necessity and importance of a firewall
> is not helpful to anyone trying to justify and implement a security plan.
> What would be better is to simply recommend a complete and comprehensive
> security policy, with a well configured firewall as a major part.

Not all complete and comprehensive security policies need include a
firewall at all, much less one as a major part.  In fact, in many
instances such a policy would -preclude- the use of firewalls[1].

Note that I'm not advocating the notion that firewalls are not or
cannot be part of a well-devised security policy---I think that would be
just as specious as the line you're advocating.






-Steve

-----
1     Ever implemented a security infrastructure which contained (intentional)
      8" air gaps?  Firewalls are no substitute.


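The IDS check described in the message above, as an added example that is not part of the original post: a sensor behind the border filter alarms on any inbound packet the stated policy (port 25 to the mail host, port 53 to the DNS host, nothing else) should have dropped. The addresses, the TCP/UDP protocol choices and the sensor log format are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed values (not from the post): the protected network and its two hosts.
INSIDE = ip_network("192.0.2.0/24")
ALLOWED_INBOUND = {
    (ip_address("192.0.2.25"), "tcp", 25),  # mail host: SMTP only
    (ip_address("192.0.2.53"), "udp", 53),  # DNS host: queries
    (ip_address("192.0.2.53"), "tcp", 53),  # DNS host: TCP queries and transfers
}

@dataclass(frozen=True)
class Packet:
    ts: str
    proto: str
    src: object
    dst: object
    dport: int

def parse(line):
    """Parse one 'ts proto src > dst:dport' record (constructed sensor format)."""
    ts, proto, src, _, dst_port = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    return Packet(ts, proto.lower(), ip_address(src), ip_address(dst), int(dport))

def violates_policy(pkt):
    """True for inbound traffic seen inside the border that should have been dropped."""
    inbound = pkt.src not in INSIDE and pkt.dst in INSIDE
    return inbound and (pkt.dst, pkt.proto, pkt.dport) not in ALLOWED_INBOUND

def alarms(lines):
    """Return every packet the sensor saw that the border filter failed to block."""
    return [p for p in map(parse, lines) if violates_policy(p)]

# Constructed sample of what a sensor inside the border might record.
SAMPLE = [
    "17:40:01 tcp 198.51.100.7 > 192.0.2.25:25",   # permitted SMTP
    "17:40:02 udp 198.51.100.9 > 192.0.2.53:53",   # permitted DNS
    "17:40:05 tcp 203.0.113.4 > 192.0.2.25:23",    # telnet to the mail host
    "17:40:09 tcp 203.0.113.4 > 192.0.2.53:25",    # SMTP to the DNS host
    "17:40:11 tcp 192.0.2.25 > 192.0.2.53:53",     # internal, not inbound
    "17:40:12 udp 203.0.113.4 > 192.0.2.80:161",   # host with no permitted service
]

if __name__ == "__main__":
    for p in alarms(SAMPLE):
        print(f"ALARM {p.ts} {p.proto} {p.src} -> {p.dst}:{p.dport}")
```

Each alarm here is a packet the filter passed when it should not have, which is exactly the event the filter's own logs cannot record.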