Firewall Wizards mailing list archives
Re: Firewall RISKS
From: "MIKE SHAW" <mas () sbscorp com>
Date: Fri, 04 Jun 1999 11:17:59 -0500
> Firewalls are mechanisms for policy enforcement. Auditing information that comes out of them isn't necessarily useless, but there are many things which they will be intrinsically unable to tell you, i.e., what traffic your firewall is passing that it shouldn't be. An IDS machine configured such that it sets off an alarm whenever it sees a packet that should've been blocked by the firewall will almost invariably give you more interesting information about actual intrusions than your firewall logs will.
You keep mixing the argument over whether a firewall is necessary with whether a firewall should be misconfigured. Of course a misconfigured firewall is a bad thing, but the fact that you can misconfigure a firewall doesn't mean you don't get one. And now you assume that someone who can't properly configure a firewall can configure, monitor, and interpret an intrusion detection system? Firewall logging is not the end-all, but it's much more useful than the logging a router can produce.
> Codswallop. Posit: You're setting up a network into which you wish to allow exactly two sorts of inbound traffic: SMTP and DNS. You configure two dedicated boxen, one to run (say) postfix and one to run (for example) bind 8.2. You turn off all other services on the machines, and you're using an OS you know how to harden. You configure your border router to drop all traffic directed at these two boxen that is not directed at either port 25 or port 53 (respectively).
> Explain where a firewall would be -essential- in such a setup.
I can't. But your example is probably relevant in < .01% of the environments in the real world. Plop about 10 Windows 95 boxes behind that perimeter with users chomping at the bit to run the latest Back Orifice trojan screensaver and see how long your servers stay secure in that environment. A firewall won't prevent that dangerous behavior but can be extremely effective in rendering the trojan useless or reducing damage if it does occur. I've actually seen a live hack demonstration that exploited a very similar situation, once a client Windows NT box was compromised. In this example, the hacker was able to place a trojan that initiated a telnet session over port 53 from the client box. Once in, the hacker placed keyloggers in and was able to springboard off of this client into the host and do whatever he wanted. From there it would be very easy to compromise the routers involved given enough patience, and there goes the whole security structure.
> Not all complete and comprehensive security policies need include a firewall at all, much less one as a major part. In fact, in many instances such a policy would -preclude- the use of firewalls[1].
Policies on their own can accomplish nothing. In the prior example, 50 memos about "not running executables from email" would not have prevented an end user devoted to seeing a cute cartoon every time their screen saver came on. ("just this once...it's from my friend....it's a trusted source....") In your own words: "Firewalls are mechanisms for policy enforcement". If you can't enforce a policy, what good is it?
> Note that I'm not advocating the notion that firewalls are not or cannot be part of a well-devised security policy---I think that would be just as specious as the line you're advocating.
TCP/IP and the internet are based on designs that never had security in mind and are inherently insecure in their current form. A *properly configured* firewall will prevent misuse of many of said protocols, enforce certain security policies, and provide valuable forensic info in the event of an attempted/successful hack. In so doing it dramatically reduces certain risks while completely doing away with others and is a *necessary part* of any real-world security strategy. Don't get me wrong. Your points about admin behavior and the firewall as a 'silver bullet' are very valid. What bothers me is that I see many, many integrators out there saying "you don't need a firewall....." to customers so that they can knock a few K off the cost of a net connection and get the contract. Especially in a business situation, not at least recommending a firewall is downright unethical. -Mike
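The two concrete techniques argued over above are (a) Berry's IDS that alarms on any packet seen inside the perimeter that the border filter should have dropped, and (b) Mike's trojan that tunnels a telnet session over port 53 past a port-based router rule. The following is an added example, not code from either poster: it encodes the thread's two-host scenario (postfix host, bind host, router allowing only tcp/25 and tcp+udp/53 to them) as a policy, runs a "policy-bypass" check over a constructed capture from the inside segment, and adds a plausibility check that port-53 traffic actually carries DNS. The addresses, the `Packet` record and the sample packets are all assumptions made for the demonstration.

```python
"""
Perimeter-policy audit for the thread's scenario.  Added example; the host
addresses, Packet record and sample capture are constructed, not real traffic.
"""
import struct
from dataclasses import dataclass

# Assumed addresses for the two dedicated servers in the scenario.
MAIL_HOST = "192.0.2.25"
DNS_HOST = "192.0.2.53"

# The border router rule as stated: for these two hosts, drop everything that
# is not addressed to their one service.  Traffic to any other host is not
# examined by the rule at all, which is the gap the trojan walks through.
ALLOWED = {
    MAIL_HOST: {("tcp", 25)},
    DNS_HOST: {("tcp", 53), ("udp", 53)},
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes  # transport payload as captured on the inside segment


def should_have_been_blocked(pkt: Packet) -> bool:
    """True if the border rule says this packet must never reach the inside."""
    allowed = ALLOWED.get(pkt.dst)
    if allowed is None:
        return False  # not one of the filtered hosts; the rule is silent
    return (pkt.proto, pkt.dport) not in allowed


def looks_like_dns(payload: bytes, proto: str) -> bool:
    """Cheap plausibility check: does the payload carry a sane DNS header?
    Over TCP (RFC 1035 section 4.2.2) the message has a 2-byte length prefix."""
    if proto == "tcp":
        if len(payload) < 14:
            return False
        (length,) = struct.unpack("!H", payload[:2])
        if length != len(payload) - 2:
            return False
        payload = payload[2:]
    if len(payload) < 12:
        return False
    _id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    # Defined opcodes are small; a real query/response has at least one
    # question and a bounded number of records.  Telnet negotiation fails this.
    return opcode <= 5 and 1 <= qdcount <= 10 and ancount + nscount + arcount <= 200


def audit(packets):
    """Run both checks over packets captured inside the perimeter.
    Returns a list of (alert_kind, packet) pairs in capture order."""
    alerts = []
    for p in packets:
        if should_have_been_blocked(p):
            alerts.append(("policy-bypass", p))
        if 53 in (p.sport, p.dport) and not looks_like_dns(p.payload, p.proto):
            alerts.append(("non-dns-on-53", p))
    return alerts


def build_dns_query(name: str, tcp: bool = False) -> bytes:
    """Minimal A query for `name`; used only to build the sample capture."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return struct.pack("!H", len(msg)) + msg if tcp else msg


# Constructed sample capture from the inside segment (not real traffic).
SAMPLE = [
    Packet("198.51.100.7", DNS_HOST, "udp", 40001, 53, build_dns_query("example.com")),
    Packet("198.51.100.7", MAIL_HOST, "tcp", 40002, 25, b"EHLO relay.example\r\n"),
    # Should have been dropped by the border rule: ssh to the mail host.
    Packet("198.51.100.7", MAIL_HOST, "tcp", 40003, 22, b"SSH-2.0-OpenSSH\r\n"),
    # The thread's trojan: telnet from an inside client, dressed up as port 53.
    # The router rule never looked at it.  Payload is telnet IAC DO option bytes.
    Packet("10.0.0.42", "203.0.113.9", "tcp", 40004, 53, b"\xff\xfd\x18\xff\xfd\x1f"),
    # A genuine TCP DNS query from the same client, for contrast.
    Packet("10.0.0.42", "203.0.113.9", "tcp", 40005, 53, build_dns_query("example.net", tcp=True)),
]

if __name__ == "__main__":
    for kind, p in audit(SAMPLE):
        print(f"{kind:15} {p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto}")
```

Run against the sample, the audit raises exactly two alerts: the ssh packet to the mail host (the router rule should have dropped it, so its presence inside means the filter is wrong or bypassed, which is Berry's IDS point) and the telnet-over-53 session from the client (which the port-based rule never examined, which is Mike's point). The DNS plausibility check is deliberately a header sanity test rather than a full parser; a determined attacker can dress a tunnel up as valid DNS, so treat it as a cheap first filter, not proof of innocence.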
Current thread:
- Re: Firewall RISKS, (continued)
- Re: Firewall RISKS Stephen P. Berry (Jun 04)
- Re: Firewall RISKS Lance Spitzner (Jun 04)
- Transfering off-system firewall audit trails Steven W. Engle (Jun 14)
- Re: Transfering off-system firewall audit trails Lance Spitzner (Jun 15)
- Re: Transfering off-system firewall audit trails Christoph Schneeberger (Jun 16)
- Re: Transfering off-system firewall audit trails Richard Rees (Jun 15)
- Re: Firewall RISKS Stephen P. Berry (Jun 04)
- eSafe Protect desktop experince Mark Lemmo (Jun 14)
- Re: Firewall RISKS Stephen P. Berry (Jun 14)
- Re: Firewall RISKS Stephen P. Berry (Jun 14)
- Re: Firewall RISKS Tim Kramer (Jun 16)
- Re: Firewall RISKS Stephen P. Berry (Jun 20)