Firewall Wizards mailing list archives

Re: Firewall RISKS


From: "MIKE SHAW" <mas () sbscorp com>
Date: Fri, 04 Jun 1999 11:17:59 -0500

> Firewalls are mechanisms for policy enforcement.  Auditing information
> that comes out of them isn't necessarily useless, but there are
> many things which they will be intrinsically unable to tell you.  I.e.,
> what traffic your firewall is passing that it shouldn't be.  An IDS
> machine configured such that it sets off an alarm whenever it sees a
> packet that should've been blocked by the firewall will almost invariably
> give you more interesting information about actual intrusions than your
> firewall logs will.

You keep mixing the argument over whether a firewall is necessary with 
whether a firewall should be misconfigured.  Of course a misconfigured 
firewall is a bad thing, but the fact that you can misconfigure a firewall 
doesn't mean you don't get one.  And now you assume that someone 
who can't properly configure a firewall can configure, monitor, and 
interpret an intrusion detection system?  Firewall logging is not the end-all,
but it's much more useful than the logging a router can produce.

> Codswallop.  Posit:  You're setting up a network into which you wish
> to allow exactly two sorts of inbound traffic:  SMTP and DNS.  You
> configure two dedicated boxen, one to run (say) postfix and one to run
> (for example) bind 8.2.  You turn off all other services on the machines,
> and you're using an OS you know how to harden.  You configure your border
> router to drop all traffic directed at these two boxen that is not
> directed at either port 25 or port 53 (respectively).
>
> Explain where a firewall would be -essential- in such a setup.

I can't.  But your example is probably relevant in < .01% of the environments
in the real world.  Plop about 10 Windows 95 boxes behind that perimeter with
users chomping at the bit to run the latest Back Orifice trojan screensaver and
see how long your servers stay secure in that environment.  A firewall won't
prevent that dangerous behavior but can be extremely effective in rendering
the trojan useless or reducing damage if it does occur.

I've actually seen a live hack demonstration that exploited a very similar
situation, once a client Windows NT box was compromised.  In this example,
the hacker was able to place a trojan that initiated a telnet session over port
53 from the client box.  Once in, the hacker placed keyloggers and was
able to springboard off of this client into the host and do whatever he wanted.
From there it would be very easy to compromise the routers involved given
enough patience, and there goes the whole security structure.

> Not all complete and comprehensive security policies need include a
> firewall at all, much less one as a major part.  In fact, in many
> instances such a policy would -preclude- the use of firewalls[1].

Policies on their own can accomplish nothing.  In the prior example,
50 memos about "not running executables from email" would not have
prevented an end user devoted to seeing a cute cartoon every time
their screen saver came on.  ("just this once...it's from my friend....it's
a trusted source....")  In your own words: "Firewalls are mechanisms
for policy enforcement".  If you can't enforce a policy, what good is it?

> Note that I'm not advocating the notion that firewalls are not or
> cannot be part of a well-devised security policy---I think that would be
> just as specious as the line you're advocating.

TCP/IP and the internet are based on designs that never had security
in mind and are inherently insecure in their current form.  A *properly
configured* firewall will prevent misuse of many of said protocols, enforce
certain security policies, and provide valuable forensic info in the event of an
attempted/successful hack.  In so doing, it dramatically reduces certain
risks while completely doing away with others and is a *necessary part*
of any real-world security strategy.

Don't get me wrong.  Your points about admin behavior and the firewall 
as a 'silver bullet' are very valid.  What bothers me is that I see many 
many integrators out there saying "you don't need a firewall....." to 
customers so that they can knock a few K off the cost of a net connection 
and get the contract.  Especially in a business situation, not at least
recommending a firewall is downright unethical.

-Mike
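An added illustration of two points argued above, not code from the thread or from either poster: the quoted suggestion that an IDS should alarm on any packet that the perimeter should already have dropped, and the "telnet over port 53" story, where a port-only border rule lets a compromised client open an outbound session that the intended policy never permitted. The topology (a mail host and a DNS host in a DMZ, a client LAN), the log record format, and the allowance that clients may reach tcp/80 directly are all constructed assumptions for the example.

```python
"""
Added example (not from the thread): audit packet records seen on a tap inside
the perimeter against the site's intended policy, and say for each violation
whether the quoted port-only router ACL would have passed or dropped it.
All hosts, networks and log lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed topology: two hardened servers and a LAN of client boxes.
DMZ = ip_network("192.0.2.0/24")
CLIENTS = ip_network("198.51.100.0/24")
MAIL_HOST = ip_address("192.0.2.25")   # runs the MTA, tcp/25 only
DNS_HOST = ip_address("192.0.2.53")    # runs the resolver, 53/udp and 53/tcp

# Constructed record format: "<ts> <src> > <dst> <proto> <sport> > <dport> [tcpflags]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+) > (?P<dst>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<sport>\d+) > (?P<dport>\d+)(?:\s+(?P<flags>[A-Z]+))?$"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    proto: str
    sport: int
    dport: int
    flags: str  # TCP flag letters such as "S" or "SA"; empty for UDP


def parse(line):
    """Turn one constructed log record into a Packet, rejecting anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    return Packet(m["ts"], ip_address(m["src"]), ip_address(m["dst"]),
                  m["proto"], int(m["sport"]), int(m["dport"]), m["flags"] or "")


def is_internal(addr):
    return addr in DMZ or addr in CLIENTS


def new_flow(p):
    """Judge only connection attempts: UDP datagrams and TCP SYNs without ACK."""
    return p.proto == "udp" or (p.proto == "tcp" and "S" in p.flags and "A" not in p.flags)


def intended_policy(p):
    """Return a reason string if the flow violates the intended policy, else None."""
    inbound = not is_internal(p.src) and is_internal(p.dst)
    outbound = is_internal(p.src) and not is_internal(p.dst)
    if inbound:
        if p.dst == MAIL_HOST and p.proto == "tcp" and p.dport == 25:
            return None
        if p.dst == DNS_HOST and p.dport == 53:
            return None
        return "inbound flow to a host/port the perimeter should have dropped"
    if outbound:
        if p.src == MAIL_HOST and p.proto == "tcp" and p.dport == 25:
            return None          # outbound mail relay
        if p.src == DNS_HOST and p.dport == 53:
            return None          # recursive lookups from the resolver only
        if p.src in CLIENTS and p.proto == "tcp" and p.dport == 80:
            return None          # constructed allowance: clients may browse directly
        return "egress from a host that should not talk to that port directly"
    return None  # internal-to-internal or transit traffic: out of scope for this tap


def port_only_acl(p):
    """The quoted border-router rule: traffic aimed at the two boxen must be to 25/53.
    Everything not addressed to those two hosts is untouched, including client egress."""
    if p.dst == MAIL_HOST:
        return p.dport == 25
    if p.dst == DNS_HOST:
        return p.dport == 53
    return True


def audit(lines):
    """Return (ts, src, dst, proto, dport, detail) for each policy-violating new flow."""
    alerts = []
    for line in lines:
        p = parse(line)
        if not new_flow(p):
            continue
        reason = intended_policy(p)
        if reason is None:
            continue
        where = "passed by port ACL" if port_only_acl(p) else "should have been dropped by ACL"
        alerts.append((p.ts, str(p.src), str(p.dst), p.proto, p.dport, f"{reason} ({where})"))
    return alerts


# Constructed sample records: legitimate SMTP and DNS, an inbound telnet attempt that
# got past the border, and a client box opening a TCP session to port 53 (the trojan case).
SAMPLE_LOG = [
    "1999-06-04T11:17:59 203.0.113.7 > 192.0.2.25 tcp 40321 > 25 S",
    "1999-06-04T11:18:02 203.0.113.7 > 192.0.2.53 udp 5353 > 53",
    "1999-06-04T11:18:05 203.0.113.9 > 192.0.2.25 tcp 40322 > 23 S",
    "1999-06-04T11:18:40 198.51.100.77 > 203.0.113.200 tcp 1042 > 53 S",
    "1999-06-04T11:18:41 203.0.113.200 > 198.51.100.77 tcp 53 > 1042 SA",
    "1999-06-04T11:18:50 192.0.2.53 > 203.0.113.53 udp 4096 > 53",
    "1999-06-04T11:19:00 198.51.100.78 > 203.0.113.80 tcp 1043 > 80 S",
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(*alert)
```

Two of the seven records produce alerts. The inbound telnet SYN to the mail host is one the router ACL should have dropped, so seeing it on the inside tap means the perimeter itself has failed, which is the alarm the quoted poster wants. The client's SYN to port 53 is the more telling case: the port-only ACL never touches it, because it is not aimed at either server, and only a policy that says which hosts may originate DNS catches it.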


