Re: Firewall RISKS

[char sample <keithcha () clark net>]

At 11:00 AM 6/3/99 -0500, MIKE SHAW wrote:
> There are a number of problems with this advice...noted below (some snipping):
>
> >Firewalls do not "prevent" hacks, as most people believe. They simply
> >reduce RISKS by reducing the number of ports or IP addresses that may
> >be exposed inadvertently on the Internet. The remaining ports (such as
> >e-mail, web, and FTP servers) can often be hacked.
>
> Firewalls can indeed prevent hacks, especially firewalls with an 
> application proxy.  An application proxy will block many known attacks and 
> some attacks with the right signature, such as overflow attacks in a mail 
> server.  In addition, firewalls do extensive logging which aids in seeing 
> an incoming hack before it occurs, as well as tracking down an intruder if 
> someone does do a dirty deed.

This largely depends on how well the application proxy was written (did it 
follow rules of good coding, handle bounds
checking, unhandled exceptions ...etc.).  This also assumes that the proxy 
utilizes a subset of commands required
by the application.  All things which are not easy to determine w/o source 
code availability.  Beyond that the
supposed "clean" proxy would have to run on a "clean" operating 
system.  Again the source code availability issue.
Without this certainty the firewall (when properly written and configured) 
can at best protect against known attacks
and in some cases some unknown attacks.  For example: A firewall which 
checked the input string size on the SMTP commands would be able to defend 
against buffer overruns.

> This is not an excuse to neglect patching applications, operating systems, 
> or deleting default scripts.  But to say that a firewall does not prevent 
> hacks is misleading.
> >In practice, firewalls probably increase RISKS overall. Consider a
> >study of Berlin taxi drivers who were given anti-lock breaks: the taxi
> >drivers started driving more aggressively, and had more accidents.
> >Therefore, the study concluded that anti-lock actually INCREASES RISKS.
> >What is really going on is that firewalls/ABS only decrease RISKS if
> >behavior is left unchanged, but the added security encourages RISKy
> >behavior.
>
> Good point at the end, but the analogy is critically flawed.  A firewall 
> is not an enhancement like ABS.  It is an *essential* part of an overall 
> security strategy.  ABS and firewalls don't increase the risk, the 
> behavior does.  Relying on such a conclusion gives the impression that 
> doing away with a firewall (or any security structure for that matter) 
> might actually be a good thing.

An excellent point.  The problem with firewalls in general is that they are 
more often used *in place* of a coherent security strategy.  :(  Of the 
over 300 sites that I have dealt with only 3 have shown an overall security 
strategy and
security process.


> >The ColdFusion bug was not really Allaire's fault -- the bug was in a
> >sample script that Allaire recommends be removed from a production web
> >server. Almost every web-site creation package like ColdFusion has the
> >same problem, including Microsoft's ASP scripting, FrontPage web
> >hosting, and sample CGI programs. Administrators feel safe behind
> >firewalls and do not diligently check their web servers for these
> >problems. For the most part, crackers who intend to deface web pages or
> >steal credit card information from web servers do not care about
> >firewalls that might protect the target servers.
>
> Oh yeah?  We have quite a few port scans run on our perimeter, and on a 
> regular basis.  The first thing a cracker will do is map your site looking 
> for vulnerable ports/hosts.  A solidly configured firewall will not only 
> thwart these mapping attempts, but will protect against many exploits that 
> may be tried.  A cracker DOES care about a firewall, since it dramatically 
> cuts down on his options.

and the firewall may encourage the uninvited party to look elsewhere.

> Your points about only reducing risk are valid, but this is true of any 
> security measure.  To degrade the necessity and importance of a firewall 
> is not helpful to anyone trying to justify and implement a security 
> plan.  What would be better is to simply recommend a complete and 
> comprehensive security policy, with a well configured firewall as a major part.

One amendment here an enforceable security policy enforced by an empowered 
individual w/in the organization.

char