Firewall Wizards mailing list archives
Re: Firewall RISKS
From: "Stephen P. Berry" <spb () meshuga incyte com>
Date: Tue, 08 Jun 1999 18:45:42 -0700
-----BEGIN PGP SIGNED MESSAGE----- In message <s75d356d.031 () sbscorp com>, "MIKE SHAW" writes:
You seem to be trying to fix an essentially braindead infrastructure with a firewall. If you've designed your quote security unquote architecture such that compromise of a single desktop is bankrollable into a compromise of the entire enterprise, you've got problems that firewalls aren't going to solve for you.
Remember what I said about TCP/IP being inherently insecure. Add to that the insecurities in most major OS' (a couple in particular), and then knock the whole thing out of whack by making the system usable to the end user (which unfortunately often involves herds of wintel boxes).
Like I said.
This is the real world, and in the real world there is no such thing as a non-braindead infrastructure.
Speak for yourself. It is true that in the `real world' we seldom get to impliment ideal infrastructures. That does not mean that all nonideal setups have to be braindead. I'm beginning to rather strongly suspect that the `real world' to which you refer is composed almost entirely of low-end commercial and academic sites. But that's okay...I'll even stipulate your definition of the `real world', as I assume it includes folks at home using dialup ISPs. Say I'm using my machine at home as for dialup. It's running the latest rev of OpenBSD. Inetd(8) isn't running. I don't have any daemons accepting incoming connections. Demonstrate how a firewall is `essential' in my setup. Alternately, demonstrate how using an OpenBSD desktop for dialup is not a credible scenario in your `real world'.
You can tighten up your routers 'till the cows come home. You can patch your servers, scan for virii and make a bulletproof security policy. You know what? You're STILL vulnerable because the system is there to be used, and with that comes the possiblity for misuse.
Okay. Stipulated. Scribbling a firewall into the network diagram isn't going to change any of this. You've made some (basically valid) observations about containment. You are also basically correct in observing that firewalls can help in containing an intrusion. What you have not done (and what I don't believe you---or anyone else---can do) is demonstrate that firewalls are the -only- things that can be used for containment (they aren't), or that the fact that firewalls can be used for containment somehow leads to the conclusion that they're `essential' to all security infrastructures. Barring the demonstration of one of these propositions (or something like them), your arguments about containment are moot (in this context).
But, given the best (real world) security configuration possible, a Firewall will ALWAYS enhance that configuration, and that makes it *essential*.
Doing strip searches of the office droids will almost always (which is as close to your `ALWAYS' as I'm willing to creep) enhance the physical security of an operation. That doesn't mean that it is `essential'. Requiring one-time passwds for all login sessions will almost invariably enhance login security. One-time passwds aren't universally `essential', either. Stated more generally, the truth of `foo enhances bar' does not entail `foo is essential to bar'.
Don't get me wrong, I happen to think firewalls are just swell for some applications. But your assertion that a firewall is an essential (or rather `*essential*') part of any security infrastructure is just flat out wrong.
If I'm wrong, then I'm in good company. Every book I've read, every seminar/class and conference I've been to contain firewalls as an integral part of the complete security strategy.
Either you haven't been paying enough attention or you've been attending the wrong classes. I find it surpassingly difficult to imagine any security professional worth their salt stating that, unilaterally, firewalls are an -essential- part of -all- sane security infrastructures. If you rephrase that as a `frequently useful' part of `many' security infrastructures, you might have a winner (although it would still be a bit of a contentious issue---just not a clearly false one as you've presented). Ever heard the aphorism about how if your only tool is a hammer, all your problems start looking like nails?
Every site that I've seen that was serious about security has one.
Visit more. Look for ones, for example, whose security policies mandate the use Faraday cages. Ask the local sysadmin types how they feel about your firewall-in-every-pot maxim.
Firewalls -are- mechanisms for policy enforcement. So is an 8" air gap. And login(1). And possibly thumbscrews, depending on your employer's attitude toward the lusers.
Too medieval. I'd prefer some sort of shock treatment. But that's interestig. Would you argue that a login was not an essential part of a securty scheme?
Of course login(1) is not an essential part of a security policy. I can specify plenty of policies involving no machines which natively use login(1). I can specify (and have) that login(1) be replaced by a simple logging mechanism. What's your point? - -Steve -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBN13Gryrw2ePTkM9BAQFdfwP+JoWkWgFlSEns42oxMkEz4TRf9l+4gstl fJcqTCodGwe3RRNId0A+KFO4+1irci3W6U8SvS/1MtAx4/30FyehLVWHBmpKMmzT gm4ZM8jykQ3qjmZUbqr/DT/iwlsUNMxtzXROO7Hisf7sUwKuKLmjIaQeqcmcNrBq oJOcLXEdi3k= =yErZ -----END PGP SIGNATURE-----
Current thread:
- Transfering off-system firewall audit trails, (continued)
- Transfering off-system firewall audit trails Steven W. Engle (Jun 14)
- Re: Transfering off-system firewall audit trails Lance Spitzner (Jun 15)
- Re: Transfering off-system firewall audit trails Christoph Schneeberger (Jun 16)
- Re: Transfering off-system firewall audit trails Richard Rees (Jun 15)
- eSafe Protect desktop experince Mark Lemmo (Jun 14)
- Re: Firewall RISKS Stephen P. Berry (Jun 14)
- Re: Firewall RISKS char sample (Jun 04)
- Re: Firewall RISKS Stephen P. Berry (Jun 14)
- Re: Firewall RISKS Tim Kramer (Jun 16)
- Re: Firewall RISKS Stephen P. Berry (Jun 20)
- Re: Firewall RISKS Stephen P. Berry (Jun 21)