Re: Firewall RISKS

["Stephen P. Berry" <spb () meshuga incyte com>]

-----BEGIN PGP SIGNED MESSAGE-----


In message <s75d356d.031 () sbscorp com>, "MIKE SHAW" writes:

> > You seem to be trying to fix an essentially braindead
> > infrastructure with a firewall.  If you've designed your quote security
> > unquote architecture such that compromise of a single desktop is
> > bankrollable into a compromise of the entire enterprise, you've got
> > problems that firewalls aren't going to solve for you.

> Remember what I said about TCP/IP being inherently insecure.  
> Add to that the insecurities in most major OS' (a couple in 
> particular), and then knock the whole thing out of whack by 
> making the system usable to the end user (which unfortunately
> often involves herds of wintel boxes).  

Like I said.


> This is the real world, and 
> in the real world there is no such thing as a non-braindead infrastructure. 

Speak for yourself.

It is true that in the `real world' we seldom get to impliment ideal
infrastructures.  That does not mean that all nonideal setups have
to be braindead.

I'm beginning to rather strongly suspect that the `real world' to which
you refer is composed almost entirely of low-end commercial and academic
sites.  But that's okay...I'll even stipulate your definition of
the `real world', as I assume it includes folks at home using dialup
ISPs.

Say I'm using my machine at home as for dialup.  It's running the latest
rev of OpenBSD.  Inetd(8) isn't running.  I don't have any daemons
accepting incoming connections.

Demonstrate how a firewall is `essential' in my setup.  Alternately,
demonstrate how using an OpenBSD desktop for dialup is not a credible
scenario in your `real world'.


> You can tighten up your routers 'till the cows come home.  
> You can patch your servers, scan for virii and make a 
> bulletproof security policy.  You know what?
> You're STILL vulnerable because the system is there 
> to be used, and with that comes the possiblity for misuse.

Okay.  Stipulated.  Scribbling a firewall into the network diagram isn't
going to change any of this.

You've made some (basically valid) observations about containment.
You are also basically correct in observing that firewalls can help
in containing an intrusion.

What you have not done (and what I don't believe you---or anyone
else---can do) is demonstrate that firewalls are the -only- things that
can be used for containment (they aren't), or that the fact that firewalls
can be used for containment somehow leads to the conclusion that they're
`essential' to all security infrastructures.  Barring the demonstration
of one of these propositions (or something like them), your
arguments about containment are moot (in this context).


> But, given the best (real world) security configuration possible, 
> a Firewall will ALWAYS enhance that configuration, and that
> makes it *essential*.

Doing strip searches of the office droids will almost always (which
is as close to your `ALWAYS' as I'm willing to creep) enhance
the physical security of an operation.  That doesn't mean that it
is `essential'.  Requiring one-time passwds for all login sessions
will almost invariably enhance login security.  One-time passwds aren't
universally `essential', either.

Stated more generally, the truth of `foo enhances bar' does not
entail `foo is essential to bar'.


> > Don't get me wrong, I happen to think firewalls are just swell for
> > some applications.  But your assertion that a firewall is an essential
> > (or rather `*essential*') part of any security infrastructure is just
> > flat out wrong.

> If I'm wrong, then I'm in good company.  Every book I've read,
> every seminar/class and conference I've been to contain firewalls
> as an integral part of the complete security strategy.

Either you haven't been paying enough attention or you've been attending
the wrong classes.  I find it surpassingly difficult to imagine any
security professional worth their salt stating that, unilaterally,
firewalls are an -essential- part of -all- sane security infrastructures.
If you rephrase that as a `frequently useful' part of `many' security
infrastructures, you might have a winner (although it would still
be a bit of a contentious issue---just not a clearly false one as
you've presented).

Ever heard the aphorism about how if your only tool is a hammer, all
your problems start looking like nails?


> Every site that I've seen that was serious about security has one.

Visit more.  Look for ones, for example, whose security policies mandate
the use Faraday cages.  Ask the local sysadmin types how they feel about
your firewall-in-every-pot maxim.


> > Firewalls -are- mechanisms for policy enforcement.  So is an 8" air gap.
> > And login(1).  And possibly thumbscrews, depending on your employer's
> > attitude toward the lusers.

> Too medieval.  I'd prefer some sort of shock treatment.  
> But that's interestig.  Would you argue that a login was not an 
> essential part of a securty scheme?

Of course login(1) is not an essential part of a security policy.  I can
specify plenty of policies involving no machines which natively use
login(1).  I can specify (and have) that login(1) be replaced by a
simple logging mechanism.  What's your point?








- -Steve


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBN13Gryrw2ePTkM9BAQFdfwP+JoWkWgFlSEns42oxMkEz4TRf9l+4gstl
fJcqTCodGwe3RRNId0A+KFO4+1irci3W6U8SvS/1MtAx4/30FyehLVWHBmpKMmzT
gm4ZM8jykQ3qjmZUbqr/DT/iwlsUNMxtzXROO7Hisf7sUwKuKLmjIaQeqcmcNrBq
oJOcLXEdi3k=
=yErZ
-----END PGP SIGNATURE-----