Firewall Wizards mailing list archives
Re: Botnets, IRC servers and firewalls?
From: Paul Robertson <proberts () patriot net>
Date: Wed, 4 Feb 2004 11:14:37 -0500 (EST)
On Wed, 4 Feb 2004, Marcus J. Ranum wrote:
CIO: "So, why aren't we applying any controls to outgoing traffic?" Security guy: "Because we can't make the networking guys do it. They say it can't be done!" CIO: "Get the networking guys in here!" Networking guy: "You rang?" CIO: "Let's put some access controls in outgoing traffic, OK?" Networking guy: "Can't do it. It'd KILL PERFORMANCE!"
Funnily enough- I've seen the exact same dialog probably more than 100 times for _ingress_ filtering. At one point, I had a whole "Cisco switching modes and extended access lists" dance I'd go through to convince someone that the border router they already owned could do just fine blocking a lot of stuff that didn't need to show up inside the DMZ. I think we're over that hurdle for the most part now, so it's time to tackle egress filtering again. :)
On routers the complaint is that it takes up too many resources and slows the box down to a crawl.Which, of course means "you bought the wrong box" not "take out the filters" but nobody wants to hear that particular song. And, mythical router/switch slowdowns are the primary historical reason why almost nobody has any internal segmentation or security partitioning. And why so many organizations become crusty toast as soon as a worm gets through their crunchy shell and into their soft chewy interior.
It's not just "You bought the wrong box," it's "You don't know jack about the box you bought!" I remember doing an incident response gig at a large customer site and going through the "You can block >85% of your risk on your router, we can make the change in place and not drop a packet, and it won't impact performance- just give me a chance" thing- Spent time with the router guy, popped up a set of filter rules we _thought_ would work, starting with the big permits, then ending with a permit any any log - to profile the traffic- ran that set for half an hour, caught one machine he'd missed, dropped a new permit, then took out the permit any any log. Router CPU was about the same (>90% of traffic matched the first rule,) and they were way better off than when they'd started. Zero downtime, minimal risk, and it was the right thing to do. Time to talk them into it- 1.5 hours, time to implement, 2 minutes to build the ruleset, 20 minutes to profile the traffic, 2 seconds to implement and 2 minutes to switch rulesets. Granted, they already had a log server and were logging from the router.
A user interface problem. Simple policies are simple to encode in rules. Byzantine policies are difficult. Simple policies are also easier to audit and faster to execute. They're also derided as "draconian". Eventually we will call them "darwinian"
I've talked to people who changed router filtering rules 8x a day (!) I've always been of the opinion that if you've got a complex or often-changed config, you messed up bigtime.
The virii, worms, and trojans will do it, since appealing to reason appears to have failed.
It's VIRUSES Mr. Skript Kiddie :-P http://www.perl.com/language/misc/virus.html /me ducks Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts () patriot net which may have no basis whatsoever in fact." probertson () trusecure com Director of Risk Assessment TruSecure Corporation _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Botnets, IRC servers and firewalls?, (continued)
- Re: Botnets, IRC servers and firewalls? Victor B. Williams (Feb 02)
- Re: Botnets, IRC servers and firewalls? Mordechai T. Abzug (Feb 02)
- Re: Botnets, IRC servers and firewalls? Paul Robertson (Feb 02)
- Re: Botnets, IRC servers and firewalls? Marcus J Ranum (Feb 02)
- Re: Botnets, IRC servers and firewalls? Mordechai T. Abzug (Feb 02)
- Re: Botnets, IRC servers and firewalls? Paul Robertson (Feb 02)
- Re: Botnets, IRC servers and firewalls? Gadi Evron (Feb 03)
- Re: Botnets, IRC servers and firewalls? Paul Robertson (Feb 03)
- Re: Botnets, IRC servers and firewalls? R. DuFresne (Feb 03)
- Message not available
- Re: Botnets, IRC servers and firewalls? Marcus J. Ranum (Feb 04)
- Re: Botnets, IRC servers and firewalls? Paul Robertson (Feb 04)
- Re: Botnets, IRC servers and firewalls? Marcus J. Ranum (Feb 04)
- Re: Botnets, IRC servers and firewalls? Paul Robertson (Feb 04)
- Re: Botnets, IRC servers and firewalls? Joseph S D Yao (Feb 05)
- Re: Botnets, IRC servers and firewalls? Chris Blask (Feb 04)
- Re: Botnets, IRC servers and firewalls? Jeremiah Cornelius (Feb 04)
- Re: Botnets, IRC servers and firewalls? Chris Blask (Feb 04)
- Message not available
- Re: Botnets, IRC servers and firewalls? Marcus J. Ranum (Feb 04)
- Re: Botnets, IRC servers and firewalls? Mark Tinberg (Feb 05)
- Re: Botnets, IRC servers and firewalls? Paul Robertson (Feb 03)