Firewall Wizards mailing list archives

Re: Firewalling at the domain users level instead of network level


From: Chuck Swiger <chuck () codefab com>
Date: Tue, 20 Jul 2004 13:35:45 -0400

Paul D. Robertson wrote:
On Mon, 19 Jul 2004, Chuck Swiger wrote:
[snip what I agree with...]
The second concern is a matter of policy: why do you want your firewall
to treat users differently?  If it's a bad idea for person A to do some
type of network connection, why should it be OK for person B to do so?

There are a multitude of reasons, including Person B being more clued than
Person A.

There exists a multitude of reasons, agreed. To the extent that the reasons are valid and relevant to the situation at hand, then having a policy which reflects these per-user concerns is reasonable.

It was not quite my intent to say "don't ever use per-user firewall rules", so much as to say that it is worth asking why you need them and to closely evaluate the increased risks involved. Having a realistic idea of how much security problems cost helps a great deal, too. For that matter, even making a vague guess at downtime costs is helpful considering how few people seem to think about downtime, loss of data, data compromise and exposure, etc. as potential costs in the first place. [1]

We don't tout the "Principle of equal privilege"

Principle of least privilege works for people, applications and systems.

Oh, absolutely.

I note that several people in this thread have advocated the OP use a proxy like Squid which authenticates via AD/LDAP/whatever, and I would agree with that approach: you don't have the firewall trying to figure out "valid users", you have the firewall denying HTTP for everybody but a trusted proxy server, which itself can do fancier access control on protocol-specific parts of HTTP if need be (i.e., virus scanning, content-filtering MIME types, Javascript, ActiveX controls, etc.).

Those things are valuable, but I don't really want my firewall to do virus scanning, proxying, or anything else but routing/bridging traffic while doing packet filtering, NAT if such evil must be tolerated, and maybe some straight-through protocol-layer filters & inspection, if y'all really want them there. A useful virus scanner needs to initiate traffic on a regular basis in order to update its definitions, and therefore must trust network data coming from outside; firewalls shouldn't initiate any connections gratuitously, much less change their rulesets and security capabilities based on data downloaded from outside the trusted network.

I could be wrong, though: there are vendors selling security products which seem to be commercially successful which violate my qualms about 'chatty' or 'dynamic' security products. [2]

If you restrict things so that only the services which you trust all
users to do are permitted, your security is likely to be much improved
compared to a policy based on an ever-growing pile of per-user rules
and exceptions.

If you let one user have the Administrator password, why not all of them!?

ACK!!  For shame, Paul!  :-)

The right way to think about this is that there should be zero people who have the Administrator password, and only the simple necessity of needing to log in as admin for the machine once in a while means that somebody-- hopefully an admin who cares about security-- has to know what the password is.

For that matter, MacOS X does a pretty good job of "not having an admin password or root user at all" for a Unix-derived operating system. Recommending sudo by default and also providing reasonable integration of re-asking the user to type in a password to obtain privileges when running the GUI package installer or system patch tool beats the heck out of most alternatives in terms of security.

If Windows made components downloaded in IE bring up a password dialog before installing/running them, that platform's security would suck less than it currently does. But I could be wrong about this, too: some people seem to think that a web browser which auto-downloads and runs plugins without asking for user confirmation just because you got emailed a link is fine and dandy and user-friendly and all. [3]

--
-Chuck

[1]: Perhaps I am biased towards concluding that "per-user firewall stuff isn't worth the cost", but if so, that bias is towards being too safe, and is thus more tolerable than being biased towards poor security. I don't really trust Microsoft's ISA Server to be secure on the box itself, much less offer per-user firewall capabilities that I would choose to rely on over PF/IPFW.

[2]: Does anyone evaluate security products in terms of their security anymore, rather than their claimed feature set and performance?

Maybe the kindly vendor hosting their mailing list has some opinions, but there's a certain amount of pay-to-play with their certifications that's not so different from the ISO-17799 consultants and certifications we were just talking about in a parallel thread. [ Not trying to pick on anybody, but fair is fair... ]

[3]: I could very easily rant about HTML mail and enforced marketing opportunities shanghai-ed upon the users of the most frequently used operating system, but this message is becoming too long as it is. :-)
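The split the message recommends, a firewall that denies web traffic for everybody but a trusted proxy and leaves authentication and content inspection to the proxy, written out as a PF ruleset. This is an added example, not part of the original post; the interface names, the 192.0.2.0/24 LAN and the proxy address 192.0.2.10 are constructed, and the nat line uses the FreeBSD/older-pf syntax.

```pf
# Added example (not from the original message). Constructed values:
ext_if  = "em0"            # outside interface (assumed name)
int_if  = "em1"            # inside interface (assumed name)
lan_net = "192.0.2.0/24"   # workstation LAN, RFC 5737 documentation range
proxy   = "192.0.2.10"     # Squid host on the LAN; it authenticates users
resolver = "192.0.2.53"    # DNS server the proxy is allowed to query
web_ports = "{ 80, 443 }"

set skip on lo0

# NAT only for the one host that is allowed to reach the web at all.
# (FreeBSD / older pf syntax; newer OpenBSD pf uses "match ... nat-to".)
nat on $ext_if from $proxy to any -> ($ext_if)

# Default deny, logged, on every interface and in both directions. With no
# "pass out ... from self" rule, the firewall itself initiates nothing.
block log all

# The trusted proxy may open web connections outbound; state is kept so the
# replies come back without a separate inbound rule.
pass in  quick on $int_if proto tcp from $proxy to any port $web_ports
pass out quick on $ext_if proto tcp from $proxy to any port $web_ports

# The proxy needs name resolution to do its job; nothing else on the LAN does.
pass in  quick on $int_if proto udp from $proxy to $resolver port 53
pass out quick on $ext_if proto udp from $proxy to $resolver port 53

# Workstations that try to go direct are already caught by "block all";
# a separate rule gives their attempts a distinct log entry and a RST so
# browsers fail fast instead of hanging.
block return log quick on $int_if proto tcp from $lan_net to any port $web_ports
```

Workstations reach the proxy on the same LAN segment without crossing the firewall, so the per-user decision (who may browse, what MIME types, whether to scan) lives entirely in the proxy's own ACLs, and the ruleset above never has to know who the users are.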
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards