Bugtraq mailing list archives
Fw: Fw: No Security is Bad Security
From: sseidler () EASTERNDATACOMM COM (Scott Seidler)
Date: Mon, 8 Feb 1999 15:22:59 -0500
Aleph - Im reforwarding this to you as submitted on friday - it is a rebuttal to JIM MAZE's comments re the post i made earlier. He seems to be unreachable using his listed email at: jmaze () ezsafe com. I havent seen it posted so im assumoing it lost in the void. thanks, --Scott <cut> THIS IS A REBUTTAL FOR JMAZES POST OF FRIDAY FEB 04, 1999----------
From: Scott Seidler <sseidler () easterndatacomm com> To: jmaze () ezsafe com Cc: BUGTRAQ () netspace org Subject: Re: Fw: No Security is Bad Security Date: Friday, February 05, 1999 12:26 PM HI Jim, I agree wholeheartedly in a number of the things you mention in your
post.
Some things were left out because of a salesly sounding post - which got the original post bounced by Aleph. The point i was trying to make re: cost and security is loosley this: If
a
company is not willing to shell out some additonal money to implement a proper solution for their environment. They should expect a greater possibility of a compromise. In our typical client base, where a small company wants a 56K or
fractional
T1 link to the internet. They have a hard time shelling out cash for the monthly access alone (and at that speeds we are not talking all that much money). These customers tend to not want to implement what they deem to be more expensive solutions. They typically have NO security other than maybe some filtering (and often thats a maybe), or at best are willing to add firewall software to their router. Unfortunatley - their router is also the smallest and least expensive in the line. The extra burden of the added software in an environment that has a number of pcs makes handling firewalling tasks and often default gateway tasks a heavy burden to this unit. Add the usual dual use of routing to remote sites and supporting the internet link into the same router - and you can give yourself an overburdened box that if compromised leaves your any other site remotley connected to you as vunerable as youve become. Is a PC based solution good for them too? absolutely - If its implemented properly like you said - Again Im agreeing with you. Unfortunatley - these types of customers - my customers (small-mid) have little if any internal support staff in IS and most weve seen are not up
to
par or already overburdened to properly install - or at least upkeep a software based solution. And often by the time you explain the costs of
the
pc to run it, operating system costs (most of our customers are NOT
willing
to run Linux or BSD) and the cost of the software itself - its not much more to get a hardware based platform thats simpler to set up and offers top rated support. We typically use the Cisco PIX firewall in most of our customer applications. It has many options that appeal to alot of environments and has a tremendous reputation CHeck out this little sniglet from a
recent
email i recieved from Cisco announcing NSA testing results: <snip>The PIX Firewall underwent an arduous seven month product testing
scenario
that mapped the PIX security targets (ST) against the user application scenario prescribed by the Government's Protection Profile. The PIX Firewall Security Target was found to comply to the requirements at CC Evaluation Assurance Level 2 (EAL2) , as defined in the Common CriteriaforInformation Technology Security Evaluation (CC), Version 2.0. The PIX Firewall has subsequently become the first, and only, Firewall to be certified as conforming to the US Government Application Level Firewall Protection Profile for Low Risk Environments.<snip> .. Not to mention the throughput through the unit rated to T3. Its really simple to install as it comes completely shut down to the outside world with only a handful of commands to create a one way firewall - whereas a
OS
would need to be "stripped down" as you mentioned, and specifically setup for the Firewalls use. Unfortunalety - putting the customers in-house capabilities aside - the time it takes to set up a pc based solution and configure even free OS
into
it with free security software (factoring the time it takes as well to
get
some technical support on the set up etc.) a Hardware based solution like the PIX for a street price of about 8K ends up cheaper every time weve looked at it. So I guess i do really agree with what you said - IF the inhouse
personnel
have the time and knowhow to gather the systems, the software, and IF
they
have the time to invest to set it all up and keep it locked with fixes
and
patches. (and there are the bugs). IF they can do all that and not
include
a dollar value on their time, then it wont cost that much money for good security. Unfortunatley, these are not our typical customers, as a matter of fact,
it
isnt ANY of our customers. So to get back to the original point i was making re: money and security that seemed misleading: IF you have the time and IF you have the expertise and IF your company will even allow you to use Freeware (most wont) then you COULD spend little money and get a great security solution IF you dont factor the customers time. For our customer base - this isnt a solution. Oh, and lastly -- IF you thinks selling a Cisco product (any Cisco
product)
is a high margin sale - then you dont sell Cisco. -- Scott sseidler () easterndatacomm com Your post is attached:::: ----------From: Jim Maze <smail () NETWORKSECURITY NET> To: BUGTRAQ () netspace org Subject: Re: Fw: No Security is Bad Security Date: Thursday, February 04, 1999 4:12 PM Hey Aleph, I have a few comments to add regarding this post. Scott Seidler wrote:It seems that the more you can spend on a firewall and other
security
measures, the better you are at protection.This is misleading. This is why many companies spend hundreds of thousands of dollars on state-of-the-art security solutions only to
wind
up a victim of a successful attack because they are still vulnerable
due
to poor implementation. The level of security achieved from a particular security solution is not directly tied to cost. I've seen Mom-and-Pop shops that are using free security measures such as Linux based firewalls, s/key authentication, SSH, and TCP wrappers that are much more secure than your average Firewall-1 implementation. The key
is
implementation, not cost. Now, if more expensive commercial solutions ARE implemented correctly, they often do offer significant advantages over some of the freeware tools out there, but unfortunately many security consulting firms are focused on pushing the products out the door rather than proper and careful implementation of the products.While no firewall will claim 100% protection, we have learned thatsomeare better than others for simple reasons. Software based firewalls, while they usually have more options tointegratedirectly, might require a more technical suport base internally than most smaller companies or agencies mayhave.Additionally, the daily upkeep and constant vigil to find out about software patches and vunerabilities tend to be secondary (or third,
or
fourth, etc) to the daily jobs of most systems people. Thus old bugsandoften blatant overlooks become the doorway with the "open forbusiness"sign hanging above them. Unfortunately, basing a firewall on a multpile use operating system(NT,UNIX, etc) can leave unexpected doorways open and allows foropportunityfor "pilot error" mistakes. Just the time to keep up with them all istoogreat for most system managers.Again, implementation is more important than the particular platform, vendor, or technology. If a software based firewall is configured properly, it will not be vulnerable to 99.9% of the bugs out there.
Why?
Because a proper implementation of a software firewall includes a stripped down OS that contains only the basic kernel and networking componenets necessary for the firewall to operate. While I am a big advocate of regularly patching systems, it is often not necessary to apply most patches on a software firewall, simply because the patched binaries are not installed to begin with. I agree that multiple use OS based firewalls have the *potential* to become a victim of an OS bug, but it's not very likely if the device is implemented properly.So far we have implemented successfully many hardware based
firewalls.
Thepositives on this type of platform far outweigh the marginal extra
cost
forthe purchase price. These are single function - Firewall only - typesofdevices. Some hardware based platforms have no user accessable operating
system
tohave potential open ended problems with, and right out of the box
they
seemto set up with limited commands when acting as a one way onlyfirewall. Ofcourse there are many more programming options in these units that gowaybeyond the scope of this posting and are, as Aleph has pointed out tome onthe first issue of this email (appreciated by the way Aleph -
thanks),
toovendor specific to really elaborate on.No argument here - I agree completely.Suffice to say that Network Address Translation (NAT) and ProtocolAddressTranslation (PAT) are not the only things to base a Firewall purchase on. There are many other options and hooks thatmake areally good firewall, such as interaction with other devices (routers, high end authentication, encryption, etc.).While debating over software vs. hardware, you haven't touched on the whole issue of choosing the right underlying firewall technology for a given environment. While things like NAT and PAT and interoperability with other security devices are definitely important, the underlying technology used by the firewall should be one of the major deciding factors as well. For example, you may want to use an application
gateway
firewall for perimeter security while using stateful packet filtering internally where more flexibility is required. Many comanies (and consulting companies) overlook this issue.Addtionally, Two types of products that allow for on-line monitoring/reporting/ detection and also allow for security audits
and
eventesting of vunerablities are a must for any budget that can affordthem.You can try Cisco (http://www.cisco.com) or Network Associates (http://www.nai.com/default_ngc.asp) for examples of these products. Some of these fit really well into the big router manufactureroperatingsystem schemes by even allowing an automatic rewrite to the ACL (access control list) to block a detected party. And dontforgetthe ever possible "page me when you find something wierd" option too. Both of these systems are not inexpensive with price tags of around
10k
forthe systems I have seen. I have had great feedback on these types of products from my
customers
-especially the firewalls and felt i could dissiminate the info to myfellowBugtraq-ers.Again, I agree.....but for organizations with a smaller security
budget,
freeware tools should be presented as an alternative to high-cost commercial products. As security professionals, our focus should be on providing the best possible solutions to our customers that fit into their security budget - not just on pitching high-margin product lines. That's my nickel. -maze
Current thread:
- Re: Fw: Fw: No Security is Bad Security Jim Maze (Dec 09)
- Re: Fw: Fw: No Security is Bad Security Jon Ribbens (Feb 13)
- <Possible follow-ups>
- Fw: No Security is Bad Security Scott Seidler (Feb 03)
- Re: Fw: No Security is Bad Security Jim Maze (Feb 04)
- Fw: Fw: No Security is Bad Security Scott Seidler (Feb 08)