Educause Security Discussion mailing list archives

Re: Firewalls


From: randy <marchany () VT EDU>
Date: Fri, 12 Jul 2013 11:48:48 -0400

Reading the discussion on FW reminds me of the overarching problem with
using FW as "protection" devices and not understanding that they are only
useful "detection" devices. Consider the following examples:

1. whitelisting - you want to set up a list of authorized places a unit can
go on the net. The unit has a business need to access www.majorbank.com (I
sanitized the name). You set up the FW ACL to allow access to the
majorbank.com address range. You test the ACL and discover that their
main www site is degraded. After some investigation, you discover that
majorbank hosts its main page on Akamai. Now you have to allow Akamai and
everything else that Akamai hosts. Ironically, only the main page is hosted
by Akamai. Did this increase or decrease your protection level?

2. FW admins vs software - There have been numerous discussions about which
ports to block. I've not seen any discussion on FW admins finding out what
ports are required by software packages. In some cases, the requirements of
2 software packages may end up leaving your machine wide open. For example,
a very old (+8 years) requirement for end users running Oracle/Banner,
Citrix server would require the following ports to be open:

*Oracle/Banner:*

Allow TNS_LISTENER and SSH to Oracle server (Allow 1521/tcp, 22/tcp)

Allow TEXAR Security for load balance check (allow 333/TCP)

Allow LSA to Domain Controllers (allow 1026/TCP, 1028/UDP, 1029/tcp)

Allow Active Directory (LDAP, LDAP/SSL) lookup to Domain Controllers (allow
port 389/udp & 389/tcp, 636/tcp)

Allow Network Time Protocol to Domain Controllers (allow 123/udp, 123/tcp)

*CITRIX:*

CITRIX initially connects on ICA (1494/tcp) and then negotiates a new
connection to the server on a high port number (1023-65534) to separate out
multiple client connections

Allow ICA to CITRIX server (allow all tcp)

3. Clearly, there needs to be a list of what ports are required to be open
for software packages to work. Careful analysis needs to be done to see if
there are software combos that basically nullify your FW ACL. We have a
very old (2003) list on our www site:
http://www.security.vt.edu/briefs-online_templates/indexers/downloads/misc_downloads.html
(click on Firewall Ports and Protocols Summary) that lists common software
used back then and what ports/protocols needed to be open in order to run
those packages. I hope that FW admins have taken the time to thoroughly
investigate the port requirements of software running on their endpoints.

4. Ironically, the "fathers" of the IT Firewall (Cheswick, Bellovin, Ranum,
Zuk, Pensak, Presotto, Mogul, Reid, Vixie, Avolio) aren't fans of the
firewall anymore. A quote from the article "Who Invented the Firewall?" (
http://www.darkreading.com/management/who-invented-the-firewall/208803808)
states:
"Cheswick, lead member of the technical staff at AT&T Research, says he
hasn't personally used a firewall since the 1990s: "They are an economic
solution to weak host security. I want to see stronger host security," he
says. Even so, Cheswick says the firewall still has a place -- but as "just
another network element."

"The firewall as Bill and I described it in 1994 in our book is obsolete,"
says Bellovin, now a professor of computer science at Columbia University.
Having a guard at the front door today when there are thousands of
backdoors into the network just doesn't fly now, he notes. "I'm not saying
get rid of it at the door. It provides a low grade of access control for
low-value resources. But the real access control [should be] at the host.""

5. I do agree the FW is a necessary piece in a security architecture. But
for it to be effective, a lot of work needs to be done to make sure you
don't create a worse problem than the one you're trying to solve. I think
we need to remember that it is an effective DETECTION device and not an
effective PROTECTION device. I see its usefulness in network forensics.
Since the EDU security environment is basically split between the standard
corporate security model (for our administrative systems like payroll, HR,
etc.) and the ISP model (most of us require our students to purchase their
own computers and connect to our nets), it seems to me we should focus on
what leaves the net rather than what comes into the net. For example, a
hacker compromises a machine - score: Hacker 1 Defender 0. The defender
detects anomalous traffic to a questionable site and blocks that callback -
score: Hacker 1 Defender 1 and tie goes to the defender. Is there a risk of
data leakage going undetected? Of course, but that's why you have
defense-in-depth. :-) I also believe host-based FWs are more effective,
especially since wireless basically allows anyone to bypass your border
defenses.

I've ranted enough.

Randy Marchany

VA Tech IT Security Office & Lab
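As an added illustration of point 3 (this is not code from Randy's post or from VT), here is a small Python check that unions the per-package port requirements quoted above and reports when the combination leaves most of the port space open; the package names, the list structure and the 50% "nullified" threshold are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    lo: int      # first port in the range
    hi: int      # last port in the range (inclusive)

# Constructed from the port requirements listed in the post (ports only;
# destination hosts are ignored here). Package names are hypothetical keys.
REQUIREMENTS = {
    "oracle_banner": [
        Rule("tcp", 1521, 1521), Rule("tcp", 22, 22),      # TNS listener, SSH
        Rule("tcp", 333, 333),                             # TEXAR load-balance check
        Rule("tcp", 1026, 1026), Rule("udp", 1028, 1028),  # LSA to domain controllers
        Rule("tcp", 1029, 1029),
        Rule("udp", 389, 389), Rule("tcp", 389, 389),      # LDAP
        Rule("tcp", 636, 636),                             # LDAP/SSL
        Rule("udp", 123, 123), Rule("tcp", 123, 123),      # NTP
    ],
    "citrix": [
        Rule("tcp", 1494, 1494),                           # ICA initial connection
        Rule("tcp", 1023, 65534),                          # renegotiated high port
    ],
}

def effective_ports(packages):
    """Union of every port the selected packages require, keyed by protocol."""
    allowed = {"tcp": set(), "udp": set()}
    for pkg in packages:
        for r in REQUIREMENTS[pkg]:
            allowed[r.proto].update(range(r.lo, r.hi + 1))
    return allowed

def coverage(packages, proto="tcp"):
    """Fraction of the 1-65535 port space the combined ACL leaves open."""
    return len(effective_ports(packages)[proto]) / 65535

def review(packages, threshold=0.5):
    """Findings for wide ranges and for combos that effectively nullify the ACL."""
    findings = []
    for pkg in packages:
        for r in REQUIREMENTS[pkg]:
            if r.hi - r.lo > 1000:
                findings.append(f"{pkg}: {r.proto} {r.lo}-{r.hi} is a wide range")
    cov = coverage(packages)
    if cov > threshold:
        findings.append(f"combined tcp ACL opens {cov:.0%} of ports; ACL is effectively nullified")
    return findings
```

Running review(["oracle_banner", "citrix"]) shows that Oracle/Banner alone opens eight tcp ports while adding the Citrix high-port rule opens over 98% of the tcp port space.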
