Firewall Wizards mailing list archives

Re: [Theory] Time for a new FWTK? (long)


From: Bennett Todd <bet () rahul net>
Date: Tue, 2 Dec 1997 05:45:08 -0800


1997-12-01-20:54:35 Rick Giering:
     To me, a firewall is supposed to :
        1) protect against private information flowing out 
        2) protect against malicious applets flowing in
        3) control what content internal users can access
        4) protect against malicious users gaining access inside.
        5) protect against DOS attacks on machines available for public 
           use.
        6) Add your own "supposed to" here...

Whereas to me, a firewall is supposed to

          1-N) implement the security policy

     [...] the current generation of firewalls is focused on tracking
     and understanding the application level protocols and the data
     that flows through them. Good examples are SMTP, FTP, and HTTP.

Yup indeed. What else can you do?

     This might have worked at one time when there were a few "standard" 
     protocols that were fairly simple but not today. And, this approach 
     won't work in the future as more and more developers use RPC 
     technology instead of a simple ASCII conversation style protocol. I'm 
     dreading the day when CIFS (ie MS File sharing) is a "standard" and 
     people will expect Firewalls to protect them.

Oh ho! Sounds like you've gotten yourself trapped in hell: ``if a
protocol exists, then it must be useable between company machines and
the internet''. That is _Not_ part of this complete security policy.

        1) Users and their management will continue to ignore security just 
     like they ignore power, water, air conditioning and other "facility" 
     kinds of things.

Strange. At my company ignoring security isn't an option. I'm the
security admin, I should know:-). Now when negotiating updates to the
security policy, and responding to requests for new services and
whatnot, I'm obliged to learn enough so I can lay out the risks in
detail for business management, so they can weigh them against benefits.
But the tradeoffs do get looked at. The firewall still strips out all
Java and Javascript, though there have been requests to bypass that
functionality in various ways. We've serviced those requests in various
ways; in one case I set up a sacrificial host outside the DMZ,
accessible via special ssh tunnel, as a hardware ``sandbox''. In another
I mirrored a specific hierarchy into the inside, using a wget run on the
outside and ftp-ing the bundle in.

        2) Business Management (higher than IT management!) will continue 
     to view data security as an IT concern instead of a true business 
     concern. This view will flow down through middle management to the 
     "troops."

That part I have trouble seeing. At least where I work, the computers
are regarded as being critical for business operations; hence their
availability and reliability is business-critical. What's more, there's
some business-critical data on these systems whose correctness and
confidentiality is again worth $$$ to us. Hence security is bolted right
on to the bottom line. Making that link perfectly clear and
communicating it well and often is the job of the security admin and
whatever senior management is above them.

        3) Users will continue to want "cool" and useful applications/applets 
     without having to worry about security issues. If security does get in 
     the way, it'll be sacrificed in order to get the applet to work.

Weird, weird, weird. Our users get lines drawn for them at the point
just before they start endangering the business, and they don't have the
option of ignoring those lines.

-Bennett


