Firewall Wizards mailing list archives
Re: [Theory] Time for a new FWTK? (long)
From: Bennett Todd <bet () rahul net>
Date: Tue, 2 Dec 1997 05:45:08 -0800
1997-12-01-20:54:35 Rick Giering:
> To me, a firewall is supposed to:
> 1) protect against private information flowing out
> 2) protect against malicious applets flowing in
> 3) control what content internal users can access
> 4) protect against malicious users gaining access inside
> 5) protect against DOS attacks on machines available for public use
> 6) Add your own "supposed to" here...
Whereas to me, a firewall is supposed to 1-N) implement the security policy
> [...] the current generation of firewalls is focused on tracking and understanding the application level protocols and the data that flows through them. Good examples are SMTP, FTP, and HTTP.
Yup indeed. What else can you do?
> This might have worked at one time when there were a few "standard" protocols that were fairly simple but not today. And, this approach won't work in the future as more and more developers use RPC technology instead of a simple ASCII conversation style protocol. I'm dreading the day when CIFS (ie MS File sharing) is a "standard" and people will expect Firewalls to protect them.
Oh ho! Sounds like you've gotten yourself trapped in hell: ``if a protocol exists, then it must be useable between company machines and the internet''. That is _Not_ part of this complete security policy.
> 1) Users and their management will continue to ignore security just like they ignore power, water, air conditioning and other "facility" kinds of things.
Strange. At my company, ignoring security isn't an option. I'm the security admin, I should know :-). Now when negotiating updates to the security policy, and responding to requests for new services and whatnot, I'm obliged to learn enough so I can lay out the risks in detail for business management, so they can weigh them against benefits. But the tradeoffs do get looked at. The firewall still strips out all Java and Javascript, though there have been requests to bypass that functionality in various ways. We've serviced those requests in various ways; in one case I set up a sacrificial host outside the DMZ, accessible via a special ssh tunnel, as a hardware ``sandbox''. In another I mirrored a specific hierarchy into the inside, using a wget run on the outside and ftp-ing the bundle in.
> 2) Business Management (higher than IT management!) will continue to view data security as an IT concern instead of a true business concern. This view will flow down through middle management to the "troops."
That part I have trouble seeing. At least where I work, the computers are regarded as being critical for business operations; hence their availability and reliability are business-critical. What's more, there's some business-critical data on these systems whose correctness and confidentiality is again worth $$$ to us. Hence security is bolted right on to the bottom line. Making that link perfectly clear and communicating it well and often is the job of the security admin and whatever senior management is above them.
> 3) Users will continue to want "cool" and useful applications/applets without having to worry about security issues. If security does get in the way, it'll be sacrificed in order to get the applet to work.
Weird, weird, weird. Our users get lines drawn for them at the point just before they start endangering the business, and they don't have the option of ignoring those lines.

-Bennett