Firewall Wizards mailing list archives

Re: Firewall administration.


From: John McDermott <jjm () jkintl com>
Date: Mon, 6 Oct 97 08:53:47


--- On Fri, 3 Oct 1997 11:56:39 -0700 (MST)  Rik Farrow <rik () spirit com> 
wrote:

Firewalls are intended to be security devices, and are supposed to
help keep networks safe.  What I find disturbing is the most popular
firewall products are actually designed in an unsafe manner.  That
is, the person configuring the firewall is encouraged to do the wrong
thing.

This is my experience also.


I have come up with what I call Farrow's corollary to Murphy's law:
good designs are difficult or impossible to use in an unsafe manner.
Let's look at an example which has nothing to do with firewalls, but
does provide an excellent example of unsafe design.  


<Very good example deleted>.


Now for firewalls.  Many firewall products include point-and-click
support for passing dangerous services through the firewall.  By
Farrow's corollary, these firewalls are designed unsafely--it is easy,
even trivial, to do the wrong thing.  Given the public's general
belief that having a firewall "makes their network safe", firewalls
providing an interface which makes DOING THE WRONG THING EASY should
be avoided.

The real issue as I see it (and the issue on which I would like to see 
firewall products evaluated) is, "How easy is it to implement the 
organization's security policy correctly?"  The two operative items here 
are "security policy" and "correctly".

Security Policy.  I will not beat this to death as others have said it 
before, but the goal of a firewall is to help implement a security policy.  
It cannot, of course, implement all of a policy.  The problem comes with 
clients such as the one who told me "This is the real world.  Writing a 
security policy takes time I don't have.  All we can say is that we want to 
be secure." He works for a fairly large company.  After two years neither 
he nor his management has been willing to create a policy or hire someone 
to do it for them.

When I teach about firewalls, I try to emphasize the importance of a good 
policy.  About three years ago when I started teaching about security, many 
of the students had not even heard of security policy; now in my firewalls 
course about 25% have some sort of policy.  Things are getting better, but 
this is an area where we still really need to get the word out.

Correctly.  I like Rik's approach.  Firewall products should make it hard 
to do the wrong thing either easily or "by accident".  Operating systems 
and firewall products should be easy to configure in some kind of secure 
way at install time.  Clearly, one cannot have a product ready to match all 
possible policies out of the box, but some "least common denominator" 
should be the out-of-box default.  One issue to which I virtually always 
return is that of stance: for most of us "everything which is not 
explicitly permitted is prohibited" is generally correct.  Product vendors 
should make that their mantra...


While having a GUI is not necessarily evil in itself, having any
interface which makes it easy to configure a firewall in an unsafe
manner is evil...

I second that.


Rik Farrow
rik () spirit com


--john

-----------------End of Original Message-----------------

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------


