Firewall Wizards mailing list archives

Re: encapsulated protocols?


From: Adam Shostack <adam () homeport org>
Date: Thu, 5 Feb 1998 02:46:07 -0500 (EST)

Aleph One wrote:
| On Wed, 4 Feb 1998, Adam Shostack wrote:
| 
| >     To recap: I think packet filters are the wave of the mass
| > market future, because proxies do not offer enough speed for the
| > (hard to understand) security wins that they offer.  I think there
| > will be a variety of tools and applications to help you secure the
| > machines behind your packet filters.  Those tools and applications
| > will be a lot more useful where there are security features to build
| > on.  Securing Win31-98 will remain a huge pain in our craw for a long
| > time.
| 
| You conclude that proxies are not cost effective because they do not
| understand the tunneling done over HTTP by certain protocols.

        No, I conclude that *for the mass market* packet filters will
win because

1. They're faster
        This is inherent in the design of a proxy.  It must parse the
TCP/IP headers and the TCP stream; packet filters only need to parse
the headers.

2. The benefit of a proxy is hard to understand
        This was my experience as a consultant.  It usually took
upwards of half an hour to explain the benefits of a plug to a
technical manager well enough that they really saw what I meant.
Nothing that takes half an hour to explain wins in the mass market. 

3. Exploits are easier to write than proxies, and there are better
exploit cookbooks, and there are more people writing exploits than
proxies.

(N+1. They're less secure, and less secure almost always wins.)



| Following your line of thought applications such as Secure Networks
| Ballista, ISS's Internet Security Scanner and even Netect's product are
| useless as well since they can't defend you against new or unknown
| vulnerabilities they do not yet test for.

        That's not the way I'd state it, but yes, I can make the case
for every security tool out there being close to worthless.  As a Well
Known Expert said to me this summer, "I may have depressed myself out
of a job."  I choose to follow Bellovin, and quote 'It is not your
part to finish the task, yet you are not free to desist from it.'
(I'll happily expound on this over beer at the next conference we both
attend.)  Let me explain the value of tools like Ballista, ISS, and
Netective as I see them.

        Firewalls are becoming more porous for a variety of reasons.
These include the real world popularity of packet filters (and packet
filters running on NT.  Checkpoint has 50% of the market, and they see
a much larger customer demand for NT based firewalls.  I see NT as not
yet ready for prime time in the security domain.)  It also includes
the growth of extranets, intranet connections to partners/competitors,
etc.  (See MJR's Future of Firewalls off
http://www.clark.net/pub/mjr/pubs/index.shtml)

        Another reason I'm less and less fond of firewalls beyond
packet filters is that it concentrates your security efforts at what
I've come to believe is the wrong place.  A packet filter is useful
because it allows you to connect to the internet without exposing
your intranet.  A proxy is useful for the same reason, but it offers
enhanced defense for the machines behind it.  This, in practice, leads
companies to fail to properly secure the machines behind it.  This
means that those machines are not secure against attack by employees,
temps, contractors, employees of your business partners, etc.  As the
extranet marketecture continues to win executive support without proper
consideration being given to security, this becomes more and more
dangerous.  Thus, I see a value in assessment tools that offer the
ability to rapidly check machines for vulnerabilities.

| The problem is that you view your firewall as a static component that does
| not change. Network security scanners like the ones you mention have come
| with a subscription to updates that include new vulnerabilities as they
| are found. In a similar way, firewalls should include a subscription to
| updates that would include new protocols and encapsulated protocols as the
| firewall vendor implements them.

        Should != Do.

        I'll note that one of Netect's advantages is a push based
update mechanism that will allow us to update our customers very
quickly.  (This update mechanism is where we'll be partnering with
PGP/NAI--every copy of Netective includes pgp to verify the updates as
they come in, and an install-update program to process them
in a secure and paranoid fashion.  That program is shipped crystal
box.)

| In this case your firewall vendor should send you an update that deals with
| VXTreme (RealAudio, etc) streaming over HTTP.

        Proxies take longer to develop than exploits.  When a problem
is found, it's easier to develop a test for the problem, and ship that
with pointers to vendor patches than it is to develop a new proxy and
ship that.  Both approaches are useful.  The proxy mechanism was
developed because it was easier to do than quickly updating all of
your machines.  I expect that a hybrid approach, based on packet
filters, fast vulnerability assessment, intrusion detection, and maybe
other things like strong encryption, the abandonment of application
programming in C, (and other fixed length string languages) will
provide the security of the future.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
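
The trade-off Adam describes in point 1 (a packet filter decides from headers alone, a proxy has to reassemble and parse the stream) and Aleph One's point about protocols tunnelled over HTTP can be made concrete with a small model. The following is an added example written for this archive page; it is not code from either poster or from any product named in the thread. The `Packet` fields, the rule table, the request-line grammar and all sample bytes are constructed assumptions, and the "non-HTTP" stream is arbitrary bytes standing in for a tunnelled protocol, not a real VXTreme or RealAudio handshake.

```python
"""Header-only packet filtering vs. application-layer (proxy) inspection.

A packet filter decides from the IP/TCP headers, so anything sent to
TCP/80 looks like web traffic.  A proxy reassembles the stream and parses
the protocol, so a stream that is not HTTP (or is HTTP carrying something
else) can be refused.  All packets and streams below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The handful of header fields a stateless packet filter looks at."""
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int
    payload: bytes  # on the wire, but a packet filter never reads it


# Constructed rule table in the style of a simple filter:
# (proto, dst_port) -> allow?  Anything not listed is dropped.
FILTER_RULES = {("tcp", 80): True, ("tcp", 443): True}


def packet_filter_allows(pkt: Packet) -> bool:
    """Header-only decision; the payload is never examined."""
    return FILTER_RULES.get((pkt.proto, pkt.dst_port), False)


# Constructed, deliberately narrow request-line grammar for the demo.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) (\S+) HTTP/1\.[01]$")


def http_proxy_allows(stream: bytes) -> bool:
    """Application-layer decision: accept only a well-formed HTTP request.

    The proxy must buffer the stream up to the end of the headers and
    parse it before forwarding; that parsing is the work (and latency)
    the packet filter avoids.
    """
    head, sep, _body = stream.partition(b"\r\n\r\n")
    if not sep:
        return False                      # headers never terminated
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return False                      # not an HTTP request line at all
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return False                  # malformed header line
        headers[name.strip().lower()] = value.strip()
    # Host is required by HTTP/1.1 and is what a proxy routes on.
    return b"host" in headers


# Constructed sample streams, both sent to TCP port 80.
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
NOT_HTTP = b"\x00\x01TUNNELED-PROTO\x00binary-handshake"  # arbitrary bytes


def compare(payload: bytes) -> dict:
    """Run the same port-80 payload through both decision points."""
    pkt = Packet("10.0.0.5", "192.0.2.10", "tcp", 80, payload)
    return {"filter": packet_filter_allows(pkt),
            "proxy": http_proxy_allows(payload)}


if __name__ == "__main__":
    print("well-formed HTTP:", compare(HTTP_REQUEST))
    print("non-HTTP on port 80:", compare(NOT_HTTP))
```

Both decision points accept the real HTTP request; only the proxy rejects the non-HTTP bytes on port 80, which is exactly the class of traffic a header-only filter cannot distinguish from web browsing. The cost is visible in the code: `http_proxy_allows` has to buffer and parse, while `packet_filter_allows` is a single table lookup.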



