Firewall Wizards mailing list archives

Re: Reactive Firewalls


From: tqbf () joshua enteract com
Date: Wed, 11 Feb 1998 16:16:55 -0600 (CST)

At Wed, 11 Feb 1998 10:09:31 -0600 Rick Smith wrote:

> Sidewinder is reactive only to the point of trying to collect additional
> information and send alerts to the site admin.

Point taken, so understand that I don't refer to Sidewinder when I say:

> These decisions are based on information collected from processes inside
> Sidewinder, and try to deduce when an outsider is doing something bad.

Careful there. Just because information was obtained from "within"
Sidewinder doesn't make it trusted. This is a common misconception people
have had prior to reading our paper with regards to WheelGroup's
NetRanger; people assume that, since it's wrapped up with a router (I
don't know the specific architecture of NetRanger WRT the BorderGuard 
it ties into), it's not a "passive monitor". From our perspective, 
traffic monitors are:

        Active if they are an active participant in the protocol 
        they're monitoring; i.e., a TCP proxy can be an active monitor,
        as it becomes a connection endpoint and thus "normalizes" 
        (excuse my hijacking of math terminology) packet flow to the
        actual destination, or, 

        Passive in almost any other case I can think of, including the
        case where packets are being analyzed inside of a router before
        being forwarded on.

The big difference here is that there are traffic analysis conclusions you
can come to when you're an active participant (for instance, the
reassembly of a series of IP fragments) that you cannot come to as a
passive monitor (without significant secondary sources of information).

Sidewinder is (from what I understand of it, and I'm sure you'll correct
me) an application gateway firewall built around proxies. If you obtain
traffic information from Sidewinder at the right level, you may have a
reliable basis to draw conclusions about the presence of attacks. 

However, if you watch packets using a packet capture device, or as they
pass through Sidewinder-OS's equivalent of ipintr(), your monitoring
components are passive with respect to the actual traffic.

How does this fit in with the posts we've seen regarding reactive
firewalls? When Aleph speaks about "reactive" firewalls, I assume he
refers to systems that are driven by some sort of attack detection system,
which dynamically reconfigure access control devices. WheelGroup NetRanger
is a perfect example of this, especially because people really do
configure NetRanger as a "dynamic reactive firewall".

If your reactive firewall works like NetRanger does, it's driving access
control devices off of traffic analysis results obtained from an
unreliable source (passive analysis). It's not just that you get false
positives by doing this --- an attacker can, with a bit of finesse, slip
past systems configured like this, and, without any skill whatsoever, can
force the system into blacklisting innocent addresses (hence Aleph's
"non-authenticated possible bogus data" comment). 

This takes us to:

> There could be a false alarm problem with this, but that's true of any
> security measure.

The false alarm problem is much more serious with "adaptive" security
systems, because mistaken false alarms can be leveraged by an attacker to
perform network-level denial of service attacks. The fact that the
false-positive problem is so obviously hard to defend against speaks to
the fact that "adaptive network security" is dangerous and immature.

You seem to agree with me on this anyways. I just wanted to clarify.

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                           "mmm... sacrilicious"
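As an added example that is not part of the original post: a small Python model of the fragment-reassembly point made above, showing why a passive monitor can only enumerate candidate reassemblies of overlapping fragments, while an endpoint (or a proxy that becomes the endpoint) produces one authoritative datagram. The byte-offset fragment model, the two policy names and the sample fragments are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """Simplified fragment: byte offset into the datagram plus payload.
    No IP header, MF flag or 8-byte offset units (constructed model)."""
    offset: int
    data: bytes


def reassemble(frags, policy):
    """Reassemble fragments in arrival order under an overlap policy.
    'first': bytes already placed are kept (favour-old behaviour).
    'last':  later fragments overwrite earlier bytes (favour-new)."""
    if policy not in ("first", "last"):
        raise ValueError("unknown policy: %r" % policy)
    buf = {}
    for frag in frags:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if not buf or set(buf) != set(range(max(buf) + 1)):
        raise ValueError("hole in reassembly; datagram incomplete")
    return bytes(buf[i] for i in range(len(buf)))


def passive_monitor_view(frags):
    """A passive monitor never learns which policy the destination host
    applies, so the most honest output is the set of candidate datagrams."""
    return {p: reassemble(frags, p) for p in ("first", "last")}


def is_ambiguous(frags):
    """True when the candidates disagree: any alert or access-control
    decision driven off this traffic would rest on a guess."""
    return len(set(passive_monitor_view(frags).values())) > 1


def active_endpoint_view(frags, host_policy):
    """A proxy that terminates the connection reassembles with its own
    policy; the single datagram it forwards is what the real destination
    sees, so there is nothing left to guess about."""
    return reassemble(frags, host_policy)


# Constructed sample: the second fragment overlaps bytes 5..9 of the first.
SAMPLE_FRAGS = [Fragment(0, b"USER guest\r\n"), Fragment(5, b"admin")]
```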
