Firewall Wizards mailing list archives

Re: Firewall RISKS

From: "Stephen P. Berry" <spb () meshuga incyte com>
Date: Sun, 06 Jun 1999 12:04:02 -0700

-----BEGIN PGP SIGNED MESSAGE-----


In message <Pine.GSO.4.02.9906041510010.24702-100000 () dimension net>, Lance Spit
zner writes:

On Thu, 3 Jun 1999, Stephen P. Berry wrote:

Firewalls are mechanisms for policy enforcement.  Auditing information
that comes out of them isn't necessarily useless, but there are 
many things which they will be intrinsically unable to tell you.  I.e.,
what traffic your firewall is passing that it shouldn't be.  An IDS
machine configured such that it sets off an alarm whenever it sees a
packet that should've been blocked by the firewall will almost invariably
give you more interesting information about actual intrusions than your
firewall logs will.

FW logs are just as valuable as IDS logs.  As most FWs deny everything,
except that which is expreselly allowed, the logs can show you what
vulnerabilities people are scanning for, information your IDS will
never see since the packets are blocked.


Well, the IDS sensor(s) -behind- the firewall(s) won't tell you about
(unsuccessful) scans (originating outside your internal network(s)).  That's
what your external IDS sensor(s) are for.

This information can be critical
in keeping current with latest exploits/tools.  I am not say FW logs
are more/less important then IDS logs, I am saying they share an equial
value.


Firewall logs are best, in my opinion, for offering corroborative
evidence alongside the logs generated by tools specifically designed
to look for things like scans (which firewall logging mechanisms
generally are not).

Just as your policy enforcement should rely as little as possible on
single points of failure, so should your policy auditing.

(for example) bind 8.2 .  You turn off all other services on the machines,
and you're using an OS you know how to harden.  You configure your border
router to drop all traffic directed at these two boxen that is not
directed at either port 25 or port 53 (respectively).
Explain where a firewall would be -essential- in such a setup.

Ahh, your router is the Firewall.  Most Firewalls deny traffic, your 
router is now denying traffic.  It does NOT matter what the 
platform/application is (ipchains on Linux, FW-1 on Solaris, 
ACL's on a router) you are now Firewalling.


While I think that in fact this does some violence to the general
usage of the term `firewall' in practise (if a vendor tried to sell
you, say, a Cisco 760 as a firewall, would you think that was
reasonable, or would you feel like the vendor was doing something
vaguely shady[1]?), for the sake of the arguement, I'll cheerfully
stipulate the point[2].  Assume your router...er, your -firewall-...has
no blocking rules whatsoever.

Given that the machines are configured in the manner in which I
described, demonstrate how a firewall (even using your definition[3])
would be -essential-.






- -Steve

- -----
1     Mod getting that feeling in general from firewall (and other
      IT security product) vendors.
2     As a side point, since many folks set their border routers up
      to do things like block (obviously) spoofed traffic, block
      source routed traffic and suchlike even if they have a dedicated
      firewall machine (i.e., something running a product like Gauntlet
      or Firewall1), would you feel comfortable describing this as
      a two firewall architecture?
3     Mind you, I am not denying that many firewall products are essentially
      just ornery routers for which you can easily obtain a compiler.  I
      just believe that `router with an ACL' isn't what is generally meant
      when the word `firewall' is used[4].
4     And you may make the case that this is just another reason why the
      word `firewall' shouldn't be used without explicit definition when
      used in technical discussions.




-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBN1rGHSrw2ePTkM9BAQE+QwP9FmUdjruOXarNaamKEV8jBdmCIr5TAuq+
Z8B8qSl/jSeovsLoZoc78LkWzsL1GgKrBL8FvgIxDEo9YChXpadG1arvyoRGY5j9
z1teyQBezQn1wKWyH1/RLv7UCnpDJViHkNSOIw7QUAllLN2KEr8xeicV/TmQSJH/
qah32fcapmk=
=d+Va
-----END PGP SIGNATURE-----

Current thread:

Re: Firewall RISKS, (continued)
- Re: Firewall RISKS Adam Shostack (Jun 03)
- Re: Firewall RISKS Andrew Gilbert (Jun 03)
- Re: Firewall RISKS MIKE SHAW (Jun 03)
  - Re: Firewall RISKS Stephen P. Berry (Jun 04)
    - Re: Firewall RISKS Lance Spitzner (Jun 04)
    - Transfering off-system firewall audit trails Steven W. Engle (Jun 14)
    - Re: Transfering off-system firewall audit trails Lance Spitzner (Jun 15)
    - Re: Transfering off-system firewall audit trails Christoph Schneeberger (Jun 16)
    - Re: Transfering off-system firewall audit trails Richard Rees (Jun 15)
    - eSafe Protect desktop experince Mark Lemmo (Jun 14)
    - Re: Firewall RISKS Stephen P. Berry (Jun 14)
  - Re: Firewall RISKS char sample (Jun 04)
- Re: Firewall RISKS ark (Jun 04)
- Re: Firewall RISKS MIKE SHAW (Jun 04)
  - Re: Firewall RISKS Stephen P. Berry (Jun 14)
- Re: Firewall RISKS Stephen P. Berry (Jun 14)
- Re: Firewall RISKS MIKE SHAW (Jun 14)
- Re: Firewall RISKS MIKE SHAW (Jun 15)
  - Re: Firewall RISKS Tim Kramer (Jun 16)
- Re: Firewall RISKS Stephen P. Berry (Jun 15)
- RE: Firewall RISKS kevin . sheldrake (Jun 16)

(Thread continues...)