Firewall Wizards mailing list archives
Re: Firewall RISKS
From: "Stephen P. Berry" <spb () meshuga incyte com>
Date: Fri, 04 Jun 1999 19:51:50 -0700
In message <s757b5fd.076 () sbscorp com>, "MIKE SHAW" writes:
> You keep mixing the argument over whether a firewall is necessary with whether a firewall should be misconfigured. Of course a misconfigured firewall is a bad thing, but the fact that you can misconfigure a firewall doesn't mean you don't get one. And now you assume that someone who can't properly configure a firewall can configure, monitor, and interpret an intrusion detection system?
No. I'm not talking about a misconfigured firewall.
>> Codswallop. Posit: You're setting up a network into which you wish to allow exactly two sorts of inbound traffic: SMTP and DNS. You configure two dedicated boxen, one to run (say) postfix and one to run (for example) bind 8.2. You turn off all other services on the machines, and you're using an OS you know how to harden. You configure your border router to drop all traffic directed at these two boxen that is not directed at either port 25 or port 53 (respectively). Explain where a firewall would be -essential- in such a setup.
> I can't. But your example is probably relevant in < .01% of the environments in the real world. Plop about 10 windows 95 boxes behind that perimeter with users chomping at the bit to run the latest Backorifice trojan screensaver and see how long your servers stay secure in that environment.
I wasn't talking about a misconfigured firewall, but you appear to be talking about a misconfigured infrastructure. In any case, even if you do insist on dropping ten toys onto the same segment as your SMTP/DNS/whatever servers, if you've set them up as I've described it doesn't really matter. If I'm not worried about exposing my DNS server to the world, why would I worry about exposing it to my internal network[1]? And if you're worried about Bad Things happening to your wintel Boxen and are expecting a firewall to prevent them, then you're already suffering from a GCE[2].
> I've actually seen a live hack demonstration that exploited a very similar situation, once a client windows NT box was compromised. In this example, the hacker was able to place a trojan that initiated a telnet session over port 53 from the client box. Once in, the hacker placed keyloggers in and was able to springboard off of this client into the host and do whatever he wanted. From there it would be very easy to compromise the routers involved given enough patience, and there goes the whole security structure.
You seem to be trying to fix an essentially braindead infrastructure with a firewall. If you've designed your quote security unquote architecture such that compromise of a single desktop is bankrollable into a compromise of the entire enterprise, you've got problems that firewalls aren't going to solve for you.
>> Not all complete and comprehensive security policies need include a firewall at all, much less one as a major part. In fact, in many instances such a policy would -preclude- the use of firewalls[-].
> Policies on their own can accomplish nothing. In the prior example, 50 memos about "not running executables from email" would not have prevented an end user devoted to seeing a cute cartoon every time their screen saver came on. ("just this once...it's from my friend....it's a trusted source....") In your own words: "Firewalls are mechanisms for policy enforcement". If you can't enforce a policy, what good is it?
Firewalls -are- mechanisms for policy enforcement. So is an 8" air gap. And login(1). And possibly thumbscrews, depending on your employer's attitude toward the lusers. Firewalls are not the -only- mechanisms for policy enforcement. Some policies (as I said before) cannot be enforced by firewalls and indeed some policies (functionally or explicitly) preclude the use of firewalls. In fact, in some lines of work -most- (sane) security policies preclude the use of firewalls. Don't get me wrong, I happen to think firewalls are just swell for some applications. But your assertion that a firewall is an essential (or rather `*essential*') part of any security infrastructure is just flat out wrong.
Note that I'm not advocating the notion that firewalls are not or cannot be part of a well-devised security policy---I think that would be just as specious as the line you're advocating.
> TCP/IP and the internet are based off designs that never had security in mind and are inherently insecure in their current form.
This is more or less true. And it is for this reason (among others) that a firewall is insufficient for some security applications.

-Steve

-----
[1] Mod some denial of service possibilities and suchlike.
[2] Gross Conceptual Error.
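The two-server border-router policy from the "Codswallop" passage above, and the later point that an inbound-only filter says nothing about a connection a compromised client opens outward on port 53, as an added example that is not part of the original message or thread; the addresses, host roles and the egress rule are constructed assumptions.

```python
"""Stateless border-router ACL for the thread's two-server setup.

Policy as described in the message: inbound traffic to the mail box may only
reach port 25, inbound traffic to the DNS box may only reach port 53, and
everything else aimed at those two hosts is dropped. Addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAIL = ip_address("192.0.2.25")       # constructed: the postfix box
DNS = ip_address("192.0.2.53")        # constructed: the bind box
INSIDE = ip_network("192.0.2.0/24")   # constructed: the segment behind the router

# (proto, destination, port) triples the router lets in from outside.
PERMIT_INBOUND = {("tcp", MAIL, 25), ("tcp", DNS, 53), ("udp", DNS, 53)}


@dataclass(frozen=True)
class Flow:
    src: str     # source address
    dst: str     # destination address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


def border_decision(f: Flow) -> str:
    """'permit' or 'drop' for one packet under the inbound-only ACL."""
    src, dst = ip_address(f.src), ip_address(f.dst)
    inbound = src not in INSIDE and dst in INSIDE
    if not inbound:
        # The ACL only constrains inbound packets: anything originating inside
        # (including a client dialling out on port 53) is never examined.
        return "permit"
    if dst not in (MAIL, DNS):
        return "drop"   # assumption: no other inside host is exposed inbound
    return "permit" if (f.proto, dst, f.dport) in PERMIT_INBOUND else "drop"


def egress_decision(f: Flow) -> str:
    """Added egress rule (assumption, not from the message): only the DNS box
    may open port-53 connections to the outside; other inside hosts are dropped.
    This is the check that would have caught the outbound port-53 telnet."""
    src, dst = ip_address(f.src), ip_address(f.dst)
    if src in INSIDE and dst not in INSIDE and f.dport == 53 and src != DNS:
        return "drop"
    return border_decision(f)
```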