Firewall Wizards mailing list archives

Firewall RISKS

From: Robert Graham <robert_david_graham () yahoo com>
Date: Tue, 1 Jun 1999 19:49:56 -0700 (PDT)

I just posted this e-mail to the RISKS list, but I thought I'd copy it
here, too. 
-------

In the past couple months, hundreds (if not thousands) of web sites
using Allaire's ColdFusion have been hacked (their web pages have been
defaced). When interviewed by the press, one site administrator said,
"We are installing a firewall so that this won't happen again".

However, firewalls do not protect against this particular hack.

Explanation: Firewall technology is based on "port filters". The
average web server has many ports open for a variety of reasons, but
needs only port 80 in order to serve web pages. However, ColdFusion
runs as part of the web server reachable at port 80. QED, placing a
firewall in front of web server provides no protection against the
ColdFusion hack.

Firewalls do not "prevent" hacks, as most people believe. They simply
reduce RISKS by reducing the number of ports or IP addresses that may
be exposed inadvertently on the Internet. The remaining ports (such as
e-mail, web, and FTP servers) can often be hacked.

In practice, firewalls probably increase RISKS overall. Consider a
study of Berlin taxi drivers who were given anti-lock breaks: the taxi
drivers started driving more aggressively, and had more accidents.
Therefore, the study concluded that anti-lock actually INCREASES RISKS.
What is really going on is that firewalls/ABS only decrease RISKS if
behavior is left unchanged, but the added security encourages RISKy
behavior. 

The ColdFusion bug was not really Allaire's fault -- the bug was in a
sample script that Allaire recommends be removed from a production web
server. Almost every web-site creation package like ColdFusion has the
same problem, including Microsoft's ASP scripting, FrontPage web
hosting, and sample CGI programs. Administrators feel safe behind
firewalls and do not diligently check their web servers for these
problems. For the most part, crackers who intend to deface web pages or
steal credit card information from web servers do not care about
firewalls that might protect the target servers.

Robert Graham
http://www.networkice.com/advice



_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

Current thread:

Firewall RISKS Robert Graham (Jun 03)
- Re: Firewall RISKS Paul D. Robertson (Jun 03)
- Re: Firewall RISKS Adam Shostack (Jun 03)
- <Possible follow-ups>
- Re: Firewall RISKS Andrew Gilbert (Jun 03)
- Re: Firewall RISKS MIKE SHAW (Jun 03)
  - Re: Firewall RISKS Stephen P. Berry (Jun 04)
    - Re: Firewall RISKS Lance Spitzner (Jun 04)
    - Transfering off-system firewall audit trails Steven W. Engle (Jun 14)
    - Re: Transfering off-system firewall audit trails Lance Spitzner (Jun 15)
    - Re: Transfering off-system firewall audit trails Christoph Schneeberger (Jun 16)
    - Re: Transfering off-system firewall audit trails Richard Rees (Jun 15)

(Thread continues...)