Firewall Wizards mailing list archives
Firewall RISKS
From: Robert Graham <robert_david_graham () yahoo com>
Date: Tue, 1 Jun 1999 19:49:56 -0700 (PDT)
I just posted this e-mail to the RISKS list, but I thought I'd copy it here, too.

-------

In the past couple months, hundreds (if not thousands) of web sites using Allaire's ColdFusion have been hacked (their web pages have been defaced). When interviewed by the press, one site administrator said, "We are installing a firewall so that this won't happen again". However, firewalls do not protect against this particular hack.

Explanation: Firewall technology is based on "port filters". The average web server has many ports open for a variety of reasons, but needs only port 80 in order to serve web pages. However, ColdFusion runs as part of the web server reachable at port 80. QED, placing a firewall in front of a web server provides no protection against the ColdFusion hack.

Firewalls do not "prevent" hacks, as most people believe. They simply reduce RISKS by reducing the number of ports or IP addresses that may be exposed inadvertently on the Internet. The remaining ports (such as e-mail, web, and FTP servers) can often be hacked.

In practice, firewalls probably increase RISKS overall. Consider a study of Berlin taxi drivers who were given anti-lock brakes: the taxi drivers started driving more aggressively, and had more accidents. Therefore, the study concluded that anti-lock actually INCREASES RISKS. What is really going on is that firewalls/ABS only decrease RISKS if behavior is left unchanged, but the added security encourages RISKy behavior.

The ColdFusion bug was not really Allaire's fault -- the bug was in a sample script that Allaire recommends be removed from a production web server. Almost every web-site creation package like ColdFusion has the same problem, including Microsoft's ASP scripting, FrontPage web hosting, and sample CGI programs. Administrators feel safe behind firewalls and do not diligently check their web servers for these problems.

For the most part, crackers who intend to deface web pages or steal credit card information from web servers do not care about firewalls that might protect the target servers.

Robert Graham
http://www.networkice.com/advice
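As an added example (not part of Robert Graham's post), the following Python check illustrates his point from the defender's side: a port filter passes every request on port 80, so whether sample scripts are still being reached has to be read from the web server's own access log. The log lines and the sample/demo directory names below are constructed placeholders, not the real locations of Allaire's or anyone else's sample code.

```python
import re

# Constructed Common Log Format lines standing in for a real access log.
# The sample-script paths are hypothetical, not any vendor's actual layout.
ACCESS_LOG = """\
10.0.0.5 - - [01/Jun/1999:19:49:56 -0700] "GET /index.html HTTP/1.0" 200 1043
10.0.0.7 - - [01/Jun/1999:19:50:12 -0700] "GET /samples/demo.cfm?name=test HTTP/1.0" 200 512
10.0.0.9 - - [01/Jun/1999:19:51:03 -0700] "POST /cgi-bin/example.cgi HTTP/1.0" 200 77
10.0.0.5 - - [01/Jun/1999:19:52:40 -0700] "GET /products/list.cfm HTTP/1.0" 200 2210
10.0.0.7 - - [01/Jun/1999:19:53:01 -0700] "GET /samples/demo.cfm?name=x HTTP/1.0" 404 0
"""

# Path-segment names that typically mark shipped sample/demo material (assumed list;
# extend it with the directories your own platform's documentation tells you to remove).
SAMPLE_NAMES = {"sample", "samples", "example", "examples", "demo", "demos"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def is_sample_path(path):
    """True if any path segment (file name without extension) is a sample/demo name."""
    for segment in path.lower().split("/"):
        if segment.split(".", 1)[0] in SAMPLE_NAMES:
            return True
    return False


def find_sample_script_hits(log_text):
    """Return requests that reached a sample/demo script and were served (2xx).

    Every one of these passed through a port filter that allows port 80; the only
    controls that catch them are this application-level view and removing the scripts.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_sample_path(rec["path"]) and 200 <= rec["status"] < 300:
            hits.append(rec)
    return hits
```

Run `find_sample_script_hits(ACCESS_LOG)` against the constructed log and two requests are flagged; the 404 is ignored because a script that is no longer there is the desired end state.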