Firewall Wizards mailing list archives
Re: Firewall RISKS
From: "Stephen P. Berry" <spb () meshuga incyte com>
Date: Thu, 03 Jun 1999 17:44:46 -0700
In message <s7566058.032 () sbscorp com>, "MIKE SHAW" writes:
> In addition, firewalls do extensive logging which aids in seeing an incoming hack before it occurs, as well as tracking down an intruder if someone does do a dirty deed. This is not an excuse to neglect patching applications, operating systems, or deleting default scripts. But to say that a firewall does not prevent hacks is misleading.
Without getting into the (what looks to be largely a semantic) argument about whether or not firewalls `prevent hacks', I'll suggest that if you're relying on your firewall for attack auditing, you're probably Wrong. Firewalls are mechanisms for policy enforcement. Auditing information that comes out of them isn't necessarily useless, but there are many things which they will be intrinsically unable to tell you. I.e., what traffic your firewall is passing that it shouldn't be. An IDS machine configured such that it sets off an alarm whenever it sees a packet that should've been blocked by the firewall will almost invariably give you more interesting information about actual intrusions than your firewall logs will.
> Good point at the end, but the analogy is critically flawed. A firewall is not an enhancement like ABS. It is an *essential* part of an overall security strategy.
Codswallop. Posit: You're setting up a network into which you wish to allow exactly two sorts of inbound traffic: SMTP and DNS. You configure two dedicated boxen, one to run (say) postfix and one to run (for example) bind 8.2. You turn off all other services on the machines, and you're using an OS you know how to harden. You configure your border router to drop all traffic directed at these two boxen that is not directed at either port 25 or port 53 (respectively). Explain where a firewall would be -essential- in such a setup.
> Your points about only reducing risk are valid, but this is true of any security measure. To degrade the necessity and importance of a firewall is not helpful to anyone trying to justify and implement a security plan. What would be better is to simply recommend a complete and comprehensive security policy, with a well configured firewall as a major part.
Not all complete and comprehensive security policies need include a firewall at all, much less one as a major part. In fact, in many instances such a policy would -preclude- the use of firewalls[1]. Note that I'm not advocating the notion that firewalls are not or cannot be part of a well-devised security policy---I think that would be just as specious as the line you're advocating.

-Steve

-----
1 Ever implemented a security infrastructure which contained (intentional) 8" air gaps? Firewalls are no substitute.
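
The IDS check the message describes (alarm on any packet the filter should have blocked), applied to the SMTP/DNS policy from its example. This is an added illustration, not part of the original post: the addresses, the tcp/udp split and the sensor record format are all assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed policy (documentation addresses; the tcp/udp split is an assumption).
PROTECTED_NET = ip_network("192.0.2.0/24")
POLICY = {
    "192.0.2.10": {("tcp", 25)},               # mail host
    "192.0.2.11": {("udp", 53), ("tcp", 53)},  # name server
}

# Constructed record format: "<time> <proto> <src>:<sport> > <dst>:<dport>"
RECORD = re.compile(r"^\S+ (tcp|udp) ([\d.]+):\d+ > ([\d.]+):(\d+)$")

def parse(line):
    """Return (proto, src_ip, dst_ip, dport), or None for a malformed record."""
    m = RECORD.match(line.strip())
    try:
        return (m[1], ip_address(m[2]), ip_address(m[3]), int(m[4])) if m else None
    except ValueError:  # e.g. an octet above 255
        return None

def violations(lines):
    """Return (line, reason) for each inbound packet the filter should have dropped."""
    alarms = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            alarms.append((line, "unparseable record"))
            continue
        proto, src, dst, dport = rec
        # Only inbound traffic is judged: outside source, protected destination.
        if src in PROTECTED_NET or dst not in PROTECTED_NET:
            continue
        allowed = POLICY.get(str(dst))
        if allowed is None:
            alarms.append((line, f"no inbound service is permitted to {dst}"))
        elif (proto, dport) not in allowed:
            alarms.append((line, f"{proto}/{dport} to {dst} is outside policy"))
    return alarms

# Constructed sample traffic, as seen by a sensor behind the border router.
SAMPLE = [
    "12:00:01 tcp 203.0.113.5:40211 > 192.0.2.10:25",    # permitted SMTP
    "12:00:02 udp 198.51.100.7:5353 > 192.0.2.11:53",    # permitted DNS
    "12:00:03 tcp 203.0.113.5:40212 > 192.0.2.10:22",    # should have been dropped
    "12:00:04 tcp 198.51.100.7:51000 > 192.0.2.11:25",   # SMTP to the wrong host
    "12:00:05 tcp 192.0.2.10:25 > 203.0.113.5:40211",    # outbound reply, ignored
    "12:00:06 udp 203.0.113.9:4000 > 192.0.2.50:161",    # host with no services
]
if __name__ == "__main__": print(*violations(SAMPLE), sep="\n")
```

Every alarm here is a packet that reached the inside despite the filter, which is information the filter's own log of dropped traffic cannot contain.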