Firewall Wizards mailing list archives

RE: mitigating the lack of a firewall


From: "Burden, James" <JBurden () caiso com>
Date: Wed, 23 Feb 2000 10:09:28 -0800

Sorry it has taken a week for me to reply to this, but I for one could not
believe I saw mjr's response...

IMHO, there are two pieces to this puzzle.  The first is the business side,
to determine the worth of the data or enterprise.  This must be weighed
against how much you can spend on security.  The business must determine
what type of risk it is willing to take in order to do business on the big
I.

The second part consists of security theory.  Defense-in-depth is always
greater than a single server.  A single server residing on its own is not a
security solution.  Other details and tools MUST be included, such as a
competent system admin who maintains the server, loads patches, reads the
logs, etc.  It does not matter if we are talking about NT or UNIX.  There
needs to be a security policy in place stating what is permitted or denied.
Next we need tools to trouble-shoot whatever may happen, such as sniffers
and people who can use them.

As for the lack of a firewall when the server itself is as strong as a
firewall: I do believe this to be true (unless there was only one server
supporting a Mom & Pop organization...).  If you have several servers within
this DMZ, then you basically have multiple doors to guard against an attack.
Consider the analogy of the 1400-1600s, where you have a keep with one
door that is barred and defended, possibly surrounded by a castle,
surrounded by the local farms and a small wall, etc.  This is
defense-in-depth.  However, whenever possible the defense tries to limit
the egress points to one.  The fewer places to defend, the more
concentration you can hold.  If you try to hold a huge perimeter, you will
probably fail.

In the security realm, we usually use ACLs on our perimeter.  Perhaps a
sniffer or IDS system on our uplink to the ISP.  Then a firewall that we can
monitor.  Perhaps another NIDS system on the inside to tell if there are any
security policies that were broken.  Then, you must rely on your host based
IDS, system monitoring and the System Admin for each of the servers.  There
are still more tools that can be used on the server.  Tripwire, ESM,
vulnerability scanners, etc. should be used.  I do not think this is a
totally exhaustive list (as training comes to mind).

The bottom line is that I do not think anyone could say that they have a
server standing all by itself and that they have done due diligence to their
employer.  There are many other questions that must be answered.

Jim


-----Original Message-----
From: Aaron D. Turner [mailto:aturner () vicinity com]
Sent: Monday, February 14, 2000 3:22 PM
To: Bruce H. Nearon
Cc: firewall-wizards () nfr net
Subject: Re: mitigating the lack of a firewall
Well that depends.  Is the site 100% static?  If it has CGIs or ASP
scripts, those might be exploitable.  Does it need to talk to/run a
SQL server, DNS server, etc.?  Again, potential exploits.  What kind of
DoS attacks?  Some DoS attacks run very CPU-expensive queries which
will make your server unresponsive, while others are network based.
A firewall isn't likely to stop people from hammering your site, but
it can help stop SYN attacks.

The reality is that a server protected by a firewall is more secure
than one not protected.  However, a firewall isn't the silver bullet
that stops all attacks.  Whether you need a firewall is dependent on
the kind of site, the company, and the purpose.

--
Aaron Turner        aturner () vicinity com  650.237.0300 x252
Security Engineer                         Vicinity Corp.
Cell: 408-314-9874  Pager: 650-317-1821   http://www.vicinity.com

On Sat, 12 Feb 2000, Bruce H. Nearon wrote:

Suppose an Internet site does not have a firewall.  Can a securely
configured IIS 4.0 server running under securely configured NT 4.0
protect the site from unauthorized access and denial of service attacks?

Bruce Nearon, CPA
The Cohn Consulting Group
Roseland, New Jersey