Firewall Wizards mailing list archives

Default routes: Good or bad? (WAS: Checkpoint for internet access )


From: Ben Nagy <bnagy () sa volante com au>
Date: Mon, 23 Oct 2000 09:45:31 +0930

-----Original Message-----
From: Andrew J Bernoth/Boulder/IBM [mailto:bernoth () us ibm com]
Sent: Saturday, 21 October 2000 7:11 AM
To: Zarcone, Christopher
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Checkpoint for internet access

[snip]

With a proxy or socks server a secure network can have a default route to a
bit bucket, which means if someone's application doesn't know how to use
the proxy or socks services then it's not going anywhere. [...]

However, I think it still comes back to: any application that can now direct
itself to the nearest internet firewall has a good chance of getting out.
A quick glance on google.com shows me just under 6000 articles on "port 80
hacks". Sure, some of these will probably be proxy/socks aware and can
figure out the best place to send my packet to from my browser config
file, but then some might not be that smart.

I'm really unconvinced that you're protecting yourself from anything here.
If someone is clueful enough to even conceptualise tunneling over HTTP they
will be able to check the "use proxy" box in the tool.

Surely if I don't have a default route to the network I am at least
protecting myself from the "not so smart" hack?

The only real problem I have with your approach is that you require the
clients or the apps to be socks / proxy aware. If the client is SOCKS aware
then it will attempt to use it for any connection - so this buys you nothing
over having a default route and we may as well not discuss it.

Therefore your only security margin is where you can restrict your users to
apps that are proxy-aware (and proxy-able). That's probably not many
commercial or academic networks. 

Remember that you can use transparent proxy firewalls to provide you with
almost the same effect - but using a default gateway. That releases you from
the need to use apps that are explicitly proxy aware and you can still turn
apps on and off at the proxy level. I would argue that the security of such
a network is as great as the no-gw model and that there is much more
flexibility.

All in all, I would personally resign myself to the fact that firewalls
aren't meant to keep people _in_ and that most attempts to use them to do so
are doomed to failure. A default route on each desktop doesn't seem so bad
to me. You can always (and should - especially for M$ networks) apply egress
filters to block stuff you know shouldn't be leaving. I agree that it lacks
the elegance of a null or nonexistent route, but it's effective in some
instances.


Regards,
Andrew J Bernoth
bernoth () us ibm com
"The views expressed above are my own and do not necessarily reflect those
of IBM"

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
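The "default route on each desktop plus egress filters at the perimeter" model Ben describes, as an added example that is not part of the thread: a script that generates an iptables-restore ruleset in which only the proxy and the internal resolver may leave the LAN, so a desktop that simply follows its default route past the proxy is logged and dropped. The LAN prefix, proxy address and resolver address are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an egress-filter ruleset for
# the perimeter firewall in the "default route on every desktop" model.
# Assumed (constructed) addresses: internal LAN 10.0.0.0/8, HTTP proxy at
# 10.0.0.10, internal DNS resolver at 10.0.0.53. Override via environment.

LAN_NET="${LAN_NET:-10.0.0.0/8}"
PROXY_IP="${PROXY_IP:-10.0.0.10}"
DNS_IP="${DNS_IP:-10.0.0.53}"

# Emit an iptables-restore ruleset for the FORWARD chain: replies to
# established flows pass, the proxy may reach the internet on 80/443,
# the resolver may send DNS, LAN-to-LAN traffic passes, and everything else
# leaving the LAN is logged and dropped. Desktops therefore keep their
# default gateway but can only get out through the proxy.
gen_egress_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $PROXY_IP -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -s $DNS_IP -p udp --dport 53 -j ACCEPT
-A FORWARD -s $DNS_IP -p tcp --dport 53 -j ACCEPT
-A FORWARD -s $LAN_NET -d $LAN_NET -j ACCEPT
-A FORWARD -s $LAN_NET -j LOG --log-prefix "EGRESS-DROP: "
-A FORWARD -s $LAN_NET -j DROP
COMMIT
EOF
}

# Policy check: number of ACCEPT rules that let a specific source host out.
# The proxy and resolver get explicit ACCEPTs; an ordinary desktop (e.g. the
# constructed address 10.0.1.25) matches none, so it falls through to DROP.
egress_allowed_for() {
    gen_egress_rules | grep -c -- "-s $1 .*-j ACCEPT" || true
}

# On the firewall, as root:  gen_egress_rules | iptables-restore
# The logged EGRESS-DROP lines are where proxy-unaware tools show up.
```

The LOG rule is what turns the design into a detection point: any desktop process that ignores the proxy settings and tries its default route appears in the firewall log with its source address.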

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards