Firewall Wizards mailing list archives

Re: Protecting publicly reachable servers (e.g. HTTP)?


From: "Steven M. Bellovin" <smb () research att com>
Date: Sat, 24 Nov 2001 12:49:21 -0500

In message <200111221328.fAMDSNE49768 () hugo10 ka punkt de>, "Patrick M. Hausen" 
writes:
> Dear fellow wizards,
>
> Yesterday we got into a small internal argument about
> whether protecting publicly reachable servers with
> currently available firewall products makes any sense
> or not.
>
> A large corporation asked for an offer for "housing" of
> a web and database server including hardware and software
> for the server itself and "firewall protection".
> The server is supposed to offer content to the public via
> HTTP.
>
> My reasoning has always been that - given the state of
> firewall products today - a static packet filter that
> blocks all but port 80 would be the most appropriate
> solution to offer some sort of protection to the server
> machine.
>
> ...
>
>
> So basically, I have two questions to you all:
>
> 1. Do you agree with me wrt the firewall vs. packet filter topic?
>   What's the intention of all these companies offering more complicated
>   setups? Besides making money at the job, of course. I don't imply
>   they are consciously trying to sell a big unnecessary something.
>   They rather do think they sell something "good", IMHO.
>   So, what's the point?

You're almost certainly correct.  The only question is what other ports 
on the Web server "need" to be available -- say, for RPC on Solaris or 
Win2K, or for administrative access to the machine, perhaps to update 
content.  My vote is almost always for a packet filter in such a 
situation.


> 2. In the last couple of years a new type of device coined "layer 4 switch"
>   appeared and these things seem to have reached a certain level of
>   maturity and market penetration. I'm talking about load balancing
>   devices like e.g. Big IP.
>
>   Since these things actually look inside the HTTP requests to provide
>   (at least they claim to provide) session and cookie persistence and
>   similar stuff when distributing the requests to a farm of servers
>   - what do you think these boxes add to the security of the web
>   servers they "load balance"? Some claim to protect against certain
>   types of DoS attacks, too.

If they're designed to filter URLs and the like, they might help.  On 
the other hand, there's absolutely no reason that they themselves 
couldn't be vulnerable to, say, buffer overflows.  The more complex a 
device is, the more it's at risk, and that applies to hosts, firewalls, 
or load balancers.  The purpose of a firewall is to keep the bad guys 
away from buggy (or otherwise insecure, but generally buggy) software; 
if the firewall or other front-end is itself buggy -- well, you can 
finish the sentence by yourself.

                --Steve Bellovin, http://www.research.att.com/~smb
                Full text of "Firewalls" book now at http://www.wilyhacker.com
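The "static packet filter that blocks all but port 80" discussed above, worked through as an added example (not code from either poster). It models a first-match, default-deny ruleset in front of the web server: anyone may open TCP/80, administrative SSH is allowed only from one management host, and everything else (RPC included) is dropped. Because the filter is stateless, the server's reply packets need their own rule; the classic way to let replies out without letting the server originate connections from port 80 is to require the TCP ACK bit on outbound packets, which is what the ruleset does. The addresses (192.0.2.10 for the web server, 198.51.100.5 for the admin host, 203.0.113.7 for a client) and the sample packets are constructed for illustration.

```python
"""Stateless (static) packet filter, evaluated first-match with default deny.

Added example, not part of the original thread. Addresses are assumed values
from the RFC 5737 documentation ranges; the traffic below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

WEB_SERVER = ip_network("192.0.2.10/32")    # assumed: the hosted web server
ADMIN_HOST = ip_network("198.51.100.5/32")  # assumed: the management host
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag; clear only on a connection's first SYN


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port
    sport: Optional[int] = None     # None matches any source port
    ack: Optional[bool] = None      # None: do not inspect the ACK bit

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.sport is None or self.sport == p.sport)
                and (self.ack is None or self.ack == p.ack))


# Border ruleset in front of the web server. First match wins.
RULESET = [
    # Inbound: anyone may open a connection to TCP/80 on the server.
    Rule("allow", ANY, WEB_SERVER, "tcp", dport=80),
    # Outbound: replies from the server's port 80. ACK must be set, so the
    # server cannot be used to originate new connections from port 80.
    Rule("allow", WEB_SERVER, ANY, "tcp", sport=80, ack=True),
    # Administrative access: SSH from the management host only, plus replies.
    Rule("allow", ADMIN_HOST, WEB_SERVER, "tcp", dport=22),
    Rule("allow", WEB_SERVER, ADMIN_HOST, "tcp", sport=22, ack=True),
    # Everything else, RPC and other "needed" ports included, is dropped.
    Rule("deny", ANY, ANY),
]


def decide(p: Packet, rules=RULESET) -> str:
    """Return the action of the first matching rule, or deny by default."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Constructed traffic, not captured data.
SAMPLE = {
    "web_syn":           Packet("203.0.113.7", "192.0.2.10", "tcp", 51000, 80),
    "web_reply":         Packet("192.0.2.10", "203.0.113.7", "tcp", 80, 51000, ack=True),
    "rpc_probe":         Packet("203.0.113.7", "192.0.2.10", "tcp", 51001, 111),
    "ssh_from_admin":    Packet("198.51.100.5", "192.0.2.10", "tcp", 52000, 22),
    "ssh_from_internet": Packet("203.0.113.7", "192.0.2.10", "tcp", 52001, 22),
    # A SYN (no ACK) leaving the server with source port 80: an attempt to
    # use port 80 as a tunnel out, which the ACK-bit rule refuses.
    "server_syn_from_80": Packet("192.0.2.10", "203.0.113.7", "tcp", 80, 25),
}


def evaluate_samples(rules=RULESET) -> dict:
    """Apply the ruleset to every sample packet and return name -> action."""
    return {name: decide(p, rules) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, action in evaluate_samples().items():
        print(f"{name:20s} {action}")
```

The point of the ACK-bit rule is the one a stateless filter forces on you: without it you either block the server's own replies or open every outbound packet from port 80, and the latter lets a compromised server make outbound connections that look like web traffic. A stateful filter tracks the connection instead, at the cost of more code in the box, which is exactly the complexity trade-off the reply above describes.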


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
