Firewall Wizards mailing list archives

Re: Re: Firewalls breaking stuff: [Was re: fwtk]


From: "Charles W. Swiger" <chuck () codefab com>
Date: Mon, 22 Jul 2002 12:41:30 -0400

On Saturday, July 20, 2002, at 10:31  AM, Marcus J. Ranum wrote:
I'll agree that OpenSSL almost certainly has bugs.  There are some other
alternatives, such as getting a hardware crypto-accelerator card or box, and
using that to perform SSL.

Ah, you've fallen for the first fallacy of the appliance!!
"It's hardware" - uh, no - it's probably a PC running *BSD inside,
and it's running software - possibly OpenSSL or Bsafe (which has also
had security holes)...

Most of the firewalls sold today are "hardware" running some "software", too. Some of them are nothing more than a PC running *BSD and a web-based firewall management app. Let's say the SSL device is internal: on a PCI card, or connected via the SCSI bus. Even if the device is vulnerable, how is an attacker going to get to it?

[ Short of compromising and going through the HTTPS server machine, that is. ]

SSL accelerators are _performance_ tools not security tools.

I'd agree with this.

But that doesn't mean an SSL cryptoaccelerator box is inherently more vulnerable to compromise than any other network appliance. For instance, has anyone else had to update the firmware on their network switches for the SNMP vulnerability?

- So we started with you challenging the wisdom of implementing
        only a subset of SMTP

We started with a criticism of security vendors who release software which doesn't implement protocols correctly. One example was Cisco's MailGuard breaking SMTP, yes.

- And I responded that that was a good thing because it let us
        leave a bunch of complexity out of the picture

I haven't seen a real-world example why the munging of the SMTP protocol that Cisco's MailGuard performs is beneficial. A reductionist approach is great for security, but there comes a point where the additional security gained doesn't justify the tradeoff in terms of cost, missing functionality, etc.

- And you responded that we should get EVEN MORE COMPLEX by adding
        mystical unauditable devices to the configuration because...?
        it's better than just implementing a subset of SMTP?

Are the mystical unauditable devices sold by some security vendors better?
How could I audit the VPN solution you mention below?

Cryptoswift is one vendor I'm familiar with in that area.
Besides-- is there a better alternative than SSL, given the requirement above?

Well, the original question was the wisdom of implementing a
subset of SMTP on a secure gateway. I think that's still the
best option. Now, if the next question is providing secure
access to Email I'd say a VPN would work well for that,
since there's a high likelihood that the customer will have
other types of access they want to provide than just email, no?

People tend to want VPNs between branch offices or permanent home offices because they do take some effort to configure. People don't tend to want VPNs when going to a trade show, or reading their mail from a client site, or from some other transient location.

-Chuck

Chuck Swiger | chuck () codefab com | All your packets are belong to us.
-------------+-------------------+-----------------------------------
       "The human race's favorite method for being in control of the facts
        is to ignore them."  -Celia Green
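As an added illustration of the "subset of SMTP on a secure gateway" that the thread argues over, here is the decision logic of a reductionist SMTP relay. This is example code written for this archive page, not code from the post, from fwtk/smap, or from Cisco's MailGuard; the verb set, the EHLO-to-HELO downgrade, the rejection of ESMTP parameters, and the reply codes are assumptions chosen to show both sides of the trade-off (VRFY/EXPN never reach the mail server, but neither do SIZE, 8BITMIME or STARTTLS). The sample transcript at the bottom is constructed.

```python
import re

# Verbs the gateway relays to the real mail server; everything else is
# answered by the gateway itself. (Assumption for this example, not the
# verb list of any particular product.)
ALLOWED_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# SMTP verbs are four letters; longer tokens such as STARTTLS fail this
# regex and are treated as syntax errors.
_CMD = re.compile(r"^([A-Za-z]{4})(?:[ \t]+(.*?))?[ \t]*$")

# Only the bare RFC 821 reverse/forward path form is accepted. Anything
# after the closing ">" (ESMTP parameters such as SIZE=... or
# BODY=8BITMIME) makes the match fail. MAIL FROM:<> (null sender) is legal.
_PATH = {
    "MAIL": re.compile(r"(?i)^FROM:<[^<>\s]*>$"),
    "RCPT": re.compile(r"(?i)^TO:<[^<>\s]+>$"),
}


def filter_command(line):
    """Decide what the gateway does with one client command line.

    Returns ("forward", line_sent_to_backend) or ("reject", reply_to_client).
    """
    m = _CMD.match(line)
    if not m:
        return ("reject", "500 5.5.2 Syntax error, command unrecognized")
    verb, arg = m.group(1).upper(), m.group(2) or ""
    if verb == "EHLO":
        # Downgrade to plain SMTP: the backend then advertises no
        # extensions at all. This is the functionality cost of the approach.
        verb = "HELO"
    if verb not in ALLOWED_VERBS:
        # VRFY/EXPN (account enumeration), TURN/ETRN (relay control), HELP,
        # AUTH and anything unknown are answered here, never relayed.
        return ("reject", "502 5.5.1 Command not implemented")
    if verb == "HELO" and not arg:
        return ("reject", "501 5.5.4 Syntax error in parameters or arguments")
    if verb in _PATH and not _PATH[verb].match(arg):
        return ("reject", "501 5.5.4 Syntax error in parameters or arguments")
    return ("forward", f"{verb} {arg}" if arg else verb)


def filter_session(client_lines):
    """Run a whole client-side transcript through the gateway.

    Returns a list of (client_line, action, text). Between DATA and the
    terminating "." the gateway must be transparent: message body lines are
    relayed untouched, because applying the verb filter to them would
    corrupt mail. (This assumes the backend answered DATA with 354; no real
    backend is modelled here.)
    """
    out = []
    in_data = False
    for line in client_lines:
        if in_data:
            out.append((line, "forward", line))
            if line == ".":
                in_data = False
            continue
        action, text = filter_command(line)
        out.append((line, action, text))
        if action == "forward" and text == "DATA":
            in_data = True
    return out


if __name__ == "__main__":
    # Constructed sample session: an ESMTP client that also tries VRFY.
    transcript = [
        "EHLO client.example",
        "MAIL FROM:<alice@client.example> SIZE=1200",
        "MAIL FROM:<alice@client.example>",
        "RCPT TO:<bob@server.example>",
        "DATA",
        "VRFY bob",          # body line: relayed as-is
        ".",
        "VRFY bob",          # command again: refused
        "QUIT",
    ]
    for client_line, action, text in filter_session(transcript):
        print(f"{client_line!r:45} -> {action}: {text}")
```

The two VRFY lines in the sample are the point of the DATA-state handling: identical bytes, one forwarded and one refused, depending only on where in the session they appear. A gateway that skipped that state tracking would either leak VRFY through or mangle message bodies, which is the kind of "breaking stuff" the thread complains about.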

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

