Firewall Wizards mailing list archives
Re: Defense in Depth to the Desktop
From: Chris Pugrud <cpugrud () yahoo com>
Date: Mon, 13 Dec 2004 12:16:11 -0800 (PST)
[apologizing in advance because the coffee has finally kicked in and I may have been a little more flippant than appropriate]

--- "Paul D. Robertson" <paul () compuwar net> wrote:

> Coming late to the party...

Then the party has just begun...

> I don't think I'd characterize it as large amounts, most organizations have paid lip service to perimeter defenses, buying what they felt they had to, but never putting real effort into configuring it, keeping it up to date, or validating it over time.
>
> > This is the classic "eggshell" weakness of network security, hard and crunchy on the outside, soft and chewy on the inside.
> >
> > The Strong Internal Network Defense
>
> I don't think I'd use eggshell to denote hard ;)

But I would. It's relatively hard compared to what's inside, but, as you note above, it's not actively reinforced, tested, or updated, so it's probably pretty weak on an absolute scale. I recently performed an assessment for a customer that began with them bragging about how tight their firewall ruleset was. After the assessment I complimented the "tightness" of the ruleset but noted that all of their "DMZ" servers were dual-homed. One interface on the Internet, one on the inside, completely bypassing the firewall.
> I've only ever seen internal firewalls implemented at extremely large organizations. Making it a routed network helps some with the MS stuff, but it's so uncommon to see internal routing in small companies who don't have the admin resources to not be totally killed by a big malware event.

I prefer to work with organizations in the 100-300 size. They usually have limited internal routing and some decent hardware (depending on position in the Hype/Budget/Funding scale). I was just searching for something that is a bit easier to explain and apply to the people that write the checks and is more effective than sacrificing rubber chickens at dawn (err, I mean nifty do buzzword compliant gimmick of the week).

> Unless, for instance, your administrators are remote, and they need to have access to the client's registry from a server they remote into...

There are accommodations for this scenario when you get to the analysis. I only presented the 2 cell compartment model for illustrative purposes. I guess you still get what you pay for.
> > In addition to the firewall, the client systems are fully isolated from each other by layer 2 controls (private vlans). The servers may be similarly isolated, but doing so is minimally effective and damaging to server to server communications.
>
> Why not just turn off automatic ARP on the clients and statically ARP them to the router? (Hmmm, can you do that in Windows?)

You can do something "security" useful in Windows? It is much easier, direct, and simple to do it in the switch where I can do it once and I know it will continue to work as programmed despite MS patch o' the day.

> > Consider the introduction of a zero day worm virus [*2] into such a network by an infected client. The client can attack all of the servers, and all of the servers may become infected. The infected client can not attack any of the other clients because of the layer 2 isolation. The infected servers cannot attack any of the clients because of the firewall. The end result is that one client and the servers, a small subset of the organization, are infected. This is much less devastating, and much easier to clean up, than if the entire network was infected.
>
> Not if the worm is especially destructive, infect the servers and you've killed the business if the critical business resources are on the servers.

Sure, the business is down, but only the servers have to be cleaned up, not X thousand client systems. I've seen (ok, heard it) it happen too many times where organizations had to send the entire workforce home so they could methodically work through the building disinfecting and patching every single end user system in the entire organization. I'd much rather have limited functionality and only have to clean up 20-120 servers.

> > [*2] The infamous zero day worm virus is invoked as a worst case analysis because it invalidates anti-virus and patch defense mechanisms. Since worms are increasingly targeting necessary network ports, personal firewalls are also equally invalidated as a defense mechanism. Marcus can gleefully dance on their graves.
>
> I'm not sure this assumption carries fully- personal firewalls generally allow per-process outbound traffic blessing- so the worm would have to hook a service that's allowed to communicate outbound- while that's been done, it's certainly still true that personal firewalls are useful in limiting the damage from most "downloaded and clicked" stuff, which is where a good chunk of the risk exists. The rest of the risk is the laptop that just walked in hibernated and infected, and the VPN user- heck, quarantining the laptops for 90 mins when they first come in would probably do about as well as anything...

How many hundred times a day is a user going to "click" to access the organizational file server, email server, and porn (err proxy) server before they just enable some dangerously broad default allows? I recognize some value for personal firewalls, but I think that using personal firewalls, especially on deskbound organizational systems, puts us on the wrong side of the tail chasing treadmill. You are talking about a lot of money and management and application management and helpdesk headaches that could be much more easily and cheaply and sanely managed at the core router/firewall/rubber chicken substitute.
> > Analysis
> >
> > The primary design of the model is to focus security resources on the servers. No organization can reasonably maintain strict control over client systems, but they do have absolute control over making sure that servers are currently
>
> Were it that easy- I've seen plenty of "we can't update that server because $critical application will fail."

Sure, that's a risk that's easier to accept, to know that one system will be vulnerable and you can focus your energy on getting that one system updated and protected. That's a bit more difficult to do if your attention is "focused" on a few thousand desktops in various states of patch/AV/user disfigurement.

> You could probably get about the same level of protection by assigning /32 addresses to the clients and only giving them a route to the router- no need to tax the switches with newfangled-VPN-foo at all. You still get some broadcast stuff, and you don't want gratuitous ARP on, but I bet it'd have about the same effect. You could then add interface routes to the local host for those you wanted to interconnect at the local admin level.

Because this newfangled-VPN-foo (well, it's only a few years old (supported in Cisco switches at a minimum)) does that much easier and less messily than hyper-subnetting (/30 clients with router) or anything else I've seen. I'm in the process of prepping a post about layer 2 isolation (aka private vlans) that does a much better job of articulating their virtues and uses than my previous attempt.

> > Application protocols that are broken are peer to peer systems and any kind of desktop file sharing. This is strongly viewed as a good thing in most organizations. If I was an attacker going after juicy data the first place I
>
> Shared stuff is becoming popular inside, like Netmeeting- I'm not sure this is a good long-term strategy (I'm not sure it's not a great one too.)

Better to just cut it off at the knees before the lusers get used to it. Seriously. The only way I maintain my sanity is the regular howls of laughter administered by user "requests" to do some thing asinine that is clearly not an actual business objective. Now when legitimized (not necessarily legitimate) business objectives elicit howls it is clearly time to polish the resume.

Chris
--
apologizing in advance because the coffee has finally kicked in and I may have been a little more flippant than appropriate

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
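The worm scenario in the two-cell compartment model, and the remote-admin exception Paul raises, can be checked with a small blast-radius calculation. The following Python is an added example, not code from the thread or from either poster: it encodes the four role-to-role rules described in the post (clients isolated from each other at layer 2, firewall allowing client to server only, servers free to talk to each other), spreads a worst-case worm along every permitted edge, and then punches one hole for a hypothetical jump server that is allowed to reach clients. The inventory, host names, and the "server1" jump-server exception are constructed assumptions.

```python
"""Blast-radius model for the two-cell compartment network debated above.

Hosts are labelled "client" or "server".  A policy decides whether a host may
open a connection to another host.  The worm is modelled the way the post
models it: worst case, spreading along every permitted path, with AV, patches
and personal firewalls assumed ineffective.  The inventory is constructed.
"""
from collections import deque
from typing import Callable, Dict, Set

# (src_name, src_role, dst_name, dst_role) -> may src connect to dst?
Policy = Callable[[str, str, str, str], bool]


def flat_policy(src: str, src_role: str, dst: str, dst_role: str) -> bool:
    """Flat network: every host can reach every other host."""
    return True


# Two-cell model from the post: private VLANs keep clients apart, the firewall
# lets clients reach servers but not the reverse, servers talk to each other.
COMPARTMENT_RULES = {
    ("client", "server"): True,   # through the firewall
    ("client", "client"): False,  # layer 2 isolation (private VLAN)
    ("server", "client"): False,  # firewall blocks server -> client
    ("server", "server"): True,   # servers are not isolated from each other
}


def compartment_policy(src: str, src_role: str, dst: str, dst_role: str) -> bool:
    """Look up the role pair in the two-cell rule table."""
    return COMPARTMENT_RULES[(src_role, dst_role)]


def with_exception(base: Policy, src_name: str, allowed_dst_role: str) -> Policy:
    """Base policy plus one hole: src_name may reach every host of
    allowed_dst_role.  Models the remote-admin case raised in the reply,
    assumed here as a single jump server permitted to reach clients."""
    def policy(src: str, src_role: str, dst: str, dst_role: str) -> bool:
        return base(src, src_role, dst, dst_role) or (
            src == src_name and dst_role == allowed_dst_role)
    return policy


def build_network(n_clients: int, n_servers: int) -> Dict[str, str]:
    """Constructed sample inventory: host name -> role."""
    hosts = {f"client{i}": "client" for i in range(1, n_clients + 1)}
    hosts.update({f"server{i}": "server" for i in range(1, n_servers + 1)})
    return hosts


def infected_set(hosts: Dict[str, str], policy: Policy, patient_zero: str) -> Set[str]:
    """Breadth-first spread from patient_zero along every permitted edge."""
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        for dst, dst_role in hosts.items():
            if dst not in infected and policy(src, hosts[src], dst, dst_role):
                infected.add(dst)
                queue.append(dst)
    return infected


def blast_radius(hosts: Dict[str, str], policy: Policy, patient_zero: str) -> float:
    """Fraction of the estate reachable by the worm from patient_zero."""
    return len(infected_set(hosts, policy, patient_zero)) / len(hosts)


if __name__ == "__main__":
    net = build_network(n_clients=1000, n_servers=50)
    scenarios = [
        ("flat network", flat_policy),
        ("two-cell compartment", compartment_policy),
        ("two-cell + server1 -> clients hole",
         with_exception(compartment_policy, "server1", "client")),
    ]
    for name, pol in scenarios:
        print(f"{name:38s} infected from client1: {blast_radius(net, pol, 'client1'):6.1%}")
```

Run stand-alone it prints the three fractions for a 1000-client, 50-server estate: the flat network loses everything, the two-cell model loses one client plus the servers, and the single server-to-client hole brings the result back to the whole estate, because the worm reaches the jump server via the permitted client-to-server path and walks out again. That is the quantitative version of the "accommodations" question: any exception granted to a server toward clients has to be scoped to the specific hosts and ports it needs, or the compartment collapses.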