Firewall Wizards mailing list archives
Re: A fun smackdown...
From: Chuck Swiger <chuck () codefab com>
Date: Thu, 19 May 2005 16:43:21 -0400
On May 19, 2005, at 3:11 PM, Paul D. Robertson wrote:
On Thu, 19 May 2005, Chuck Swiger wrote:On May 19, 2005, at 9:04 AM, Paul D. Robertson wrote:On Tue, 17 May 2005, Martin wrote:"Be liberal in what you accept; be strict in what you send."_All_ effective security controls break that tenet. The more liberal your controls, the more risk you assume.There is more to an effective security control than only denying stuff!No, there isn't in terms of the mitigation of risk. Anything else isn'tabout the security properties of the control, but about its operational effectiveness. _What_ you deny, _how_ well it's implemented, and whereyou deny it is in fact the essence of security. From guards with guns to firewalls to anti-virus, default deny or default except- either one works
^^^^^^
by blocking stuff (what you know is bad, or what you don't know is acceptable.)
"default accept", you mean? Sure, there are two general approaches: "deny all, and then have a list of stuff to permit", or "permit all, and then try to deny stuff known to be bad".
The former approach is a lot more likely to result in a secure system, but both approaches do more than just deny everything: what you accept, how well it's implemented, and where you accept stuff [to paraphase] is also the essence of security.
Choosing to provide remote shell access via SSH is better than using Telnet or a VPN. Choosing to provide POP or IMAP via SSL is better than choosing to provide remote mail access via plaintext with passwords passed in the clear. If you can live without either, by all means, forbid remote access.
I think you're over-valuing the utility of "deep protocol inspection",Um, what the heck does "deep protocol inspection" have to do with the fact that security controls are a denial technology? Where exactly did I sayanything about deep protocol inspection?
You are disagreeing with a design principle from the RFC's which discusses how to create robust software protocols. One could provide other examples.
Paul, and you seem to be ignoring the risks of denying legitimate connections which should have been permitted.No, again- Security works by denying things. That's got nothing to dowith falsely denying things, and everything to do with accepting risk. If I deny everything, my risk is lower than if I deny 90% of everything- butin either case, the security factor is about denying.
Paul, why *don't* people run their firewalls with a single "deny all" rule?
An effective security measure needs to implement the security policy. It needs to permit the types of access that legitimate users are allowed to have, for the system-- meaning the network, the firewall, and the server(s) or other equipment being used-- to work correctly.That doesn't change the fact that it all works by denying things, not byliberally accepting just anything that might come over the wire.
I didn't say, "accept anything", I said, accept the types of access that the security policy says are permitted.
This is just as important as denying access to stuff that is not permitted by the security policy.That's not a security property though, it's an operational property. Now,you can argue that denying too much impacts business, and I'd agree, because it doesn't conflict with what I said- 1. Security things work by blocking stuff. 2. The less stuff you block, the more risk you assume.
If my key doesn't open my front door, it's blocking legitimate access.A security system which prevents legitimate access is a broken security system.
Has "fixup protocol smtp 25" actually done much to prevent a vulnerableM$ Exchange box from being owned, or helped control the flow of spammy/virusized traffic significantly? Does it help control outboundI don't know what it does, since I don't field PIXes and have only workedon two in my entire life; but I _assume_ that it will block theMicrosoft-only SMTP extension that popped up a couple of months ago as avulnerability. Now, *if* it does, it *breaks* something that Microsoft Exchange Serverdoes when talking- see- that's the point, protection comes at the cost of breaking functionality once you get to the point where you've knocked outthe out-of-band stuff and you're just left with the in-band attacks.
I used Cisco's proxying of SMTP as a well-known example of a "security feature" which breaks legitimate protocol extensions (ESMTP), yet doesn't seem to really improve security, but if you aren't very familiar with it, I won't insist on debating this particular example. :-)
How about excessive ICMP filtering breaking path MTU discovery? -- -Chuck _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- A fun smackdown... Marcus J. Ranum (May 13)
- Re: A fun smackdown... Joseph S D Yao (May 15)
- Re: A fun smackdown... Martin (May 17)
- Re: A fun smackdown... Paul D. Robertson (May 19)
- RE: A fun smackdown... Ben Nagy (May 19)
- Re: A fun smackdown... Chuck Swiger (May 19)
- Re: A fun smackdown... Paul D. Robertson (May 19)
- Re: A fun smackdown... Chuck Swiger (May 19)
- Re: A fun smackdown... Paul D. Robertson (May 19)
- Re: A fun smackdown... Devdas Bhagat (May 19)
- Re: A fun smackdown... Paul D. Robertson (May 19)
- Re: A fun smackdown... Marcus J. Ranum (May 20)
- Re: A fun smackdown... Chuck Swiger (May 21)
- Re: A fun smackdown... Marcus J. Ranum (May 21)
- Re: A fun smackdown... Chuck Swiger (May 21)
- Re: A fun smackdown... Marcus J. Ranum (May 21)
- Re: A fun smackdown... Chuck Swiger (May 21)
- Re: A fun smackdown... Adam Shostack (May 21)
- Re: A fun smackdown... Martin (May 17)
- Re: A fun smackdown... Joseph S D Yao (May 15)