Firewall Wizards mailing list archives

Re: FW appliance comparison - Seeking input for the forum


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 18 Jan 2006 15:07:53 -0500

Patrick M. Hausen wrote:
Why would you want a signature based IDS at all? They don't work.
Period. Enumerating badness is a silly idea.

Who am I to argue?!  But I'd like to comment...

There is a value to signatures (and enumerating badness) if your purpose
is diagnosis rather than prevention. Like Paul said, if you haven't covered
prevention don't even _think_ about detection - but - if you _have_ covered
prevention then detection is useful if you want burglar alarms (detection of
policy violation) or big picture diagnosis. "You have thrown away 12,000
Code Red attacks" is more readable than "here are 60,000 logged packets
that you may want to look at - see attachment."

Develop a policy that explicitly defines every kind of network
traffic that is to be allowed to pass your perimeter. Application
X using a "proprietary protocol"? Sorry, not allowed.

I'd actually recommend going a step further and have a second
policy tier for your internal traffic, enforced at your core. Obviously
it might be less restrictive than your perimeter policy, but not
necessarily. Every time I hear about some critical network
getting a worm infection, I want to scream. There are a few
practitioners today going around talking about "compartmenting
networks" as if it's a new idea. I'll spare you my powerpoints
from 1989 on "service oriented requirements analysis" but they're
someplace in my backup disks...  Ah. I have an updated version
from '95 but the song remains the same:
http://www.ranum.com/security/computer_security/archives/requirements-analysis.pdf

Then use a firewall that only passes what is explicitly
allowed and raises an alarm for everything that isn't.
*Boom* as Steve Jobs would probably put it. Instant heuristic
proactive unknown and future attack aware IDS.

Again, I agree 100%; the caveat is that most of the "firewalls" that
are out there have only minimal processing going on at Layer 7
and are really very little more than pimped-up routers with a
security interface atop a simple state-machine rulesbase. If
you pay an extra $60,000 you can get the same pimped-up
router with a silicon regex jump-up and some poorly translated
snort rules in it. It may not do a lot of security processing, but
it's fast!!

The original concept of firewalls, back when we were trying to
really make them secure, was that they were software devices
that enforced correctness at Layer 7 and applied additional
policy atop that. For example, the DEC SEAL FTP proxy
"understood" FTP bounce attacks (it detected when PORT ip
address decoded to a different address than the calling client)
and denied them. While that was a legitimate operation in terms
of the FTP RFC, basically the author of the firewall (that's me)
had decided that the IETF got the protocol wrong, and the
firewall wasn't afraid to unilaterally fix it. The Gauntlet SMTP
proxy, for example, "understood" only the barest minimum of
SMTP necessary to get Email back and forth and rejected
everything else. Layered above that were additional sanity
checks where the author of the firewall (that's me, again)
decided the guys who'd written the RFC had done it wrong.
I.e.: the proxy didn't think certain punctuation characters
were appropriate in an Email address and if you wanted to be
joe-newline () someplace com you could but your Email
was not going through the firewall. I actually had a mode that
rejected X.400 addresses but nobody thought that was as
funny as I did at the time - now everyone appreciates the
joke a lot better.

Anyhow, in firewalls, the design switched from conservative
default deny AT LAYER 7 to default permit. No longer did
your HTTP traffic have to look like HTTP - now it could look
like *anything* as long as it had a URL in front of it. Thus
the firewall became permeable to spyware, SOAP, trojans,
etc, etc.

Many customers considered this a big step forward. They
were wrong. But it's fast!

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
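As an added illustration of the two ideas in this message (not code from the post, from the DEC SEAL or Gauntlet products, or from anyone in the thread): a small Layer-7 FTP control-channel filter in the style Marcus describes. It parses each PORT command, decodes the embedded address, and denies the command when that address differs from the address the client connected from (the bounce check), and it applies Patrick's rule of forwarding only explicitly allowed verbs and raising an alarm for everything else. The verb allow-list, the extra rule refusing privileged data ports, the function names and the sample session are this example's own assumptions.

```python
"""FTP proxy policy check (added example, not the original firewall's code).

Default-deny at Layer 7: a command is forwarded only if its verb is on an
explicit allow-list AND, for PORT, the address it names is the client's own.
Everything else is refused and produces an alarm line for the operator.
"""
import ipaddress
import re
from dataclasses import dataclass

# PORT h1,h2,h3,h4,p1,p2 -- address and port as six decimal bytes.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)

# Assumed allow-list; a real deployment would derive it from its own policy.
ALLOWED_VERBS = {"USER", "PASS", "CWD", "PWD", "TYPE", "LIST", "RETR",
                 "STOR", "PORT", "QUIT"}


@dataclass
class Verdict:
    allowed: bool
    reason: str
    target: str = ""  # "ip:port" a PORT command pointed at, if any


def parse_port(command: str):
    """Return (host, port) from a well-formed PORT command, else None."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_port_command(command: str, client_ip: str) -> Verdict:
    """The bounce check: PORT must name the calling client itself."""
    parsed = parse_port(command)
    if parsed is None:
        return Verdict(False, "malformed PORT command")
    host, port = parsed
    target = f"{host}:{port}"
    if ipaddress.ip_address(host) != ipaddress.ip_address(client_ip):
        return Verdict(False, "FTP bounce: PORT address is not the client", target)
    # Assumed extra rule: data connections to privileged ports are refused.
    if port < 1024:
        return Verdict(False, "PORT names a privileged port", target)
    return Verdict(True, "ok", target)


def filter_session(commands, client_ip: str):
    """Run a client's commands through the policy.

    Returns (forwarded, alarms): commands passed to the server, and one
    alarm line per refused command.
    """
    forwarded, alarms = [], []
    for cmd in commands:
        text = cmd.strip()
        verb = text.split(None, 1)[0].upper() if text else ""
        if verb not in ALLOWED_VERBS:
            alarms.append(f"DENY {client_ip} {text!r}: verb not in policy")
            continue
        if verb == "PORT":
            v = check_port_command(text, client_ip)
            if not v.allowed:
                alarms.append(f"DENY {client_ip} {text!r}: {v.reason}")
                continue
        forwarded.append(text)
    return forwarded, alarms


# Constructed sample session from client 192.0.2.10 (documentation addresses).
SAMPLE_CLIENT = "192.0.2.10"
SAMPLE_COMMANDS = [
    "USER anonymous",
    "PORT 192,0,2,10,4,1",     # client's own address, port 1025: allowed
    "PORT 198,51,100,5,0,25",  # a third host's port 25: bounce, denied
    "PORT 1,2,3",              # malformed: denied
    "SITE EXEC ls",            # verb outside the policy: denied, alarmed
    "QUIT",
]

if __name__ == "__main__":
    fwd, alarms = filter_session(SAMPLE_COMMANDS, SAMPLE_CLIENT)
    print("forwarded:", fwd)
    for line in alarms:
        print(line)
```

Run on the sample session, the proxy forwards USER, the well-formed PORT and QUIT, and raises three alarms; the point is that the bounce, the malformed command and the unexpected verb are all refused by construction rather than by a signature that has to know about them in advance.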