Firewall Wizards mailing list archives
Re: Middleboxes can only do the middle work
From: "Darden, Patrick S." <darden () armc org>
Date: Wed, 2 Apr 2008 12:56:02 -0400
Nice recap. I still like the idea of a "middleware" app proxy using a whitelist approach; however, as even the best and most security conscious programmers quite simply make mistakes--not to mention all the languages, libraries, and frameworks out there that programmers must use, which were never meant to be secure in the first place. E.g. an http proxy that insisted on sane input, with only alphanumeric and maximum of 128 chars, otherwise it just drops the whole http get/put/etc. A lot of old CGIs would suddenly become usable again. ;-)

Perimeter firewalls are necessary. OS hardening is necessary. But none of it matters if the apps you are running are riddled with buffer overflows and etc. waiting to happen....

I'm definitely not disagreeing with you, although it might sound like it.

--p

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Dave Piscitello
Sent: Tuesday, April 01, 2008 2:45 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Middleboxes can only do the middle work

Several recent threads call attention to the elephant in the conference room no one talks about. Firewalls are middleboxes (some RFC that says this so I'm certain it is true). They are one element in a line of defense, and from an attacker's viewpoint, one line of defense that has to be breached (for some set of attacks). Even the stone stupid attackers spend few cycles breaching firewalls today because it is much easier to go after code that is written by folks with little security clue, using grossly generous language constructs, with amazingly few access controls enforced on the hosting computer. Paul Melson's "epic fail from the beginning" and Marcus' "bad ideas happening fast" are spot on.

This doesn't mean firewalls are obsolete, but it does (finally) provide ample evidence for even the most obdurate network designers that "the perimeter will save us" is seriously overtaken by events. This is a good thing: and after only two decades, we are actually turning our attention to considering remedies closer to communications endpoints.

The problem we still face is one of addiction. The historical comfort and debatable success that perimeter enforcement solutions provided created "a box in the middle will cure our application woes" mentality that persists today. What we really get each time we substitute a middlebox for secure programming and secure OS (implementation and configuration) is symptomatic relief, not cure.

The security industry is eager to build middleboxes that don't quite cure the woes but narcotize users sufficiently that they are happy to buy expensive boxes, flog configurations, study traffic logs, buy more boxes, flog configurations... Feed the addiction. As long as users are buying the drugs and doping themselves senseless so they can ignore the root causes at the endpoints, we shouldn't anticipate that things will improve dramatically.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
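The whitelist ("default deny") HTTP front end Patrick sketches above, as an added example that is not code from the thread or from either author. It assumes a small set of allowed methods and treats '/', '.', '?', '=' and '&' as the only structural separators (the message does not specify these), inspects only the request line, and drops the whole request the moment any user-controlled token is not plain alphanumeric or exceeds 128 characters. The sample requests are constructed for the illustration.

```python
"""Default-deny request filter of the kind described in the message above:
forward a request only when every user-controlled token is plain
alphanumeric and at most 128 characters, otherwise drop the whole request.
Added illustration; the allowed methods and the structural separators
('/', '.', '?', '=', '&') are assumptions made here, not from the thread."""

import re
from urllib.parse import parse_qsl, urlsplit

MAX_TOKEN_LEN = 128                                  # the "maximum of 128 chars" limit
TOKEN_RE = re.compile(r"[A-Za-z0-9]{1,%d}" % MAX_TOKEN_LEN)
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT"}     # assumption
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}


def token_ok(tok: str) -> bool:
    """A token passes only if it is 1..128 ASCII letters or digits, nothing else."""
    return TOKEN_RE.fullmatch(tok) is not None


def check_request(raw: str) -> tuple:
    """Decide whether to forward a raw HTTP request.

    Returns (forward, reason); forward == False means drop the entire request.
    Only the request line is inspected; headers and body would need the
    same treatment in a real proxy.
    """
    request_line = raw.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return False, "method not whitelisted: %s" % method
    if version not in ALLOWED_VERSIONS:
        return False, "unexpected HTTP version"
    # Percent-encoding only exists to carry characters outside the
    # whitelist, so its mere presence is grounds to drop.
    if "%" in target:
        return False, "percent-encoding not allowed"
    if not target.startswith("/") or target.startswith("//"):
        return False, "target must be an absolute path"
    url = urlsplit(target)
    if url.scheme or url.netloc or url.fragment:
        return False, "scheme, authority or fragment in target"
    # Path: each segment is a dotted file name whose pieces must be tokens.
    # '..' splits into empty pieces and therefore fails the check.
    segments = url.path.split("/")[1:]
    for i, seg in enumerate(segments):
        if seg == "" and i == len(segments) - 1:
            continue                                 # trailing slash is fine
        if not all(token_ok(piece) for piece in seg.split(".")):
            return False, "bad path segment: %r" % seg
    # Query: every key and every value must be a token.
    try:
        pairs = (parse_qsl(url.query, keep_blank_values=True, strict_parsing=True)
                 if url.query else [])
    except ValueError:
        return False, "malformed query string"
    for key, value in pairs:
        if not (token_ok(key) and token_ok(value)):
            return False, "bad query parameter: %r" % key
    return True, "ok"


# Constructed sample requests (not real traffic).
SAMPLES = {
    "clean": "GET /cgi/search.cgi?q=firewall&page=2 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "overlong": "GET /cgi/search.cgi?q=" + "A" * (MAX_TOKEN_LEN + 1) + " HTTP/1.1\r\n\r\n",
    "encoded": "GET /cgi/search.cgi?q=hello%20world HTTP/1.1\r\n\r\n",
    "quote": "GET /cgi/search.cgi?q=it's HTTP/1.1\r\n\r\n",
    "dotdot": "GET /cgi/../search.cgi HTTP/1.1\r\n\r\n",
    "method": "TRACE /cgi/search.cgi HTTP/1.1\r\n\r\n",
}


def decide_samples() -> dict:
    """Map each sample name to the proxy's forward (True) / drop (False) decision."""
    return {name: check_request(req)[0] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        forward, reason = check_request(req)
        print("%-9s %-7s %s" % (name, "FORWARD" if forward else "DROP", reason))
```

Run as a script it prints one decision per sample; only the "clean" request is forwarded. The point of the design is that nothing is enumerated as bad: the filter never looks for known-dangerous characters, it only asks whether each token is inside the tiny set it was told is good, which is what lets an old CGI with no input handling of its own sit behind it.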