Firewall Wizards mailing list archives

Re: Middleboxes can only do the middle work


From: "Darden, Patrick S." <darden () armc org>
Date: Wed, 2 Apr 2008 12:56:02 -0400


Nice recap.  I still like the idea of a "middleware" app proxy 
using a whitelist approach; however, even the best and most 
security-conscious programmers quite simply make mistakes--not 
to mention all the languages, libraries, and frameworks out there 
that programmers must use, which were never meant to be secure 
in the first place.  E.g. an http proxy that insisted on sane 
input, with only alphanumerics and a maximum of 128 chars, otherwise 
it just drops the whole http get/put/etc.  A lot of old CGIs 
would suddenly become usable again. ;-)

Perimeter firewalls are necessary.  OS hardening is necessary.
But none of it matters if the apps you are running are riddled
with buffer overflows etc. waiting to happen....

I'm definitely not disagreeing with you, although it might sound
like it.

--p
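As an added illustration (not code from the thread or from either poster), here is a request filter that applies the allow-list rule sketched above: every path segment and query parameter must be purely alphanumeric and at most 128 characters, or the whole request is dropped. Names such as request_allowed and the sample request lines are constructed for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Allow-list in the spirit of the proxy described above (hypothetical code):
# tokens must be 1-128 alphanumeric characters, nothing else gets through.
MAX_LEN = 128
TOKEN = re.compile(r"[A-Za-z0-9]{1,%d}" % MAX_LEN)
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT"}


def _sane(token: str) -> bool:
    # Decode percent-encoding *before* checking, so an encoded "/" or NUL
    # cannot hide behind the encoding; decoding twice also catches
    # double-encoded input. Anything that is not alphanumeric after
    # decoding fails the match.
    decoded = unquote(unquote(token))
    return TOKEN.fullmatch(decoded) is not None


def request_allowed(raw: bytes) -> bool:
    """Return True if the request line passes the allow-list, else False."""
    try:
        request_line = raw.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return False                      # malformed request line: drop it
    if method not in ALLOWED_METHODS or not version.startswith("HTTP/1."):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or parts.fragment:
        return False                      # no absolute URLs, hosts or fragments
    if not parts.path.startswith("/"):
        return False
    segments = [s for s in parts.path.split("/") if s]
    if not all(_sane(s) for s in segments):
        return False
    for pair in filter(None, parts.query.split("&")):
        key, _, value = pair.partition("=")
        if not (_sane(key) and (value == "" or _sane(value))):
            return False
    return True
```

The same rule that drops encoded traversal or quote characters also drops an ordinary target like /index.html, which is exactly the trade-off the thread is about: the box in the middle can only refuse input, not fix the code behind it.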

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of Dave
Piscitello
Sent: Tuesday, April 01, 2008 2:45 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Middleboxes can only do the middle work


Several recent threads call attention to the elephant in the conference 
room no one talks about.

Firewalls are middleboxes (there's some RFC that says this, so I'm certain it is 
true). They are one element in a line of defense, and from an attacker's 
viewpoint, one line of defense that has to be breached (for some set of 
attacks). Even the stone stupid attackers spend few cycles breaching 
firewalls today because it is much easier to go after code that is 
written by folks with little security clue, using grossly generous 
language constructs, with amazingly few access controls enforced on the 
hosting computer. Paul Melson's "epic fail from the beginning" and 
Marcus' "bad ideas happening fast" are spot on.

This doesn't mean firewalls are obsolete, but it does (finally) provide 
ample evidence for even the most obdurate network designers that "the 
perimeter will save us" is seriously overtaken by events. This is a good 
thing: and after only two decades, we are actually turning our attention 
to considering remedies closer to communications endpoints.

The problem we still face is one of addiction. The historical comfort 
and debatable success that perimeter enforcement solutions provided 
created "a box in the middle will cure our application woes" mentality 
that persists today. What we really get each time we substitute a 
middlebox for secure programming and secure OS (implementation and 
configuration) is symptomatic relief, not cure.

The security industry is eager to build middleboxes that don't quite 
cure the woes but narcotize users sufficiently that they are happy to 
buy expensive boxes, flog configurations, study traffic logs, buy more 
boxes, flog configurations... Feed the addiction. As long as users are 
buying the drugs and doping themselves senseless so they can ignore the 
root causes at the endpoints, we shouldn't anticipate that things will 
improve dramatically.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards