Re: Sony: No firewall and no patches

["Dobbins, Roland" <rdobbins () arbor net>]

On May 10, 2011, at 10:45 PM, Thor (Hammer of God) wrote:

> There are any number of topological deployment scenarios where firewalls certainly provide security in depth and 
> added security, irrespective of what Mr. Kaeo's opinion on the matter is.

The only one I can think of is between a middleware server and a front-end server or a middleware server and a back-end 
server; and even then, if an attacker has successfully compromised the middleware server, the tame's already over.  
Certainly not in front of servers routinely connected to by client machines.

That isn't just Merike's opinion, btw - it's a well-known BCP in the global opsec community (as distinct from the 
infosec community).  Her preso simply codifies what folks who perform Internet opsec for a living already know.

>  If one can design a secure access model using router ACLs then right on, but that doesn't mean that other models 
> don't work.

It means they're unnecessary, and instantiating an unnecessary stateful DDoS chokepoint in front of a server is a net 
security loss, not a gain.

> I'm unclear as what you mean by "no state to inspect in the first place" in regard to firewalls in front of servers - 
> my TMG box most certainly inspects state when I access assets via the firewall.


How does inserting a stateful firewall in front of a Web server help, given the stateless nature of HTTP and the fact 
that all incoming connections to the server are unsolicited?  Same for a DNS server.  There is no state for the 
firewall to inspect in order to determine whether to pass/fail those packets, stateless ACLs in hardware-based 
routers/layer-3 switches are the way to go.

All the talk of exfiltration via a covert channel is irrelevant, given that a) when the httpd on the server stops 
responding, that's a big giveaway that there's a problem, and b) that if the attacker is in control of a remote host to 
which he wishes to exfiltrate data, he can simply initiate an inbound connection and then generate the appropriate 
outbound responses, since he's effectively in charge of both ends of the connection, and c) there're far easier and 
less visible/onerous ways to exfiltrate data, anyways.

There are no stateful firewalls emplaced in front of the extremely popular servers/services accessed by gazillions of 
Internet users on a daily basis - at least, the ones that stay up, heh.  And every time I get a call from someone 
screaming 'the IDC and everything in it is down', it's because there's an unnecessary stateful firewall fronting the 
whole thing, and it's trivially easy for an attacker with even a very small botnet to take down said stateful firewall 
with programmatically-generated attack traffic which will conform to all the firewall rules and 'inspectors' and 
whatnot, but which will fill up the firewall state-tables, crowd out legitimate traffic, and eventually cause said 
firewall to fall over.

Stateful firewalls make perfect sense in front of endpoint networks comprised of client machines which shouldn't 
receive unsolicited connections across some defined policy boundary.  They make no sense in front of servers, but folks 
have been conditioned to think that firewalls are some kind of universal security panacea.  Which is especially ironic 
in the context of this thread, given that Sony have publicly stated that their servers were in fact exploited by 
traffic which passed straight through their stateful firewalls.

;>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

                The basis of optimism is sheer terror.

                          -- Oscar Wilde

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/