Vulnerability Development mailing list archives
Re: Dedicated vs "shared use" firewalls
From: aja () SI ON CA (Anton J Aylward, CISSP)
Date: Mon, 28 Feb 2000 08:29:29 -0500
-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of Forrest W. Christian
Sent: Friday, February 25, 2000 12:19 AM

I hope this is the right forum for this, but what brought this up was the entire Raptor discussion.
A more appropriate forum would be the firewalls list, or I think the firewall-wizards list, firewall-wizards () lists nfr net

To summarise: in theory, yes; in practice, no, you are being overly paranoid. Yes, paranoid: your fears ARE irrational. Certainly the minimalist approach is correct, but you are missing out on a few things.

Firstly, there are many different types and styles of firewalling. Secondly, when general purpose OS platforms are used as firewalls, many features are disabled or removed, even at the kernel level.

You mention "listening ports". It's not quite that simple. Perhaps the ports that are listening are application proxies. That is a correct firewall function. Mail, for example, SMTP, is a self-proxying function, so unless the listener/relay/proxy program has its own vulnerabilities (such as any version of sendmail suffering from bug-of-the-month-club defects) this is not an issue. The ports that appear to be listening may also not actually be listening; they may be forwarded through a filtering mechanism to the DMZ.

Over the last decade I have seen 'firewalls' become more of a marketing term than a technology term. The variety of techniques that are used is quite diverse. The model you outline, while quite correct, is also one that represents a small part of this family of techniques.

"Yes, it used to be, but we changed all that". And as I say, installing a firewall greatly modifies the underlying system. Other firewalls, such as Milky Way's Black Hole, only appear to be running Solaris. The OS has been 'hardened' beyond the normal techniques documented; the kernel has been modified and the applications and tools such as perl and sendmail are very far removed from their familiar counterparts.

But underlying all this is a difference in attitude. For a technical mind, a firewall must be invulnerable. That is not correct. The firewall is there to implement the security policies associated with the business practices.
Business, any business, assumes some risk in order to operate. Profit, if I may spout some classical economics, is the return for taking risk. Like it or not, management lays down policy as to what risks are acceptable and how they should be managed.

Many technical people look for technical perfection, but it will never be found. In practice, we can't even keep ahead of the Black Hats. A perfect firewall, as Marcus Ranum has commented, is actually a pair of wirecutters applied to ALL wires associated with the computer and network. Yes, that renders the machine, the system, unusable. That is his point.

In order to do business, there needs to be communication. This means the firewall has to allow stuff in and out. What and how is dictated by policy. If there isn't a policy, then management is, foolishly, delegating this decision to technical staff who are unaware of the business objectives and will simply respond to the demands, reasonable or unreasonable, of the other staff, salesmen and so on. This is a common scenario and is why this is fraught with futility.

Finally let me quote one of my favourite authors with respect to the idea that there are secure kernels, Pico-kernels or any other piece of software that can't be hacked or penetrated.

"There's no such thing as an impossible, only a thing the doing of which has not yet been found"

To adopt any other stance, with respect to ANY piece of equipment, software, or organisation, is foolish. To obsess about it is, and I do mean this word in its true sense, not its overused vernacular sense, paranoid. We in the security profession may joke that we're "paid to be paranoid". No, we're not paid to be irrational. We are paid to be rational and reasonable.
--------------------------------------------------------------------
Anton J Aylward, CISSP        | "If you have only one layer of protection
System Integrity              |  you are only as safe as the next
InfoSec Auditing & Consulting |  bug-de-jour"
Voice: (416) 421-8182         |  - Brad M Powell, Snr Network Security Architect,
aja () si on ca               |    Sun Microsystems
The way I understand Raptor is that it is code that runs on NT. This makes me really queasy for reasons to be discussed below.

When I recommend a firewall solution, the core of the recommendation is that the firewall run on hardware which is dedicated to the firewall and that all non-firewall network functionality is either disabled or removed. I personally usually recommend a FreeBSD-based NAT/ipfw solution which I have developed if cost is a concern to the user. I have also recommended Cisco PIX and several other options for larger clients.

I worry about firewall solutions which are generally implemented on systems which themselves may or may not be secure. For example, some of the Solaris/Unix-based firewalls make me nervous because people tend to run them on the same Solaris box they have web, mail, and other solutions on. I worry along the same lines about any NT solutions, as I do not feel secure about the underlying NT OS architecture and the services which may be running on an NT box.

I'm also paranoid enough that I usually will either restrict administrative access to the firewall to "physical connectivity", à la the console or console port, or via a very very strict set of IPs. If I can't restrict the IP range, or at least restrict it to "inside" users, I do not enable the telnet service, thus ensuring that in most cases at least the administrative part of the firewall won't be compromised.

In the FreeBSD solution I sell, I run a very stripped down kernel (actually PicoBSD) which has very very little stuff in it. In fact, the box doesn't have any open, listening IP ports.

So, maybe to draw this to a close and to ask my real question here, I can just say this: I am certain that the security of the underlying OS/security of the configuration of the underlying system is VERY important to the security of the firewall.
So, that said, is it possible that NT (or pick any OS) based firewalls are generally less secure than, say, a PIX box, because the underlying OS is inherently less secure? Does anyone have any data (or real life experience) to back this up? Does the tendency of NT to install/enable services "by itself" pose a real security threat? Or, maybe better put, what seems to be the consensus on firewalls running on any given OS (as opposed to a certain firewall product)?

- Forrest W. Christian (forrestc () imach com) KD7EHZ
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604   http://www.imach.com
Solutions for your high-tech problems.         (406)-442-6648
----------------------------------------------------------------------
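The posture Forrest describes above (a dedicated firewall host with nothing listening, and administrative access limited to the console or a strict set of inside IPs) is something an operator can check mechanically rather than trust. The script below is an added illustration for this thread, not code from either poster or from any product named here. It assumes a socket listing in the shape of FreeBSD `sockstat -4l` output (the sample is constructed), and the policy values (inside address, allowed management listener, admin subnet) are made-up placeholders; on a real host you would feed it the live listing and your own policy.

```python
"""Audit a firewall host against a 'nothing listens, admin only from inside' policy.

Added example for the Dedicated vs "shared use" firewalls thread.  The socket
listing format follows FreeBSD `sockstat -4l`; the sample lines and the policy
constants are constructed for the demonstration.
"""
import ipaddress

# Constructed sample of `sockstat -4l` output on a hypothetical firewall host.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       311   4  tcp4   192.0.2.1:22          *:*
root     sendmail   402   5  tcp4   *:25                  *:*
root     inetd      250   6  tcp4   *:23                  *:*
root     syslogd    180   3  udp4   127.0.0.1:514         *:*
"""

# Constructed policy: one management service, bound only to the inside
# interface address; loopback-only listeners are tolerated; admin sessions
# may originate only from the inside subnet.
INSIDE_ADDR = "192.0.2.1"
ALLOWED_LISTENERS = {("tcp4", INSIDE_ADDR, 22)}
LOOPBACK_OK = True
ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_sockstat(text):
    """Return (proto, local_addr, port, command) tuples for each listener line.

    The first line is the column header and is skipped; a '*' local address
    means the socket is bound to every interface, which is what an exposed
    service on a shared-use host typically looks like.
    """
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 7:
            continue  # blank or malformed line
        _user, command, _pid, _fd, proto, local, _foreign = parts[:7]
        addr, _, port = local.rpartition(":")
        rows.append((proto, addr, int(port), command))
    return rows


def audit_listeners(text, allowed=ALLOWED_LISTENERS, loopback_ok=LOOPBACK_OK):
    """Return (command, proto, addr, port) for every listener the policy forbids.

    A listener passes only if it is loopback-bound (when tolerated) or exactly
    matches an allowed (proto, address, port) triple; wildcard binds of an
    allowed port still fail, because they expose the service on the outside.
    """
    violations = []
    for proto, addr, port, command in parse_sockstat(text):
        if loopback_ok and addr.startswith("127."):
            continue
        if (proto, addr, port) in allowed:
            continue
        violations.append((command, proto, addr, port))
    return violations


def admin_source_allowed(src_ip, nets=ADMIN_NETS):
    """True if an administrative connection's source IP lies in an inside net."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in nets)


if __name__ == "__main__":
    for command, proto, addr, port in audit_listeners(SAMPLE_SOCKSTAT):
        print(f"POLICY VIOLATION: {command} listening on {proto} {addr}:{port}")
    for src in ("192.0.2.77", "198.51.100.5"):
        verdict = "allowed" if admin_source_allowed(src) else "DENIED"
        print(f"admin from {src}: {verdict}")
```

Run against the constructed sample, the audit flags sendmail on `*:25` and the inetd telnet listener on `*:23`, exactly the kind of "shared use" services the post argues should not be on the firewall host at all, while the inside-bound sshd and the loopback syslogd pass. The source check is the policy half of "restrict it to inside users": a telnet or ssh session from outside the admin subnet fails before any credential is considered.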