Vulnerability Development mailing list archives

Re: Dedicated vs "shared use" firewalls


From: aja () SI ON CA (Anton J Aylward, CISSP)
Date: Mon, 28 Feb 2000 08:29:29 -0500


-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
Forrest W. Christian
Sent: Friday, February 25, 2000 12:19 AM

I hope this is the right forum for this, but what brought this up was the
entire Raptor discussion.

A more appropriate forum would be the firewalls list, or I think
the firewall-wizards list, firewall-wizards () lists nfr net

To summarise: in theory, yes, in practice, no, you are being
overly paranoid.  Yes, paranoid, your fears ARE irrational.

Certainly the minimalist approach is correct, but you are missing
out on a few things.

Firstly, there are many different types and styles of firewalling.
Secondly, when general purpose OS platforms are used as firewalls,
many features are disabled or removed, even at the kernel level.

You mention "listening ports".  It's not quite that simple.
Perhaps the ports that are listening are application proxies.
That is a correct firewall function.   Mail, for example, SMTP,
is a self proxying function, so unless the listener/relay/proxy
program has its own vulnerabilities (such as if it is any version
of sendmail suffering from bug-of-the-month-club defects) this
is not an issue.

The ports that appear to be listening may also not actually be
listening, they may be forwarded through a filtering mechanism to the
DMZ.

Over the last decade I have seen 'firewalls' become more of a
marketing term than a technology term.  The variety of techniques
that is used is quite diverse.  The model you outline, while quite
correct, is also one that represents a small part of this family
of techniques.  "Yes, it used to be, but we changed all that".

And as I say, installing a firewall greatly modifies the underlying system.

Other firewalls, such as Milky Way's Black Hole, only appear to
be running Solaris.  The OS has been 'Hardened' beyond the normal
techniques documented; the kernel has been modified and the applications
and tools such as perl and sendmail are very far removed from their
familiar counterparts.

But underlying all this is a difference in attitude.
For a technical mind, a firewall must be invulnerable.
That is not correct.   The firewall is there to implement the
security policies associated with the business practices.
Business, any business, assumes some risk in order to
operate.  Profit, if I may spout some classical economics,
is the return for taking risk.

Like it or not, management lays down policy as to what risks
are acceptable and how they should be managed.   Many technical
people look for technical perfection, but it will never be found.
In practice, we can't even keep ahead of the Black Hats.

A perfect firewall, as Marcus Ranum has commented, is actually
a pair of wirecutters applied to ALL wires associated with the
computer and network.   Yes, that renders the machine, the system
unusable.  That is his point.  In order to do business, there
needs to be communication.  This means the firewall has to allow
stuff in and out.  What and how is dictated by policy.
If there isn't a policy, then management is, foolishly, delegating
this decision to technical staff who are unaware of the business
objectives and will simply respond to the demands, reasonable
or unreasonable, of the other staff, salesmen and so on.
This is a common scenario and is why this is fraught with futility.

Finally let me quote one of my favourite authors with respect to the
idea that there are secure kernels, Pico-kernels or any other piece
of software that can't be hacked or penetrated.

        "There's no such thing as an impossible, only a thing
         the doing of which has not yet been found"

To adopt any other stance, with respect to ANY piece of equipment,
software, or organisation, is foolish.   To obsess about it is,
and I do mean this word in its true sense, not its overused
vernacular sense, paranoid.

We in the security profession may joke that we're "paid to be
paranoid".  No, we're not paid to be irrational.  We are paid
to be rational and reasonable.

--------------------------------------------------------------------
Anton J Aylward, CISSP          | "If you have only one layer of protection
System Integrity                | you are only as safe as the next
InfoSec Auditing & Consulting   | bug-de-jour"
Voice: (416) 421-8182           | - Brad M Powell, Snr Network Security Architect,
aja () si on ca                  |   Sun Microsystems

The way I understand raptor is that it is code that runs on NT.  This
makes me really queasy for reasons to be discussed below.

When I recommend a firewall solution, the core of the recommendation is
that the firewall run on hardware which is dedicated to the firewall and
that all non-firewall network functionality is either disabled or
removed.   I personally usually recommend a FreeBSD-based NAT/ipfw
solution which I have developed if cost is a concern to the user.  I have
also recommended Cisco PIX and several other options for larger clients.

I worry about firewall solutions which are generally implemented on
systems which themselves may or may not be secure.   For example, some of
the solaris/unix-based firewalls make me nervous because people tend to
run them on the same solaris box they have web, mail, and other solutions
on.   I worry along the same lines about any NT solutions as I do not feel
secure about the underlying NT os architecture and the services which may
be running on an NT box.

I'm also paranoid enough that I usually will either restrict
administrative access to the firewall to "physical connectivity"- ala the
console or console port, or via a very very strict set of ips.  If I can't
restrict the IP range, or at least restrict it to "inside" users, I do not
enable the telnet service, thus ensuring that in most cases at least the
administrative part of the firewall won't be compromised.

In the FreeBSD solution I sell, I run a very stripped down kernel
(actually PicoBSD) which has very very little stuff in it.   In fact, the
box doesn't have any open, listening IP ports.

So, maybe to draw this to a close and to ask my real question here I can
just say this:

I am certain that the security of the underlying OS/security of the
configuration of the underlying system is VERY important to the security
of the firewall.

So, that said, is it possible that NT (or pick any OS) based-firewalls are
generally less secure than say, a PIX box, because the underlying OS is
inherently less secure?  Does anyone have any data (or real life
experience) to back this up?   Does the tendency of NT to install/enable
services "by itself" pose a real security threat?   Or, maybe better put,
what seems to be the consensus on firewalls running on any given OS (as
opposed to a certain firewall product)?

- Forrest W. Christian (forrestc () imach com) KD7EHZ
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604      http://www.imach.com
Solutions for your high-tech problems.                  (406)-442-6648
----------------------------------------------------------------------
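The two posts agree on one checkable thing: a listener on the firewall host is acceptable only if it is an application proxy (Anton), and remote administration must be bound to inside addresses with telnet never enabled (Forrest). The audit below is an added example, not code from either poster; the `netstat -an` sample and the policy sets (proxy ports, admin ports, inside address) are constructed for illustration.

```python
import re
# Constructed sample of BSD-style `netstat -an` output; not from any real host.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  192.168.1.1.22         *.*                    LISTEN
tcp4       0      0  *.23                   *.*                    LISTEN
tcp4       0      0  203.0.113.5.80         198.51.100.7.40123     ESTABLISHED
udp4       0      0  *.514                  *.*
"""

# Hypothetical policy: proxies may listen; admin binds only to the inside
# address; telnet is never enabled; anything else is an unexpected listener.
PROXY_PORTS = {25, 80}
ADMIN_PORTS = {22}
INSIDE_ADDRS = {"192.168.1.1"}
FORBIDDEN_PORTS = {23}

LINE_RE = re.compile(r"^(tcp\S*|udp\S*)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")

def parse_listeners(netstat_output):
    """Return (proto, local_addr, port) for every socket that is listening."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header lines and anything unparseable
        proto, local, _foreign, state = m.groups()
        if proto.startswith("tcp") and state != "LISTEN":
            continue                      # established connections are not listeners
        addr, _, port = local.rpartition(".")   # BSD netstat separates port with '.'
        listeners.append((proto, addr, int(port)))
    return listeners

def audit(netstat_output):
    """Return the policy violations found; an empty list means the host complies."""
    findings = []
    for proto, addr, port in parse_listeners(netstat_output):
        where = f"{proto} {addr}:{port}"
        if port in FORBIDDEN_PORTS:
            findings.append(f"{where} forbidden service is listening")
        elif port in ADMIN_PORTS and addr not in INSIDE_ADDRS:
            findings.append(f"{where} admin service not bound to inside address")
        elif port not in PROXY_PORTS | ADMIN_PORTS:
            findings.append(f"{where} unexpected listener (not a proxy)")
    return findings
```

On the sample, the SMTP and HTTP proxies and the inside-bound ssh pass, while the telnet listener and the syslog socket are reported.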
