1999-03-29-04:31:21 Frank Knobbe:
> Our discussions and judgements should not just focus on the protocols but
> review the implementation of the discussed requirement/application.
In security analysis, there's rarely enough time to thoroughly examine, in
comprehensive detail, every facet of every question. So we've come up with
some convenient shortcuts. Many of them are of the form "if the spec is
defective, I'm not even gonna bother looking at the implementation"; specs are
simpler than implementations. If the spec is clean, then yes, we have to look
at the implementation. But if the spec is fundamentally flawed, then there's
no point in wasting time looking at the implementation; a totally broken
protocol, or file format, or whatever can't be fixed by a clever
implementation; you need to redesign the spec.
> According to your reasoning, you see the security risks with
> NetMeeting in the protocols it's using. For that reason, you deny
> NetMeeting any chance of discussion. You come down to 'Protocol
> flawed, Application out of question. Period'.
Yup, that's how competent security professionals get their job done.
> In my opinion, it's a very arrogant attitude.
Arrogance has its place.
> If every list member would behave like this, then we would have the
> 'Firewalls Discussion List' successfully converted into a voting ballot for
> protocols. (User1: What about NetMeeting? User2: Don't use it, too unsecure.
> User3: Yeah, protocol sucks. Etc.)
That's what we have for defective products like Netmeeting, ICQ,
currently-available protocols for network-distributed database access, and
many others. Other topics actually require serious thought, so they are
the interesting bits. Of course when someone comes out trying to justify
netmeeting, with a lead post whining about how it's such a bother having to
sleaze past the firewalls, then we do come out sixguns a-blazing:-).
> This list charter reads: The Firewalls mailing list is for discussions
> of Internet firewall security systems and related issues. Relevant
> topics include the design, construction, operation, maintenance, and
> philosophy of Internet firewall security systems.
Yup, that's what we try to do here.
> In other words we can discuss the design and philosophy of a
> NetMeeting implementation. I don't want to hear 'No, don't use it. I
> don't use it either.'
Sorry about that. If you don't want to hear that, perhaps you should
unsubscribe from the Firewalls mailing list; there are too many knowledgeable
professionals here, not enough people who would advocate Netmeeting.
> If you don't have a suggestion on how to securely implement NetMeeting, then
> don't post.
If you don't like hearing "Netmeeting sucks, you'd have to be a moron to let
it through your company firewall" then unsubscribe from Firewalls. Or just let
the thread die.
> Again, I'm not trying to defend NetMeeting, I'm trying to defend the
> approach.
No go, if something is basically a stinking heap, the only useful thing to
talk about is exactly why, what risks it incurs, so we know what to tell
people asking for it. In this case, FOAD. Or the tactful equivalent "I'll be
glad to let Netmeeting through to a machine we'll set up for you in the DMZ,
just budget the network connectivity and hardware needed, lemme know where you
want me to install the machine."
> Now, can NetMeeting still be implemented securely without the user
> having to move to a different workstation? Yes, I think so. Here is my
> proposal: [ clean sketch of sacrificial-host-in-DMZ ]
Sweet. I've used the same hack myself, for a similar problem: someone insisted
on being able to view applets from the internet. So I set 'em up a
sacrificial box to run a browser that could see internet applets, in the DMZ,
and gave 'em an ssh tunnel to that box. In fact, that's the tactful
restatement of FOAD.
I wouldn't set up a lashup like you describe, just because I wouldn't expose a
box running windows to the internet, but if someone else wanted to set it up,
that'd be the way to do it:-).
> Disadvantages [...] documents to be shared need to be uploaded separately
> (i.e. FTP).
Yup. When I set this up, I didn't provide the users with any mechanism for
file xfer at all, I made 'em request a manual xfer by a security admin. Turns
out that didn't end up being a problem, just threw the right shape speed-bump
in the way to prevent 'em from being tempted to use the DMZ host as their
primary workstation.
> As you can see it is possible to securely implement NetMeeting, even
> though the protocols used by it are not fit for transport back into
> the corporate network.
For sufficiently relaxed definitions of "secure" and "implement". At a site
that cares about security, the assumption would be "a box running windows
attached to the internet cannot be used for business purposes", so the admins
wouldn't waste the effort and expense of setting up something like this. But
at an entertainment site, where paying customers are purchasing the privilege
of playing on the internet, it might make sense. And more generally, "plant a
sacrificial host in the DMZ to run the broken app, and let users tunnel out
to that sacrificial machine" is the stock workaround for defective protocols.
Since it places the endpoint implementation of the protocol --- and all the
data it manipulates --- out where it can be ransacked by hooligans, it doesn't
arise often; only when people succeed in manufacturing an excuse for playing
on company time.
> If folks would just discuss alternatives instead of disregarding a
> discussion based on their opinion of the protocol used, then this list may
> see a higher volume once again (It's been relatively quiet lately). This
> would also give the list a higher value, because folks can train creativity
> and approach methods. As of now, the list transfers existing information
> (about protocols or firewall setups). It would be nice if it would also give
> the member the opportunity to collectively create new information such as
> design and implementation strategies...
I'm afraid you aren't going to see people abandoning useful short-cuts like
"if the protocol is defective, there's no point wasting time looking at the
implementation". And you probably aren't gonna see a lot of sympathy for the
initial poster's attitude "Netmeeting is so cool, I just had to tear holes in
the firewall to play with it. Isn't it cool!".
But I sympathize with the frustration you are feeling; creative design is
a heck of a lot more fun than rehashing known ground. Maybe we'll get more
interesting design topics in the future. I'm hoping so, myself.
-Bennett