On Mon, 31 May 1999, Ben Nagy wrote:

> 
> Comments (formatted badly) inline 8b
> 
> There are clearly two schools of thought here. Just because I like
> arguments, I'll plough on 8). The reason I don't like FW manufacturers
> making decisions about what firewalls allow and what they don't is because
> fundamentally I don't believe that they have the best interest of my
> (customers') business at hand. I know that you're advocating that vendors
> make decisions to _increase_ security without giving users an option, but I

No, I didn't say without an option.  However it's entirely *too* easy to 
void all firewall protection at this point in time with most firewalls.  
If the Net becomes safer because people who want to do completely idiotic 
things have to route that traffic around the firewall, then that's a good 
thing though.  Every site that gets compromised (a) Can be used to attack 
my site and (b) Encourages more acts of compromise.  

If it were a unilateral choice every time you open up some boneheaded 
protocol, I'd be cheering you on with a beer in my hand.  It isn't, and 
it has an effect on other sites.  Once again, we're stuck with the fact 
that nobody in this industry wants to look at the big picture.  

> don't think that's their place. If I develop some fancy proxy that I think
> sanitises an insane protocol, I'll be pretty pissed off if I can't get it

If you do that, don't you think that proxy should be a part of your firewall?

> through my firewall. Not to mention the fact that engineering out the
> possibility of making your firewall "insecure" is probably going to make it
> so inflexible as to be useless. I'm all in favour of the vendors shipping a
> secure out of the box config, and I would consider it irresponsible of them
> not to. However if an "advanced" user can't screw things up and get
> themselves in trouble there is something wrong.

If you're using that feature on a regular basis, you aren't building 
firewalls, you're building firesieves.   Once again, this doesn't provide 
the industry with a reason to build better protocols.

> So are you saying we solve this by having vendors write firewalls that are
> less flexible instead of having more skilled administrators? Firewall

I'm saying more secure.  That means less flexible, but the goal of a 
firewall is _supposed_ to be security.  You can gain flexibility by going 
around the firewall just fine.  When you go around it, you *know* it's 
not providing any protection, even if you're the average clueless 
administrator.  Firewalls are being deployed into companies that don't 
have skilled PC administrators, how do you propose to turn them into 
skilled firewall admins?

> companies aren't big brothers! They aren't bound by law to provide a product
> that cannot be subverted by a clueless administrator (thankfully), and at

Thankfully?  Clean up from a few clueless administrators and your point 
of view is likely to change.  

> the end of the day, they exist to make money for their shareholders by
> selling more firewalls. Besides all that, I don't _want_ some arbitrary

At any cost?  I don't think so.  While some companies take that path, 
fortunately all of them don't.  

> company telling me that if I buy their firewall I cannot allow ports x - y
> or protocol z or whatever.

Then why buy a firewall?  Surely you'd be *much* happier with a screening 
router?  Moreover, your customers would be much more aware of the risk 
profile they're taking because they wouldn't confuse themselves with 
companies deploying firewalls to provide security rather than flexibility.

If you want to pass every protocol in existence, then buy a router.  
Routers do that very well.

A long time ago, I had a climbing partner who carried a 3 lb hammer and 
fairly complete set of large and heavy tools half-way up a 14,000 ft mountain 
just in case he needed them.  The stove he rented didn't function.  Up on the 
glaciers a stove is an absolute necessity, a set of industrial strength tools
isn't.  That's what we're left with though - a bunch of easy to make 
insecure products "just in case" while work on the current batch of 
protocols like HTTP and SSL is still lacking and apparently halted.  Worse 
yet, everyone seems happy with that situation.

'We have a firewall' used to mean 'Our network has some security, we've gone 
through a protocol analysis and formulated a security policy, we're doing 
as much right as we can given our business.'  Now it means 'We paid some 
company a few thousand dollars for some box, told some consultant to open 
up every boneheaded protocol in the known Universe and we think we're 
protected.'


Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
