On Tue, 1 Jun 1999, Mark Wallace wrote:

> First, either I was fiendishly clever and lured Paul into my trap, or
> else I was simply unclear.  [Egotism demands that I believe the former,

Maybe we're reading different lists, I see no trap.

> while the rest of you may content yourselves with the latter
> explanation.
> Paul accused me of assuming that there existed a network administrator.
> 
> I plead guilty as charged. One of the points I was trying to make is
> that "Firewall" is a system - not hardware or software, but Hw, Sw,
> Policy, and professional people.  If your firewall is a box
> thrown on a wire, then you might as well just tie dead chickens
> to the wire. (Actually given that there is scientific evidence for
> Santeria, I'd bet on the dead chickens before the black box on the 
> wire).

Once again, you say there have to be clueful people, but miss the point of
where to get them.  Your view doesn't reflect *current* reality for the
*majority* of firewalls out there, and it's getting _worse_ not better.  

> We've discussed in gruesome details the failings of the hw & Sw, but
> I was trying to assert that security analysis should also examine
> the wetware of the firewall, and the "paperware" (policy).

So, you're advocating building analysis of protocol safety based on who
the current firewall administrator is, and their continuous employment?

Three words:

Doomed to fail.

If the hardware and software aren't up to snuff, no amount of
administrator clue or policy writing will fix the firewall.

> I moved from that to trying to explain that the firewall administrator
> can learn a lot from what happens after the users say " I want protocol
> X."  I know admins who will fall down like dominoes. I know admins who
> can fight that battle and win. I've trained both kinds.

I've never trained an admin who will fall down like a domino.  Do you get
a bonus from management for that? ;)

> The difference between them? In reality, it is a matrix of things, 
> but underlying that matrix is credibility.  And the biggest source

No, it's integrity.  

> of that credibility is knowledge of what must be protected.  If you're

No, more important is knowing how to protect things, and how to analyze
vulnerability and risk.  I've analyzed new protocols in a few instances
before they were done.  In that case, what's going to be protected isn't
necessarily known yet.  You can still give a level of assurance and risk
exposure.  

> protecting an unofficial fan-site devoted to a rock star, then you're a 
> fool to go to the mat over everything.  If you're protecting data

Since I happen to know someone who admins official sites of rock stars,
and I have some clue of their last compromise, I'll ask you to explain how
you feel that having multitudes of compromised sites helps *anyone*,
because their last compromise appears to have been through a less secure
site where the site administrator had _No Clue_.  When the packet-chasing
lawyers get one good precedent every site set up your way will be in
court.  Once again, you're preaching that administrators keep their back
yards clean by dumping their trash over the fence.  Wonder why the
neighborhood's getting polluted?

> which has national security, medical or other information which can 
> cost lives, then by all means, sweat the small stuff.

Meanwhile, don't bother about security because you're not likely to have
clue?  I've done the national security thing - I *know* what it takes to do
that every single day, do you?  My current employer has nothing to do with
national security, and doesn't even have a great deal of valuable
information assets.  Unlike you, they seem to think that there's still a
great deal of value to the business in engineering infrastructure, not
waiting until something's important to worry about it.

> Armed with that knowledge, you can go to management and say, "If you
> permit protocol X, then I cannot guarantee the integrity of this 

You once again assume that an administrator can tell the difference and do
a competent risk analysis.  _That_simply_isn't_so_for_the_bulk_of_sites._

You're trying to instill a lot of preconceived predicates here.  I'm not
accepting them.

> information." [Aside: Integrity is, in my experience more persuasive
> than confidentiality or availability for most situations.] If you're

Then you have a certain class of users, because I've seen cases where all
three come up on top, or any one of them do.

> not persuasive, then simply write a memo, circulate it to the data
> owners, and continue earning your salary. There is no point protecting
> information that educated data owners don't care about.

You seem to be missing the fact that an exploit that gains privileged
access may result in compromise of the data that either they, or someone
they do business with, or even an innocent third party.  So, since you're
assuming a clued admin, now you're assuming clued admins should be happy
running insecure sites.  I don't buy that either.

> Paul touches on a couple of other points.  First the question "Can we
> reasonably expect attacks to come in via the firewall?"  I believe I
> explicitly said that modems and other "compliance defects" have to be
> dealt with.  But I can't expect the firewall to solve those problems.

No, Paul points out that it's quite specious to say "We'll ignore all
attacks that don't specifically come through the firewall and still try to
argue that the firewall is only a single component of an overall security
infrastructure."

> [Aside: If I decide to be anal retentive and make the firewall so 
> secure that it is a de-facto attack on the availability of network
> resources, then I deserve the additional work I get.] Yes, I must

Would those be legitimate network resources, or illegitimate ones?  All
the extra work (if you're concerned about security) will come from trying
to trend analyze and detect and provide protection for 50 silly protocols
instead of 4.  If you're not doing that, you really need to re-examine the
"value" you're bringing to the table. 

> develop a policy forbidding network connections except through a 
> firewall, and I must monitor and enforce that policy.

So how do you contend that's easier for 50 *bad* protocols than it is for
2 bad and 2 good ones?

> Finally I'd like to offer a few more thoughts on the potential 
> utility of a well administered firewall.

If you mean well-administered like "built to be secure" that's one thing,
if you mean well-administered like "know we're letting a bunch of crap
through it," it's another.  I can put a poor administrator in front of a
good firewall and expect some level of assurance, but not vice versa.

> First, a proxy can be thought of as a friendly Man-In-The-Middle
> attack.  It is considerably more difficult to mount a MITM attack
> against a circuit that already has a MITM.  

No it isn't.  IP is a peer-to-peer protocol, MITM attacks are trivial in
most cases.  The *only* place a proxy provides MITM protection is against
the explicit proxy settings in the client.  Please illustrate how a proxy
provides MITM protection for (a) HTTP, (b) FTP, (c) SMTP, or (d) DCOM
(your choice).

> Second, even a plug proxy should protect against a class of 
> malformed packets. 

If you look back, I've been touting the benefits of transport layer
protection for a lot of years.  That's trivially overcome if you
compromise a higher layer though.

> Good points Paul - But I believe that my firewall will keep out 
> the anklebiters, and allow me to concentrate on the threats which

(a) Congratulations on feeling that you can keep all the script kiddies
out.  I feel sorry for you when they get to the better scripts.

(b) My firewall keeps everyone yours does out and then some.  I'm still
not happy with it.

> are more chilling to me.  And I've seen the alternatives, and no 
> matter how chilled I am by PHB's, and by e-commerce, I'm more
> chilled by the networks that I've seen without a firewall.

So, you don't like networks without firewalls, but you think that every
firewall is going to have a clued administrator.  How do you propose to
suddenly clue a few hundred thousand people?  Or are we suddenly in for
the "I'm a consultant and I'm here to help!" speech?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
