Per Gustav Ousdal <[EMAIL PROTECTED]> writes:
> To sum up with a cliché: We can never be 100% safe, but we can limit
> the threats.

Right. That's what I was saying. :)

Too many people think that firewalls are doing a whole lot more than
mere flow control. Most of the firewalls are just dynamic stream
gateways; very few do content and protocol parsing, and even those
are limited based on the designers' knowledge of attacks in the
protocols that are being analysed and proxied.

Take a look at the new stuff that's tunnelling over HTTP. The
developers of applications have discovered that if you look like
HTTP you can get around 99% of the firewalls that are already
installed. Who knows about specific weaknesses in those application
protocols? Nobody. Are the bad guys smart enough to realize that
they can tunnel stuff in/out over HTTP? Gosh, darn, I bet they
are! :)

Firewalls _are_ an effective tool for limiting the threats. They
help with (but don't solve) the incoming traffic problem by
channelling incoming traffic only to systems that are adequately
(one hopes!) secured to handle the traffic. In other words, they
replace a network security problem with an application security
problem, which is a fair trade since the scope of the problem
is reduced thereby.

Mark Teicher's premise is that:
"If the network architecture was done correctly and the underlying
operating system was hardened to only allow that particular application's
protocol to be the only service enabled then it would be very hard to
actually get in.. "

Well, yeah. That's like saying, "If every application was written
in a type and space safe programming language, and had no security
holes, and there were no hackers, then it'd be hard to actually get
in.. "

The reality of the matter is that a large number of firewalls have
been installed to buy comfort for upper management, not to implement
security. Many sites simply do not understand, or choose to ignore,
the incoming traffic problem. They don't upgrade the software on
their critical servers behind their firewalls, or they freely download
and run code from wherever users feel appropriate. Those are the
points of attacks that work against firewalls and will continue to
work in the future. Anyone who has ever done a security audit of a
firewall will know that it's not the firewall that has the holes,
it's the machines behind it. The bad guys know this, too.

Another way (a scarier way) of looking at it is that every site
which has suffered a macro virus infestation or viral outbreak
in the last year, is a potentially trivial victim of a firewall
buster attack worm. How many sites have firewalls that _don't_
allow automatic outgoing connections for FTP, Telnet, or HTTP?
I know of a very small, and dwindling (thanks to user pressure)
handful.

Regards,
mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
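As an added illustration of the flow-control versus protocol-parsing distinction drawn in the post above (example code written for this page, not from the post or from NFR), assuming a constructed policy that allows only outbound TCP/80 and a few constructed sample flows:

```python
import re

# Constructed policy for the example: a stream gateway that allows outbound TCP/80 only.
ALLOWED_PORTS = {80}

# RFC 7230-style token characters, used for header field names.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (\*|/[^ \r\n]*) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^" + TOKEN + rb":[ \t]*[^\r\n]*$")


def flow_control_allows(dst_port: int) -> bool:
    """Flow control only: the decision uses the destination port, never the payload bytes."""
    return dst_port in ALLOWED_PORTS


def looks_like_http(payload: bytes) -> bool:
    """Minimal protocol check: a valid request line, well-formed header lines, a Host
    header and a CRLFCRLF terminator. Anything else is not HTTP, whatever the port says."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False
    request_line, *headers = head.split(b"\r\n")
    if not REQUEST_LINE.match(request_line):
        return False
    names = set()
    for line in headers:
        if not HEADER_LINE.match(line):
            return False
        names.add(line.split(b":", 1)[0].strip().lower())
    return b"host" in names


def decide(dst_port: int, payload: bytes) -> dict:
    """Run both policies on one flow and report what each would let through."""
    by_flow = flow_control_allows(dst_port)
    return {"flow_control": by_flow, "protocol_parsing": by_flow and looks_like_http(payload)}


# Constructed sample flows (not captured traffic).
SAMPLES = {
    "browser":   (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "raw_on_80": (80, b"\x00\x2a\x01\x00" + b"\x00" * 8),   # opaque binary framing on port 80
    "telnet":    (23, b"\xff\xfd\x18"),                     # stopped by the port rule alone
}

if __name__ == "__main__":
    for name, (port, data) in SAMPLES.items():
        print(name, decide(port, data))
```

A syntactically valid request carrying an opaque body still passes `looks_like_http`, which is exactly the limit the post describes: a parser enforces only the protocol grammar its designers anticipated, not whatever an application layers on top of it.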