"Stephen Gutknecht (firewalls)" wrote:
>
> or am I overlooking something big here?
I don't think so.
The desktop firewall market is in its infancy. A lot of work remains
to be done to improve the architecture and implementations.
The products have vulnerabilities as the recent reports have shown.
Identical file names are the least of the problems. Would the average
user discriminate between iexplore.exe and iexplorer.exe? What would
the average user answer for rtvscn95.exe or some other vague name?
What happens when a trojan replaces and emulates a service like
netbios-name-query? When one hooks IE, winsock, or some other permitted
application and/or socket? Neglecting trojans for a moment, what
happens when the user permits their newly downloaded (and possibly buggy
or misconfigured) ftp server, web server, file server, peer music server,
multiplayer game, etc. to "act as a server"?
I've heard that some products don't even check traffic in the outgoing
direction, apparently trusting the desktop to be secure. IMHO, mass-market
desktop security products have more to fear from the machine they're
installed on than the other side of the wire :)
Any security mechanism on a discretionary access control system (all of
today's desktops) is subject to the code run on the machine. As soon as
one architecture problem is fixed (the file name problem for example),
there will always be another one that allows code to undermine the
product. If the security product can do it, user run code can undo it.
We're just obfuscating the inherent security limitations of a general
purpose programmable computer with access control performed by an end
user...the user intent on ease of use, entertainment, and/or complete
freedom of code choice and communications.
Shoot, if we could adequately secure the desktop, the benefits of inline
firewalls would decrease substantially.
If undermining the operation of the protective software becomes too
complex, there is always the brute force method:
if (protective_software installed) {
    if (removing it requires a reboot or is obvious to user) {
        sleep(until midnight or until keyboard and mouse inactive four hours)
    }
    else {
        remove_protective_software();
        emulate_protective_software();
        install_payload();
    }
}
Tripwire for the masses anyone? :)
As far as the difference between products like Checkpoint and desktop
firewalls, I'd say the main ones are attempted plug-n-play operation and
the ability to determine more desktop context of network traffic by
virtue of their presence on the desktop themselves. Inline firewalls
simply don't have that context available to them so there is the potential
for desktop firewalls to implement new types of access controls and
intelligent decisions.
Don't get me wrong. I run and recommend desktop firewalls as part of a
defense in depth policy. But if people are complaining because they're
"not secure" they'd better not hold their breath.
People need to understand that you can't build an infinitely high fence
which means some amount of time, money, and/or motivation will break
through whatever you put up. Security is relative...not absolute.
Nothing is secure.
--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml
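The "Tripwire for the masses" idea and the iexplore.exe / iexplorer.exe confusion above both come down to the same defensive check: record what the trusted programs looked like, then notice when one is modified, removed, or joined by a lookalike. The following is an added example written for this discussion, not code from the original post or from any product it mentions. It builds a hash baseline of a directory, re-verifies it later, and flags added file names that sit within a small edit distance of an expected name. The directory contents, the EXPECTED_NAMES allowlist and the file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed allowlist of program names the user is expected to trust
# (hypothetical; the two names are the ones mentioned in the post).
EXPECTED_NAMES = {"iexplore.exe", "rtvscn95.exe"}


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory):
    """Map each regular file name in directory to its SHA-256 digest."""
    baseline = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            baseline[name] = sha256_file(path)
    return baseline


def verify(directory, baseline):
    """Compare the directory against a stored baseline.

    Returns sorted lists of files whose content changed, files that
    disappeared, and files that appeared since the baseline was taken.
    """
    current = build_baseline(directory)
    modified = sorted(n for n in baseline if n in current and current[n] != baseline[n])
    missing = sorted(n for n in baseline if n not in current)
    added = sorted(n for n in current if n not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def edit_distance(a, b):
    """Levenshtein distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_names(names, expected, max_distance=2):
    """Return (name, expected_name) pairs for names that are close to, but not
    equal to, an expected program name. A distance of 0 is an exact match and
    is not reported; distances above max_distance are treated as unrelated."""
    hits = []
    for name in names:
        for good in sorted(expected):
            d = edit_distance(name.lower(), good.lower())
            if 0 < d <= max_distance:
                hits.append((name, good))
    return sorted(hits)


def _write(directory, name, data):
    with open(os.path.join(directory, name), "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline two files, then tamper with one and drop
    in a lookalike, and report what the re-verification catches."""
    with tempfile.TemporaryDirectory() as d:
        _write(d, "iexplore.exe", b"constructed browser v1")
        _write(d, "guard.exe", b"constructed desktop firewall v1")
        baseline = build_baseline(d)

        # Simulated tampering after the baseline was taken.
        _write(d, "guard.exe", b"constructed replacement binary")
        _write(d, "iexplorer.exe", b"constructed lookalike")

        report = verify(d, baseline)
        report["lookalikes"] = lookalike_names(report["added"], EXPECTED_NAMES)
        return report


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the place the baseline is kept: stored on the same discretionary-access desktop, it is subject to the same "if the product can do it, user-run code can undo it" argument the post makes, so the digests belong on read-only or off-box storage, which is how Tripwire-style tools are normally deployed.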
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]