On May 10, 2011, at 10:45 PM, Thor (Hammer of God) wrote:

> There are any number of topological deployment scenarios where firewalls 
> certainly provide security in depth and added security, irrespective of what 
> Mr. Kaeo's opinion on the matter is.

The only one I can think of is between a middleware server and a front-end 
server or a middleware server and a back-end server; and even then, if an 
attacker has successfully compromised the middleware server, the game's already 
over.  Certainly not in front of servers routinely connected to by client 
machines.

That isn't just Merike's opinion, btw - it's a well-known BCP in the global 
opsec community (as distinct from the infosec community).  Her preso simply 
codifies what folks who perform Internet opsec for a living already know.

>  If one can design a secure access model using router ACLs then right on, but 
> that doesn't mean that other models don't work.

It means they're unnecessary, and instantiating an unnecessary stateful DDoS 
chokepoint in front of a server is a net security loss, not a gain.

> I'm unclear as what you mean by "no state to inspect in the first place" in 
> regard to firewalls in front of servers - my TMG box most certainly inspects 
> state when I access assets via the firewall.

How does inserting a stateful firewall in front of a Web server help, given the 
stateless nature of HTTP and the fact that all incoming connections to the 
server are unsolicited?  Same for a DNS server.  There is no state for the 
firewall to inspect in order to determine whether to pass/fail those packets; 
stateless ACLs in hardware-based routers/layer-3 switches are the way to go.

All the talk of exfiltration via a covert channel is irrelevant, given that a) 
when the httpd on the server stops responding, that's a big giveaway that 
there's a problem, and b) that if the attacker is in control of a remote host 
to which he wishes to exfiltrate data, he can simply initiate an inbound 
connection and then generate the appropriate outbound responses, since he's 
effectively in charge of both ends of the connection, and c) there're far 
easier and less visible/onerous ways to exfiltrate data, anyways.

There are no stateful firewalls emplaced in front of the extremely popular 
servers/services accessed by gazillions of Internet users on a daily basis - at 
least, the ones that stay up, heh.  And every time I get a call from someone 
screaming 'the IDC and everything in it is down', it's because there's an 
unnecessary stateful firewall fronting the whole thing, and it's trivially easy 
for an attacker with even a very small botnet to take down said stateful 
firewall with programmatically-generated attack traffic which will conform to 
all the firewall rules and 'inspectors' and whatnot, but which will fill up the 
firewall state-tables, crowd out legitimate traffic, and eventually cause said 
firewall to fall over.

Stateful firewalls make perfect sense in front of endpoint networks comprised 
of client machines which shouldn't receive unsolicited connections across some 
defined policy boundary.  They make no sense in front of servers, but folks 
have been conditioned to think that firewalls are some kind of universal 
security panacea.  Which is especially ironic in the context of this thread, 
given that Sony have publicly stated that their servers were in fact exploited 
by traffic which passed straight through their stateful firewalls.

;>

-----------------------------------------------------------------------
Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>

                The basis of optimism is sheer terror.

                          -- Oscar Wilde
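A toy model of the state-table exhaustion the message above describes, added here as an illustration and not code from the original post or its author: the same port policy is applied once as a stateless ACL and once as a stateful filter with a bounded state table, and both are fed constructed packets (addresses, ports and table capacity are assumed values).

```python
"""Why per-flow state is a liability in front of a server that must accept
unsolicited inbound connections. Constructed model: a stateless port ACL and a
stateful filter with a finite state table see the same constructed packets."""
from collections import OrderedDict
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


# The policy both filters enforce: only the service ports are reachable.
ALLOWED_PORTS = {80, 443}


def stateless_acl(pkt: Packet) -> bool:
    """Hardware-style ACL: decision depends on the packet alone, no memory."""
    return pkt.dport in ALLOWED_PORTS


class StatefulFilter:
    """Same policy, but every permitted flow also consumes a state-table slot."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.table = OrderedDict()  # 5-tuple key -> flow entry (value unused)

    def admit(self, pkt: Packet) -> bool:
        if pkt.dport not in ALLOWED_PORTS:
            return False
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            return True  # existing flow, already tracked
        if len(self.table) >= self.capacity:
            return False  # table full: rule-conforming packet is dropped anyway
        self.table[key] = None
        return True


def run_model(capacity: int, noise_flows: int):
    """Return (stateless_ok, stateful_ok) for one legitimate client that arrives
    after `noise_flows` distinct, policy-conforming flows have been opened."""
    fw = StatefulFilter(capacity)
    # Constructed traffic: many distinct sources, all to the permitted port 80.
    for i in range(noise_flows):
        fw.admit(Packet(f"203.0.113.{i % 250}", 1024 + i, "198.51.100.10", 80))
    legit = Packet("192.0.2.7", 51000, "198.51.100.10", 80)
    return stateless_acl(legit), fw.admit(legit)
```

With a capacity of 8, the legitimate client is admitted by both filters after 4 conforming flows, but only by the stateless ACL once 8 or more have been opened: the stateful box fails the very traffic its rules permit.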

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
