William H. Magill on Thu, 30 Jan 2003 12:30:34 -0500



Re: [PLUG] firewall risk


On Thursday, January 30, 2003, at 06:50 AM, Jeff Abrahamson wrote:
> All the discussion about firewalls aside, if a machine is running no
> services available to the outside world, how can an attacker break in?
>
> That is, suppose I make the naive argument that I only run sshd on
> port 22, so all other ports get denied anyway by dint of having
> nothing listening (not even inetd). Why bother with ip tables beyond
> masquerading?
>
> (I'm pretty sure this is wrong, I just don't know why.)

The biggest problem with "firewalls" is that people think they work -- automagically!


In reality, a "firewall" is no more effective than a single host with an IP visible on the net would be... because that's all a "firewall" is, it is not the "magic pill" most writers promote and naive users expect.

The difference between a "firewall" and a "firewall+host" is that they are TWO boxes. The benefit here is that if one cracks your "firewall," they still have to crack your host also. [Unless of course you use the same passwords on both or allow auto logins from one to the other, etc. :) ]

The key to protecting both a "firewall" and a single host is to keep the patches current! Anything, host or a so-called "firewall," is nothing more than an Operating System susceptible to cracking. "Firewalls" can be cracked just as easily as a host. [And "firewalls" which never get security updates are scary things. Personally, I would never trust one for that one reason alone... NOBODY ever gets it right the first time and "the first time" changes with every new attack.]

Having a "firewall" that admits everything but the kitchen sink - ftp, telnet, http, https, ssh, nfs, ntp, nntp, just to pick on a couple of common ones - doesn't shield your back-side from anything. You still have to have a back-side system that is "solid." If you block ports on a "firewall" or on your local system, it doesn't much matter -- they are blocked. But if you allow them on one, you can, or need to, block them on the other. [Any open port, obviously, needs a current daemon patched to resolve the latest bugtrack report.]

Most consumer firewalls work on the principle of Security by Obscurity. The assumption is 1) that the cracker has no concept of how NAT works, 2) that the hosts behind the firewall cannot be "guessed." Duh... how many hosts behind firewalls are located at the default addresses of 10.0.0.1 or one of the other non-routing ranges?

The idea that a "firewall" can be used to perform policy-based routing -- i.e., blocking traffic from specific IP addresses -- is something that can be done, but 99% of the folks out there with "firewalls" have no clue what that is all about, let alone enough time and energy to maintain the situation. And think of the fun if there was an equivalent of Blackhole for IP addresses -- there would suddenly be vast portions of the net which were unreachable for some unknown reason. Support desks would go bananas.

Mac OS X and the secure Linux have the right idea... start out with a system that has all (or almost all) ports locked down and then only open those that you intend to use.

"Firewalls" are popular, and I would say "needed," with Windoz based environments simply because they are incredibly difficult, if not impossible to lock down, and something is better than nothing.

One last comment: The primary purpose of a REAL Firewall is to isolate the attack interface from your data. You don't really care if your firewall gets hacked because there is no data there, you simply wipe the disks and reload. Ignore all the nonsense of "watching the hackers" from the "Cuckoo's Egg," you don't have the resources to do it. Depend upon a firewall to slow down an attack long enough for you to unplug your data.

All of your data is on an independent system, hopefully also well defended, which you can remove through physical isolation in the event of a crisis. You can literally "pull the plug" (from the Internet in this case) to protect your data -- which is the ONLY thing you care about. Customer service and the like are secondary to protecting the data. You can provide all the Customer Service you like, but if you have no data to serve up -- who cares.

... user friendly features are security holes, and security is never user friendly.

NOTE: "Firewalls" are those things sold for $100 or so by all your favorite "Zones." REAL Firewalls not only cost money (and are not sold by "Zones"), but require substantial staff time to monitor and maintain. They are very different animals.

T.T.F.N.
William H. Magill
# Beige G3 - Rev A motherboard - 768 Meg
# Flat-panel iMac (2.1) 800MHz - Super Drive - 768 Meg
# PWS433a [Alpha 21164 Rev 7.2 (EV56)- 64 Meg]- Tru64 5.1a
magill@mcgillsociety.org
magill@acm.org
magill@mac.com
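An added example, not part of the thread above, putting two of its points into a form you can run: Jeff's "only sshd is listening, why bother with iptables" case, and Magill's advice to start with everything locked down and open only what you intend. The script is my own; it assumes Linux iptables with the conntrack match and the `ss -ltn` listing from iproute2, and it prints the rules rather than applying them, so it runs unprivileged and can be reviewed first. The listening-socket sample at the bottom is constructed for the example. The audit answers Jeff's question directly: a host that "only runs sshd" today may have something else listening tomorrow (a package pulls in rpcbind, cups binds a public address), and a default-deny policy keeps that drift from becoming exposure while the audit tells you it happened.

```shell
#!/bin/sh
# Added example (not from the PLUG post). Assumes iptables with the filter
# table and conntrack match, and `ss -ltn` output for the listener audit.
# Nothing here changes the host: rules are printed for review, not applied.

# Ports this host is meant to expose. Constructed allowlist: sshd only.
ALLOWED_TCP_PORTS="22"

# Print the iptables commands for a default-deny inbound policy: drop by
# default, allow loopback and replies to our own connections, then open only
# the listed ports. Anything else that starts listening later stays blocked.
emit_default_deny_rules() {
    printf '%s\n' \
        'iptables -P INPUT DROP' \
        'iptables -P FORWARD DROP' \
        'iptables -P OUTPUT ACCEPT' \
        'iptables -A INPUT -i lo -j ACCEPT' \
        'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        'iptables -A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in $ALLOWED_TCP_PORTS; do
        printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
}

# Succeeds when port $1 is in the allowlist.
is_allowed_port() {
    for p in $ALLOWED_TCP_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Read `ss -ltn` output on stdin and print every listening TCP port that is
# reachable from outside (not bound to loopback) and not in the allowlist.
# The header line is skipped because its first field is not LISTEN.
# Returns 0 when nothing unexpected listens, 1 otherwise.
unexpected_listeners() {
    found=0
    while read -r state recvq sendq local peer rest; do
        [ "$state" = "LISTEN" ] || continue
        port=${local##*:}
        addr=${local%:*}
        case "$addr" in
            127.*|'[::1]') continue ;;   # loopback-only sockets are not exposed
        esac
        if ! is_allowed_port "$port"; then
            printf '%s\n' "$port"
            found=1
        fi
    done
    return $found
}

# Constructed sample of `ss -ltn` output: sshd on 22 (v4 and v6), cups on
# loopback 631, and rpcbind on 111, which nobody intended to expose.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      4096   *:111              *:*
LISTEN 0      128    [::]:22            [::]:*'

# Run the audit over the constructed sample; on a real host pipe `ss -ltn` in.
audit_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | unexpected_listeners
}

# Stand-alone run: show the policy, then report what listens beyond it.
emit_default_deny_rules
audit_sample || echo "unexpected listening ports found (see above)"
```

Against the sample the audit reports only port 111: 22 is allowed, and 631 is bound to 127.0.0.1, so the firewall's loopback rule is the only thing that reaches it. The policy is deliberately printed as plain iptables commands so it can be read line by line before anyone pipes it into `sh` as root.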

_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug