brent timothy saner on 4 Aug 2017 13:34:01 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Firewall/security philosophy [was: SSH Hardening : Request for Best Practices]

On 08/04/2017 02:26 PM, wrote:
> In the message dated: Fri, 04 Aug 2017 09:34:37 -0400,
> The pithy ruminations from Rich Kulawiec on 
> <Re: [PLUG] Firewall/security philosophy [was: SSH Hardening : Request for Best Practices]> were:
> => On Wed, Aug 02, 2017 at 01:05:33PM -0400, Rich Freeman wrote:
> => > What is the best way to go about this?  I assume you're talking about
> => > blocking outgoing traffic by default, since everybody already blocks
> => > incoming traffic by default.  It seems like you could spend a LOT of
> => > time playing whack-a-mole with firewall rules punching holes for
> => > legitimate traffic that way.
> => 
> => Not just blocking outgoing traffic by default -- which everyone should
> => have been doing for the last 15 years -- but only enabling traffic in
> => either direction based on port, protocol, origination host, origination
> => network, origination country, destination host, destination network,
> => destination country, volume, frequency, etc.: any and all criteria.
> Sure, if you can enumerate those rules, in sufficient detail and accuracy,
> and be responsive to changes. There will be changes in what should
> be permitted for the business need. 
> Security policies have very different meanings in different environments,
> but it sounds like you're making sweeping statements about policies that
> should be enabled by 'everyone'.
> => 
> => Yeah, that's a lot to ask, but every one of those things cuts down
> => on the attack surface -- which means when an exploit emerges it will
> => be much harder for someone to use it.  And since we know, a priori,
> => that exploits *are* coming, it's better to pre-emptively block them
> => rather than frantically try to patch when they arrive.
> Absolutely.
> => 
> => I suppose there are two things that become clear from that: the first is
> => that one size does not fit all.  The way you approach this for a server
> => farm is different from the way you approach it on a desktop.  The second
> => is that it requires that you know EXACTLY what network traffic you need,
> => why you need it, when you need it, where it's going, how much of it
> => there should be, etc.
> => 
> => Some folks say that the latter is hard or even impossible.  And that's
> => when I quote Ranum -- from that same rant:
> => 
> => 	"How can you call yourself a 'Chief Technology Officer' if you
> => 	have no idea what your technology is doing?"
> That's a nice sound-bite, a slogan, a goal.
> That is not a operational plan.
> And, you didn't quote his next sentence:
> 	A CTO isn't going to know detail about every application on
> 	the network, but if you haven't got a vague idea what's going
> 	on it's impossible to do [...] virtually any of the things in a
> 	CTO's charter.
> That directly contradicts your assertation that "it requires that you
> know EXACTLY what network traffic you need, why you need it, when you
> need it, where it's going, how much of it there should be, etc." Sure,
> that degree of enumerating goodness may be possible in some environments,
> such as on a dedicated application server with no user processes, but
> not in every real-world environment.
> Your statement that one size does not fit all is exactly correct.
> Having "an idea what your technology is doing" may lead to a security
> philosophy that is very different than what you are advocating. Try
> to remember that each element -- the security stance, the inbound
> and outbound network traffic, the applications, should be designed to
> support human beings with tasks they need to accomplish for the business,
> not designed to meet some abstract philosophy about computer security,
> no matter how well intentioned.
> Certainly, computer security is necessary to keep the machines available,
> and may sometimes be intrusive, but the bottom line is that computers
> should be tools to enable people to do things. The implementation of any
> security stance must balance the need to keep machines functional and
> data safe with the need to allow people to use those machines and data.
> In practical terms, maybe that means there's minimal outbound filtering
> (ie., blocking known-malicious sites, not a default 'deny' stance),
> or other policies that don't follow your recommendation.
> Mark 

Further, I'd argue a NIDS/NIPS system does, on a holistic level, the job
better and with way less human overhead most of the time; perhaps with a
caching proxy that will analyze web traffic dropped in as well... (This
is, of course, also debatable and certainly is not a one-size-fits-all.)

Either way, proposing a default-deny/default-drop for all outgoing
traffic for all networks, no questions asked, as the "best" policy is
madness. I'd like to think we've moved past that as a species and have
developed more elegant and robust approaches.

Attachment: signature.asc
Description: OpenPGP digital signature

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --