Firewalls - Ease of Use and Maintenance?

Peter Kristolaitis alter3d at alter3d.ca
Thu Nov 10 16:04:19 UTC 2011


Your hypothetical scenario assumes you're the only organization 
compromised by the flaw (or one of very few), and not #3972 on the list, 
in which case the company could go bankrupt before a court can hear your 
case, and the "liability protection" they offered you is worth the 
electrons it's printed on. It's great if you're a Fortune 50 and have 
the legal, political and financial clout to be #1 on the lawsuit list, 
but nearly worthless for most organizations.

- Peter


On 11/10/2011 10:39 AM, -Hammer- wrote:
> OK. Right off the bat you know I can't and won't. But in some places 
> it is common practice to make sure agreements are in place to make 
> sure all parties are protected based on how a product is 
> expected/designed to perform. I can't say more than that. Realize I'm 
> speaking about things that are solely on the vendor. Not "Did you 
> configure the ACL properly?"
>
> What you can Google is the names of companies who have settled out of 
> court against various trolling lawsuits vs the names of companies that 
> are still in litigation. There is a mix of both manufacturer/vendor 
> and end customer. It all depends on the case.
>
> This shouldn't surprise you. If Toyota makes a defective brake and you 
> slam into someone else, your insurance covers you. Eventually, if the 
> issue scales out to the point that it is obvious that Toyota made a 
> defective brake and it is not your fault, some insurance companies 
> collectively will go to the government or directly to the manufacturer 
> for compensation. This is no different. If you sell me a FW and it 
> catches on fire thru no fault of my own and then the public finds out 
> that FWs are catching on fire all over the place, it's a good bet that 
> that FW vendor will be getting some lawsuits. If a FW vendor reports a 
> product to work a certain way and instead thru a massive vulnerability 
> or development oversight it does not, the same applies. Software. 
> Hardware. Physical (fire). Logical (vulnerability). I'm not saying 
> that it happens all the time and I'm not even saying it's a general 
> practice. What I'm saying is it happens. And depending on your 
> business vertical it could be a very real consideration.
>
> COMPLETELY 100% MADE UP HYPOTHETICAL SCENARIO:
>
> I put a FW in. I put proper L3 ACLs in. I block 443 inbound. I didn't 
> say I block HTTPS. I block 443. I test it by telnetting from the 
> Internet to 1.1.1.1:443 and I am unable to connect. Looks good. A 
> month later our CEO is surfing the Internet. Thru a development 
> oversight in the product, when I NAT or PAT him to the Internet his 
> source port is not pulled from the Ephemeral range but is instead 
> sourced as port 443. He of course goes to sites riddled with Malware 
> because that's what CEOs do. They click on links. So the Malware 
> website initiates a new TCP session to destination port 443 with his 
> NATted IP. The state table has an entry for that IP and 443 and even 
> though this is a new TCP session the FW lets it thru. The malware site 
> bad guys are able to retrieve confidential information about a merger 
> and publish it. The other company that we were merging with sues us 
> because the information is leaked to the public and adversely impacted 
> their stock value. Everything in the above paragraph is able to be 
> documented thru forensics and it is indisputable that the FW was 
> properly configured and should have blocked it but didn't. The FW did 
> NOT perform as advertised/designed. This is NOT the fault of me or my 
> company. If a few thousand dollars is at stake nothing may come of 
> this. If tens or hundreds of millions of dollars are at stake I 
> promise you that our lawyers will be contacting the manufacturer whose 
> product did not perform as advertised. They will compensate (in one 
> way or another) us for our losses. It's a big ugly world full of lots 
> of lawyers.
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
>
>
> On 11/10/2011 09:14 AM, Richard Kulawiec wrote:
>> On Thu, Nov 10, 2011 at 08:52:22AM -0600, -Hammer- wrote:
>>> The other high cost of "free" that people sometimes overlook is
>>> liability.
>> Please point to an instance (case citation, please) where a commercial
>> firewall vendor has been successfully litigated against -- that is, held
>> responsible by a court of law for a failure of their product to provide
>> the functionality that it's claimed to provide.
>>
>> ---rsk
>>
>>
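The hypothetical above (state keyed on the NATted IP and port alone, plus a PAT source port that collides with 443) modelled as a small simulation. This is an added example, not code from the thread or from any vendor product; the web server address 203.0.113.10 and the port numbers are constructed, and the "strict" variant is the expected 5-tuple behaviour, not a description of any particular firewall.

```python
from collections import namedtuple

NAT_IP = "1.1.1.1"           # the firewall's public address, as in the thread
INBOUND_BLOCKED = {443}      # L3 ACL: no new inbound sessions to these ports
WEB = "203.0.113.10"         # constructed address for the malware-laden site

# src_ip, src_port, dst_ip, dst_port, SYN flag, and whether it arrives from the Internet
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port syn inbound")


class StatefulFirewall:
    """Toy connection tracker; `strict` selects full 5-tuple state keys."""

    def __init__(self, strict):
        self.strict = strict
        self.state = set()

    def _key(self, p):
        # Normalise to (inside endpoint, outside endpoint) regardless of direction
        inside = (p.dst_ip, p.dst_port) if p.inbound else (p.src_ip, p.src_port)
        outside = (p.src_ip, p.src_port) if p.inbound else (p.dst_ip, p.dst_port)
        if self.strict:
            return ("tcp", inside, outside)
        return inside  # the oversight: state keyed on the NATted IP and port alone

    def handle(self, p):
        if self._key(p) in self.state:
            return "ALLOW(state)"            # matched an existing flow
        if p.inbound:
            if p.syn and p.dst_port in INBOUND_BLOCKED:
                return "DROP(acl)"           # new inbound session hits the ACL
            return "DROP(no-state)"
        self.state.add(self._key(p))         # new outbound session: create state
        return "ALLOW(new)"


def scenario(strict):
    """Replays the thread's hypothetical against one firewall variant."""
    fw = StatefulFirewall(strict)
    return [
        # CEO's PAT'd flow; the bug picks source port 443 instead of an ephemeral one
        fw.handle(Packet(NAT_IP, 443, WEB, 80, syn=True, inbound=False)),
        # the web server's legitimate reply on that flow
        fw.handle(Packet(WEB, 80, NAT_IP, 443, syn=False, inbound=True)),
        # the site opens a brand-new TCP session to the NATted IP on port 443
        fw.handle(Packet(WEB, 54321, NAT_IP, 443, syn=True, inbound=True)),
    ]


if __name__ == "__main__":
    print("loose :", scenario(strict=False))   # last packet is let through
    print("strict:", scenario(strict=True))    # last packet hits the ACL
```

The loose variant lets the third packet through exactly as the scenario describes, while the strict variant drops it on the ACL; note that a "telnet to 1.1.1.1:443 fails" test only exercises the no-state path and would pass against both.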

More information about the NANOG mailing list