Firewalls - Ease of Use and Maintenance?
Peter Kristolaitis
alter3d at alter3d.ca
Thu Nov 10 16:04:19 UTC 2011
Your hypothetical scenario assumes you're the only organization
compromised by the flaw (or one of very few), and not #3972 on the list,
in which case the company could go bankrupt before a court can hear your
case, and the "liability protection" they offered you is worth the
electrons it's printed on. It's great if you're a Fortune 50 and have
the legal, political and financial clout to be #1 on the lawsuit list,
but nearly worthless for most organizations.
- Peter
On 11/10/2011 10:39 AM, -Hammer- wrote:
> OK. Right off the bat you know I can't and won't. But in some places
> it is common practice to make sure agreements are in place to make
> sure all parties are protected based on how a product is
> expected/designed to perform. I can't say more than that. Realize I'm
> speaking about things that are solely on the vendor. Not "Did you
> configure the ACL properly?"
>
> What you can Google is the names of companies who have settled out of
> court against various trolling lawsuits vs the names of companies that
> are still in litigation. There is a mix of both manufacturer/vendor
> and end customer. It all depends on the case.
>
> This shouldn't surprise you. If Toyota makes a defective brake and you
> slam into someone else, your insurance covers you. Eventually, if the
> issue scales out to the point that it is obvious that Toyota made a
> defective brake and it is not your fault, some insurance companies
> collectively will go to the government or directly to the manufacturer
> for compensation. This is no different. If you sell me a FW and it
> catches on fire thru no fault of my own and then the public finds out
> that FWs are catching on fire all over the place, it's a good bet that
> that FW vendor will be getting some lawsuits. If a FW vendor reports a
> product to work a certain way and instead thru a massive vulnerability
> or development oversight it does not, the same applies. Software.
> Hardware. Physical (fire). Logical (vulnerability). I'm not saying
> that it happens all the time and I'm not even saying it's a general
> practice. What I'm saying is it happens. And depending on your
> business vertical it could be a very real consideration.
>
> COMPLETELY 100% MADE UP HYPOTHETICAL SCENARIO:
>
> I put a FW in. I put proper L3 ACLs in. I block 443 inbound. I didn't
> say I block HTTPS. I block 443. I test it by telnetting from the
> Internet to 1.1.1.1:443 and I am unable to connect. Looks good. A
> month later our CEO is surfing the Internet. Thru a development
> oversight in the product, when I NAT or PAT him to the Internet his
> source port is not pulled from the Ephemeral range but is instead
> sourced as port 443. He of course goes to sites riddled with Malware
> because that's what CEOs do. They click on links. So the Malware
> website initiates a new TCP session to destination port 443 with his
> NATted IP. The state table has an entry for that IP and 443 and even
> though this is a new TCP session the FW lets it thru. The malware site
> bad guys are able to retrieve confidential information about a merger
> and publish it. The other company that we were merging with sues us
> because the information is leaked to the public and adversely impacted
> their stock value. Everything in the above paragraph is able to be
> documented thru forensics and it is indisputable that the FW was
> properly configured and should have blocked it but didn't. The FW did
> NOT perform as advertised/designed. This is NOT the fault of me or my
> company. If a few thousand dollars is at stake nothing may come of
> this. If tens or hundreds of millions of dollars are at stake I
> promise you that our lawyers will be contacting the manufacturer whose
> product did not perform as advertised. They will compensate (in one
> way or another) us for our losses. It's a big ugly world full of lots
> of lawyers.
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
>
>
> On 11/10/2011 09:14 AM, Richard Kulawiec wrote:
>> On Thu, Nov 10, 2011 at 08:52:22AM -0600, -Hammer- wrote:
>>> The other high cost of "free" that people sometimes overlook is
>>> liability.
>> Please point to an instance (case citation, please) where a commercial
>> firewall vendor has been successfully litigated against -- that is, held
>> responsible by a court of law for a failure of their product to provide
>> the functionality that it's claimed to provide.
>>
>> ---rsk
>>
>>
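The failure mode in -Hammer-'s hypothetical, as an added model that is not code from the thread or from any firewall product: a stateful firewall whose state-table lookup ignores direction and TCP flags lets a fresh inbound SYN ride on the entry the mis-NATted outbound session created, while a lookup on the full 4-tuple that refuses bare SYNs falls through to the ACL. All addresses and ports are constructed.

```python
EXTERNAL_IP = "203.0.113.10"   # constructed public address of the NAT firewall
INBOUND_BLOCK = {443}          # the L3 ACL from the scenario: inbound dst port 443 blocked


class StateTable:
    """Stateful inspection table. strict=False reproduces the scenario's flaw."""

    def __init__(self, strict):
        self.strict = strict
        self.flows = set()         # (nat_ip, nat_port, remote_ip, remote_port)

    def record_outbound(self, nat_ip, nat_port, remote_ip, remote_port):
        # Entry written when the CEO's connection is NATted out of the firewall.
        self.flows.add((nat_ip, nat_port, remote_ip, remote_port))

    def allow_inbound(self, pkt):
        # A bare SYN is always a new connection; an existing flow never justifies it.
        if self.strict and pkt["syn"] and not pkt["ack"]:
            return False
        if self.strict:
            # Strict lookup: the packet's full 4-tuple must match a recorded flow.
            key = (pkt["dst_ip"], pkt["dst_port"], pkt["src_ip"], pkt["src_port"])
            return key in self.flows
        # Loose lookup (the flaw): any flow using this NAT IP and port counts as
        # established, regardless of sender or of whether the packet opens a session.
        return any(f[:2] == (pkt["dst_ip"], pkt["dst_port"]) for f in self.flows)


def firewall_decision(table, pkt):
    """State table is consulted before the ACL, as on most stateful firewalls."""
    if table.allow_inbound(pkt):
        return "ALLOW (state match)"
    if pkt["dst_port"] in INBOUND_BLOCK:
        return "DROP (ACL)"
    return "DROP (no state)"


def run_scenario(strict):
    table = StateTable(strict)
    # Development oversight: the NAT picks source port 443 instead of an ephemeral port.
    table.record_outbound(EXTERNAL_IP, 443, "198.51.100.7", 80)
    # Genuine reply belonging to the CEO's HTTP session.
    reply = {"src_ip": "198.51.100.7", "src_port": 80,
             "dst_ip": EXTERNAL_IP, "dst_port": 443, "syn": False, "ack": True}
    # The malware site opens a brand-new TCP session to the NATted IP on port 443.
    new_syn = {"src_ip": "198.51.100.7", "src_port": 40000,
               "dst_ip": EXTERNAL_IP, "dst_port": 443, "syn": True, "ack": False}
    return firewall_decision(table, reply), firewall_decision(table, new_syn)
```

`run_scenario(False)` allows both packets, which is the hypothetical's leak; `run_scenario(True)` allows the reply and drops the new SYN on the ACL, which is what the configured 443 block was expected to do.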