Firewall opinions wanted please

Rachael Treu rara at navigo.com
Wed Mar 17 20:42:20 UTC 2004


On Wed, Mar 17, 2004 at 02:01:59PM -0500, Matthew Silvey said something to the effect of:
> On Wed, Mar 17, 2004 at 11:57:33AM -0600, Rachael Treu wrote:
> > 
> > As for your assertion that firewalls "reduce the overall security of the 
> > 'net."...can you please elaborate on that, as well?  Other factions might/do
> > argue that it's the other team refusing to lock their doors at night that
> > are perpetuating the flux of bad behavior as a close second to the ignorant
> > and infected.
> > 
> 
> 
> to extend an abstraction:
> 
> these factions are arguing about the lock on the door, but it is the door
> that is important. it is a feature of the house, a means of entering and   
> exiting. if you argue that all doors must have a lock then you can no longer
> have the freedom of design and creation to decide whether your house will
> have a door for pigeons, hamster, cats, or humans without deciding how each
> specific door can be accessed by each specific creature.

By that rationale, why must any houses have doors at all?  

Further, your analogy doesn't, I feel, hold water in this case.
Let's reverse that portion of said abstraction.  I said all doors must
have locks and all edges filters.  I did not expound upon to what extent
those edges are filtered.  Saying that the doors must be locked does not
have anything to do with whether the doors are for pigeons, hamster, cats, 
or humans...  Access control balances this equation.  You can lock a 
pigeon door with a key that the pigeon can bear and the hamster...

Okay...this is getting absurd.  Let's revert to netspeak.  :)

Access control. 

"if you argue that all doors must have a lock then you can no longer
have the freedom of design and creation to decide whether your house will
have a door for pigeons, hamster, cats, or humans without deciding how each
specific door can be accessed by each specific creature."
  
Exactly.  Absolutely!  What is wrong with that?  That is my point.  

This is not an "information wants to be free" argument, guys.  You have a 
network connection, you have a responsibility to ensure that you manage
your risks and also that you do not enable it to be used to harm others.

You build a corporate intranet server and I want to get into it.  Are you 
going to let me?  Or are you going to design it with the intent that only 
corporate hamsters...er...employees can access that specific door?  How 
about your home network?  Mind if I do a little recon and raid your personal 
systems for password and personal info harvesting?  Do you _use_ passwords, 
for that matter?  If the argument is really about a means of entering and 
exiting and not locking or restricting access, then why bother?  Do you
lock the front door to your house?

These wide-swinging doors of which you speak are not practical in terms
of government intelligence.  Or physical border control.  If your doors--
which given what you are describing are actually doorless doorways and more 
closely resemble gaping maws--were appropriate edge deployments, then guards 
should drop from perimeter and border walls, passwords should come off 
machines, encryption should die, ATM PINs should be decommissioned, and so 
on and so forth.  Inarguably people complain that passwords are annoying to
maintain and enter and that firewalls are in the way a lot of the time.  
Thankfully, many of those complaining are outsiders and intruders that 
shouldn't be getting in, too.  I imagine that vehicle thieves find door locks
to be a bit of an impairment to their livelihood, too.

This is about access control.  Not everything out there is meant to be
collected and used by everyone else.  Why do you have doors?  So that 
people can get in.  Why do you lock them?  So that only the appropriate
people can.  The tenet of effective network security is to make the 
holes punched into a network small enough to prevent unauthorized access,
but not so small that functionality is impaired.  

It is the goal of security engineers (the decent ones at least) to 
determine how things like access controls can best serve and protect, 
interoperate with, and withstand the rigors of the network, not the other 
way around.  Now...how is it that a firewall deployed to protect the 
deployer's network crushes the fundamental network purism, kills 
our inner rogue, or pens in our data (free range packets, anyone?)  These
methodologies are not conjured up in order to irritate those managing
the movement of traffic (legitimately).  This is about flow control of 
payload, as are stoplights and turnstiles and credit card companies asking
for your mother's maiden name and photo IDs and taking a number at the 
butcher or DMV...

> if you're selling services that consist of pushing http/dns/smtp/pop3 traffic 
> then you have a much easier time inserting and using any kind of filtering
> system. but if your preventative system stifles the development of new 
> applications then you have a losing situation. any kind of filtering 
> automatically creates a roadblock for network application development. 

If there is no network, there is no netapp development.  Denial of 
Service then presents something other than a roadblock?  Or the hijacking or
prevention of development details and trade secrets?  The owning of a
device or deletion of throngs of data to make room for warez...?  Bandwidth
consumption due to other security violations...?

Develop in-house, behind edge filters.  The only development that edge
filtering gets in the way of is rootkits that the nefarious are testing.
Make use of a competent security professional who knows how to tweak 
filters properly for the task at hand and you won't have any "roadblocks"
except for those trying to roadblock the criminal element...

> all in all the cost of the IT staff is probably less than the cost of lost 
> development time. it sucks, but any delays on a development schedule can 
> translate to potential revenue lost. 

And what kind of cost do you think is realized by your providers who are
required by contract and law to maintain security teams and respond to
security incidents?  You are merely passing the buck here and shifting
collateral damage.

I'm going to try to climb down from this soapbox now.  Remember...we're
all friends here.  Neither side wants to halt innovation or network
utilization.

--ra

-- 
k. rachael treu, CISSP       rara at navigo.com
..quis custodiet ipsos custodes?..
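Added example, not code from the NANOG message above or from either poster: a toy default-deny edge filter that makes the "small holes" point concrete. Only http/dns/smtp/pop3 doors are opened, each to one specific host, everything else inbound is dropped, and when the developers need their new application reachable the filter is tweaked with one narrow rule rather than thrown open. The addresses, hosts, rule names and the `EdgeFilter`/`open_hole` API are all constructed for the illustration.

```python
# Added example, not code from the NANOG thread. A toy default-deny edge
# filter: every "door" is locked unless a rule opens it for a specific
# creature, and a new application gets its own narrow hole, not a wildcard.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Just enough of a packet to make a filtering decision on."""
    direction: str             # "in" (from the net) or "out" (from inside)
    proto: str                 # "tcp" or "udp"
    dst_host: str              # destination address (constructed sample values)
    dst_port: int
    established: bool = False  # reply to a flow the inside already opened


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dst_host: str              # "*" matches any host
    dst_port: int              # 0 matches any port
    action: str                # "allow" or "deny"
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto == p.proto
                and self.dst_host in ("*", p.dst_host)
                and self.dst_port in (0, p.dst_port))


class EdgeFilter:
    """First-match rule list with a stateful shortcut and a default deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def first_match(self, p: Packet) -> Optional[Rule]:
        return next((r for r in self.rules if r.matches(p)), None)

    def decide(self, p: Packet) -> str:
        if p.established:      # replies to inside-initiated flows are let back in
            return "allow"
        rule = self.first_match(p)
        return rule.action if rule else "deny"   # no rule, no door: default deny

    def open_hole(self, direction: str, proto: str, host: str, port: int, why: str) -> None:
        """Tweak the filter for one new application: a single host and port."""
        self.rules.insert(0, Rule(direction, proto, host, port, "allow", why))


def build_policy() -> EdgeFilter:
    """The http/dns/smtp/pop3 shop from the thread, with constructed addresses."""
    return EdgeFilter([
        Rule("in", "tcp", "10.0.0.10", 80, "allow", "public web server"),
        Rule("in", "udp", "10.0.0.53", 53, "allow", "authoritative DNS"),
        Rule("in", "tcp", "10.0.0.25", 25, "allow", "inbound mail"),
        Rule("in", "tcp", "10.0.0.25", 110, "allow", "POP3 for remote staff"),
        Rule("out", "tcp", "*", 0, "allow", "inside may open TCP anywhere"),
        Rule("out", "udp", "*", 53, "allow", "inside may resolve names"),
    ])


def walkthrough() -> dict:
    """Decisions for a few constructed packets, before and after opening a hole."""
    fw = build_policy()
    before = {
        "http_to_web": fw.decide(Packet("in", "tcp", "10.0.0.10", 80)),
        "ssh_to_web": fw.decide(Packet("in", "tcp", "10.0.0.10", 22)),
        "pop3_to_web": fw.decide(Packet("in", "tcp", "10.0.0.10", 110)),
        "new_app_to_devbox": fw.decide(Packet("in", "tcp", "10.0.0.77", 8443)),
        "outbound_https": fw.decide(Packet("out", "tcp", "203.0.113.5", 443)),
        "reply_to_inside_flow": fw.decide(Packet("in", "tcp", "10.0.0.99", 51234, established=True)),
    }
    # The developers want their new application reachable: open one door, not the wall.
    fw.open_hole("in", "tcp", "10.0.0.77", 8443, "dev team's new app (constructed)")
    after = {
        "new_app_to_devbox": fw.decide(Packet("in", "tcp", "10.0.0.77", 8443)),
        "same_port_other_host": fw.decide(Packet("in", "tcp", "10.0.0.10", 8443)),
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, decisions in walkthrough().items():
        for name, verdict in decisions.items():
            print(f"{phase:6s} {name:24s} {verdict}")
```

The point of `open_hole` is the "competent security professional tweaking filters for the task at hand" line: the new port is opened for the one host that needs it, so the same port on the web server stays shut, and the stateful shortcut in `decide` is what keeps ordinary outbound browsing from being a "roadblock" at all.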

More information about the NANOG mailing list