Firewalls - Ease of Use and Maintenance?

-Hammer- bhmccie at gmail.com
Thu Nov 10 15:39:29 UTC 2011


OK. Right off the bat you know I can't and won't. But in some places it 
is common practice to make sure agreements are in place to make sure all 
parties are protected based on how a product is expected/designed to 
perform. I can't say more than that. Realize I'm speaking about things 
that are solely on the vendor. Not "Did you configure the ACL properly?"

What you can Google is the names of companies who have settled out of 
court against various trolling lawsuits vs the names of companies that 
are still in litigation. There is a mix of both manufacturer/vendor and 
end customer. It all depends on the case.

This shouldn't surprise you. If Toyota makes a defective brake and you 
slam into someone else, your insurance covers you. Eventually, if the 
issue scales out to the point that it is obvious that Toyota made a 
defective brake and it is not your fault, some insurance companies 
collectively will go to the government or directly to the manufacturer 
for compensation. This is no different. If you sell me a FW and it 
catches on fire thru no fault of my own and then the public finds out 
that FWs are catching on fire all over the place, it's a good bet that 
that FW vendor will be getting some lawsuits. If a FW vendor reports a 
product to work a certain way and instead, thru a massive vulnerability 
or development oversight, it does not, the same applies. Software. 
Hardware. Physical (fire). Logical (vulnerability). I'm not saying that 
it happens all the time and I'm not even saying it's a general practice. 
What I'm saying is it happens. And depending on your business vertical 
it could be a very real consideration.

COMPLETELY 100% MADE UP HYPOTHETICAL SCENARIO:

I put a FW in. I put proper L3 ACLs in. I block 443 inbound. I didn't 
say I block HTTPS. I block 443. I test it by telnetting from the 
Internet to 1.1.1.1:443 and I am unable to connect. Looks good. A month 
later our CEO is surfing the Internet. Thru a development oversight in 
the product, when I NAT or PAT him to the Internet his source port is 
not pulled from the Ephemeral range but is instead sourced as port 443. 
He of course goes to sites riddled with Malware because that's what CEOs 
do. They click on links. So the Malware website initiates a new TCP 
session to destination port 443 with his NATted IP. The state table has 
an entry for that IP and 443 and even though this is a new TCP session 
the FW lets it thru. The malware site bad guys are able to retrieve 
confidential information about a merger and publish it. The other 
company that we were merging with sues us because the information is 
leaked to the public and adversely impacted their stock value. 
Everything in the above paragraph is able to be documented thru 
forensics and it is indisputable that the FW was properly configured and 
should have blocked it but didn't. The FW did NOT perform as 
advertised/designed. This is NOT the fault of me or my company. If a few 
thousand dollars is at stake nothing may come of this. If tens or 
hundreds of millions of dollars are at stake I promise you that our 
lawyers will be contacting the manufacturer whose product did not 
perform as advertised. They will compensate (in one way or another) us 
for our losses. It's a big ugly world full of lots of lawyers.

-Hammer-

"I was a normal American nerd"
-Jack Herer



On 11/10/2011 09:14 AM, Richard Kulawiec wrote:
> On Thu, Nov 10, 2011 at 08:52:22AM -0600, -Hammer- wrote:
>
>> The other high cost of "free" that people sometimes overlook is
>> liability.
>>
> Please point to an instance (case citation, please) where a commercial
> firewall vendor has been successfully litigated against -- that is, held
> responsible by a court of law for a failure of their product to provide
> the functionality that it's claimed to provide.
>
> ---rsk
>

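The stateful-inspection failure in the hypothetical scenario above, modelled as a toy Python firewall. This is an added example, not code from the post or from any vendor's product; the state table layout, the PAT port selection and the inbound ACL are all constructed for illustration, and the addresses come from the RFC 5737 documentation ranges. It contrasts a state table keyed only on (public IP, public port), which admits a brand-new SYN from a third party once a PAT session has landed on port 443, with a table keyed on the full address/port 4-tuple that also refuses a bare SYN against existing state, which is what a correctly built product would do.

```python
"""Toy model of a stateful firewall with a broken PAT source-port selector.

Constructed example: nothing here reflects a real product's internals.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed addresses (RFC 5737 documentation ranges).
INSIDE_HOST = "192.0.2.10"       # the CEO's workstation
PUBLIC_IP = "198.51.100.1"       # the firewall's outside / NAT address
MALWARE_SITE = "203.0.113.50"    # site the CEO browses to
INTERNET_TESTER = "203.0.113.9"  # host used for the admin's acceptance test
EPHEMERAL = range(49152, 65536)  # IANA dynamic/private port range


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


class StatefulFirewall:
    """strict=False keys state on (public_ip, public_port) only, the weak design.
    strict=True keys state on the full 4-tuple and rejects bare SYNs against it.
    bad_pat=True reproduces the hypothetical defect: PAT sources from port 443."""

    def __init__(self, strict: bool, bad_pat: bool) -> None:
        self.strict = strict
        self.bad_pat = bad_pat
        self.next_port = EPHEMERAL.start
        self.state: Dict[tuple, str] = {}   # state key -> inside host
        self.inbound_deny_ports = {443}     # the admin's L3/L4 ACL: block 443 inbound

    def _pick_source_port(self) -> int:
        if self.bad_pat:
            return 443                      # hypothetical defect, not ephemeral
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->Internet packet and record the session."""
        pub_port = self._pick_source_port()
        if self.strict:
            key = (PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port)
        else:
            key = (PUBLIC_IP, pub_port)
        self.state[key] = pkt.src_ip
        return Packet(PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port, pkt.syn, pkt.ack)

    def inbound(self, pkt: Packet) -> str:
        """Return 'allow' or 'deny' for an Internet->firewall packet."""
        if self.strict:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            new_session = pkt.syn and not pkt.ack
            established = key in self.state and not new_session
        else:
            # Weak match: any peer, any flags, as long as (ip, port) has state.
            established = (pkt.dst_ip, pkt.dst_port) in self.state
        if established:
            return "allow"
        # No state: the inbound ACL applies; 443 is explicitly blocked and
        # everything else is denied by default for new inbound sessions.
        return "deny"


def run_scenario(strict: bool, bad_pat: bool) -> Tuple[str, str, str]:
    """Replay the post's story; returns (acceptance test, legit reply, callback)."""
    fw = StatefulFirewall(strict, bad_pat)
    # 1. Admin tests from the Internet: fresh SYN to public_ip:443 -> should be denied.
    probe = Packet(INTERNET_TESTER, 51000, PUBLIC_IP, 443, syn=True)
    test_result = fw.inbound(probe)
    # 2. A month later the CEO browses; the firewall PATs his outbound SYN.
    xlated = fw.outbound(Packet(INSIDE_HOST, 52345, MALWARE_SITE, 80, syn=True))
    # 3. The site's legitimate SYN/ACK reply must still be admitted.
    reply = Packet(MALWARE_SITE, 80, PUBLIC_IP, xlated.src_port, syn=True, ack=True)
    reply_result = fw.inbound(reply)
    # 4. The site opens a *new* TCP session to public_ip:443 from another port.
    callback = Packet(MALWARE_SITE, 40000, PUBLIC_IP, 443, syn=True)
    return test_result, reply_result, fw.inbound(callback)


if __name__ == "__main__":
    for strict, bad_pat in [(False, True), (True, True), (False, False)]:
        print(f"strict={strict!s:5} bad_pat={bad_pat!s:5} ->", run_scenario(strict, bad_pat))
```

Only the weak state table combined with the bad PAT port yields `("deny", "allow", "allow")`: the acceptance test passes, yet the callback is admitted as "established". The same defect on a product that keys state on the full 4-tuple and checks TCP flags produces `("deny", "allow", "deny")`, which is why a forensic review would pin the leak on the implementation rather than on the ACL.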