[lug] Firewall what a flare of experience

Chris M chrism at peakpeak.com
Tue Aug 1 15:58:09 MDT 2000


> On Tue, Aug 01, 2000 at 02:53:15PM -0600, Chris M wrote:
>> [...]
>>> BUT:
>>> Those vendors are expert in security and they will supplement the OS they
>>> chose with proprietary code to make their product as watertight as they can.
>>> For basic firewalling needs Linux can do a good job as long as the
>>> administrator who configures the firewall knows what she/he is doing.  And
>>> THIS IS THE SORE POINT - many Linux firewalls are set up by folks who aren't
>>> specifically trained in network security.
>> 
>> That is not necessarily true.  Many are set up by top-flight people.
> 
> And those are hacked? Hmmm ....

Think about it.  Every year some big outfit like the FBI or some government
agency (or the New York Times) that has an IT budget that rivals the GNP of
some countries manages to get hacked from the outside. These are outfits
that can buy the best, and have good people.

They are not using Linux for firewalls, if they were, they wouldn't be
around long.

> 
>>> If you hire a security expert to
>>> configure your Linux firewall then it will be strong.  It will have scripts
>>> that check logs and alarm you about intrusion attempts (without too many
>>> false alarms).  But for that amount of money you could also look into a
>>> commercial firewall, especially since port forwarding is still experimental
>>> in Linux (very useful for DMZs = De-Militarized Zones).
>>> 
>>> AND THE TRUE RISK:
>>> Your employees behind the firewall.
>> 
>> Forget them, the discussion is about firewalls.  You can't keep people from
>> running with scissors.  You tell them not to do it is all.  Then hide all
>> the scissors and make it known what happens when they are caught, put
>> filters everywhere, etc.
> 
> And you _really_ think that a firewall can compensate for silly behaviour?

No one said that.  But without one, you may as well publish a list of
passwords on the web.

> None of the recent incidents (Melissa/ILOVEYOU) or reportings on the CERT
> mailing list would have been caught by a firewall.

So what, the firewalls weren't hacked in these cases either. Try to stay on
the topic OK? We're discussing the merits of Linux as a firewall, we aren't
discussing biometric access, viruses, or anything but the merits of Linux as
a firewall.

> Let's face it: firewalls
> were designed to defend against the first wave of attacks (in the 80s and 90s).
> Today's problems are different (mobile code, lack of separation between data
> and code ...). If your toilet can execute scripts chances are high that
> someone will abuse it.

If I can telnet to my toilet something has gone really wrong.

> 
>>> There are plenty of VBA (Visual Basic for
>>> Applications) scripts that can embed themselves during regular browsing.
>>> These scripts do all kinds of little tricks and they have the same kind of
>>> access as the user who infected his (mostly) Internet Explorer.  The only
>>> script I have encountered so far collected information about user's browsing
>>> habits and then tried to upload that info to a main web site.  Very benign -
>>> and detected through a proxy server (the script attempted to upload its info
>>> without a password enough times to trigger network security).  Much worse
>>> things could have happened here!
>> 
>> Many firewalls make an attempt to filter these now.  Linux does not
>> presently.
> 
> Sorry, but you follow marketing mumble. I have been told this on every single
> firewall marketing booth during the last two years--from marketing people.
> I have looked enough at filter code (I wrote some myself) to know how
> ridiculous this is:
> 
> - Today's viruses move too fast. By the time your scanner gets the
> updated virus database it's too late. Most of the recent viruses
> took less than 24h to travel around the world. No chance.

Note the key phrase "make an attempt."  Still better than nothing.

> 
> - Encryption. Put your malicious code on a webpage that's served by
> an SSL enabled server ('Oh look, the little keypad is locked, so it's
> extra secure, isn't it!'). No scanner I know of can crack SSL.
> Or PGP-encrypt your mail (and that's something I would strongly
> suggest to everyone sending business related mails). No chance
> for the scanner ...
> 
> BTW, and just for the record: There _are_ scanners for Linux.

Linux lacks the maturity of other products in this arena, and while many
people in a Windows environment run robust virus scanners that prevent many
problems, Linux servers just don't have much on them these days.  Survey how
many people running Exchange server are scanning for viruses (not perfect,
but better than nothing) versus the number of people using scanners on Linux
hooked into sendmail.  An order of magnitude difference.

> There are a handful of 'open/free' products (www.freshmeat.net) as
> well as commercial products (I just had a look at SAVI from Sophos,
> pretty good for what it attempts, but no chance against encoded streams).
> 
>>> ADVICE:  Disable VBA, only run the latest Java VM, you may even look into
>>> running a browser with less functionality.  I am daring enough to run
>>> Netscape but I don't run IE or Outlook Express for e-mail.
>> 
>> Note that these are problems on the most heavily traveled platforms.  And
>> you can force this with SMS can't you?
> 
> Well, this is the key point: Security _is_ inconvenience (insecure cars
> are way more comfortable!). _This_ is the price a company has to pay for
> its network security. No firewall/scanner/whatsoever can compensate for
> that.

Doesn't have to.  You can't do business without one.  An hour of downtime at
a typical company dwarfs the cost of a PIX.

> 
>>> 
>>> CONCLUSION:
>>> If you really want to be safe buy some consulting time from an established
>>> network security expert (there are some on this list and I am NOT one of
>>> them).  They can tell you what to buy and they can also point out security
>>> risks that you may not even think of.
> 
> Right. And read Spafford/Garfinkel (who say the same ...)
> 
>> And you will get all this when you buy a commercial firewall from a
>> reputable integrator.
> 
> In my experience, the firewall often eats up all the budget and
> then the important consulting won't happen.

I don't sell firewalls to companies like that :)

Chris
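The quoted text above mentions firewall "scripts that check logs and alarm you about intrusion attempts (without too many false alarms)" but shows none. The following is an added example of such a script, not code from this thread or from either poster. It assumes the kernel logs rejected packets in the netfilter LOG line format with a "DROP" log prefix (the thread names no log format or tool), the sample log lines are constructed here, and the window and port thresholds are illustrative. It flags a source only when it is dropped on several distinct ports within a short window, so a host that simply retries one blocked port does not raise an alarm.

```python
"""Scan firewall log lines for probable port probes.

Added example, not code from the original mailing-list thread.  Log lines
are constructed below in netfilter LOG format with a "DROP"/"ACCEPT"
--log-prefix (an assumption; the thread names no format).  Syslog
timestamps carry no year, so one is supplied.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic).  203.0.113.7 walks several
# ports, 198.51.100.4 only retries port 25, 192.0.2.50 is an accepted client.
SAMPLE_LOG = """\
Aug  1 15:58:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=21 SYN
Aug  1 15:58:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN
Aug  1 15:58:02 fw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN
Aug  1 15:58:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40003 DPT=23 SYN
Aug  1 15:58:03 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33000 DPT=25 SYN
Aug  1 15:58:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40004 DPT=25 SYN
Aug  1 15:58:05 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Aug  1 15:58:06 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40005 DPT=80 SYN
Aug  1 15:58:07 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33001 DPT=25 SYN
Aug  1 15:58:08 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40006 DPT=110 SYN
Aug  1 15:58:30 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33002 DPT=25 SYN
Aug  1 16:09:00 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40007 DPT=443 SYN
"""

# Timestamp, host, log prefix (verdict), then the key=value fields we need.
# DPT is optional because ICMP lines carry no destination port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<verdict>\S+) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: .*?DPT=(?P<dpt>\d+))?"
)


def parse_line(line, year=2000):
    """Parse one log line into a dict, or None if it is not a LOG line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return {
        "time": ts,
        "verdict": m.group("verdict"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")) if m.group("dpt") else None,
    }


def drop_counts(lines):
    """Number of DROP lines per source address (ICMP included)."""
    counts = defaultdict(int)
    for rec in map(parse_line, lines):
        if rec and rec["verdict"] == "DROP":
            counts[rec["src"]] += 1
    return dict(counts)


def find_probes(lines, window=timedelta(seconds=60), min_ports=5,
                ignore=frozenset()):
    """Sources dropped on >= min_ports distinct ports inside one window.

    Returns {src: sorted ports of the busiest window}.  Repeated hits on a
    single port, accepted traffic and listed sources never trigger, which
    is what keeps the false-alarm rate down.
    """
    hits = defaultdict(list)  # src -> [(time, dpt)]
    for rec in map(parse_line, lines):
        if rec is None or rec["verdict"] != "DROP" or rec["dpt"] is None:
            continue
        if rec["src"] in ignore:
            continue
        hits[rec["src"]].append((rec["time"], rec["dpt"]))

    probes = {}
    for src, events in hits.items():
        events.sort()
        best = set()
        for i, (t0, _) in enumerate(events):  # slide the window over events
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            probes[src] = sorted(best)
    return probes


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("drops per source:", drop_counts(lines))
    for src, ports in find_probes(lines).items():
        print(f"ALARM: {src} probed ports {ports}")
```

Running the block on the constructed log alarms on 203.0.113.7 only: its six distinct ports fall inside one 60-second window, while the later hit on port 443 is outside it and does not change the verdict. 198.51.100.4 is dropped three times but on a single port, so it is reported in the counts without raising an alarm. Pointing the script at a real file means replacing `SAMPLE_LOG` with the contents of the kernel log and tuning `window` and `min_ports` to the site's noise level.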
