[lug] Firewall what a flare of experience

Nate Duehr nate at natetech.com
Wed Aug 2 11:16:58 MDT 2000


On Tue, Aug 01, 2000 at 02:53:15PM -0600, Chris M wrote:
> 
> > Here is some food for thought:
> > Most of the commercial firewall appliances are based on BSD or Linux.  I spoke
> > with several vendors and this much seems to be fact.
> 
> Like which ones?  Be specific.  Show your work.

Just to add some info...

Nokia FireWall-1 appliances run IPSO, a BSD derivative.  Just one
example.  "Commercial" is an interesting issue these days.  Big boys
like Cisco are building their own code for their own hardware.  (Just an
example...) Others have non-custom hardware and custom code, still
others use PCs with openly available code and call it "commercial".
You have to understand the underlying technology to properly evaluate
the product.

> > BUT:
> > Those vendors are expert in security and they will supplement the OS they
> > chose with proprietary code to make their product as watertight as they can.
> > For basic firewalling needs Linux can do a good job as long as the
> > administrator who configures the firewall knows what she/he is doing.  And
> > THIS IS THE SORE POINT - many Linux firewalls are set up by folks who aren't
> > specifically trained in network security.
> 
> That is not necessarily true.  Many are set up by top-flight people.

Agreed.  Linux firewalls are just as effective as many of the commercial
products when configuration is done properly.  Most folks are using
IPCHAINS on Linux which has the usual limitations of only being a
packet-filter firewall.  Some firewalls do state-tables for connections
and can do more interesting things than packet-filtering.  There are
Linux projects underway in the 2.3 kernels to do this also.  It all
depends on what you need the product to do, and to understand what you
need, you have to understand where the industry standards are today.

> > If you hire a security expert to
> > configure your Linux firewall then it will be strong.  It will have scripts
> > that check logs and alarm you about intrusion attempts (without too many false
> > alarms).  But for that amount of money you could also look into a commercial
> > firewall, especially since port forwarding is still experimental in Linux
> > (very useful for DMZs = De-Militarized Zones).
> > 
> > AND THE TRUE RISK:
> > Your employees behind the firewall.
> 
> Forget them, the discussion is about firewalls.  You can't keep people from
> running with scissors.  You tell them not to do it is all.  Then hide all
> the scissors and make it known what happens when they are caught, put
> filters everywhere, etc.

Security POLICY is far more important for an organization than the
choice of firewall.  What do you allow your employees to do?  What do
you monitor explicitly for inside and outside your network... the list
goes on.

You leave out that if your Linux talent on-board has the ability and the
time to learn, the Linux firewall you have them set up will be
customized to your organization easier and faster than multiple meetings
with a vendor.

Either way, the price ends up about the same... home-grown or
outsourced.  Because no one accounts for the human costs of paying good
admins when they look at home-grown as their best alternative, and no
one looks at recurring maintenance costs of a shrink-wrapped solution
from a vendor.  When you take ALL factors into account, price becomes
similar and you really have a culture and technical product evaluation
question on your hands.

> > There are plenty of VBA (Visual Basic for
> > Applications) scripts that can embed themselves during regular browsing.
> > These scripts do all kinds of little tricks and they have the same kind of
> > access as the user who infected his (mostly) Internet Explorer.  The only
> > script I have encountered so far collected information about user's browsing
> > habits and then tried to upload that info to a main web site.  Very benign -
> > and detected through a proxy server (the script attempted to upload its info
> > without a password enough times to trigger network security).  Much worse
> > things could have happened here!
> 
> Many firewalls make an attempt to filter these now.  Linux does not
> presently.

The choice to run applications that allow VB scripts etc, has nothing to
do with the choice of firewall... unless by culture or technical
requirements elsewhere in your organization the risk is worth it.

VB filtering CAN be done by a proxying-firewall, but why?  Drop VBS from
mail, and educate your users that their machines are for WORK.  I would
bet that most places on the web folks go for WORK are not going to have
this type of malicious code.  Set POLICY.  Enforce it.

> > ADVICE:  Disable VBA, only run the latest Java VM, you may even look into
> > running a browser with less functionality.  I am daring enough to run Netscape
> > but I don't run IE or Outlook Express for e-mail.
> 
> Note that these are problems on the most heavily traveled platforms.  And
> you can force this with SMS can't you?

There are plenty of exploits for Netscape also.  Running Netscape makes
you no safer than running any other browser.  And yes, any IT group
worth their salt will find ways to keep the apps on the user desktop
upgraded.  (Login script installations on NT, etc etc etc...)

> > CONCLUSION:
> > If you really want to be safe buy some consulting time from an established
> > network security expert (there are some on this list and I am NOT one of
> > them).  They can tell you what to buy and they can also point out security
> > risks that you may not even think of.
> 
> And you will get all this when you buy a commercial firewall from a
> reputable integrator.

Asking for an outside professional opinion whether that organization
does the firewall installation or not is always prudent.  A full
security audit from a reputable firm may actually be what you need after
the installation.  If you're serious about security, anyway.  Some folks
(medical industry, banking) have specific certifications and folks who
do those certifications also.

> > Buy insurance if your life depends on the safety of your network because all
> > humans make mistakes and eWeek's OpenHack proved that once again (they used
> > the best of the best in equipment and made only one little mistake).
> > 
> > Ferdinand

Insurance usually does not cover cracking/hacking.  Check with your
carrier.  Lloyds of London is about the only place you can find this
type of insurance, and only if you use specified products and their
preferred security firms.

Look for security professionals with GIAC certifications from SANS.  The
certification requires that at least ten documented attacks from REAL
networks be documented, evaluated, etc.  The tests are published after
being sent in, so you can even review the person's work before hiring
them.  There are also "honors" available.  Last I looked there are only
about 200 people in the world that have this certification.

-- 
Nate Duehr <nate at natetech.com>

GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
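The point made above, that IPCHAINS is only a packet filter while a stateful firewall keeps a table of connections, as an added example that is not part of the original thread: a small Python model of both filter styles run over a constructed outbound web request, its reply, and an unsolicited inbound packet with the ACK bit set. The 10.x.x.x "inside" test and the sample addresses are assumptions for the example.

```python
"""Stateless (ipchains-style) vs. stateful filtering, constructed example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A"


def inside(ip: str) -> bool:
    """Assumption: the protected network is 10.0.0.0/8."""
    return ip.startswith("10.")


def stateless_allow(pkt: Packet) -> bool:
    """Packet filter with no memory: outbound is allowed; inbound is allowed
    only if it looks like a reply (ACK set, not a bare SYN).  It cannot tell
    a genuine reply from any other inbound packet that carries ACK."""
    if inside(pkt.src) and not inside(pkt.dst):
        return True
    if not inside(pkt.src) and inside(pkt.dst):
        return "A" in pkt.flags and pkt.flags != "S"
    return False


class StatefulFilter:
    """Keeps a state table of connections the inside initiated and admits
    inbound packets only when they belong to one of them."""

    def __init__(self) -> None:
        self.conns: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if inside(pkt.src) and not inside(pkt.dst):
            self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if not inside(pkt.src) and inside(pkt.dst):
            # Reverse the tuple: does this answer something we sent out?
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns
        return False


def compare(packets: list[Packet]) -> list[tuple[bool, bool]]:
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in packets]
```

The constructed trace shows the difference: both filters pass the request and its reply, but only the stateful table rejects the unsolicited ACK packet aimed at an inside port nobody connected from.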