[lug] Firewall what a flare of experience

rm at mamma.varadinet.de rm at mamma.varadinet.de
Tue Aug 1 15:32:24 MDT 2000


On Tue, Aug 01, 2000 at 02:53:15PM -0600, Chris M wrote:
>[...]
> > BUT:
> > Those vendors are expert in security and they will supplement the OS they
> > chose with proprietary code to make their product as watertight as they can.
> > For basic firewalling needs Linux can do a good job as long as the
> > administrator who configures the firewall knows what she/he is doing.  And
> > THIS IS THE SORE POINT - many Linux firewalls are set up by folks who aren't
> > specifically trained in network security.
> 
> That is not necessarily true.  Many are set up by top-flight people.

And those are hacked? Hmmm ....

> > If you hire a security expert to
> > configure your Linux firewall then it will be strong.  It will have scritps
> > that check logs and alarm you about intrusion attempts (without too many false
> > alarms).  But for that amount of money you could also look into a commercial
> > firewall, especially since port forwarding is still experimental in Linux
> > (very useful for DMZs = De-Militarized Zones).
> > 
> > AND THE TRUE RISK:
> > Your employees behind the firewall.
> 
> Forget them, the discussion is about firewalls.  You can't keep people from
> running with scissors.  You tell them not to do it is all.  Then hide all
> the scissors and make it known what happens when they are caught, put
> filters everywhere, etc.

And you _really_ think that a firewall can compensate for silly behaviour?
None of the recent incidents (Melissa/ILOVEYOU) or reportings on the CERT
mailing list would have been caught by a firewall. Let's face it: firewalls
where designed to defend the first wave of attacks (in the 80th and 90th).
Todays problems are different (mobile code, lack of separation between data
and code ...). If your toilet can execute scripts chances are high that someone
will abuse it.

> > There are plenty of VBA (Visual Basic for
> > Applications) scripts that can embed themselves during regular browsing.
> > These scripts do all kinds of little tricks and they have the same kind of
> > access as the user who infected his (mostly) Internet Explorer.  The only
> > script I have encountered so far collected information about user's browsing
> > habits and then tried to upload that info to a main web site.  Very benign -
> > and detected through a proxy server (the script attempted to upload its info
> > without a password enough times to trigger network security).  Much worse
> > things could have happened here!
> 
> Many firewalls make an attempt to filter these now.  Linux does not
> presently.

Sorry, but you follow marketing mumble. I have been told this on every single
firewall marketing booth during the last two years--from marketing people.
I have looked enough at filter code (i wrote some myself) to know how ridiculous
this is: 

 - Todays viruses move to fast. By the time your scanner gets the 
   updated virus database it's to late. Most of the recent viruses
   took less than 24h to travel arround the world. No chance.

 - Encryption. Put your malicious code on a webpage that's served by
   an SSL enabled server  ('Oh look, the litle keypad is locked, so it's
   extra secure, isn't it!'). No scanner i know of can crack SSL.
   Or PGP-encrypt your mail (and that's something i would strongly
   suggest to everone sending bussiness related mails). No chance
   for the scanner ...

BTW, and just for the record: There _are_ scanners for Linux. 
There are a handfull of 'open/free' products (www.freshmeat.net) as
well as commercial products (i just had a look at SAVI from Sophos,
pretty good for what it attempts, but no chance against encoded streams).

> > ADVICE:  Disable VBA, only run the latest Java VM, you may even look into
> > running a browser with less functionality.  I am daring enough to run Netscape
> > but I don't run IE or Outlook Express for e-mail.
> 
> Note that these are problems on the most heavily traveled platforms.  And
> you can force this with SMS can't you?

Well, this is the key point: Security _is_ inconvenience (inssecure cars
are way more comfortable!). _This_ is the price a company has to pay for
it's network security. No firewall/scanner/whatsoever can compensate for
that.

> > 
> > CONCLUSION:
> > If you really want to be safe buy some consulting time from an established
> > network security expert (there are some on this list and I am NOT one of
> > them).  They can tell you what to buy and they can also point out security
> > risks that you may not even think of.

Right. And read Spaford/Garfinkel (who say the same ...)

> And you will get all this when you buy a commercial firewall from a
> reputable integrator.

In my experience, the firewall often eats up all the budget and
then the important consulting won't happen.

 Ralf

> Chris
> 
> > Buy insurance if your life depends on the safety of your network because all
> > humans make mistakes and eWeek's OpenHack proved that once again (they used
> > the best of the best in equipment and made only one little mistake).
> > 
> > Ferdinand
> 
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug




More information about the LUG mailing list