Re: Citrix ICA through port 80?

From: Lance Spitzner (lanceat_private)
Date: Mon Feb 14 2000 - 22:10:02 PST


    On Sat, 12 Feb 2000, Crispin Cowan wrote:
    
    > Firewalls are to keep the bad packets out.  Firewalls are completely
    > ineffective at keeping the users in.  They were not designed to contain
    > users, and are completely incapable of containing a determined user.
    
    I'm going to disagree with you on this one :)  Firewalls are
    designed to enforce policy.  They do not work in only "one" direction;
    they work however you configure them to.  You state that firewalls only
    keep users out.  How does a firewall know what is 'out' and what is
    'in'?  It doesn't.  Below you give an example of how traffic can be tunneled;
    any user can do this, in or out.  In general, outbound rules do tend
    to be easier to subvert.  However, with your DNS example, if that is
    allowed inbound, it too can be tunneled.
    
    > For a counter-example to the idea of using firewalls to contain inside
    > users, consider MJR's demo-ware that implemented TCP/IP over top of DNS
    > requests.  If you can get any data at all out, then you can put TCP/IP on
    > top of it, and from there you can do anything.
    
    > Thus for security purposes, firewalls are strictly access control devices
    > to control what outsiders can do to your inside.  Your firewall may be
    > performing some kind of control on what your inside users can pass out,
    > but it is strictly a convenience factor.  A determined user can always
    > push out if they want to.
    
    A firewall is basically an ACL device, definitely agree.  Yes, a determined
    user can subvert outbound access (httptunnel).  However, based on most
    production rulebases I have seen, they can also be subverted inbound.
    
    This is why I am a big fan of proper rule base design.  Personally,
    I feel there is too much discussion on the technical merits of
    competing firewalls, and too little discussion on their implementation (i.e.,
    architecture and rulebase design).
    
    Lance Spitzner
    http://www.enteract.com/~lspitz/papers.html
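The rule-base point made in the message above, as an added worked example that is not part of the original post and uses no real firewall's syntax: a minimal stateless first-match filter, a rule base that only restricts inbound traffic ("inside to anything" outbound), and a tightened one that enumerates egress as well. The address ranges, the internal resolver (10.0.0.53), the web server (10.0.1.80) and the sample flows are all assumptions constructed for the example.

```python
"""Evaluate a first-match packet-filter rule base against sample flows.

Added, hypothetical example (not from the mailing-list post, not any real
firewall's syntax): a minimal stateless first-match filter, a rule base that
only restricts inbound traffic, and a tightened one that enumerates egress too.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: str = "0.0.0.0/0"       # CIDR; default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    comment: str = ""

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


def evaluate(rules: List[Rule], flow: Flow, default: str = "drop") -> str:
    """First matching rule wins; nothing matched means the implicit default drop.

    The filter has no notion of 'inside' or 'outside': direction exists only
    to the extent that the src/dst prefixes in the rules encode it.
    """
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


def audit(rules: List[Rule], flows: Dict[str, Flow]) -> Dict[str, str]:
    """Map each named sample flow to the verdict the rule base gives it."""
    return {name: evaluate(rules, flow) for name, flow in flows.items()}


INSIDE = "10.0.0.0/8"            # assumed internal address space
RESOLVER = "10.0.0.53/32"        # assumed internal recursive resolver
WEBSERVER = "10.0.1.80/32"       # assumed public web server

# Weak rule base: inbound is restricted, outbound is "inside to anything".
WEAK = [
    Rule("accept", dst=WEBSERVER, proto="tcp", dport=80, comment="public web in"),
    Rule("accept", src=INSIDE, comment="any outbound"),
]

# Tightened rule base: same inbound rule, egress enumerated per service.
# Order matters: the resolver's own recursion rule must precede the drop
# that stops every other inside host from reaching external port 53.
TIGHT = [
    Rule("accept", dst=WEBSERVER, proto="tcp", dport=80, comment="public web in"),
    Rule("accept", src=INSIDE, dst=RESOLVER, proto="udp", dport=53, comment="dns to resolver"),
    Rule("accept", src=RESOLVER, proto="udp", dport=53, comment="resolver recursion"),
    Rule("drop", src=INSIDE, proto="udp", dport=53, comment="no direct external dns"),
    Rule("accept", src=INSIDE, proto="tcp", dport=80, comment="http out"),
    Rule("accept", src=INSIDE, proto="tcp", dport=443, comment="https out"),
]

# Constructed sample flows (documentation-range external addresses).
FLOWS = {
    "inbound web":          Flow("198.51.100.7", "10.0.1.80", "tcp", 80),
    "inbound ssh":          Flow("198.51.100.7", "10.0.1.80", "tcp", 22),
    "inside dns->resolver": Flow("10.0.5.20", "10.0.0.53", "udp", 53),
    "inside dns->external": Flow("10.0.5.20", "203.0.113.9", "udp", 53),
    "resolver recursion":   Flow("10.0.0.53", "203.0.113.9", "udp", 53),
    "inside tcp/8080 out":  Flow("10.0.5.20", "203.0.113.9", "tcp", 8080),
}

if __name__ == "__main__":
    weak, tight = audit(WEAK, FLOWS), audit(TIGHT, FLOWS)
    for name in FLOWS:
        print(f"{name:22} weak={weak[name]:6} tight={tight[name]}")
```

Run stand-alone, the script prints the two verdicts side by side for each flow. Both rule bases give the same inbound answers; the difference is entirely in what the filter does with packets leaving the inside, which is exactly the part the filter can only get from the rules it is given. The tightened rule base drops the direct-to-external port 53 flow and the arbitrary outbound port, but it still permits queries through the resolver and HTTP to port 80, so a tunnel riding either of those permitted paths (the DNS and httptunnel cases raised in the thread) still gets data out. Enumerating egress narrows the channel and makes the remaining traffic worth inspecting; it does not make outbound control absolute.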
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:32 PDT