> Lance Spitzner <lanceat_private> 02/15/00 01:10AM >On Sat, 12 Feb 2000, Crispin Cowan wrote: > >> Firewalls are to keep the bad packets out. Firewalls are completely >> ineffective at keeping the users in. They were not designed to contain >> users, and are completely incapable of containing a determined user. > >I'm going to disagree with you on this one :) Firewalls are >designed to enforce policy. They do not work in only "one" direction, >they work however you configure them to. You state the firewalls only >keep users out. How does a firewall know what is 'out' and 'what' is >in, they don't. Below you give an example of how traffic can be tunneled, >any user can do this, in or out. In general, outbound rules do tend >to be easier to subvert. However, with your DNS example, if that is >allowed inbound, it to can be tunneled. > >> For a counter-example to the idea of using firewalls to contain inside >> users, consider MJR's demo-ware that implemented TCP/IP over top of DNS >> requests. If you can get any data at all out, then you can put TCP/IP on >> top of it, and from there you can do anything. > >> Thus for security purposes, firewalls are strictly access control devices >> to control what outsiders can do to your inside. Your firewall may be >> performing some kind of control on what your inside users can pass out, >> but it is strictly a convenience factor. A determined user can always >> push out if they want to. > >A firewall is basically a ACL device, definitely agree. Yes, a determined >user can subvert outbound access (httptunnel). However, based on most >production rulebases I have seen, they can also be subverted inbound. Inbound channels can only be subverted if the consumer of the information evaluates it in a different context than the firewall. It is really about the difference between content and context. Firewalls (hopefully) evaluate the content of the data stream but they must make some assumptions about how the endpoints use that data stream. If you control the inside host that uses the inbound data and you are sure that the inside host and the firewall have the same ideas about what effects the content will have, you are set. If the firewall sees content that it judges to be benign (say ICMP echo payload) but the inside host uses that content for something other than the usual diagnostic pupose (control of a DDoS agent) there are problems. > >This is why I am a big fan of proper rule base design. Personally, >I feel there is too much discussion on the techinical merits of >competing firewalls, and too little discussion on their implementation (i.e., >architecture and rulebase design). Any access control method has some assumptions made during the design phase. The control method can be correct, but it is only effective as long as the assumptions made regarding the environment are correct. I have to agree that more discussion on the implementation of secured networks and environments would be encouraging, at least until I can find the checkbox in the firewall GUI that reads 'Secure the environment surrounding this firewall' - don't think that I have not looked ;-) > >Lance Spitzner >http://www.enteract.com/~lspitz/papers.html Regards, tcw
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:57 PDT