Re: Firewall opinions wanted please
- From: Rachael Treu
- Date: Wed Mar 17 15:07:24 2004
On Wed, Mar 17, 2004 at 02:01:59PM -0500, Matthew Silvey said something to the effect of:
> On Wed, Mar 17, 2004 at 11:57:33AM -0600, Rachael Treu wrote:
> > As for your assertion that firewalls "reduce the overall security of the
> > 'net."...can you please elaborate on that, as well? Other factions might/do
> > argue that it's the other team refusing to lock their doors at night that
> > are perpetuating the flux of bad behavior as a close second to the ignorant
> > and infected.
> To extend an abstraction:
> These factions are arguing about the lock on the door, but it is the door
> that is important. It is a feature of the house, a means of entering and
> exiting. If you argue that all doors must have a lock then you can no longer
> have the freedom of design and creation to decide whether your house will
> have a door for pigeons, hamsters, cats, or humans without deciding how each
> specific door can be accessed by each specific creature.
By that rationale, why must any houses have doors at all?
Further, your analogy doesn't, I feel, hold water in this case.
Let's reverse that portion of said abstraction. I said all doors must
have locks and all edges filters. I did not expound upon to what extent
those edges are filtered. Saying that the doors must be locked does not
have anything to do with whether the doors are for pigeons, hamsters, cats,
or humans... Access control balances this equation. You can lock a
pigeon door with a key that the pigeon can bear and the hamster...
Okay...this is getting absurd. Let's revert to netspeak. :)
"If you argue that all doors must have a lock then you can no longer
have the freedom of design and creation to decide whether your house will
have a door for pigeons, hamsters, cats, or humans without deciding how each
specific door can be accessed by each specific creature."
Exactly. Absolutely! What is wrong with that? That is my point.
This is not an "information wants to be free" argument, guys. You have a
network connection, you have a responsibility to ensure that you manage
your risks and also that you do not enable it to be used to harm others.
You build a corporate intranet server and I want to get into it. Are you
going to let me? Or are you going to design it with the intent that only
corporate hamsters...er...employees can access that specific door. How
about your home network? Mind if I do a little recon and raid your personal
systems for password and personal info harvesting? Do you _use_ passwords,
for that matter? If the argument is really about a means of entering and
exiting and not locking or restricting access, then why bother? Do you
lock the front door to your house?
These wide-swinging doors of which you speak are not practical in terms
of government intelligence. Or physical border control. If your doors--
which given what you are describing are actually doorless doorways and more
closely resemble gaping maws--were appropriate edge deployments, then guards
should drop from perimeter and border walls, passwords should come off
machines, encryption should die, ATM PINs should be decommissioned, and so
on and so forth. Inarguably people complain that passwords are annoying to
maintain and enter and that firewalls are in the way a lot of the time.
Thankfully, many of those complaining are outsiders and intruders that
shouldn't be getting in, too. I imagine that vehicle thieves find door locks
to be a bit of an impairment to their livelihood, too.
This is about access control. Not everything out there is meant to be
collected and used by everyone else. Why do you have doors? So that
people can get in. Why do you lock them? So that only the appropriate
people can. The tenet of effective network security is to make the
holes punched into a network small enough to prevent unauthorized access,
but not so small that functionality is impaired.
It is the goal of security engineers (the decent ones at least) to
determine how things like access controls can best serve and protect,
interoperate with, and withstand the rigors of the network, not the other
way around. Now...how is it that a firewall deployed to protect the
deployer's network is crushing the fundamental network purism or kills
our inner rogue or pens in our data (free range packets, anyone?) These
methodologies are not conjured up in order to irritate those managing
the movement of traffic (legitimately). This is about flow control of
payload, as are stoplights and turnstiles and credit card companies asking
for your mother's maiden name and photo IDs and taking a number at the
butcher or DMV...
> If you're selling services that consist of pushing http/dns/smtp/pop3 traffic
> then you have a much easier time inserting and using any kind of filtering
> system. But if your preventative system stifles the development of new
> applications then you have a losing situation. Any kind of filtering
> automatically creates a roadblock for network application development.
If there is no network, there is no netapp development. Denial of
Service then presents something other than a roadblock? Or the hijacking or
prevention of development details and trade secrets? The owning of a
device or deletion of throngs of data to make room for warez...? Bandwidth
consumption due to other security violations...?
Develop in-house, behind edge filters. The only development that edge
filtering gets in the way of is rootkits that the nefarious are testing.
Make use of a competent security professional who knows how to tweak
filters properly for the task at hand and you won't have any "roadblocks"
except for those trying to roadblock the criminal element...
> In all, the cost of the IT staff is probably less than the cost of lost
> development time. It sucks, but any delays on a development schedule can
> translate to potential revenue lost.
And what kind of cost do you think is realized by your providers who are
required by contract and law to maintain security teams and respond to
security incidents? You are merely passing the buck here and shifting
I'm going to try to climb down from this soapbox now. Remember...we're
all friends here. Neither side wants to halt innovation or network
k. rachael treu, CISSP firstname.lastname@example.org
..quis custodiet ipsos custodes?..