North American Network Operators Group
Re: Firewall opinions wanted please
On Wed, Mar 17, 2004 at 02:01:59PM -0500, Matthew Silvey said something to the effect of:

> On Wed, Mar 17, 2004 at 11:57:33AM -0600, Rachael Treu wrote:
> >
> > As for your assertion that firewalls "reduce the overall security of the
> > 'net."...can you please elaborate on that, as well? Other factions might/do
> > argue that it's the other team refusing to lock their doors at night that
> > are perpetuating the flux of bad behavior as a close second to the ignorant
> > and infected.
> >
>
> to extend an abstraction:
>
> these factions are arguing about the lock on the door, but it is the door
> that is important. it is a feature of the house, a means of entering and
> exiting. if you argue that all doors must have a lock then you can no longer
> have the freedom of design and creation to decide whether your house will
> have a door for pigeons, hamster, cats, or humans without deciding how each
> specific door can be accessed by each specific creature.

By that rationale, why must any houses have doors at all?

Further, your analogy doesn't, I feel, hold water in this case. Let's reverse that portion of said abstraction. I said all doors must have locks and all edges filters. I did not expound upon to what extent those edges are filtered. Saying that the doors must be locked does not have anything to do with whether the doors are for pigeons, hamster, cats, or humans... Access control balances this equation. You can lock a pigeon door with a key that the pigeon can bear and the hamster...

Okay...this is getting absurd. Let's revert to netspeak. :)

Access control.

"if you argue that all doors must have a lock then you can no longer have the freedom of design and creation to decide whether your house will have a door for pigeons, hamster, cats, or humans without deciding how each specific door can be accessed by each specific creature."

Exactly. Absolutely! What is wrong with that? That is my point. This is not an "information wants to be free" argument, guys.

You have a network connection, you have a responsibility to ensure that you manage your risks and also that you do not enable it to be used to harm others.

You build a corporate intranet server and I want to get into it. Are you going to let me? Or are you going to design it with the intent that only corporate hamsters...er...employees can access that specific door?

How about your home network? Mind if I do a little recon and raid your personal systems for password and personal info harvesting? Do you _use_ passwords, for that matter?

If the argument is really about a means of entering and exiting and not locking or restricting access, then why bother? Do you lock the front door to your house?

These wide-swinging doors of which you speak are not practical in terms of government intelligence. Or physical border control. If your doors--which given what you are describing are actually doorless doorways and more closely resemble gaping maws--were appropriate edge deployments, then guards should drop from perimeter and border walls, passwords should come off machines, encryption should die, ATM PINs should be decommissioned, and so on and so forth.

Inarguably people complain that passwords are annoying to maintain and enter and that firewalls are in the way a lot of the time. Thankfully, many of those complaining are outsiders and intruders that shouldn't be getting in, too. I imagine that vehicle thieves find door locks to be a bit of an impairment to their livelihood, too.

This is about access control. Not everything out there is meant to be collected and used by everyone else. Why do you have doors? So that people can get in. Why do you lock them? So that only the appropriate people can.

The tenet of effective network security is to make the holes punched into a network small enough to prevent unauthorized access, but not so small that functionality is impaired.

It is the goal of security engineers (the decent ones at least) to determine how things like access controls can best serve and protect, interoperate with, and withstand the rigors of the network, not the other way around.

Now...how is it that a firewall deployed to protect the deployer's network is crushing the fundamental network purism or kills our inner rogue or pens in our data (free range packets, anyone?)

These methodologies are not conjured up in order to irritate those managing the movement of traffic (legitimately). This is about flow control of payload, as are stoplights and turnstiles and credit card companies asking for your mother's maiden name and photo IDs and taking a number at the butcher or DMV...

> if you're selling services that consist of pushing http/dns/smtp/pop3 traffic
> then you have a much easier time inserting and using any kind of filtering
> system. but if your preventative system stifles the development of new
> applications then you have a losing situation. any kind of filtering
> automatically creates a roadblock for network application development.

If there is no network, there is no netapp development. Denial of Service then presents something other than a roadblock? Or the hijacking or prevention of development details and trade secrets? The owning of a device or deletion of throngs of data to make room for warez...? Bandwidth consumption due to other security violations...?

Develop in-house, behind edge filters. The only development that edge filtering gets in the way of is rootkits that the nefarious are testing. Make use of a competent security professional who knows how to tweak filters properly for the task at hand and you won't have any "roadblocks" except for those trying to roadblock the criminal element...

> all
> in all the cost of the IT staff is probably less than the cost of lost
> development time. it sucks, but any delays on a development schedule can
> translate to potential revenue lost.

And what kind of cost do you think is realized by your providers who are required by contract and law to maintain security teams and respond to security incidents? You are merely passing the buck here and shifting collateral damage.

I'm going to try to climb down from this soapbox now. Remember...we're all friends here. Neither side wants to halt innovation or network utilization.

--ra

--
k. rachael treu, CISSP
firstname.lastname@example.org
..quis custodiet ipsos custodes?..
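The message above argues for access control at the edge: a filter whose holes are small enough to keep unauthorized traffic out but large enough that legitimate use (the "corporate hamsters" reaching the intranet server) still works. The following is an added example, not code from the thread or from either poster: a small first-match, default-deny rule evaluator in Python with a constructed address plan (employees on 10.0.0.0/8, an intranet server at 10.1.2.3, a public web server at 192.0.2.10, an outsider at 203.0.113.9) and a check that the rule set has not been tightened so far that required business flows are dropped. The rule format, the addresses and the flows are all assumptions made for illustration.

```python
"""Default-deny edge filter with a "did we over-tighten?" check.

Constructed example for illustration; rules, addresses and flows are
made up and do not describe any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR the source must fall within
    dst: str               # CIDR the destination must fall within
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any port
    comment: str = ""


# Assumed address plan (constructed): employees on 10.0.0.0/8, intranet
# server 10.1.2.3, public web server 192.0.2.10 (TEST-NET-1 range).
RULES: List[Rule] = [
    Rule("allow", "10.0.0.0/8", "10.1.2.3/32", "tcp", 443, "employees -> intranet over HTTPS"),
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80, "anyone -> public web"),
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443, "anyone -> public web (TLS)"),
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "udp", 53, "employees -> DNS"),
]
DEFAULT_ACTION = "deny"   # anything not explicitly allowed is dropped

Flow = Tuple[str, str, str, int]   # (src, dst, proto, dport)


def evaluate(src: str, dst: str, proto: str, dport: int,
             rules: List[Rule] = RULES,
             default: str = DEFAULT_ACTION) -> Tuple[str, str]:
    """Return (action, reason) from the first matching rule, else the default."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and r.proto in ("any", proto)
                and (r.dport is None or r.dport == dport)):
            return r.action, r.comment
    return default, "no rule matched; default policy applied"


# Constructed sample flows: one legitimate employee, one outsider.
SAMPLE_FLOWS: List[Flow] = [
    ("10.5.6.7", "10.1.2.3", "tcp", 443),       # employee -> intranet
    ("203.0.113.9", "10.1.2.3", "tcp", 443),    # outsider -> intranet
    ("203.0.113.9", "192.0.2.10", "tcp", 80),   # outsider -> public web
    ("203.0.113.9", "10.9.9.9", "tcp", 22),     # outsider -> internal SSH
]

# Flows the business needs; if the filter drops any of these, the holes
# have been made too small (functionality impaired).
REQUIRED_FLOWS: List[Flow] = [
    ("10.5.6.7", "10.1.2.3", "tcp", 443),       # staff must reach intranet
    ("10.5.6.7", "10.0.0.53", "udp", 53),       # staff must resolve names
]


def audit(flows: List[Flow] = SAMPLE_FLOWS,
          rules: List[Rule] = RULES) -> List[Tuple[Flow, str]]:
    """Classify each flow under the rule set."""
    return [(f, evaluate(*f, rules=rules)[0]) for f in flows]


def blocked_required(required: List[Flow] = REQUIRED_FLOWS,
                     rules: List[Rule] = RULES) -> List[Flow]:
    """Required flows the filter would drop: evidence of over-tightening."""
    return [f for f in required if evaluate(*f, rules=rules)[0] != "allow"]


if __name__ == "__main__":
    for flow, verdict in audit():
        print(f"{verdict:5s}  {flow}")
    print("over-tightened:", blocked_required() or "no")
```

Running the block prints the verdict for each constructed flow; the employee and the public web hit are allowed, the outsider's attempts at the intranet server and internal SSH fall through to the default deny. `blocked_required` is the second half of the tenet: drop the DNS rule from `RULES` and it reports the staff name-resolution flow as blocked, which is the signal that a filter change has broken legitimate use rather than just closing a hole.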