I can almost see the surface of my desk today, so I suppose it's
time to summarize the birds-of-a-feather discussion about firewalls
which went on from 2000 to about 2210 during the Fourth Usenix Security
Symposium in Santa Clara, CA (Oct 5, 1993).
I have tried to identify people whenever possible. After the first time,
the person will be identified by their initials inside of square
brackets. [Editorial comments also appear inside of square brackets.]
Un-identified persons are referred to as [UP]. This goes on for another
260 lines, so if you want to skip ahead ...
Ying-da Lee [YL] led off by announcing the beta version of his version
of socks, 4.1, which he said had gone out to 20 people so far, and seems
to have no major problems.
Steve Bellovin [SB] suggested that Bill LeFebvre's shared library was a
better solution because everything didn't need to be relinked.
YL: You need source to solve problems. [no debate ensued.] YL went
on to describe socks at Brent Chapman's [BC] request--a server which
runs via inetd on port 1080. Connect and bind are replaced in client
software by rconnect and rbind which use access control lists in the
sockd server (which is run on a gateway), and which will pass through
permitted connections (run a proxy service). Currently telnet, ftp,
finger, gopher, and xmosaic clients are supported. David Koblas did
original socks. Next big project is to make it more portable (runs on
Suns, HP, AIX, SGI), and an unidentified person [UP] said he had ported
it to Univel.
4.1 beta can run on multi-homed hosts. The ident daemon [a source of
much debate on this list] is used to identify users (RFC 1413).
Software available from
ftp.inoc.dl.nec.com:/pub/security/socks.cstc
and a support mailing list from socks-request@inoc.dl.nec.com.
UP: What about load?
Paul Moriarty [PM]: Not much load (an early version on a 5 mips machine
supported 600 users).
BC: [Brent tries some raising-of-hands polling, about 120 people present]
5 Universities with firewalls
3 sites using commercial products
5 sites with dual homed hosts
14 filtering only
14 combinations of filtering and dual homed hosts
[all numbers are approximate...]
Mike Ressler [MR]: What is your definition of firewalls?
BC: Allows you to use your network services while protecting you from
[users on] external networks.
SB: [who is writing a book with Bill Cheswick about network security]
Three types of firewalls:
1. packet filter (works at network layer, one packet at-a-time,
no content checking);
2. application gateway, for example, a mail server;
3. a transport layer connection to the firewall [eg, socks].
[At this point, a "debate" broke out between MR, Ed Gould [EG], and SB
about effectiveness of firewalls. I'll try to hit high points...]
EG: If someone breaks into our internal net via a modem [on an internal
machine], we use chokes on outgoing traffic [sounds like DEC SEAL
product].
MR: What is an internal firewall called?
SB: A firewall. Really no difference. Firewalls pose an
administrative policy on network use.
EG: The Internet is a collection of smaller networks. No difference
between defending against Internet attacks and attacks from one internal
net against another [most security incidents are inside jobs...]
UP: What about connecting to another entity with which you have a
contractual relationship?
EG: You use your firewall to implement policy [very approximately what
he said].
UP: How many persons allow writeable ftp sites? [about 12]
Ed DeHart [ED]: CERT recommends no drop off directories unless you
require it. [People have learned that ftp sites make dandy places for
exchanging cracking tools, stolen software, pornographic images...]
Recommend that you change the source to protect drop off directories
[access control for trusted sites]. Or create an execute-only directory
and use writeable subdirectories with password-like names for trusted
sites.
Danny from Tandy [DT]: When we want a software upgrade from Cisco, we
telnet to them, request a download. Then they set up an ftp request TO
tandy to deliver software.
SB: Open up ftp for cisco, and close it down when done.
EH: The dark side of ftp is that the FBI and Department of Justice fear
that a site used [unknowingly] for software piracy could have a civil
suit filed against them.
SB: I have seen drop off and pickup within 10 minutes, after which
files were deleted. [SB works with a well-monitored firewall; see
"There Be Dragons" in Third Usenix Security Symposium Proceedings]
UP: I have seen something like the cisco arrangement when getting PEM
[privacy enhanced mail, includes "restricted to US" RSA technology]
where you get a directory name from TIS, and have ten minutes to ftp and
get the source.
EG: Two step handshake to give notice.
SB: FTP data is inherently insecure [other site initiates connection
from a privileged port, ftp data]. You could do transfer in passive
mode, where client requests transfer (RFC 1123).
UP: Have you released the code to do this?
SB: Two hours of hacking. Have tried to get it into NCR code.
UP: How many people have diodes [only allow outgoing ftp]? [about
half]
UP: Publicly writeable /pub? [no answers]
EH: Don't do it. You'll have .rhosts and .forward files in no time.
Correctly setup ftp [with directories owned by root, not the ftp
user] and you should be safe.
BC: I have heard of someone who is creating a stripped down BSD/386
system which is burned into CDROM for specific purposes [such as running
on a firewall host or gateway--can't be modified].
Johanna [J]: We have a very stripped down host we use for running ftp.
SB: Remove things you don't need--you don't have to trust the buggy
software you don't run.
UP: List of safe/unsafe software?
BC: That's backwards. If you don't need it, get rid of it. You'd be
amazed at how little you need to run a bastion host. And start
everything from inetd using tcp_wrappers.
UP: Use a sendmail replacement?
BC: Sometime soon. The problem is you connect to the SMTP port
which is running a privileged process [sendmail]. A solution is to let
a daemon collect requests and put them in a queue, where another process
will handle them. A good design.
SB: SMTP is a simple protocol--isolate it on a firewall machine.
Sendmail has it wrong--talk to one process on the gateway and another to
pass it "over the wall".
1. Mailers cross protection domains. A requirement that mailer
can change ownership from send to recipient.
2. Also, mailbox is a virtual concept--doesn't have to be a
file.
Mail was moved from the user's home directory to /usr/spool in version 7
UNIX [about 1978].
UP: Telnet to allow certain partners to use certain services?
SB: Set up a circuit.
UP: Sure. Use TCPR to set up a circuit through the gateway.
Jon Boot: Two competing companies need to work at the same site. Which
accounts do you allow access to? [JB works at a supercomputing site.]
Do you control access based on source network address?
SB: Have them telnet into the gateway host, and rlogin from there.
UP: IP falsifying attacks?
SB: I wouldn't say they are impossible. Robert Morris Jr. successfully
injected packets [sequence number attack, where packets are
"manufactured" to have the same sequence number as real packets which
follow shortly].
Me: What about source route attacks?
BC: Configure your routers against it.
SB: Tunneling will become more of a problem as time goes on.
MR: What about Swipe[?]?
SB: Don't let it in even if it is encrypted. It's a matter of policy.
I don't trust Matt Blaze's machine because I haven't audited it.
MR: Bell Labs doesn't use Swipe? [MR works for Bellcore]
SB: Not an issue for me. More concerned about tunneling.
UP: We are using hardware encryption.
SB: AT&T OEMs Xerox Semaphore, UUNET also has a box.
Me: Morningstar Technoligies' new router can encrypt at 56-64 kilobits
per second.
JB: Restrict who people talk to by using static routes?
BC: Break root, add routes. I believe in filtering.
SB: Whether you use filtering or routing, it is an issue of transitive
trust.
Frank of TIS: Login via a proxy service to a captive account.
Man from DEC: We use a tunnel from outside of the firewall to the
other end of tunnel inside the firewall for order from DEC.
UP: How do you handle RPC?
BC: Filter out UDP.
Marcus Ranum [MR]: If someone gets on the machine, you're screwed.
SB: We believe in protection in depth.
UP: How do you get in while traveling?
SB: We use SecureNet key to get in. Response-challenge to gateway,
rlogin [no password] to home machine. Bill Cheswick is rebuilding
gateway the third time.
UP: Assume everything is monitored.
SB: Don't trust anything.
MR: We have SKey [designed at Bell Labs]. It keeps a numbered list of
pass keys [one-time keys] and asks for a certain numbered key. If
someone travels a lot, give them a SecureNet key. If they travel some,
they can use a SecureNet from a pool. For occasional travelers, use
SKey.
BC: Across a firewall, provide mail, news, telnet, ftp, and dns, and
people won't know or care there's a firewall there.
MR: We are using the Internet as a backbone. Extending our perimeter
across the Internet. First, centralize policy. All run at same level
of security. Next, set up three bastion hosts for redundancy. A lot of
what we will provide will be NFS...
SB: We monitor routes used internally.
BC: Scan all hosts and all ports and look for connections where they
shouldn't be.
MR: Use a static route on your gateway.
BC: Good idea. Routing is simple on gateway machines. [another poll.
How many sites have full time security people? 11. Six sites have full
time auditors.]
[End of BOF. I certainly noticed how the quantity of notes taken petered
off about halfway through. If a debate got too interesting, notes also
suffered. After the BOF, Marcus Ranum mentioned that Trusted
Information Systems, TIS, who setup WhiteHouse.Gov, will hopefully be
providing software and information about setting up a firewall.
The software should include SKey, the programs
necessary for using one-time keys. This should be a real boon for those
of us who travel some and don't have deep pockets...]
Rik Farrow
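The SKey scheme Marcus Ranum described above (a numbered list of one-time keys, with the gateway asking for a particular number) is a hash chain. The following is an added illustration of that mechanism, written for these notes; it is not code from the BOF, from Bell Labs, or from TIS. It assumes SHA-256 as the chain function (RFC 1760 S/Key actually uses MD4 folded to 64 bits) and uses a constructed passphrase and seed. The point it shows: the gateway stores only the most recent key it has accepted, checks that hashing a response reproduces it, and then steps its counter down, so a captured key is useless a second time and does not reveal the next one.

```python
import hashlib


def otp_hash(value: bytes) -> bytes:
    """One step of the one-way chain. Assumption: SHA-256 stands in for
    the folded MD4 of RFC 1760; the structure is the same."""
    return hashlib.sha256(value).digest()


def make_chain(passphrase: str, seed: str, count: int) -> list:
    """Return [h^0(s), h^1(s), ..., h^count(s)] with s = passphrase||seed.
    The user's printed list is entries count-1 down to 1; the gateway is
    initialised with entry count only."""
    x = (passphrase + seed).encode()
    chain = [x]
    for _ in range(count):
        x = otp_hash(x)
        chain.append(x)
    return chain


def client_response(passphrase: str, seed: str, n: int) -> bytes:
    """What a traveller computes (or reads off the printed list) when the
    gateway challenges with sequence number n and the seed."""
    return make_chain(passphrase, seed, n)[n]


class SkeyGateway:
    """Gateway side. Stores the last accepted key, never the passphrase."""

    def __init__(self, seed: str, count: int, last_accepted: bytes):
        self.seed = seed
        self.n = count            # number of the key last accepted
        self.last = last_accepted  # h^n(s)

    def challenge(self):
        # Ask for key n-1: the one whose hash is the key we hold.
        return self.n - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.n <= 1:
            return False           # chain exhausted; user must re-initialise
        if otp_hash(response) != self.last:
            return False           # wrong key, or a replay of an older one
        self.last = response       # step the chain down by one
        self.n -= 1
        return True


def demo():
    """Constructed walk-through: one good login, one replay, one more good login."""
    passphrase, seed, count = "correct horse battery", "sc1993", 5
    chain = make_chain(passphrase, seed, count)
    gw = SkeyGateway(seed, count, chain[count])

    n, s = gw.challenge()                       # gateway asks for key 4
    first = gw.verify(client_response(passphrase, s, n))
    replay = gw.verify(chain[4])                # eavesdropper replays key 4
    n, s = gw.challenge()                       # gateway now asks for key 3
    second = gw.verify(client_response(passphrase, s, n))
    return first, replay, second


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Because the gateway holds only h^n(s), an eavesdropper who captures key n-1 would have to invert the hash to obtain key n-2, which is the property the scheme rests on; the gateway also needs no secret beyond the seed and the last key, which suits a host that must be assumed monitored.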