Great Circle Associates Firewalls
(December 1995)

Subject: Re: selection criteria?
From: frankw @ in . net (Frank Willoughby)
Date: Wed, 6 Dec 95 11:52:18 -0500
To: firewalls @ GreatCircle . com

Mike Shaver wrote:

>Thus spake Marcus J. Ranum:
>> 	I played a naughty little game at a conference recently
>> where I polled the room by show-of-hands as to what were the
>> important things they looked for in firewalls. Features, price,
>> and vendor reputation were pretty much the top categories. I'd
>> cheated and left "security" off my list and I thought I was going
>> to get away with it until someone flagged me when I asked "are
>> there any criteria I forgot to put on the list...?"
>
>I'm beginning to feel a little lonely, but am I _really_ the only one
>who sees security as a feature?  In my mind, a feature is "something
>it does".  Whether that's provide a point-and-drool puncture apparatus
>for the packet filtering (mjr-esque "feature") or provide a
>bulletproof defense against IP spoofing (mjr-esque "security") matters
>not.

Mike,

A firewall is first and foremost a security product and should be evaluated
as such.  I am surprised that people aren't evaluating them in that light
and that the people are concentrating on other areas instead.  If you are
purchasing a firewall that is vulnerable to one or more security vulnerabilities,
then the firewall isn't fulfilling its function and you are wasting your
money.

A couple of my favorites:

GUIs
"Hey, cool GUI interface" (forgetting that the GUI itself represents an 
increased risk of a potential security vulnerability which can be exploited 
&/or that it may use X-windows which is another security problem in itself).

Firewall to firewall encryption
An excellent idea - provided that the keys are changed frequently & securely.
A hacker can monitor the traffic (dumping it into a file), crack it, & produce 
the key.  After the key has been compromised, the company's confidential data 
can also be compromised.  How many firewall vendors change the key for each 
session?  Only one that I know of.  (if there are more, please drop me a line).

SecurID.
"Neat. Your firewall uses SecurID."  Forgetting in the process that 
Authentication (of users on the 'net) which isn't tightly coupled 
with Encryption offers *no* protection from Terminal Session Hijacking 
attempts.

The firewall is installed on top of the O/S.
Briefly, putting a secure firewall on an *unsecured* O/S results in
only the illusion of security.  Unless the O/S has been secured (MLS,
hardened O/S, etc), then the O/S is vulnerable to attacks.  If successful,
they can compromise the firewall, and then the LAN/WAN which the firewall
is trying to protect.  The O/S is the weak link in the chain in this case.

Terminal Session Hijacking
You need encryption from the User on the Internet (outside the firewall) 
to the firewall itself.  At last count, a whopping >3< firewall vendors 
have this capability.

TCP Sequence Number Prediction Attacks
"All firewalls can prevent TCP Sequence Number Prediction Attacks."
Sure - IF all of your inside addresses are clean & no one on your
entire network trusts anyone else. This is the way it should be, but
seldom is.  I personally know of a company which has several *thousand*
rogue IP addresses.  Seems that when they did their network planning,
no one ever gave any thought to connecting to the Internet.  <sigh>.
It will cost them a mint to clean up that mess.  They aren't the
only one I am familiar with.  (They have just taken the problem to 
extremes).

Node Spoofing (by itself)
"All firewalls can prevent Node Spoofing."  Again, Sure - if all of 
your inside addresses are clean & you don't trust anyone on the 
outside, then this problem isn't that large.

The above are basic vulnerabilities that have been covered in many
books & papers.  Shame that they aren't given much thought when the
firewalls are enhanced by (most of the) vendors or evaluated by 
customers.


>
>Mike
>(completely secure that, if he is in fact the only one, he will soon
>find out why ;) )
>
>-- 
>#> Mike Shaver (shaver @ ingenia . com) Ingenia Communications Corporation <#
>#>        Technical Specialist -- will tame sendmail(8) for food       <#
>#>                                                                     <#
>#> "You are a very perverse individual, and I think I'd like to get to <#
>#>  know you better." --- eric @ reference . com                        <#
>
>
>

Best Regards,


Frank
Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800   - http://www.fortified.com/fortified

<standard disclaimer>
The opinions expressed above are of the author and may not 
necessarily be representative of Fortified Networks Inc.

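Both the sequence-number prediction and node spoofing points in the post come with the same caveat: the filter only helps if the inside address plan is clean. As an added example (not part of the post, and not any vendor's rule set), the following is the ingress/egress anti-spoofing decision a firewall makes from the arriving interface and the source address, together with the audit that finds the "rogue" inside addresses the post describes. The address plan, the packet records and the function names are all constructed for the example; the inside ranges use documentation address space as stand-ins for a real allocation.

```python
import ipaddress

# Constructed address plan (hypothetical). In practice this is the list of
# ranges the organisation actually registered and assigned internally.
INSIDE_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Source addresses that must never arrive on the outside interface: our own
# inside ranges plus private, loopback and unspecified space.
NEVER_FROM_OUTSIDE = INSIDE_NETS + [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "0.0.0.0/8")
]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def classify_packet(packet):
    """Anti-spoofing decision for one packet.
    packet: dict with 'iface' ('outside' or 'inside'), 'src' and 'dst'.
    Returns ("PASS", "") or ("DROP", reason)."""
    src = ipaddress.ip_address(packet["src"])
    if packet["iface"] == "outside":
        if _in_any(src, NEVER_FROM_OUTSIDE):
            return ("DROP", "inside or bogon source address arriving from outside")
        return ("PASS", "")
    # Inside interface: a source outside the registered plan is either a
    # forged packet or one of the rogue addresses the audit below looks for.
    if not _in_any(src, INSIDE_NETS):
        return ("DROP", "source not in registered inside ranges")
    return ("PASS", "")


def audit_inside_sources(seen_sources):
    """Rogue-address audit: return the inside-interface sources that fall
    outside the registered plan, sorted for stable reporting."""
    rogue = {s for s in seen_sources
             if not _in_any(ipaddress.ip_address(s), INSIDE_NETS)}
    return sorted(rogue)


# Constructed packet records (not captured traffic).
SAMPLE_PACKETS = [
    {"iface": "outside", "src": "203.0.113.7", "dst": "192.0.2.10"},    # normal outside host
    {"iface": "outside", "src": "192.0.2.5", "dst": "192.0.2.10"},      # forged inside source
    {"iface": "outside", "src": "10.1.2.3", "dst": "192.0.2.10"},       # private space from outside
    {"iface": "inside", "src": "192.0.2.20", "dst": "203.0.113.7"},     # registered inside host
    {"iface": "inside", "src": "203.0.113.200", "dst": "203.0.113.7"},  # rogue inside host squatting on someone else's address
]


def run_sample():
    """Apply the decision to every constructed packet; returns the verdicts."""
    return [classify_packet(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for p, v in zip(SAMPLE_PACKETS, run_sample()):
        print(p["iface"], p["src"], "->", p["dst"], v)
    print("rogue inside sources:",
          audit_inside_sources(p["src"] for p in SAMPLE_PACKETS if p["iface"] == "inside"))
```

The last packet is the interesting one: a host inside that took an address belonging to some other network on the Internet. The egress rule drops its traffic, which is correct, but the same host would also be unreachable behind any anti-spoofing rule written for that outside network, and until the plan is cleaned up the outside rule cannot tell a forged inside source from a legitimate one for that range. That is the cleanup cost the post refers to.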
