Great Circle Associates Firewalls
(March 1996)
 


Subject: Re: Firewalls: NT versus UNIX - Reply
From: Jay Tingiris <jtingiris @ gw . paradyne . com>
Date: Wed, 13 Mar 1996 14:07:22 -0500
To: firewalls @ GreatCircle . COM

Wow.  It sounds like I hit a nerve.  My mailbox is overflowing with response
to this thread.  I do, however, intend to summarize my mail at the closure
of this conversation and post it back to the list.  So please continue
to entertain me!

First, I'd like to say that the previous post was only a HYPOTHETICAL situation.
Not one I'm currently working on.  My reason for posting it in the first
place was because of concerns I had (personally) regarding the same issues
as many who have posted replies.  Namely the introduction of said products
that "claim" to be "all-in-one" "firewall" solutions.  More specifically,
my concerns are for the MISINFORMED users/administrators who continually
ask questions (especially on this list) like "What good firewall products
are available for Windows NT?".  To whom my answer would be: "NONE!"

Off topic...

Have you seen "The Net" yet?  Did the villain remind you of Bill Gates
too?
It all sounds like a quote I read once by Douglas Adams: "The idea that
Bill Gates has appeared like a knight in shining armor to lead all customers
out of a mire of technological chaos neatly ignores the fact that it was
he who, by peddling second-rate technology, led them into it in the first
place."

Back on...

Over the past 8 years I've been exposed to almost every type of firewall
scenario.  Apparently, because of capitalism, the old DMZ via a secured
bastion with a strong router acting as a filtering mechanism is recently
starting to give way.  Commercial firewall products are popping up left
and right that claim to do everything for you.  With due reason in my opinion.
The capital expense and the cost of administration for the first scenario
can reach astronomical levels.  Medium to small sized companies are forced
into looking for an alternative if they want to be a part of the Internet
and reap its benefits (or so they think...because they're told by the salesman).
The lambs want their hands held and the solution to sound inexpensive.
Microsoft with their army of third parties are putting their hands out to
the masses like messiahs.  For the trust their customers put in them they
deliver an unreliable, slow, inadequate, inflexible, and insecure firewall/WWW
package deal.  The problem I have is that even that solution costs significantly
more than a FreeBSD or Linux one and it really SHOULDN'T be any easier.
Although, I do concede that right now (at least) it is easier.

So, I spent a little time looking around for some current information on
building a low-cost, easy to setup, and use INTERNET firewall.  Trying to
be as uneducated as possible.  Even knowing all that I know about firewalls,
I couldn't find a single source that outlined a solution for even half
of the original 14 requirements that were listed...for any operating system.
It alarmed me to think that with all the power, flexibility, and HISTORY
that UNIX lends to this application, there isn't a quick and dirty guide
to getting the most bang for your buck as far as firewalls and PCs are
involved.  Instead, you get a cheesy FAQ on what firewalls are that lists
about 5 different products.  Also, a few books (I found extremely enlightening)
are still far too difficult for the lay-person or mediocre administrator
to completely understand.

Does Microsoft win again?  With substandard unreliable products for the
masses?  I personally hope not.  My intent on this thread is to start an
organized and cataloged firewall solutions Web Page for as many configurations
as I can.  Furthermore, I'll leave it up to Microsoft and their new 'Network
Evangelists' (yep, it's really one of their titles!) to push their products.
Maybe with some support from the readers of this list who have also been
setting up and maintaining firewalls/gateways, for long enough to remember
a time when it was rare to see a PC on the net, we can sway the Misinformed
Microsoft Misfits.

"That's just my opinion.  I could be wrong." -- Dennis Miller
Me too...

Jay Tingiris

>>> Ken Hardy <ken @ bridge . com> 03/12 11:53 am >>>
"Rev. Ben" <samman-ben @ CS . YALE . EDU> recently preached:

>One of the problems with a 'low cost firewall' is that inevitably it's
>not a secure setup and could lead to a false sense of security.

Please present a mathematical proof that correlates cost to security.  ;->
There is no such inevitability.  Though you certainly need to be up to
speed on a lot of issues if you're going to roll your own, it's entirely
possible to create a quite secure 'wall.  The difficulty depends in part,
of course on the scope of what you're trying to accomplish (the original
poster seems to want to accomplish quite a lot), and it certainly requires
a non-trivial level of expertise.
Nevertheless, the most expensive commercial firewall, poorly administered,
could be a lot less secure.

I agree that you probably (not "inevitably") have a better chance of getting
it right with a *good* commercial tool.  But certainly you know that just
because it has a slick brochure and costs a lot doesn't mean it's good.
 Or well administered.

>Um.  As someone who is admittedly NOT a firewalls professional, 

Ah-hah!   (No, we still appreciate your thoughtful input. :-)

>*	The idea of a firewall is to minimize the number of uses a machine
>has.  The less it is used, the easier it is to nail it down and minimize
>your security perimeter.  When you start adding services to your firewall
>you start increasing the size of your security perimeter.  In this case
>you've basically got a proxy box on steroids there.  It would be no
>harder to break into this machine and then use it to exploit a machine
>behind the 'firewall' than to simply hit one of the machines behind the
>firewall.

 *  I would classify various firewall functions under the single "use"
    of firewall machine.  Splitting your functions among n number of
    machines means that you've got n times the number of machines to
    securely administer and n times the chance of screwing up.  You've
    also got n times the frequency of hardware failure bringing down at
    least a part of your perimeter, and you need n times the (properly
    configured) hot backup machines, if that's part of your policy.

    Note that I agree that *only* firewall functions belong on the
    firewall.  Some of the original poster's bulleted items (servers &
    caches, e.g.) are not strictly speaking, IMHO, firewall functions,
    and likely belong elsewhere.  The idea is to keep the processes
    running on the firewall as pure and simple as possible, but if
    you're going to run them, I don't see a direct correlation of risk
    to how many of them are on one box.  (I'm assuming, of course, that
    the machine can handle all you ask of it; we're talking strictly
    security not performance.)

    If, say, your HTTP proxy is going to compromise your security
    perimeter, you're as thoroughly toasted if said proxy is one of
    five machines instead of one of one.  Maybe your mail proxy is
    still relatively safe, but the real prize is on the inside where
    the number of perimeter machines is irrelevant once one of them is
    broached.

    I do agree, however, that if you take your comment, "The less it is
    used, the easier it is to nail it down" to its logical conclusion,
    it's very secure; don't use it at all, unplug it, and put it in a
    vault.  That's security!  ;-)

 *  By more clearly defining precisely what functions you want to put
    where in what sort of topology, we could probably come up with a
    more secure scenario, but that's due to the structure of the
    relationship between the boxes and the processes on them, not
    *just* because they're on separate boxes.  We'd probably throw a
    few screening routers into the equation, too.

As to what Jay wanted, it definitely could be put together with a cheap
or discard x86 box and free software.  Using discards, you probably could
get multiple machines for under $2K; they probably needn't be
Pentiums or Sparcs.  Putting *all* that on a single "firewall" machine
would definitely lower the level of confidence in its own security (and
maybe require a Pentium?)  However, it would *definitely* cost more than
$2K worth of someone's time to do it.  But maybe they have the time and
not the cash.

- KHC

Matthew Curtin wrote...

"I fear that we're going to start seeing lots of these silly machines start
coming up ... everything in one. A bad idea for security, a bad idea for
service ... but they, like so many other dumb things that people with
money claim to "need," will probably become successful products from the
perspective of marketing and profitability. Sigh."

Now considering we are nearly, if not actually, at the point of needing
these types of setups on every single machine, don't you think we need
to rethink the belief that there needs to be a separate machine for each
critical service? I mean, with Java doing what it can do, a gatekeeper
needs the ability to remotely configure a firewall on every single machine
*within* his/her organization in order to ensure that rogue programs that
can get through the firewall aren't able to do things on, or to, those
internal machines.

With the "browser" concept catching on like wild-fire, and all these applications
coming about which use the same port, it's getting to the point where the
philosophy of a firewall (something that allows you to grant or deny services
based on a combination of things including a service port) is getting
thrown to the dogs. If, through HTTP, I can download and unknowingly execute
an application that can do FTP or PING or whatever, then the LAN has to
be treated as being as hostile as the external or untrusted network.

The solution, in my mind, is not to try and filter out these rogue applications
at the firewall but to make a tool that a gatekeeper can administer that
allows him/her to allow or deny services on individual machines, in addition
to a normal firewall. It will sure make security administration a far
more complex matter, but in the face of the overwhelming desire to do
these things I don't see that there is much else that can be done. At
least it will make your jobs more important! ;-]

I had a conversation recently with a major manufacturer of computers who
were talking about a PC administration tool which would work through any
browser and allow the user to do remote control, that is, take over a
keyboard and do real time screen captures, all using a little HTTP daemon
to be run on the workstation. When I asked how they planned to secure
the product, they said they had been thinking about SSL. All I could do
was throw my hands up and cry uncle!

Where's the LAN-based VPN???

Cheers,
Russ





