Great Circle Associates Firewalls
(October 1996)
 


Subject: Re: Firewalls
From: Adam Shostack <adam @ homeport . org>
Date: Fri, 18 Oct 1996 11:48:35 -0500 (EST)
To: dtshin @ bulldog . ca (Dan Tshin)
Cc: Firewalls @ GreatCircle . COM
In-reply-to: <01BBBCE7 . F57874C0 @ belgium . bulldog . ca> from "Dan Tshin" at Oct 18, 96 11:31:51 am

Dan Tshin wrote:
| On Friday, October 18, 1996 4:27 AM, Adam Shostack[SMTP:adam @ homeport . org] wrote:
| >Jonathan Low wrote:
| >	Physical access will get you into most firewalls.  Also, the
| >question you should be asking is 'Did anyone even get through one of
| >those firewalls to attack the network it was defending?'

| >	Unfortunately, it's very embarrassing when your firewall is
| >breached, and no one likes to talk about it.

| Who would be able to respond to such questions? What firewalls have NOT
| been breached? I have Milkyway claiming that no-one has breached their
| firewalls. Would one be able to ask the company itself?
| Which firewalls are *more susceptible* to break-ins?

	If by breach you mean information got through in a way that they
were not allowed to by the rules defined by the user, there are
relatively few breaches.

	There are plenty of packet filters allowing access to an SMTP
mailer with bugs in it that allow access to that machine, and then
probably others.  Is this a breach in the firewall?  I can argue
either way, that the firewall shouldn't be letting packets through to
mailers, or that it should be doing what the user asked it to.

	If you configure a Milky Way to pass all packets (I don't know
if this is even possible), and then someone breaks into one of your
machines, the Milky Way performs as expected, and Milky Way can
convincingly argue that their firewall was not breached.  Your company
may have more trouble making that argument.

	A packet filter can't protect you against things like a buffer
overflow attack in sendmail.  A mail proxy can.  A packet filter is
more able to handle something like CU-SeeMe without writing a lot of
code.  This is a bad thing, since you're more likely to do the
insecure thing, because it's easy.

	I strongly prefer application level protocol filtering.  You
can get a useful boost in security from packet filters, but the people
I work for (banks, hospitals, military contractors) tend to have a
need for strong security that will resist real attacks.

| I have a feeling that I won't get too far asking these questions...

	A good question to ask is what are you worried about?
Hackers?  Professional criminals?  Local law enforcement gone bad?
The KGB?  Insiders?  What attacks are they likely to mount?  How does
your firewall defend against them?

Adam

-- 
"Every year the Republicans campaign like Libertarians, and then go to
Washington and spend like Democrats."

Vote Harry Browne for President.  http://www.harrybrowne96.org
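
The packet-filter versus mail-proxy distinction drawn in the message above, as an added example that is not part of the original post: the filter decides on header fields alone, while the proxy check validates each SMTP command line before it would be relayed to the mailer. The address, rule set, verb whitelist and sample traffic are constructed for illustration.

```python
"""Packet filter vs. application-level SMTP check (added illustration)."""

# Constructed policy: the packet filter passes TCP to the mail host on port 25.
FILTER_RULES = [{"proto": "tcp", "dst": "192.0.2.25", "dport": 25}]

# Proxy policy (assumed for this sketch): a small verb whitelist plus the
# RFC 821 limit of 512 characters per command line, CRLF included.
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
MAX_COMMAND_LINE = 512


def packet_filter_allows(pkt):
    """Header-only decision: the payload is never inspected."""
    return any(
        pkt["proto"] == r["proto"] and pkt["dst"] == r["dst"] and pkt["dport"] == r["dport"]
        for r in FILTER_RULES
    )


def proxy_check(line):
    """Validate one SMTP command line before relaying it to the real mailer."""
    if len(line) > MAX_COMMAND_LINE:
        return False, "line too long"
    if not line.endswith(b"\r\n"):
        return False, "missing CRLF"
    body = line[:-2]
    if any(b < 0x20 or b > 0x7E for b in body):
        return False, "non-printable byte"
    verb = body.split(b" ", 1)[0].upper().decode("ascii")
    if verb not in ALLOWED_VERBS:
        return False, "verb not allowed"
    return True, "ok"


def hdr(payload):
    """Build a constructed packet addressed to the mail host."""
    return {"proto": "tcp", "dst": "192.0.2.25", "dport": 25, "payload": payload}


# Constructed traffic: a normal command, an oversized argument, a blocked verb.
SAMPLES = [
    hdr(b"MAIL FROM:<alice@example.org>\r\n"),
    hdr(b"MAIL FROM:<" + b"A" * 2000 + b">\r\n"),
    hdr(b"VRFY root\r\n"),
]


def compare(samples):
    """Return (packet filter decision, proxy decision) for each sample."""
    return [(packet_filter_allows(p), proxy_check(p["payload"])) for p in samples]
```

All three samples pass the packet filter because they are addressed to port 25; only the proxy check distinguishes the well-formed command from the other two.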




