On Tue, 19 Mar 1996, Marcus J. Ranum wrote:
> jsong @ net (Jenjen Song) writes:
> >By opening email and other business applications on the net, we'll need to
> >set up some virus-checking software to ensure no harmful files/messages be
> >sent through the firewall & into our internal network.
> The problem is that viruses don't come just over the
> Internet. Indeed, I've never gotten one that way - mostly I've
> gotten my viruses through vendor-provided software and through
> floppy disks. If you put virus protection in place at the
> firewall, you're only attacking a small part of the problem,
> and the first time a virus gets through by another means you'll
> quickly be infected.
This being said, I was wondering if anyone else got the impression that
people are trying to make firewalls do more than they really should? I
know that many have paid a lot of money (for a commercial version or to
employees who've put together one from freeware) for these boxes but why
do they have to be the be-all and end-all of their security?
Let's see... a firewall must filter traffic coming in, maybe filter on
the way out, basically safely passing traffic in either direction based
on the rules set forth. It needs to know protocols of the service and
maybe assist in the safe passage of that service. Basically stop the
bad guys in some way (yes, it's an oversimplification, I'm not writing
a dissertation here :-).
But does a firewall have to know anything more about email than how to
pass it safely? What about ftp? Does it have to scan every byte on a
transfer? Does a firewall even have to be a server?
The failure is not in the firewall or their vendors, but with people
who know nothing more about firewall systems than what they have been
reading in the trade rags. It has only been over the last few years
that these rags have paid this much attention to internet security
other than as a curiosity or when something big happens. And if you
look at the way many of these articles are written, they are assuming
that people have a basic understanding of what a firewall is and what
it "should" do.
I should stop ranting because I am making money from this situation! :-)
But I can't tell you how many times I have been called to consult with
a client about connecting to the internet and/or firewalls following an
article in one of these rags. And the conversation is usually the
same: the client does not have a clue as to what their security issues
are nor any idea about what they want in their security policy. But
they want to connect to the internet or they're (rightfully) worried
that someone is breaking into their network. And they convey this by
reciting these articles paragraph by paragraph, forgetting that I read
the same articles!
Instead of trying to put the onus on the firewall, how about trying one
(or more) of the following:
1) If you want to have email scanned, tell your inbound SMTP
proxy to forward the mail to a system with the appropriate
software to scan and distribute the mail properly. You can
easily set this up with smap/smapd and all you're responsible
for is the scanning software.
Watch out for this scanning software. I once had a product
from a very well known company call a text file compressed with
GNU's gzip infected only because something happened to match
one of the patterns it was searching for. Never let it fix
gzip'ed files! :-)
2) If you want to have ftp scanned, set up an email-based ftp
service and scan the incoming items like you would email. In
fact, if you do #1, then all you have to do is not allow
outbound ftp and get software to do the ftp for you. The last
time I checked, you can pick up a copy of ftpmail from
gatekeeper.dec.com, which should do the trick.
3) Scanning WWW transactions may be more difficult. While proxying
httpd may be within the scope of what a firewall should do, I
am having a difficult time with (the concept of) caching
proxies. Yes, I understand the performance issues, but does
this have to happen on a firewall?? Why not set up a caching
server in the DMZ. This way you let the firewall proxy, the
server in the DMZ serve, and whatever scanning software you
want running on the server and not on the firewall. Who knows,
maybe this is a better way to implement Java filters!
The firewall should do what a firewall does best and it should not be
looked upon as the all inclusive security box. If you are trying to do
this, may I suggest you examine the policy you are trying to implement
and (possibly) rethink your plans.
(gee... how many people are going to flame me this time! :-)
scott barman
DISCLAIMER: I speak to anyone who will listen, and I speak only for myself.
Q: What do sneakers and the NCAA's Sweet 16 have in common?
A: No Heels!
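The scan-and-distribute host from item 1 of the post above, sketched as an added example that is not part of the original message and is not smap/smapd code: it assumes the mail reaches the scanning host as a raw RFC 822 message (bytes) and that the scanner is a caller-supplied callable (the `demo_scanner` here is a hypothetical stand-in for a real product). Following the gzip caveat in the post, gzip'ed attachments are never rewritten; the container is only verified and its decompressed contents are what gets scanned.

```python
import email
import gzip
import zlib
from email import policy
from email.message import EmailMessage

GZIP_MAGIC = b"\x1f\x8b"
SAMPLE_GZIP = gzip.compress(b"quarterly figures: nothing unusual\n")  # constructed
SAMPLE_GZIP_HIT = gzip.compress(b"TEST-MARKER-DO-NOT-DELIVER")  # constructed

def build_sample_message(attachment, filename, subtype="octet-stream"):
    """Constructed RFC 822 message (bytes) with one binary attachment; not real traffic."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "scan-and-distribute demo"
    msg.set_content("see attached")
    msg.add_attachment(attachment, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()

def decompress_gzip(data):
    """Decompressed bytes, or None if the container is malformed. Verify only; never rewrite."""
    try:
        return gzip.decompress(data)
    except (OSError, EOFError, zlib.error):
        return None

def demo_scanner(data):
    """Hypothetical scanner standing in for a real product: flags only a constructed marker."""
    return b"TEST-MARKER-DO-NOT-DELIVER" in data

def scan_message(raw, scanner=demo_scanner):
    """Return ('deliver' | 'quarantine', [(filename, reason), ...]) for a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if data.startswith(GZIP_MAGIC):
            # Scan the member's contents, not the compressed bytes, so a pattern that
            # merely occurs in compressed data (the post's false positive) is not matched.
            inner = decompress_gzip(data)
            if inner is None:
                findings.append((name, "malformed gzip container"))  # cannot inspect it
                continue
            data = inner
        if scanner(data):
            findings.append((name, "scanner hit"))
    return ("quarantine" if findings else "deliver"), findings
```

The decision and findings are returned rather than acted on, so the same function can drive either delivery to the internal mail host or a quarantine directory.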