Bill Hancock, Ph.D. wrote:
> >stick a sieve on your PC and be done with it? It would be a lot cheaper.
>
> I find it very interesting that anyone would take such an attitude about
> any operating environment without truly understanding the nature of the
> problem. The problem is network security and the definition of security
> policy between networks - not what operating environment is used to
> implement same. The selection of any operating environment, including
So you believe that OS security has nothing to do with network security?
I think KM's remark was meant to be a humorous slur against the dumb
box theory of firewalls. I laughed when I read it, but braced myself
for the postings that would follow.
> variants of UNIX, can be argued to be a "sieve" due to the ability to view
> the entire source code of the operating environment(s) (as is the case of
> many UNIX systems) and use that to formulate an attack strategy. Why would
> many reputable vendors of firewall products in the UNIX environment have to
> deliberately "harden" the operating environments to prevent known and
> potential attack profiles if they are truly secure? Is the operating system
> on a router (such as Cisco's IOS) that is being used as a firewall facility
> truly secure and less vulnerable to attack than UNIX or MS-DOS? How do you
> know? What network science backs this up?
So let's fix it by removing memory management and supervisory mode right?
DOS is a giant step backward in terms of security. "Hardening"
generally refers to removing non-essential services. A stripped down
UNIX is pretty lean, no compiler, no shell in the chroot worlds etc.
Furthermore, since UNIX supports memory management and runs the kernel
in an address space inaccessible to user processes it can be used as a
starting point to build trusted operating systems. Trusted OS's can
monitor the moves of programs such as proxys, verify that their
behaviour is permissible and that their binaries are unaltered.
The problem is that even stripped down, UNIX is still big and
complicated. But DOS is too small to protect itself.
>
> Firewall products, such as KA9Q, Karlbridge, FireWall/Plus, etc., are
> proper firewall facilities and do not cause a network compromising
> situation simply because they run on MS-DOS. In fact, at least in the case
> of FireWall/Plus, it takes over the system and MS-DOS is simply used for
> file logging and to get the software loaded into memory. Indeed, it is
So FireWall/Plus has now *become* an operating system. Is it a secure
one? Well, maybe if it can be kept small enough, it could be
analyzed.
> commonly believed that the best security facility for a firewall is a
> secure kernel system where the firewall product IS the code running and not
> under the control of another operating environment. There have been running
> threads on this mailing list over the last year or so that have discussed
> the pros and cons of MS-DOS as a launching OS and these are in the
> firewalls archives. Many knowledgeable persons have provided positive
> opinions on the issue who know more about the subject than you or I and
> have stated, as you will find, that MS-DOS as the launching kernel is NOT a
> bad idea and, in fact, may strengthen the ability to withstand a
> kernel-level assault from the trusted or untrusted sides of the network
> connection to a firewall.
Agreed, it's not a bad idea. Is it as secure as a proxy on a gateway? No.
Why? I can put the proxy in a can and watch it run. Now I'm not
saying that you couldn't make the DOS-launched program as secure.
But by the time you added the memory management capabilities etc
required for that, you would have another OS and you would be right
back to OS security. W/o some independent third party doing analysis,
all I have is your word "trust me it's secure."
Now if one were to start from the ground up to build a special purpose
OS just for firewalling, you could design something incredibly secure.
But it would be a lot of work. And it would require third party
evaluation.
>
> One of the required qualities of a true firewall is that the firewall must
> never, ever allow the trusted (company) network to be attacked using the
> firewall facility itself. In the case of UNIX systems and other operating
> environments, firewall software frequently is an application on top of the
> UNIX environment or has a highly modified UNIX environment to close
> security holes. In either situation, if the firewall software were to
> become disabled, for any reason, the UNIX system could be accessed via the
> network. Since many UNIX systems also include an IP stack on them, that,
> too, may be used to breach the trusted network in the case of firewall
> software failure.
UNIX can protect itself from compromised proxies via chroot envs
and/or secure OS's. The point about the IP stack is interesting, but
I'm not familiar with any IP stack escape related security bugs.
Has anyone ever broken into a system by hacking the IP stack?
But the basis of the argument, "if there's more there, then there's more
to fail" is sound. However the corollary that you suggest "if there's
nothing there, then it must be completely secure" is false.
>
> FireWall/Plus for DOS utilizes the MS-DOS operating system to help ensure
> that if the FireWall/Plus software should fail that the firewall system
> cannot be used to breach the trusted network. FireWall/Plus is a true,
> transparent firewall system. This means that there is not an IP stack on
> the system and if the firewall software should fail, there is absolutely no
> way to get through the network interfaces on the MS-DOS system to the
> trusted network via any protocol. This provides the most secure of
If there is "absolutely no way to get through the network interfaces"
then how does the firewall function. That functionality is there in
the code executing on the box. If the code is overrun, its behaviour
can be modified. Now if all you do is shovel packets in one
interface and out another, w/o anything like proxies, maybe you have
a point about the security of the box itself. But is the box sufficient
for a firewall? How is it better than a router? If it starts to have
anything that resembles processes and a scheduler, then it's an OS.
Claims that it's secure because no one has the source code fail to
take into account the reverse engineering capabilities of hackers.
It's also security by obscurity, which has some merit but cannot be
relied upon in the long term. Perhaps a check box on your order
form, "have you ever engaged in cracking/hacking..." would make it
possible to keep your boxes out of the hands of hackers ;)
> firewall environments: a security kernel approach where the firewall
> software controls all access to or from the system to the exclusion of all
> other types of activities (e.g. routing). In this manner, MS-DOS actually
> complements the security of the product environment. If the firewall
> software should fail, for any reason, there is NO WHERE TO GO and no access
> method via the firewall itself from either the trusted or untrusted sides.
>
How do you know that dumb boxes *always* fail safe? What if the
software failure causes it to evaluate every rule as a "pass"? What
third party has validated your claims?
> While I do not expect to change yours, or any one else's mind, about MS-DOS
> security (in and of itself) and while I agree that components of MS-DOS
> should be taken outside, lined up on a wall and shot in a particularly
> horrific manner, the issue is security of the firewall environment as a
> network security policy implementor. We, at Network-1, have an MS-DOS-based
> product. We also have a pending release of an NT-based firewall product and
> a new version coming up for Windows-95. I regularly warn our customers of
> both our NT and W95 versions that they are not as secure from attack as the
> MS-DOS version due to the nature of the operating environments and the
> primary fact that the NT and W95 products we offer include an IP stack for
> remote management and VPN technologies. This makes them more vulnerable by
> definition (they can be "seen" by the network components on the trusted and
> untrusted sides). A properly configured transparent MS-DOS firewall without
> an actual IP stack is simply not as vulnerable - you can't see it and you
> can't attack it in traditional manner(s) in which firewall systems are
> attacked, including those based on NT and W95.
In this respect, dumber is better. If the "dumb box" is ever used for
web cruising or downloading goodies from the internet, it has no hope
of protecting itself.
> I hope that you consider your responses in the future and remember a very
> valuable lesson I learned in the past - those who know it all must have
> been asked all the questions. I know that I do not know it all as I have
> not been asked all the questions and I spend a lot of time wondering what
> all the answers are to questions unasked...
I found KM's remark humorous. I can understand that if your market is
based on the security of such an approach that you would fail to see
it as such. The MS-DOS launched firewall idea has some merit. I
believe that firewalls implemented on top of a secure OS are more
secure. To some degree *any* firewall is far better than *no*
firewall. Implementations such as the one you describe have the
potential of being very cost-effective, but I place them at the lower
end of the security spectrum. However, according to what I've read in some
packet filter vendors pages, they've come a long way from where
they started by maintaining session state and examining packet data
content.
Mark Riggins
Secure Systems Engineering
AT&T Bell Labs
#include <usual/disclaimer.h>
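The fail-safe question raised above ("what if the software failure causes it to evaluate every rule as a pass?") can be made concrete with a toy packet filter. This is an added example, not code from the post or from any of the products it names; the rule set, addresses and the corrupted-rule failure are all constructed for illustration.

```python
# Added example: a toy stateless packet filter evaluated two ways.
# fail_open_filter() shows the failure mode asked about in the thread:
# an internal error makes the box "pass" traffic. fail_closed_filter()
# treats any error, and any packet no rule matches, as DROP.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "drop"
    src: str             # CIDR the source address must fall in
    dst: str             # CIDR the destination address must fall in
    proto: str           # "tcp", "udp", or "any"
    dport: Optional[int] # None means any destination port

TRUSTED = "10.0.0.0/8"   # constructed sample "trusted" network
RULES = [
    Rule("pass", "0.0.0.0/0", "10.0.0.25/32", "tcp", 25),  # inbound mail relay
    Rule("pass", TRUSTED, "0.0.0.0/0", "tcp", 80),         # outbound web
    Rule("drop", "0.0.0.0/0", "0.0.0.0/0", "any", None),   # explicit default
]

def matches(rule: Rule, pkt: Packet) -> bool:
    # ip_network() raises ValueError on a corrupt rule such as "10.0.0.0/33";
    # that is the "software failure" the two evaluators below react to.
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))

def fail_open_filter(rules: List[Rule], pkt: Packet) -> str:
    """Weak: an exception is swallowed to 'keep the box up' and the packet passes."""
    try:
        for r in rules:
            if matches(r, pkt):
                return r.action
    except Exception:
        pass             # error ignored: falls through to the permissive default
    return "pass"        # no match means let it through: fail-open

def fail_closed_filter(rules: List[Rule], pkt: Packet) -> str:
    """Hardened: first match wins; any error or no match is a DROP."""
    try:
        for r in rules:
            if matches(r, pkt):
                return r.action
    except Exception:
        return "drop"    # a filter that cannot evaluate its rules passes nothing
    return "drop"        # default deny even if the explicit drop rule is missing
```

Prepending one corrupted rule (a /33 mask) is enough to make the fail-open evaluator pass inbound telnet to an internal host that the rule set never allowed, while the fail-closed evaluator drops it.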