Firewalls + ?

Sandy Harris sandy at STORM.CA
Thu Mar 22 02:09:53 EST 2001


Stephen Chowning wrote:

> So my question is, what would be the list of multiple defenses for networks?
> Firewalls, obviously, but what would the others be?

Schneier's recent book "Secrets and Lies" is a fine introduction to these issues.
I'd recommend it to any non-specialist approaching the field. One line worth
quoting here is "security is a process, not a product".

That said, here are the first few things that occur to me:

I've heard people argue we should scrap all the firewalls to force various admins
and vendors to actually do something about host security. Not a position I'd buy,
but thought-provoking.

Anyway, the first defense for any network is good security on its hosts.

The FBI announced last week they'd been tracking a group of evil-doers who'd been
attacking major e-commerce sites. Details are on sans.org. They'd broken into
several dozen sites and taken, among other data, over a million credit card
numbers. How? Using known, published, vulnerabilities, mostly in web servers
running Windows NT. For most or all of these, Microsoft had issued security
alerts and made fixes available. The admins of the victim sites had not applied
those fixes.

That is not just an admin blunder. Management hired them and set the policies
and priorities. Are they competent, trained, adequately paid, ...? What audit
procedures were in place? Did those admins have time to worry about security,
or were they "too busy" helping the CEO get his Powerpoint presentations ready
for the investors?

Nor is it just an NT problem. Mis-administer a Unix box, or anything else, and
it will be insecure too. Back to "security is a process, not a product".

Physical security is an issue. If I can wander into your computer room with a floppy
and reboot your firewall or server from it, I'd be quite surprised if I couldn't
subvert all your security fairly easily. No matter what computer security measures
you have in place, I could almost certainly crash or trash your systems even if I
couldn't take them over.

Personnel security is an issue. If your employees are underpaid, exploited and hate
the company, they may accept bribes or be easily coerced to assist an attack. If
they're not trained about security, or policies are unclear and management not
effective, they may do dumb things that let an attacker in.

Combining those two, consider a disgruntled employee, dishonest contractor or
whatever with a workstation on your corporate LAN, behind the firewall, and
enough technical expertise to intercept messages between other machines on the
LAN, probe for security weaknesses, etc.

DMZs are another defense. There are several variations. One uses two firewalls
or filtering routers with some servers between.

   wild world --- filter_1 ---------------- filter_2 --- main company net
                                |
                           exposed servers

Now if you get by filter_1, you can attack the exposed servers, but not the
main net. To reach that you have to break filter_2 as well. It might be a
different brand of device, different OS, ...

And it might not even connect to filter_1. You might have:

   wild world --- filter_1 -- web proxy ---- filter_2 --- main company net
                           -- mail server --

Now to get at my net, you have to break filter_1, then subvert one of the
servers in my DMZ, then break filter_2. My web users go out via the web
proxy.

Then you add things like roaringpenguin.com's "MIME Defanger" which runs on
a mail server and removes potentially dangerous attachments before delivering
mail, virus checking on the client systems, an intrusion detection system
looking for suspicious activity on your net (or two of them, one in DMZ, one
in main net), ...

VPN is sponsored by SecurityFocus.COM
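The second DMZ diagram in the message above (two filters with the web proxy and mail server between them, and no direct link from filter_1 to filter_2) can be checked as a reachability model. The following is an added example, not code from the original message and not any real firewall's rule syntax; the address plan (RFC 5737 and RFC 1918 ranges), the host roles and the port numbers (25 for mail, 80/443 for the proxy's outbound fetches, 3128 as the proxy's listening port) are assumptions chosen for illustration. It encodes each filter as a first-match rule list with a default drop and asks, for a given source, destination and port, whether every filter on the path accepts the connection. Rules describe the direction in which a connection is opened; replies are assumed to be handled by connection tracking and are not modelled.

```python
"""Reachability model of a two-filter DMZ.

Added illustration; addresses, host roles and ports are assumptions.

    wild world --- filter_1 -- web proxy ---- filter_2 --- main company net
                            -- mail server --
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Union

# Address plan (assumed; RFC 5737 documentation and RFC 1918 private ranges).
DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.0.0.0/8")            # the main company net
INTERNET = "INTERNET"                          # anything in neither net above

WEB_PROXY = ip_network("192.0.2.10/32")        # DMZ host, assumed to listen on 3128
MAIL_RELAY = ip_network("192.0.2.25/32")       # DMZ host
INTERNAL_MAIL = ip_network("10.0.0.25/32")     # inside host the relay exchanges mail with

Scope = Union[IPv4Network, str]


def in_scope(addr: IPv4Address, scope: Scope) -> bool:
    if scope == INTERNET:
        return addr not in DMZ and addr not in INTERNAL
    return addr in scope


def position(addr: IPv4Address) -> int:
    """Where a host sits on the path: 0 = wild world, 1 = DMZ, 2 = main net."""
    if addr in DMZ:
        return 1
    if addr in INTERNAL:
        return 2
    return 0


@dataclass(frozen=True)
class Rule:
    src: Scope
    dst: Scope
    dport: Optional[int]      # None matches any destination port
    action: str               # "ACCEPT" or "DROP"

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (in_scope(src, self.src) and in_scope(dst, self.dst)
                and self.dport in (None, dport))


class Filter:
    """First-match packet filter; anything no rule matches is dropped."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = rules

    def verdict(self, src: IPv4Address, dst: IPv4Address, dport: int) -> str:
        for rule in self.rules:
            if rule.matches(src, dst, dport):
                return rule.action
        return "DROP"


FILTER_1 = Filter("filter_1", [
    Rule(INTERNET, MAIL_RELAY, 25, "ACCEPT"),      # inbound mail reaches only the relay
    Rule(WEB_PROXY, INTERNET, 80, "ACCEPT"),       # proxy fetches pages for inside users
    Rule(WEB_PROXY, INTERNET, 443, "ACCEPT"),
    Rule(MAIL_RELAY, INTERNET, 25, "ACCEPT"),      # relay sends outbound mail
])

FILTER_2 = Filter("filter_2", [
    Rule(INTERNAL, WEB_PROXY, 3128, "ACCEPT"),          # desktops may talk only to the proxy
    Rule(INTERNAL_MAIL, MAIL_RELAY, 25, "ACCEPT"),      # outbound mail leaves via the relay
    Rule(MAIL_RELAY, INTERNAL_MAIL, 25, "ACCEPT"),      # relay hands inbound mail to one host
])


def filters_between(src: IPv4Address, dst: IPv4Address) -> List[Filter]:
    """filter_1 sits between positions 0 and 1, filter_2 between 1 and 2."""
    lo, hi = sorted((position(src), position(dst)))
    return [f for pos, f in ((0, FILTER_1), (1, FILTER_2)) if lo <= pos < hi]


def route(src: str, dst: str) -> List[str]:
    """Names of the filters a connection from src to dst must cross."""
    return [f.name for f in filters_between(ip_address(src), ip_address(dst))]


def permitted(src: str, dst: str, dport: int) -> bool:
    """True only if every filter on the path accepts the connection.
    Traffic that stays inside one zone crosses no filter at all, which is
    exactly the insider-on-the-LAN case raised in the message."""
    s, d = ip_address(src), ip_address(dst)
    return all(f.verdict(s, d, dport) == "ACCEPT" for f in filters_between(s, d))


if __name__ == "__main__":
    checks = [
        ("203.0.113.5", "192.0.2.25", 25, "inbound mail to the relay"),
        ("203.0.113.5", "10.0.0.25", 25, "outside straight to the inside mail host"),
        ("203.0.113.5", "192.0.2.10", 80, "outside probing the proxy"),
        ("10.1.2.3", "203.0.113.5", 80, "desktop bypassing the proxy"),
        ("10.1.2.3", "192.0.2.10", 3128, "desktop using the proxy"),
        ("192.0.2.25", "10.1.2.3", 22, "subverted relay roaming the main net"),
        ("10.1.2.3", "10.0.0.25", 25, "desktop to desktop: never filtered"),
    ]
    for src, dst, port, why in checks:
        via = " -> ".join(route(src, dst)) or "(no filter)"
        state = "ALLOW" if permitted(src, dst, port) else "DENY"
        print(f"{state:5} {src:>12} -> {dst:<12} port {port:<5} via {via:22} {why}")
```

The model does not capture the "different brand, different OS" point: it only says which filter a packet must pass, not how independent the two filters' failure modes are. What it does make visible is the asymmetry the diagram is meant to produce: an outside host can open a connection to exactly one DMZ port, a subverted relay still cannot reach an arbitrary desktop, and two desktops on the same LAN are never filtered at all.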
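The attachment-stripping mail filter mentioned in the message is easier to reason about with the mechanism in front of you. The following is an added example written for this page using Python's standard `email` package; it is not that product's code. The extension and content-type blocklists are assumptions kept deliberately short, and the two sample messages are constructed inline. The filter walks the MIME tree (including nested multiparts and forwarded messages), replaces each dangerous part in place with a plain-text notice, and also copes with a message whose entire body is the executable rather than an attachment.

```python
"""Strip dangerous attachments from a mail message before delivery.

Added illustration, not any real mail filter's code.  Blocklists are assumed.
"""
import email
import os
from email import policy
from email.message import EmailMessage, MIMEPart
from typing import List, Tuple

# Assumed blocklists.  Real filters carry far longer lists and usually
# quarantine or rename rather than silently delete.
DANGEROUS_EXT = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs",
                 ".js", ".wsf", ".hta", ".lnk", ".cpl", ".dll"}
DANGEROUS_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                   "application/hta", "application/x-javascript"}


def is_dangerous(part: MIMEPart) -> bool:
    """Type is checked before the name: the sender controls both and may mismatch them."""
    if part.get_content_type() in DANGEROUS_TYPES:
        return True
    name = part.get_filename()
    if not name:
        return False
    # The last extension is what the receiving desktop acts on, so
    # "invoice.pdf.exe" is caught; trailing spaces and dots are a known dodge.
    ext = os.path.splitext(name.strip().rstrip(".").lower())[1]
    return ext in DANGEROUS_EXT


def notice(name: str, ctype: str) -> MIMEPart:
    """Plain-text stand-in left where the attachment used to be."""
    part = MIMEPart()
    part.set_content("Attachment removed by the mail gateway:\n"
                     f"  name: {name}\n  type: {ctype}\n")
    return part


def defang(msg: MIMEPart) -> List[str]:
    """Replace dangerous parts in place, recursing into nested multiparts and
    forwarded (message/rfc822) parts.  Returns the names of the parts removed."""
    removed: List[str] = []
    if not msg.is_multipart():
        return removed
    parts = msg.get_payload()            # the live list of sub-parts
    for idx, part in enumerate(parts):
        if part.is_multipart():
            removed.extend(defang(part))
        elif is_dangerous(part):
            name = part.get_filename() or "(unnamed)"
            removed.append(name)
            parts[idx] = notice(name, part.get_content_type())
    return removed


def defang_bytes(raw: bytes) -> Tuple[bytes, List[str]]:
    """Parse a raw message, strip it, and return (new raw message, removed names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not msg.is_multipart() and is_dangerous(msg):
        msg.make_mixed()                 # wrap a bare dangerous body so it can be replaced
    removed = defang(msg)
    return msg.as_bytes(), removed


def attachment_names(raw: bytes) -> List[str]:
    """Filenames of the non-body parts, for inspecting a message before and after."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]


def build_sample() -> EmailMessage:
    """Constructed test mail: text body, a harmless .txt and a disguised .exe."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.\n")
    msg.add_attachment("just notes\n", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg


def build_bare_executable() -> EmailMessage:
    """Constructed test mail whose whole body is the executable (no multipart)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Setup"
    msg.set_content(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                    subtype="x-msdownload", filename="a.exe")
    return msg


if __name__ == "__main__":
    raw = build_sample().as_bytes()
    cleaned, removed = defang_bytes(raw)
    print("before:", attachment_names(raw))
    print("removed:", removed)
    print("after:", attachment_names(cleaned))
```

Two details carry most of the security value. The content type is consulted before the filename, because a sender can label an executable `readme.txt` while giving it an executable MIME type, or the reverse; and only the final extension counts, because that is what the recipient's desktop will act on. A filter of this kind belongs on the mail server in the DMZ, in front of the client-side virus checking the message goes on to mention, not instead of it.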