Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network

From: Chuck Swiger (chuck_at_codefab.com)
Date: 05/29/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 29 May 2003 16:40:40 -0400
    

    Paul Robertson wrote:
    > On Wed, 28 May 2003, Hugh Blandford wrote:
    >> Please take into consideration that if they had a firewall, it would be
    >> set up to allow all outbound traffic and let the 'responses' back in. There
    >
    > That's a silly and mostly specious pre-requisite. For instance, most
    > small office users have *no* need for IRC, and given that IRC is *the*
    > major control vector for trojaned machines, why the heck would you allow it
    > outbound from a small office? Nuke 6667/tcp outbound and you decrease the
    > chance of being owned rather significantly, and you break less than 1/2 of
    > 1% of SOHO users.

    Blocking outbound 6667/tcp doesn't decrease the risk of being owned in the sense
    of decreasing the chances that a machine will be compromised by a security
    exploit. Blocking outbound 6667/tcp may decrease the risk that a compromised
    machine will successfully contact an intruder with internal information like
    passwords (and thus reduce the chances of other machines being owned), and sure,
    it will help keep the machine from participating in DDoS attacks which use IRC
    as the control channel.

    > You shouldn't choose "basically no security policy, now what firewall
    > fits?" any more than "Here's a firewall, now what policy should it
    > support?"

    Most users do just that. The problem is that Hugh's "pre-requisite"-- the
    assumption that a firewall should permit all outbound traffic and all responses
    to outbound traffic-- is the de facto policy for many firewall products.

    Why?

    One significant reason is that users tend to believe that security is what
    applies to other people: "the firewall can block other people's connections, but
    heaven forbid that it block any connection I want to make". There's more I want
    to say here, but let me take it up in another thread.

    > If we don't try to do better, things won't get better.

    By "we", who are you talking about? :-)

    I suspect that I'd be doing Paul an injustice to claim that he wasn't
    considering users as well as firewall-wizards in his remark, but it's worth
    remembering and repeating that "we" really ought to mean everybody. If you
    don't view your users as being active and willing participants in the security
    policy, your users will very probably respond by acting as active, *unwilling*
    participants.

    -- 
    -Chuck