Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network
From: Chuck Swiger (chuck_at_codefab.com)
To: email@example.com
Date: Thu, 29 May 2003 16:40:40 -0400
Paul Robertson wrote:
> On Wed, 28 May 2003, Hugh Blandford wrote:
>> Please take into consideration that if they had a firewall, it would be
>> setup to allow all outbound traffic and let the 'responses' back in. There
> That's a silly and mostly specious pre-requisite. For instance, most
> small office users have *no* need for IRC, and given that IRC is *the*
> major control vector for trojaned machines, why the heck would you allow it
> outbound from a small office? Nuke 6667/tcp outbound and you decrease the
> chance of being owned rather significantly, and you break less than 1/2 of
> 1% of SOHO users.
Blocking outbound 6667/tcp doesn't decrease the risk of being owned in the sense
of decreasing the chances that a machine will be compromised by a security
exploit. Blocking outbound 6667/tcp may decrease the risk that a compromised
machine will successfully contact an intruder with internal information like
passwords (and thus reduce the chances of other machines being owned), and sure,
it will help keep the machine from participating in DDoS attacks which use IRC
as the control channel.
> You shouldn't choose "basically no security policy, now what firewall
> fits?" any more than "Here's a firewall, now what policy should it
Most users do just that. The problem is that Hugh's "pre-requisite" -- the
assumption that a firewall should permit all outbound traffic and all responses
to outbound traffic -- is the de facto policy for many firewall products.
One significant reason is that users tend to believe that security is what
applies to other people: "the firewall can block other people's connections, but
heaven forbid that it block any connection I want to make". There's more I want
to say here, but let me take it up in another thread.
> If we don't try to do better, things won't get better.
By "we", who are you talking about? :-)
I suspect that I'd be doing Paul an injustice to claim that he wasn't
considering users as well as firewall-wizards in his remark, but it's worth
remembering and repeating that "we" really ought to mean everybody. If you
don't view your users as being active and willing participants in the security
policy, your users will very probably respond by acting as active, *unwilling*
-- 
-Chuck

_______________________________________________
firewall-wizards mailing list
firstname.lastname@example.org
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
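An added example (my own, not code from the thread or from any firewall product) that models the two policies argued over above, Hugh's "allow all outbound and let the responses back in" premise and Paul's outbound 6667/tcp block, as a toy stateful evaluator run over constructed flow records. The `Flow` type, the addresses and ports, and the verdict strings are all assumptions of this example.

```python
"""Toy stateful egress-policy evaluator (constructed example, not list code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    direction: str   # "out" (from the office) or "in" (from the Internet)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


IRC_PORTS = {6667}   # the port Paul proposes to "nuke" outbound


def allow_all_outbound(flow, state):
    """Hugh's premise: every outbound flow is allowed and its replies are let back in."""
    if flow.direction == "out":
        state.add((flow.src, flow.sport, flow.dst, flow.dport))
        return "allow"
    # inbound: allowed only if it answers a connection the policy already let out
    if (flow.dst, flow.dport, flow.src, flow.sport) in state:
        return "allow"
    return "deny"


def deny_irc_outbound(flow, state):
    """Paul's rule in front of the default: drop outbound TCP to IRC ports and log it."""
    if flow.direction == "out" and flow.proto == "tcp" and flow.dport in IRC_PORTS:
        return "deny+log"   # the flow never enters the state table, so no reply is matched
    return allow_all_outbound(flow, state)


def evaluate(policy, flows):
    """Run flows through a policy with a fresh state table; return one verdict per flow."""
    state = set()
    return [policy(f, state) for f in flows]


# Constructed flows: a web fetch and its reply, a host dialing an IRC control channel
# and the server's answer, then an unsolicited inbound connection attempt.
SAMPLE_FLOWS = [
    Flow("out", "tcp", "10.0.0.5", 40001, "203.0.113.10", 80),
    Flow("in", "tcp", "203.0.113.10", 80, "10.0.0.5", 40001),
    Flow("out", "tcp", "10.0.0.7", 40002, "198.51.100.9", 6667),
    Flow("in", "tcp", "198.51.100.9", 6667, "10.0.0.7", 40002),
    Flow("in", "tcp", "198.51.100.9", 12345, "10.0.0.7", 22),
]

if __name__ == "__main__":
    for name, policy in (("allow-all-outbound", allow_all_outbound),
                         ("deny-irc-outbound", deny_irc_outbound)):
        print(name, evaluate(policy, SAMPLE_FLOWS))
```

Under the first policy the IRC dial-out and its reply both pass; under the second the dial-out is dropped and logged, and because it never enters the state table the server's reply is refused as well, which is exactly the "compromised machine can't reach the intruder" effect, not a reduction in the chance of the initial compromise.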