Re: [fw-wiz] Worms, Air Gaps and Responsibility

From: Rogan Dawes (
Date: 05/05/04

    To: "Paul D. Robertson" <>
    Date: Wed, 05 May 2004 18:11:05 +0200

    I agree that it is a good idea to separate user networks from server
    networks (in the general case) and user networks from production
    networks specifically. In most cases, I think that air gaps are a bit of
    overkill. Using a firewall and defined interfaces that can be adequately
    secured (e.g. by not using MS file sharing :-) is sufficient in many cases.

    On a related note, I've been thinking quite a lot about having switches
    perform firewall tasks. I see no reason why it should not be possible to
    classify ports into groups such as "server" and "desktop" (at a
    minimum), and apply appropriate filtering rules between the groups.

    e.g. desktops may only talk to servers, not to each other.

    Obviously, it should be feasible to use much more granular rules,
    perhaps based on 802.1x authentication of the connecting device.

    e.g. I plug my laptop in at work. The switch requests me to authenticate
    using 802.1x. As part of the authentication process, the switch
    retrieves a user-specific set of rules, and applies them to the specific
    port that I have connected to.

    This could be configured to allow me to talk only to the Unix servers
    that I am authorised to, communicate with the domain controllers to
    authenticate, access only the servers that I am allowed to, etc.

    As a benefit, it would even prevent attacks against the local segment,
    as well as the rest of the network.


    I realise that this could end up causing a lot of work for network
    admins (analogous to locking MAC addresses to ports, perhaps), but with
    the right tools, it should be manageable.


    Paul D. Robertson wrote:

    > Hospitals, banks, the U.K. Coast Guard... The damage from the latest
    > Microsoft-based worm isn't as widespread as that from the last one, but
    > it's pretty darned bad in point cases.
    > Why do people continue to connect critical production networks to
    > user/administrative networks?
    > Surely networking equipment is cheap enough that a real honest air gap
    > (not some marketingspeak switch thingie) isn't all that difficult to
    > deploy?
    > Air gaps make great firewalls. They rarely need upgrading, they're
    > low-power and low-heat, and they're less filling and taste great.
    > Worst-case, a few low-end firewalls to segment the users off from the
    > production stuff should be a no-brainer these days.
    > All the money, effort and time people are spending on IDS, IPS, and all
    > the other buzzword-compliant devices, and yet we still don't have good
    > solid separation and segmentation in places where one would expect that
    > the responsibility for running a critical network would require some level
    > of protection to be displayed.
    > Paul
    > -----------------------------------------------------------------------------
    > Paul D. Robertson "My statements in this message are personal opinions
    > which may have no basis whatsoever in fact."
    > Director of Risk Assessment TruSecure Corporation
    > _______________________________________________
    > firewall-wizards mailing list

    Rogan Dawes
    *ALL* messages to will be dropped, and added
    to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
    firewall-wizards mailing list
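The port-group and 802.1x-driven filtering that Rogan sketches above, as an added model that is not part of the original thread (nothing here is vendor switch configuration): the group policy, the user rule store, the host-to-group map, and the port numbering are all constructed for the illustration, with the rule store standing in for whatever a RADIUS or directory lookup would return during authentication.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Coarse port-group policy: which group may open traffic to which group.
GROUP_POLICY = {("desktop", "server"), ("server", "server")}

# Constructed stand-in for the directory/RADIUS lookup made during 802.1x:
# each user gets the networks and TCP ports they are authorised to reach.
USER_RULES = {
    "rogan": [("10.1.0.0/24", {22}), ("10.2.0.0/24", {88, 389})],
    "alice": [("10.3.0.0/24", {443})],
}

# Constructed host-to-group map (a real switch would take this from config).
HOSTS = {"10.1.0.5": "server", "10.2.0.9": "server", "10.9.0.7": "desktop"}

@dataclass
class Port:
    group: str
    user: str = ""            # empty = nobody authenticated on this port
    rules: list = field(default_factory=list)

class Switch:
    def __init__(self):
        self.ports = {1: Port("desktop"), 2: Port("server"), 3: Port("desktop")}

    def authenticate(self, port_no, user, credential_ok):
        """802.1x step: on success, fetch the user's rules and bind them to the port."""
        port = self.ports[port_no]
        if not credential_ok or user not in USER_RULES:
            port.user, port.rules = "", []
            return False
        port.user = user
        port.rules = [(ip_network(net), tcp) for net, tcp in USER_RULES[user]]
        return True

    def permit(self, port_no, dst_ip, dst_port):
        """Would a frame from this port be allowed to reach dst_ip:dst_port?"""
        port = self.ports[port_no]
        if (port.group, HOSTS.get(dst_ip, "desktop")) not in GROUP_POLICY:
            return False          # group rule, e.g. desktop-to-desktop is dropped
        if port.group != "desktop":
            return True           # server ports follow the group policy only
        if not port.user:
            return False          # unauthenticated desktop port gets nothing
        addr = ip_address(dst_ip)
        return any(addr in net and dst_port in tcp for net, tcp in port.rules)
```

A desktop port therefore reaches nothing until 802.1x succeeds, and afterwards only the server networks and ports in that user's rule set; desktop-to-desktop traffic is dropped by the group rule regardless of who authenticated.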
