Re: [fw-wiz] Worms, Air Gaps and Responsibility
From: Rogan Dawes (discard_at_dawes.za.net)
To: "Paul D. Robertson" <firstname.lastname@example.org>
Date: Wed, 05 May 2004 18:11:05 +0200
I agree that it is a good idea to separate user networks from server
networks (in the general case) and user networks from production
networks specifically. In most cases, I think that air gaps are a bit of
overkill. Using a firewall and defined interfaces that can be adequately
secured (e.g. by not using MS file sharing :-) is sufficient in many cases.
On a related note, I've been thinking quite a lot about having switches
perform firewall tasks. I see no reason why it should not be possible to
classify ports into groups such as "server" and "desktop" (at a
minimum), and apply appropriate filtering rules between the groups.
e.g. desktops may only talk to servers, not to each other.
Obviously, it should be feasible to use much more granular rules,
perhaps based on 802.1x authentication of the connecting device.
e.g. I plug my laptop in at work. The switch requests me to authenticate
using 802.1x. As part of the authentication process, the switch
retrieves a user-specific set of rules, and applies them to the specific
port that I have connected to.
This could be configured to allow me to talk only to the Unix servers
that I am authorised to, communicate with the domain controllers to
authenticate, access only the servers that I am allowed to, etc.
As a benefit, it would even prevent attacks against the local segment,
as well as the rest of the network.
I realise that this could end up causing a lot of work for network
admins (analogous to locking MAC addresses to ports, perhaps), but with
the right tools, it should be manageable.
Paul D. Robertson wrote:
> Hospitals, banks, the U.K. Coast Guard... The damage from the latest
> Microsoft-based worm isn't as widespread as that from the last one, but
> it's pretty darned bad in point cases.
> Why do people continue to connect critical production networks to
> user/administrative networks?
> Surely networking equipment is cheap enough that a real honest air gap
> (not some marketingspeak switch thingie) isn't all that difficult to
> Air gaps make great firewalls. They rarely need upgrading, they're
> low-power and low-heat, and they're less filling and taste great.
> Worst-case, a few low-end firewalls to segment the users off from the
> production stuff should be a no-brainer these days.
> All the money, effort and time people are spending on IDS, IPS, and all
> the other buzzword-compliant devices, and yet we still don't have good
> solid separation and segmentation in places where, one would expect that
> the responsibility for running a critical network would require some level
> of protection to be displayed.
> Paul D. Robertson
> email@example.com
> firstname.lastname@example.org
> Director of Risk Assessment, TruSecure Corporation
> "My statements in this message are personal opinions which may have no basis whatsoever in fact."
> firewall-wizards mailing list
--
Rogan Dawes
*ALL* messages to email@example.com will be dropped, and added to my blacklist.
Please respond to "lists AT dawes DOT za DOT net"
_______________________________________________
firewall-wizards mailing list
firstname.lastname@example.org
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
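The switch-as-firewall idea in Rogan's message (ports classified into "server" and "desktop" groups, a fixed inter-group policy such as "desktops may talk to servers but not to each other", and a per-user rule set pulled down at 802.1X time and bound to the authenticating port only) can be modelled directly. The following is an added illustration written for this page, not code from the thread or from any switch vendor. The port inventory, host addresses, group policy and per-user rule table are all constructed for the example; in real deployments the per-user rules would arrive from a RADIUS server as attributes (for instance a Filter-Id or a vendor-specific downloadable ACL), which the in-memory `USER_RULES` table stands in for here.

```python
"""Model of group-based port filtering plus 802.1X-driven per-port rules.

Added example; it is not code from the original thread. Everything below
(port numbers, addresses, policy, user rules) is constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed port inventory: switch port -> group classification.
PORT_GROUPS = {1: "server", 2: "server", 3: "desktop", 4: "desktop", 5: "desktop"}

# Constructed host-to-port mapping (what the switch learned on each port).
PORT_HOSTS = {
    1: "10.0.1.10",   # a Unix server
    2: "10.0.1.20",   # a domain controller
    3: "10.0.2.31",   # desktop
    4: "10.0.2.32",   # desktop
    5: "10.0.2.33",   # desktop
}

# Default inter-group policy: (src_group, dst_group) -> allowed.
# Missing pairs are denied. Desktop-to-desktop is denied on purpose, which is
# what stops a worm on one desktop reaching its neighbours on the segment.
GROUP_POLICY = {
    ("desktop", "server"): True,
    ("desktop", "desktop"): False,
    ("server", "server"): True,
    ("server", "desktop"): True,
}

# Stand-in for the RADIUS-returned, user-specific rule set (assumption: a
# list of (dst_host, dst_tcp_port) pairs; None as the port means "any port").
USER_RULES = {
    "rogan": [("10.0.1.10", 22), ("10.0.1.20", 88), ("10.0.1.20", 389)],
    "guest": [],   # authenticates, but is allowed nothing
}


@dataclass
class Port:
    number: int
    group: str
    user: Optional[str] = None
    rules: Optional[list] = None   # None = no 802.1X session on this port


class Switch:
    def __init__(self):
        self.ports = {n: Port(n, g) for n, g in PORT_GROUPS.items()}
        self.host_port = {h: p for p, h in PORT_HOSTS.items()}

    def authenticate(self, port_no: int, user: str, credential_ok: bool) -> bool:
        """802.1X outcome for one port: on success, bind the user's rule set
        to this port only; on failure, leave the port with no rules."""
        port = self.ports[port_no]
        if not credential_ok or user not in USER_RULES:
            port.user, port.rules = None, None
            return False
        port.user, port.rules = user, list(USER_RULES[user])
        return True

    def link_down(self, port_no: int) -> None:
        """Rules are tied to the session, so a link drop clears them."""
        self.ports[port_no].user = None
        self.ports[port_no].rules = None

    def permit(self, src_port_no: int, dst_host: str, dst_tcp_port: int) -> bool:
        """Decide whether a frame from src_port to dst_host:dst_tcp_port passes."""
        src = self.ports[src_port_no]
        dst_port_no = self.host_port.get(dst_host)
        if dst_port_no is None:
            return False                      # unknown destination: drop
        dst = self.ports[dst_port_no]
        # Step 1: the coarse group policy applies to every port.
        if not GROUP_POLICY.get((src.group, dst.group), False):
            return False
        # Step 2: desktop ports additionally need a per-user rule that
        # matches; an unauthenticated desktop port gets nothing.
        if src.group == "desktop":
            if src.rules is None:
                return False
            return any(h == dst_host and (p is None or p == dst_tcp_port)
                       for h, p in src.rules)
        return True


if __name__ == "__main__":
    sw = Switch()
    sw.authenticate(3, "rogan", True)
    print("rogan ssh to unix:", sw.permit(3, "10.0.1.10", 22))
    print("rogan smb to neighbour:", sw.permit(3, "10.0.2.32", 445))
```

The two-stage check is the point: the group policy alone already blocks desktop-to-desktop traffic regardless of who is logged in, and the per-port rule set narrows a desktop further to the servers and ports that user is entitled to. Binding the rules to the session (and clearing them on link-down) matters because the rules describe the user who authenticated, not whatever is plugged into that port later.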