Re: [fw-wiz] Firewalls Compared

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 06/22/04

    To: Devdas Bhagat <devdas@dvb.homelinux.org>
    Date: Tue, 22 Jun 2004 15:18:21 -0400 (EDT)


    On Tue, 22 Jun 2004, Devdas Bhagat wrote:

    > On 22/06/04 12:28 -0400, Paul D. Robertson wrote:
    > <snip>
    > > While the incidence of worms and DDoS attacks are high, the event costs
    > > often pale in comparison to an insider abuse or critical intrusion.
    > The costs of worms and DDoS are spread across a very large number of
    > people, including those of us who actually follow best practices.

    Sure, but other than a few specific instances, the costs are relatively
    low, especially at places that do things well. On the other hand, most of
    the insider stuff I've seen has been in the millions of dollars range
    damage-wise, and sometimes into the hundreds of millions.

    > > Frequency of attack with a lower cost will surpass infrequent attacks with
    > > a higher cost in many cases. Still, longer-term, and strategically,
    > > intrusions and infrastructure compromise are much more worrisome than
    > > local desktop disruption. DDoS can be taken care of with end-to-end QoS,
    > The desktop disruption is potentially damaging because of the sheer
    > number of desktops.

    Sure, however the insider abuse is potentially damaging because of
    specialized knowledge of the environment and the sheer amount of access
    afforded.

    > > an evil we may eventually have to bite the bullet on, just like voice
    > Except that a few thousand zombies spewing out a few kbit of traffic
    > will not really be QoSable.
    > 64 kbps of traffic * 4000 zombies [1] = 256 Mbps of traffic.

    Sure they will- if QoS is enforced on the leaf nodes.

    > Are you going to enforce QoS at that level? It need not be ICMP traffic
    > either. 64 kbit/sec of http traffic, or SMTP, or anything else.
    > It would be easy to write a program that generates a limited amount of
    > traffic against a site from a single host and distribute it to a large
    > number of hosts.

    Sure, but if you have end-to-end QoS, you can potentially allow things
    per-flow once you move control out of band. QoS allows you to do things
    like allow a routing arbiter to get through, or even
    authentication/authorization traffic like the tagged packet "marker dye"
    stuff.

    > QoS will *not* work against a DDoS for most sites. The large sites have
    > enough bandwidth to handle the traffic, but for those people whose
    > servers are not in large datacenters but on T1 or equivalent lines, this
    > could be a nightmare.

    It depends on architecture, if we go end-to-end QoS with channelized
    bandwidth, it very well could work, especially if you get trusted neighbor
    damping, the damping packet would just have to flow back to the origin-
    but we're already doing forward path based routing, so I think it'd be a
    fairly minor thing.

    > The damage from Blaster/Welchia/Nachi could not really have been controlled
    > by QoS. One 92 byte ICMP packet going out is *NOT* QoSable. It did cause
    > routers to fall over and die due to the sheer number of packets being
    > originated to different destinations.

    It could if you did QoS on the switch- you just have to be able to policy
    QoS out to the leaf nodes, where the bandwidth matters. More integrated
    QoS to take into account spikes is probably a better improvement, if we
    can't go to channelized stuff, but I really think channels are the way to
    go- you fight for the channel that user traffic goes on, and we'll treat
    floods like collisions- DWDM makes that almost interesting in a MAN
    environment...

    >
    > > networks had to bite the out-of-band signaling bullet.
    > >
    > > > I don't know where I would find statistics on how many home or corporate
    > > > broadband networks have hardware firewalls or personal firewalls. If I had to
    > > > guess for home users...I would say less than 10% have hardware firewalls
    > > > and less than 20% employ personal firewalls. Fewer would employ both
    > > > together. Most users I know just ride bareback against a cable modem or
    > >
    > > Educate those users. Change their behavior. This is a time-local
    > > problem, and with Comcast's recent moves and some prodding, we can make
    > > the time period shrink significantly.
    > Or as MJR had once proposed, don't give them full Turing complete
    > systems. Give them embedded systems (or dumbed down PCs) which do very
    > few things.

    That's really only feasible once we slow down innovation-wise.

    >
    > > > DSL which is relatively amazing considering that GIAC trained
    > > > professionals now are recommending that home users consider both hardware
    > > > and software firewalls simultaneously. (See something like
    > > > http://www.giac.org/practical/GSEC/Barbara_Kupiec_GSEC.pdf). Considering
    > > > the number of intrusions that I see break through my hardware firewall
    > > > and get stopped by my personal firewall...I would say this is excellent if
    > > > not underwhelming advice.
    > >
    > > Hmm, I don't see anything "break through my hardware firewall," maybe the
    > > issue is security policy? ;)
    > That depends on your definition of attack as well :). I get a crapload
    > of spam to my small, one user home system. I do call it an attack. Since
    > I run my own server, that port will be open to the Internet.

    I don't store mail on my local systems- so it depends on what you call
    "past" too ;)

    >
    > > Here's the rub- in corporations, way less than half of firewalls are
    > > configured to block the attacks that corporate firewalls are perfectly
    > > capable of blocking. Now, let's say that means that ~75% of the people on
    > Most people still go by the policy of block only the bad traffic.
    > The whitelist only policy that should be applied to network traffic
    > isn't usually applied.
    > The cost of a mistake is too high for some people. They would rather
    > risk having their infrastructure attacked and broken into, because in
    > their estimation, the risk of being broken into is lower than the cost
    > of fixing it.
    >

    In my experience, it's been more ignorance that they *could* set the
    firewall up that way or lack of power to set it up that way.

    > <snip>
    > > A handful of providers can solve the bulk of the home user attack
    > > "problem" with relative ease, or we can make the users do it machine by
    > > machine- but long-term they're not as much of an issue as corporate
    > > networks are, IMO.
    > If they would actually take steps to solve the issue, then yes.
    > So far, they haven't done too much.

    Yes, of course.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
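The "block only the bad traffic" versus "whitelist only" point raised in this exchange is easy to see on sample traffic. The following is an added illustration, not code from the list or from either poster: a tiny first-match rule evaluator run over constructed inbound flows, once with a known-bad blocklist and a default of allow, and once with a service whitelist and a default of deny. The ports, addresses and rules are all made up for the example.

```python
"""Block-only-the-bad versus default-deny, evaluated over constructed flows.

Added example for the firewall policy discussion above; not from the thread.
All addresses, ports and rules are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One inbound connection attempt (constructed, not captured traffic)."""
    src: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Rule:
    """First-match rule; a None field matches any value."""
    action: str                 # "allow" or "deny"
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        return (self.dport is None or self.dport == flow.dport) and \
               (self.proto is None or self.proto == flow.proto)


def evaluate(rules: List[Rule], default_action: str, flow: Flow) -> str:
    """Return the action of the first matching rule, else the policy default."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default_action


# Policy A, "block only the bad traffic": enumerate ports someone has already
# decided are bad; anything not on the list passes (default allow).
BLOCK_ONLY_BAD: List[Rule] = [
    Rule("deny", 135, "tcp"),
    Rule("deny", 445, "tcp"),
    Rule("deny", 4444, "tcp"),
]

# Policy B, default-deny: enumerate what the site actually offers; anything
# not on the list is dropped (default deny).
DEFAULT_DENY: List[Rule] = [
    Rule("allow", 25, "tcp"),
    Rule("allow", 80, "tcp"),
    Rule("allow", 443, "tcp"),
]

# Constructed sample of inbound flows against a small one-user server.
SAMPLE_FLOWS: List[Flow] = [
    Flow("198.51.100.4", 25, "tcp"),    # mail, which the owner wants open
    Flow("198.51.100.4", 80, "tcp"),    # web, also intended
    Flow("203.0.113.9", 135, "tcp"),    # on the known-bad list
    Flow("203.0.113.9", 8080, "tcp"),   # a service nobody meant to expose
    Flow("203.0.113.9", 3306, "tcp"),   # database port never listed as bad
    Flow("203.0.113.9", 53, "udp"),     # unlisted protocol/port pair
]


def compare_policies(flows: List[Flow] = SAMPLE_FLOWS
                     ) -> Dict[Tuple[int, str], Tuple[str, str]]:
    """Map (dport, proto) -> (verdict under policy A, verdict under policy B)."""
    return {
        (f.dport, f.proto): (evaluate(BLOCK_ONLY_BAD, "allow", f),
                             evaluate(DEFAULT_DENY, "deny", f))
        for f in flows
    }


def exposed_only_by_blocklist(flows: List[Flow] = SAMPLE_FLOWS
                              ) -> List[Tuple[int, str]]:
    """Flows that the blocklist lets through but default-deny would stop."""
    return sorted(key for key, (a, b) in compare_policies(flows).items()
                  if a == "allow" and b == "deny")


if __name__ == "__main__":
    for key, (a, b) in compare_policies().items():
        print(f"{key[1]}/{key[0]:<5} block-only-bad={a:<5} default-deny={b}")
    print("silently exposed by the blocklist:", exposed_only_by_blocklist())
```

The asymmetry in the "cost of a mistake" argument shows up directly: a mistake in the whitelist (forgetting port 25) is a visible outage that someone complains about and fixes, while a mistake in the blocklist (never listing 3306 or 8080) is a silent exposure that nobody notices until it is used.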

