Re: [fw-wiz] Firewalling at the domain users level instead of network level

From: Chuck Swiger (chuck_at_codefab.com)
Date: 07/20/04

  • Next message: Dana Nowell: "Re: [fw-wiz] iso 17799"
    To: "Paul D. Robertson" <paul@compuwar.net>
    Date: Tue, 20 Jul 2004 13:35:45 -0400
    
    

    Paul D. Robertson wrote:
    > On Mon, 19 Jul 2004, Chuck Swiger wrote:
    > [snip what I agree with...]
    >> The second concern is a matter of policy: why do you want your firewall
    >> to treat users differently? If it's a bad idea for person A to do some
    >> type of network connection, why should it be OK for person B to do so?
    >
    > There are a multitude of reasons, including Person B being more clued than
    > Person A.

    There exists a multitude of reasons, agreed. To the extent that the reasons
    are valid and relevant to the situation at hand, then having a policy which
    reflects these per-user concerns is reasonable.

    It was not quite my intent to say "don't ever use per-user firewall rules", so
    much as to say that it is worth asking why you need them and to closely
    evaluate the increased risks involved. Having a realistic idea of how much
    security problems cost helps a great deal, too. For that matter, even making
    a vague guess at downtime costs is helpful considering how few people seem to
    think about downtime, loss of data, data compromise and exposure, etc as
    potential costs in the first place. [1]

    > We don't tout the "Principle of equal privilege"
    >
    > Principle of least privilege works for people, applications and systems.

    Oh, absolutely.

    I note that several people in this thread have advocated the OP use a proxy
    like Squid which authenticates via AD/LDAP/whatever, and I would agree with
    that approach: you don't have the firewall trying to figure out "valid users",
    you have the firewall denying HTTP for everybody but a trusted proxy server,
    which itself can do fancier access control on protocol-specific parts of HTTP
    if need be (ie, virus scanning, content-filtering MIME types, Javascript,
    ActiveX controls, etc).

    Those things are valuable, but I don't really want my firewall to do virus
    scanning, proxying, or anything else but routing/bridging traffic while doing
    packet filtering, NAT if such evil must be tolerated, and maybe some
    straight-through protocol-layer filters & inspection, if y'all really want
    them there. A useful virus scanner needs to initiate traffic on a regular
    basis in order to update its definitions, and therefore must trust network
    data coming from outside; firewalls shouldn't initiate any connections
    gratuitously, much less change their rulesets and security capabilities based
    on data downloaded from outside the trusted network.

    I could be wrong, though: there are vendors selling security products which
    seem to be commercially successful which violate my qualms about 'chatty' or
    'dynamic' security products. [2]

    >> If you restrict things so that only the services which you trust all
    >> users to do are permitted, your security is likely to be much improved
    >> compared to a policy based on an ever-growing pile of per-user rules
    >> and exceptions.
    >
    > If you let one user have the Administrator password, why not all of them!?

    ACK!! For shame, Paul! :-)

    The right way to think about this is that there should be zero people who have
    the Administrator password, and only the simple necessity of needing to login
    as admin for the machine once in a while means that somebody-- hopefully an
    admin who cares about security-- has to know what the password is.

    For that matter, MacOS X does a pretty good job of "not having an admin
    passord or root user at all" for a Unix-derived operating system.
    Recommending sudo by default and also providing reasonable integration of
    re-asking the user to type in a password to obtain privileges when running the
    GUI package installer or system patch tool beats the heck out of most
    alternatives in terms of security.

    If Windows made components downloaded in IE bring up a password dialog before
    installing/running them, that platform's security would suck less than it
    currently does. But I could be wrong about this, too: some people seem to
    think that a web browser which auto-downloads and runs plugins without asking
    for user confirmation just because you got emailed a link is fine and dandy
    and user-friendly and all. [3]

    -- 
    -Chuck
    [1]: Perhaps I am biased towards concluding that "per-user firewall stuff 
    isn't worth the cost", but if so, that bias is towards being too safe, and is 
    thus more tolerable than being biased towards poor security.  I don't really 
    trust Microsoft's ISA Server to be secure on the box itself, much less offer 
    per-user firewall capabilities that I would choose to rely on over PF/IPFW.
    [2]: Does anyone evaluate security products in terms of their security 
    anymore, rather than their claimed feature set and performance?
    Maybe the kindly vendor hosting their mailing list has some opinions, but 
    there's a certain amount of pay-to-play with their certifications that's not 
    so different from the ISO-17799 consultants and certifications we were just 
    talking about in a parallel thread.  [ Not trying to pick on anybody, but fair 
    is fair... ]
    [3]: I could very easily rant about HTML mail and enforced marketting 
    opportunities shanghai-ed upon the users of the most frequently used operating 
    system, but this message is becoming too long as it is.  :-)
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    

  • Next message: Dana Nowell: "Re: [fw-wiz] iso 17799"

    Relevant Pages

    • << SBS News of the week - Sept 26 >>
      ... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
      (microsoft.public.backoffice.smallbiz)
    • << SBS News of the week - Sept 26 >>
      ... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
      (microsoft.public.backoffice.smallbiz2000)
    • << SBS News of the week - Sept 26 >>
      ... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
      (microsoft.public.windows.server.sbs)
    • Re: Firewall Suggestions
      ... servers on a peer to peer network topology. ... > to access the other computers across the network. ... enough security without adding a software firewall. ... it was before the security craze of recent. ...
      (comp.security.firewalls)
    • Re: MC Extender - How do I get my wireless key entered? Sees the
      ... Although I did get my X working with WPA-PSK, when I enable my Trend Micro ... Firewall, the next time I turn on my Extender, it fails to connect. ... > Appendix B: Wireless Security ... > setting up or using your wireless network. ...
      (microsoft.public.windows.mediacenter)