Re: [fw-wiz] Firewalling at the domain users level instead of network level
From: Chuck Swiger (chuck_at_codefab.com)
To: "Paul D. Robertson" <email@example.com>
Date: Tue, 20 Jul 2004 13:35:45 -0400
Paul D. Robertson wrote:
> On Mon, 19 Jul 2004, Chuck Swiger wrote:
> [snip what I agree with...]
>> The second concern is a matter of policy: why do you want your firewall
>> to treat users differently? If it's a bad idea for person A to do some
>> type of network connection, why should it be OK for person B to do so?
> There are a multitude of reasons, including Person B being more clued than
> Person A.
There exists a multitude of reasons, agreed. To the extent that the reasons
are valid and relevant to the situation at hand, then having a policy which
reflects these per-user concerns is reasonable.
It was not quite my intent to say "don't ever use per-user firewall rules", so
much as to say that it is worth asking why you need them and to closely
evaluate the increased risks involved. Having a realistic idea of how much
security problems cost helps a great deal, too. For that matter, even making
a vague guess at downtime costs is helpful considering how few people seem to
think about downtime, loss of data, data compromise and exposure, etc as
potential costs in the first place. 
> We don't tout the "Principle of equal privilege"
> Principle of least privilege works for people, applications and systems.
I note that several people in this thread have advocated the OP use a proxy
like Squid which authenticates via AD/LDAP/whatever, and I would agree with
that approach: you don't have the firewall trying to figure out "valid users",
you have the firewall denying HTTP for everybody but a trusted proxy server,
which itself can do fancier access control on protocol-specific parts of HTTP
(ActiveX controls, etc.).
Those things are valuable, but I don't really want my firewall to do virus
scanning, proxying, or anything else but routing/bridging traffic while doing
packet filtering, NAT if such evil must be tolerated, and maybe some
straight-through protocol-layer filters & inspection, if y'all really want
them there. A useful virus scanner needs to initiate traffic on a regular
basis in order to update its definitions, and therefore must trust network
data coming from outside; firewalls shouldn't initiate any connections
gratuitously, much less change their rulesets and security capabilities based
on data downloaded from outside the trusted network.
I could be wrong, though: there are vendors selling security products which
seem to be commercially successful which violate my qualms about 'chatty' or
'dynamic' security products. 
>> If you restrict things so that only the services which you trust all
>> users to do are permitted, your security is likely to be much improved
>> compared to a policy based on an ever-growing pile of per-user rules
>> and exceptions.
> If you let one user have the Administrator password, why not all of them!?
ACK!! For shame, Paul! :-)
The right way to think about this is that there should be zero people who have
the Administrator password, and only the simple necessity of needing to login
as admin for the machine once in a while means that somebody-- hopefully an
admin who cares about security-- has to know what the password is.
For that matter, MacOS X does a pretty good job of "not having an admin
password or root user at all" for a Unix-derived operating system.
Recommending sudo by default and also providing reasonable integration of
re-asking the user to type in a password to obtain privileges when running the
GUI package installer or system patch tool beats the heck out of most
alternatives in terms of security.
If Windows made components downloaded in IE bring up a password dialog before
installing/running them, that platform's security would suck less than it
currently does. But I could be wrong about this, too: some people seem to
think that a web browser which auto-downloads and runs plugins without asking
for user confirmation just because you got emailed a link is fine and dandy
and user-friendly and all. 
--
-Chuck

Perhaps I am biased towards concluding that "per-user firewall stuff isn't worth the cost", but if so, that bias is towards being too safe, and is thus more tolerable than being biased towards poor security. I don't really trust Microsoft's ISA Server to be secure on the box itself, much less offer per-user firewall capabilities that I would choose to rely on over PF/IPFW.

Does anyone evaluate security products in terms of their security anymore, rather than their claimed feature set and performance? Maybe the kindly vendor hosting their mailing list has some opinions, but there's a certain amount of pay-to-play with their certifications that's not so different from the ISO-17799 consultants and certifications we were just talking about in a parallel thread. [ Not trying to pick on anybody, but fair is fair... ]

I could very easily rant about HTML mail and enforced marketing opportunities shanghaied upon the users of the most frequently used operating system, but this message is becoming too long as it is. :-)

_______________________________________________
firewall-wizards mailing list
firstname.lastname@example.org
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
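As an added illustration (not part of Chuck's message or the list's own material), here is the "firewall denies HTTP for everybody but a trusted proxy" design he describes, written as a PF ruleset; the interface names, network, and proxy address are assumptions, and the proxy is taken to be a Squid host that does the AD/LDAP user authentication itself.

```pf
# Added example: PF ruleset for "web traffic only via the authenticating proxy".
# Interface names, the LAN prefix and the proxy address are assumed values.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
proxy   = "192.168.1.10"        # Squid host; it, not the firewall, decides who is a valid user
web     = "{ 80 443 }"

set skip on lo0
block log all                   # default deny: nothing passes unless a rule below says so

# The proxy may reach the web and resolve names; its packets arrive on the inside interface
# and leave on the outside one, so both directions need a matching pass rule.
pass in  quick on $int_if proto tcp  from $proxy to any port $web keep state
pass out quick on $ext_if proto tcp  from $proxy to any port $web keep state
pass in  quick on $int_if proto udp  from $proxy to any port 53   keep state
pass out quick on $ext_if proto udp  from $proxy to any port 53   keep state

# Everyone else on the LAN may talk to the proxy's listening port and nothing else on the web ports.
pass in quick on $int_if proto tcp from $lan_net to $proxy port 3128 keep state
block return log quick on $int_if proto tcp from $lan_net to any port $web

# The firewall itself initiates nothing outbound: no definition updates, no "chatty" agents.
# (Already covered by the default deny; kept explicit so the intent is visible in the ruleset.)
block out log quick on $ext_if from ($ext_if) to any
```

Per-user decisions (who may fetch what, content and ActiveX filtering) live entirely in the proxy's configuration, so the firewall's ruleset stays small and does not change when users or groups change.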