Re: [fw-wiz] Middleboxes can only do the middle work

Nice recap. I still like the idea of a "middleware" app proxy
using a whitelist approach; however, even the best and most
security-conscious programmers quite simply make mistakes--not
to mention all the languages, libraries, and frameworks out there
that programmers must use, which were never meant to be secure
in the first place. E.g. an HTTP proxy that insisted on sane
input, with only alphanumeric characters and a maximum of 128
chars; otherwise it just drops the whole HTTP GET/PUT/etc. A lot
of old CGIs would suddenly become usable again. ;-)

Perimeter firewalls are necessary. OS hardening is necessary.
But none of it matters if the apps you are running are riddled
with buffer overflows etc. waiting to happen....

I'm definitely not disagreeing with you, although it might sound
like it.

--p

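As an added example, not code from the thread or from any product the posters mention: the whitelist proxy sketched in the reply above, written as a request filter in Python. The reply only gives the rule (alphanumeric, at most 128 characters, otherwise drop the whole request); the method allowlist, the slightly relaxed rule for path segments (so that `search.cgi` and `cgi-bin` still resolve), the handling of form-encoded bodies, and the sample requests are all assumptions made for this illustration. The sample requests are constructed, not captured traffic.

```python
"""Allowlist request filter of the kind the reply sketches: user-supplied
input must be alphanumeric and at most 128 characters, otherwise the whole
request is dropped before it reaches the CGI.  Added example, not code from
the thread; limits, method list and samples are assumptions."""
import re
from urllib.parse import unquote_plus, urlsplit

MAX_LEN = 128                                      # limit from the reply
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT"}   # assumed method allowlist
ALNUM = re.compile(r"[A-Za-z0-9]*")                # the reply's "only alphanumeric"
PATH_SEG = re.compile(r"[A-Za-z0-9._-]*")          # assumed: script names need '.' '-'


def sane_input(value: str) -> bool:
    """The reply's rule: alphanumeric only, at most MAX_LEN characters."""
    return len(value) <= MAX_LEN and ALNUM.fullmatch(value) is not None


def sane_path_segment(seg: str) -> bool:
    """Relaxed rule for path segments; still rejects '.', '..' and metachars."""
    return (len(seg) <= MAX_LEN and seg not in (".", "..")
            and PATH_SEG.fullmatch(seg) is not None)


def check_pairs(encoded: str, where: str):
    """Decode a=b&c=d form data and apply sane_input to every name and value.
    Decoding happens *before* the check, so %2F or '+' cannot slip through."""
    if encoded == "":
        return True, "ok"
    for pair in encoded.split("&"):
        name, _, value = pair.partition("=")
        for field in (unquote_plus(name), unquote_plus(value)):
            if not sane_input(field):
                return False, f"{where}: rejected {field[:40]!r}"
    return True, "ok"


def check_request(raw: bytes):
    """Return (True, 'ok') if the request may be forwarded, else (False, why).
    One violation anywhere drops the entire request, as the reply proposes."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request"
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        return False, "no end of headers"
    request_line, *headers = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method {method!r} not allowed"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, f"bad version {version!r}"
    url = urlsplit(target)
    if url.scheme or url.netloc or url.fragment or not url.path.startswith("/"):
        return False, "target must be an origin-form path"
    for seg in url.path.split("/")[1:]:
        if not sane_path_segment(unquote_plus(seg)):
            return False, f"path: rejected {seg[:40]!r}"
    ok, why = check_pairs(url.query, "query")
    if not ok:
        return False, why
    if body:
        ctype = next((h.split(":", 1)[1].strip().lower() for h in headers
                      if h.lower().startswith("content-type:")), "")
        if ctype != "application/x-www-form-urlencoded":
            return False, f"body type {ctype or '(none)'!r} not allowed"
        ok, why = check_pairs(body, "body")
        if not ok:
            return False, why
    return True, "ok"


# Constructed sample requests for the demo (not captured traffic).
HOST = b"Host: www.example.com\r\n"
SAMPLES = {
    "plain_cgi":   b"GET /cgi-bin/search.cgi?q=firewalls&page=2 HTTP/1.0\r\n" + HOST + b"\r\n",
    "traversal":   b"GET /cgi-bin/view.cgi?file=..%2F..%2Fetc%2Fpasswd HTTP/1.0\r\n" + HOST + b"\r\n",
    "metachar":    b"GET /cgi-bin/finger.cgi?user=root%3Bid HTTP/1.0\r\n" + HOST + b"\r\n",
    "too_long":    b"GET /cgi-bin/search.cgi?q=" + b"A" * 129 + b" HTTP/1.0\r\n" + HOST + b"\r\n",
    "dotdot_path": b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n" + HOST + b"\r\n",
    "form_post":   (b"POST /cgi-bin/guestbook.cgi HTTP/1.0\r\n" + HOST
                    + b"Content-Type: application/x-www-form-urlencoded\r\n"
                    + b"Content-Length: 20\r\n\r\nname=alice&msg=hello"),
}


def run_samples():
    """Apply the filter to every sample; returns {name: allowed}."""
    return {name: check_request(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} {check_request(raw)}")
```

Two points a practitioner would check before deploying something like this: the decode-then-check order matters (a filter that inspects the raw `%2F..%2F` string would pass it through to a CGI that decodes it), and the rule is deliberately blunt, so spaces, punctuation and anything non-English in a form field are dropped along with the attacks, which is the trade-off the reply is joking about. It also does nothing for request headers, so a CGI that mishandles, say, its `User-Agent` is untouched by it.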
-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx]On Behalf Of Dave
Piscitello
Sent: Tuesday, April 01, 2008 2:45 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Middleboxes can only do the middle work

Several recent threads call attention to the elephant in the conference
room no one talks about.

Firewalls are middleboxes (some RFC says this, so I'm certain it is
true). They are one element in a line of defense, and from an attacker's
viewpoint, one line of defense that has to be breached (for some set of
attacks). Even the stone-stupid attackers spend few cycles breaching
firewalls today because it is much easier to go after code that is
written by folks with little security clue, using grossly generous
language constructs, with amazingly few access controls enforced on the
hosting computer. Paul Melson's "epic fail from the beginning" and
Marcus' "bad ideas happening fast" are spot on.

This doesn't mean firewalls are obsolete, but it does (finally) provide
ample evidence for even the most obdurate network designers that "the
perimeter will save us" is seriously overtaken by events. This is a good
thing: and after only two decades, we are actually turning our attention
to considering remedies closer to communications endpoints.

The problem we still face is one of addiction. The historical comfort
and debatable success that perimeter enforcement solutions provided
created "a box in the middle will cure our application woes" mentality
that persists today. What we really get each time we substitute a
middlebox for secure programming and secure OS (implementation and
configuration) is symptomatic relief, not cure.

The security industry is eager to build middleboxes that don't quite
cure the woes but narcotize users sufficiently that they are happy to
buy expensive boxes, flog configurations, study traffic logs, buy more
boxes, flog configurations... Feed the addiction. As long as users are
buying the drugs and doping themselves senseless so they can ignore the
root causes at the endpoints, we shouldn't anticipate that things will
improve dramatically.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards