Firewalls and DCOM

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 08/14/03

    Date:         Thu, 14 Aug 2003 01:36:42 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    The best summary I can think of from the messages that came to the list address in response to Brian's initial post is:

    "Oh, wouldn't life be grand if it were only that simple..."

    I'm going to take the corporate perspective first in my response; home users should skip down to their section at the bottom. I'll refer to Brian's suggested Linksys as the "device", just to open the possibility that other vendors have products that would suffice.

    Corporate:

    Note - I'm assuming you are asserting that a corporation only needs a properly configured FW at its Internet gateway.

    1. If the suggestion is that every computer, regardless of where it's being used, should be behind a "device"...you've just tripled the cost of the NIC in every computer. If money wasn't an issue, then using such a "device" both at home, and in the office where you already have an enterprise-level FW, would certainly make life interesting.

    Every system has its own default gateway, can't get to DHCP (unless I configure every one of these "devices" to be its own DHCP server), doesn't see broadcasts, and needs to be ACL'd such that TCP/UDP 135, 137, 139, and 445 can go through (inbound and outbound). Then there are the many other protocols that companies use. What if I have SNA? IPX? How do I get to the Terminal Servers? How does the Help Desk get to my desktop remotely to show me how to do something in Word? Do I need TFTP? Probably not, but I might need BOOTP if I boot from a PROM or from a server.

    You aren't seriously suggesting that we're going to manage every one of these "devices" such that each is specifically configured for the needs of the system behind it, are you? Imagine how many different rule sets you'd have, and then how do you get that config to the device? Open up a web management port on them? Remember, that would be on the "exposed" side in a corporate environment. What about systems where different users log in, how do we dynamically alter the ACLs on the "device" to accommodate?

    Every machine behind its own NAT? Wow, what a configuration job that is for hundreds, or thousands, of systems. Gotta make sure they're all unique within the corporate network. And double-NAT'd?? The enterprise FW is also NAT'ing, often. Double the number of IP addresses, hmm, that's fun with IPv4.

    Then how do you even know a system is compromised, pore over the individual "device" logs of all of the devices??

    2. Can my "device" be configured the same when I'm in the office as when I'm using it in a hotel? Nope, sorry, but I VPN from a hotel and not in the office. Great, the "device" supports that, but I have to change the config when I leave the office, or else now we're talking about two "devices" for each system that roves.

    As Jon Thomas said:
    "Now maybe you say, "You should have a firewall on the laptop, Black Ice or something, problem solved". But maybe your budget has been cut by 55% and you haven't even submitted a final draft yet."

    Oh, and your recommended "device" has 4 ports on it, so when the corporate laptop goes home and little Johnny connects his mod'd box to the "device", which he just brought home from a LAN party, does the device do Eth-port to Eth-port Firewalling and AV? Will it detect two machines on its "safe" side hitting each other? If not, you've got the same problem most corporate LANs have. But then you can recover the expenses from Johnny's allowance, right, or just fire him...;-]

    3. How do you actually propose preventing people from directly plugging their laptop's ethernet cable into the wall jack rather than the cable from their device? MAC address blocking? What do you do when the culprit is the CEO? Fire him/her? What happens when they lose it, or it dies, or they forget it at home or in the hotel room? Any idea how many ethernet cables and laptop power cable/transformers the average corporation goes through in a year? Lots.

    4. What about those systems that are behind such a "device" at a home or branch office, but then they connect to the corporate VPN. The VPN is configured to give them full access (again, because trying to configure individual or specific rulesets for internal LAN systems is just too difficult in environments with more than 100 systems, in my and others' experience), and the corporate network has an infection. If your AV doesn't have a definition, the "device" isn't going to stop you from getting infected. The "device", with all of its great software and ACLs still only knows about bad traffic due to software updates it has to receive from somewhere. Nimda used HTTP and NetBIOS shares, so only signatures would detect it. (thanks to Alan Dobkin)

    5. What happens when a work-at-home user's DSL goes down, so they revert to the backup modem and dial straight into a modem bank? Their "device" doesn't do modems. Of course they could have two "devices", again. (thanks to Ryan Tucker)

    6. Don Lester said:
    "this very same sentiment was voiced regarding Code Red, Nimda, and countless others. Never underestimate the lengths to which your users will inadvertently go through to infect a network ;)"

    7. I personally have done a lot of work inside Financial Institutions, and in particular in "Private Banking" groups, or Traders for the rest of you. If there's anyone in the world a security person hates more than anyone else, it's a Fund Manager. See, they make millions, every day often, and they've developed a somewhat distinct personality when it comes to their computers. Whatever they need to stay happy is what they want. They'll throw an infected laptop at a security guy while on their way out to lunch and expect all problems to be resolved before they get back.

    You can tell them anything you want, burden them down with gear coming out their ears, they may or may not use it. They don't care, they can pay for replacements, meanwhile the rest of the bank suffers with the infections they cause.

    8. Probably the single point that was hammered home the most was the idea that thinking the way you do is just not realistic. Sure, everyone should do this, and that, and adhere to policy, and not click on things they don't know about, and so on...but it just doesn't happen. It's not bad policy, or lack of enforcement; a company can't fire half their employees.

    And what if your employees aren't!...like in a University where your "employees" are "customers", students who've paid their fees and expect the sky, the moon, the sun and the stars in their dorms?

    Summary:

    I don't think NTBugtraq is about promoting patching. Heck, I am the most vocal person in the media talking about how patching is often ineffective, costly, and unnecessary. NTBugtraq also isn't meant to be a forum for discussing (often) Best Practices or teaching people how to secure their systems. Granted, we get some traffic along those lines from time to time, but that's not what the list was created for...nor, I suspect, what most people expect out of it.

    A Firewall is a layer of the onion, and only that...not a panacea. At TruSecure, where I work, we preach "Default Deny" repeatedly. Firewalls should be configured to only allow traffic which has been specifically chosen, understood, and to/from specific hosts where possible. Despite that, it's still not widely accepted or implemented. You might find it easy to think about 4 ports, but most companies have far too much trouble isolating every port/protocol use/need. Then what about proxies that require plug-gw's for protocols they don't understand, or encrypted channels where the servers don't handle the filters the same way the Firewalls do. Training, updates, maintenance, logging, etc... all are complex issues which contribute to the end result. IOWs, many networks are just not simple enough to expect them to work as you suggest.

    To your points about firing people, well, clearly you've never worked in a union. Even with non-union companies, do you want to try and go to court and prove that one human being, and no other, actually did the dastardly computer deed you want to fire them or charge them for? It's not as easy as it sounds; how long are you going to archive web access logs with sufficient detail to use in court? How are you going to prove the system wasn't compromised? I'm not saying this can't be done, but if you were to try every time such an incident happened, not only would you run up a fairly big legal and forensic bill, you'd also run out of employees. I mistype a URL and get 6 dirty images on my computer, and 3 months later I get fired because they're in my cache? Making them financially responsible is also hard. I heard a report today that someone is claiming the cost of LovSAN is already at 333 million. That's a bit much for any employee to handle.

    and finally...

    Home Users:

    Take Brian's advice; for you it's great advice. These devices have built-in NAT, DHCP, Firewall, and Anti-Virus covering all of the boxes in your house. Cheap, easy, what more could you ask for? But do enable Auto-Updates also and make sure your desktop AV is getting updates regularly too.

    Cheers,
    Russ - NTBugtraq Editor

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!

    With a growth rate exceeding 110%, the TICSA security practitioner
    certification is one of the hottest IT credentials available. And now, for
    a limited time, you can save 33% off of the TICSA certification exam! To
    learn more about the TICSA certification, and to register as a TICSA
    candidate online, just go to

    http://www.trusecure.com/offer/s0100/

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
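The post's "Default Deny" point in the Summary, and point 1's list of the RPC/NetBIOS/SMB ports (TCP/UDP 135, 137, 139, 445) a per-host "device" would have to pass, both come down to how a rule set decides on a packet. The following Python model is an added example, not code from Russ's post or from TruSecure: it evaluates a stateless, first-match rule list over constructed packets, once under a default-deny policy whose allow rules are scoped to specific peer hosts and a direction, and once under a permissive policy that merely blocks one well-known port. All addresses, host roles (file server, help desk, proxy) and rule entries are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample address ranges; none of these come from the post.
CORP_LAN = "10.1.0.0/16"      # hypothetical corporate network
FILE_SERVER = "10.1.0.10/32"  # hypothetical file server
HELPDESK = "10.1.0.30/32"     # hypothetical help-desk workstation
PROXY = "10.1.0.20/32"        # hypothetical outbound HTTP proxy
ANY = "0.0.0.0/0"

# The RPC/NetBIOS/SMB ports the post says a per-host device would have to pass.
RPC_SMB_PORTS = frozenset({135, 137, 138, 139, 445})


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (toward the protected host) or "out"
    proto: str      # "tcp" or "udp"
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    direction: str   # "in", "out" or "any"
    proto: str       # "tcp", "udp" or "any"
    src: str         # CIDR the source address must fall inside
    dst: str         # CIDR the destination address must fall inside
    ports: frozenset = frozenset()  # destination ports; empty means any port

    def matches(self, pkt: Packet) -> bool:
        if self.direction not in ("any", pkt.direction):
            return False
        if self.proto not in ("any", pkt.proto):
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return not self.ports or pkt.dport in self.ports


class Policy:
    """Ordered rule list: the first matching rule decides; otherwise `default` applies."""

    def __init__(self, rules: List[Rule], default: str):
        self.rules = rules
        self.default = default

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (verdict, index of the deciding rule); index is None when the default decided."""
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, i
        return self.default, None


# "Default Deny": nothing passes unless a rule names the traffic, the peer and the direction.
DEFAULT_DENY = Policy(default="deny", rules=[
    Rule("allow", "out", "tcp", CORP_LAN, FILE_SERVER, RPC_SMB_PORTS),
    Rule("allow", "out", "udp", CORP_LAN, FILE_SERVER, RPC_SMB_PORTS),
    Rule("allow", "in", "tcp", HELPDESK, CORP_LAN, RPC_SMB_PORTS),   # remote assistance
    Rule("allow", "out", "tcp", CORP_LAN, PROXY, frozenset({8080})),  # web via proxy only
])

# The opposite stance: block one well-known port and allow everything else by default.
BLOCK_135_ONLY = Policy(default="allow", rules=[
    Rule("deny", "in", "tcp", ANY, ANY, frozenset({135})),
])

# Constructed sample traffic as seen from a hypothetical desktop at 10.1.5.7.
SAMPLE_TRAFFIC = [
    ("desktop opens a share on the file server", Packet("out", "tcp", "10.1.5.7", "10.1.0.10", 445)),
    ("help desk connects to the desktop", Packet("in", "tcp", "10.1.0.30", "10.1.5.7", 135)),
    ("Internet host probes the desktop on 445", Packet("in", "tcp", "203.0.113.5", "10.1.5.7", 445)),
    ("Internet host probes the desktop on 135", Packet("in", "tcp", "203.0.113.5", "10.1.5.7", 135)),
    ("desktop tries direct outbound SMB to the Internet", Packet("out", "tcp", "10.1.5.7", "198.51.100.7", 445)),
]


def compare(policies, traffic):
    """Evaluate each sample packet under each policy; returns {description: {policy name: verdict}}."""
    return {desc: {name: pol.evaluate(pkt)[0] for name, pol in policies.items()}
            for desc, pkt in traffic}


if __name__ == "__main__":
    table = compare({"default-deny": DEFAULT_DENY, "block-135-only": BLOCK_135_ONLY}, SAMPLE_TRAFFIC)
    for desc, verdicts in table.items():
        print(f"{desc:52} " + "  ".join(f"{n}={v}" for n, v in verdicts.items()))
```

Running it shows the difference the post is getting at: under the default-deny rule set the desktop can still reach the file server and be reached by the help desk, but the Internet probe on 445 and the desktop's own outbound SMB to an Internet address fall through to the default and are dropped; under the permissive policy the 445 probe is allowed because only 135 was ever thought about. The model is deliberately stateless (it judges the first packet of a session and does not track replies), which is also why every legitimate flow needs its own scoped entry and why the post's per-host rule sets grow so hard to manage.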

