Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: Proxy advantage (Marcus J. Ranum)
2. Re: Proxy advantage (Kevin Kadow)
3. Re: Proxy advantage (Paul Robertson)
4. Re: Proxy advantage (Magosányi Árpád)
5. Re: Proxy advantage (Marcus J. Ranum)
----------------------------------------------------------------------
Message: 1
Date: Mon, 15 Apr 2013 18:21:42 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Proxy advantage
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: "Paul D. Robertson" <paul@compuwar.net>
Message-ID: <516C7D76.8030105@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Paul D. Robertson wrote:
> I've always railed against DNS tunneling. It seems to be rearing its ugly head again. Today with all the in-band HTTP attacks, it once again seems the major advantage of a proxy server is not having to pass DNS down to the client. Should this be a best practice?
Hasn't it always?
mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenable.com
------------------------------
Message: 2
Date: Tue, 16 Apr 2013 10:13:51 -0400
From: Kevin Kadow <kkadow@gmail.com>
Subject: Re: [fw-wiz] Proxy advantage
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: Marcus Ranum <mjr@ranum.com>, "Paul D. Robertson"
<paul@compuwar.net>
Message-ID:
<CAMY_91v2XZgDTLspvm6+n9Ew4G6w_d9B4aDG3e08-uwtKT=k2A@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Does this only apply to an explicit proxy server? Does anybody deploy a
transparent proxy server and not pass DNS down to the client?
Can you call it a "best practice" when it is impossible to maintain in a
large diverse network? Aside from applications which are just not proxy
aware, even when the application correctly uses OS proxy settings for
HTTP/HTTPS/FTP/etc, it may still rely on being able to resolve external
names; the result is an unmanageably large whitelist for DNS lookups.
Same goes with "not advertising a default route" or restricting default
route HTTP/HTTPS with ACLs. Great idea, but one which quickly becomes
difficult to manage on a large scale network. Once you have any
unproxyable applications needing connectivity to Akamai or a similar CDN,
these controls are usually abandoned as unmaintainable.
Kevin Kadow
------------------------------
Message: 3
Date: Tue, 16 Apr 2013 04:46:56 -0400
From: Paul Robertson <probertson@fluiditgroup.com>
Subject: Re: [fw-wiz] Proxy advantage
To: "mjr@ranum.com" <mjr@ranum.com>, Firewall Wizards Security Mailing
List <firewall-wizards@listserv.icsalabs.com>
Message-ID: <5F63BF11-1319-4AD2-8D50-37F88BABF9DF@fluiditgroup.com>
Content-Type: text/plain; charset=us-ascii
Not since "stateful" and "deep packet" inspection became keywords.
Paul
--
President and Chairman, FluidIT Group
Moderator, Firewall-Wizards
http://pauldrobertson.net
http://pauldrobertson.com
@compuwar
On Apr 15, 2013, at 18:21, "Marcus J. Ranum" <mjr@ranum.com> wrote:
> Paul D. Robertson wrote:
>> I've always railed against DNS tunneling. It seems to be rearing its ugly head again. Today with all the in-band HTTP attacks, it once again seems the major advantage of a proxy server is not having to pass DNS down to the client. Should this be a best practice?
>
> Hasn't it always?
>
> mjr.
------------------------------
Message: 4
Date: Tue, 16 Apr 2013 11:25:58 +0200
From: Magosányi Árpád <mag@magwas.rulez.org>
Subject: Re: [fw-wiz] Proxy advantage
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <516D1926.3050102@magwas.rulez.org>
Content-Type: text/plain; charset=ISO-8859-1
On 04/15/2013 11:13 PM, Paul D. Robertson wrote:
> I've always railed against DNS tunneling. It seems to be rearing its ugly head again. Today with all the in-band HTTP attacks, it once again seems the major advantage of a proxy server is not having to pass DNS down to the client. Should this be a best practice?
It seems like a good idea, which is easy to execute. I see you ending up
with either hundreds of angry end-users who were using non-HTTP
applications, or carefully migrating thousands of them one by one to a
new AD domain which does not know about your real DNS servers. And after
two months busily analysing HTTP proxy logs to figure out how many of
your users were connected to the C&C.
Okay, I am exaggerating, and I do think that the idea is worth a
thought. I just wanted to point out that
1) there are exceptions, and this is without exception: you will still
have to provide Internet DNS to them, and have the measures against DNS
tunneling.
And yes, it is much easier if you know that > 10 lookups/min is either
your HTTP proxy or a reverse proxy.
2) you will still be hit by HTTP reverse proxies.
And yes, you can at least have the opportunity to control them from a
central point, as before.
On a general level:
The best practice would be to proxy everything, and let in only the
traffic which adheres to the respective standards, the firewall
understands and finds harmless.
Let's see how it works out in the real world:
1. Adheres to standards
Maybe 10% of the current traffic? Proprietary protocols and protocol
extensions, misimplementations, horrific web pages, etc.
2. The firewall understands it
Your average packet filter is ignorant of nearly anything which is
not needed for pushing the traffic through the device.
Your average proxy firewall knows a bit more about the basic
protocols, so it can stop some attacks on that level.
And there are the toolkit firewalls (I know only Zorp as an instance
of this kind), which know all the ins and outs of the basic protocols,
can do anything with them, and it is relatively easy to teach them
higher-level ones. But they need a lot of tuning to get to the level
which really gives better protection than an average firewall.
There are high-level gateways (like the XML proxies) which may
understand things even on layer 7, but know only very few protocols, and
in most cases only a subset of them.
And there are the ESBs, which can do anything at the cost of
configuration complexity - nearly like a toolkit firewall, but maybe for
fewer protocols - but have a distinct use case, which is not about
security.
3. The firewall finds it harmless
If it adheres to standards and we understood it, then we already know
whether it is harmless. With protocols and passive content it is easy,
and we can prove that we understood the content by disassembling and
reassembling it (this is what Zorp and ESBs do).
But active content (from software updates through PDF/Word documents
to JavaScript) is another thing. We either trust them based on the
provider of the content, deny them, try to get some assurance, or use
some kind of sandbox (from the one built into the web browser/Java VM to
malware isolation products). They are either unacceptable from the
business perspective (deny), inherently insecure (most of the malware
detection stuff violates the "default deny" principle), have an extensive
operational burden (maintaining a trust-related database/ensuring leakless
sandboxen), or all of the above.
Once upon a time we optimistically assumed that if enough operators denied
non-adhering, potentially harmful content, providers of such content
would adhere to safe standards. It turned out to be a dream.
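The "disassemble, check, reassemble" approach described above for protocols, as an added example that is not code from the thread, from Zorp or from any ESB: a strict HTTP/1.1 request-head normaliser in Python. It accepts only what it can parse against the RFC 7230 grammar and re-emits one canonical encoding, so the server behind it never sees the client's original bytes; everything else is rejected, which is the "default deny" the message asks for. The allowed-method list, the HTTP/1.1-only rule, the size limits and the sample requests are assumptions made for this example.

```python
"""Strict HTTP/1.1 request-head normaliser (disassemble, check, reassemble).

Added example, not Zorp or ESB code. Policy choices (methods, HTTP/1.1
only, size limits) are assumptions made for the illustration.
"""
import re

# RFC 7230 grammar pieces we accept; anything that does not match is rejected.
TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")            # tchar+
TARGET = re.compile(rb"/[A-Za-z0-9\-._~%!$&'()*+,;=:@/?]*")    # origin-form, no fragment
FIELD_VALUE = re.compile(rb"[\t \x21-\x7e]*")                   # visible ASCII plus SP/HTAB
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}  # assumption
MAX_LINE = 8192
MAX_HEADERS = 64


class Reject(Exception):
    """Raised for any request head the filter does not fully understand."""


def parse_request_head(raw: bytes):
    """Disassemble the head strictly; return (method, target, [(name, value), ...])."""
    if not raw.endswith(b"\r\n\r\n"):
        raise Reject("head must end with CRLF CRLF")
    lines = raw[:-4].split(b"\r\n")
    if len(lines) > MAX_HEADERS + 1:
        raise Reject("too many header lines")
    for ln in lines:
        # after splitting on CRLF, any remaining CR or LF is a bare one
        if len(ln) > MAX_LINE or b"\r" in ln or b"\n" in ln or b"\x00" in ln:
            raise Reject("oversized line, bare CR/LF, or NUL")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise Reject("request line must be METHOD SP TARGET SP VERSION")
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        raise Reject("method not allowed: %r" % method)
    if not TARGET.fullmatch(target):
        raise Reject("request-target is not a clean origin-form path")
    if version != b"HTTP/1.1":                      # policy choice for this example
        raise Reject("only HTTP/1.1 is passed")
    headers = []
    for ln in lines[1:]:
        name, sep, value = ln.partition(b":")
        if not sep or not TOKEN.fullmatch(name):    # also rejects obs-fold and "Name :"
            raise Reject("malformed header line: %r" % ln)
        value = value.strip(b" \t")
        if not FIELD_VALUE.fullmatch(value):
            raise Reject("control characters in header value")
        headers.append((name.lower(), value))
    names = [n for n, _ in headers]
    if names.count(b"host") != 1:
        raise Reject("HTTP/1.1 requires exactly one Host header")
    if names.count(b"content-length") > 1:
        raise Reject("duplicate Content-Length")      # parsers disagree on which one wins
    if b"content-length" in names and b"transfer-encoding" in names:
        raise Reject("Content-Length with Transfer-Encoding")  # request-smuggling classic
    for n, v in headers:
        if n == b"content-length" and not v.isdigit():
            raise Reject("non-numeric Content-Length")
    return method, target, headers


def reassemble(method, target, headers):
    """Emit one canonical encoding; the peer never sees the client's original bytes."""
    out = [method + b" " + target + b" HTTP/1.1"]
    out += [n + b": " + v for n, v in headers]
    return b"\r\n".join(out) + b"\r\n\r\n"


def normalise(raw: bytes) -> bytes:
    return reassemble(*parse_request_head(raw))


def verdict(raw: bytes) -> str:
    """'pass' or 'reject: <reason>', for running over a batch of captured heads."""
    try:
        normalise(raw)
        return "pass"
    except Reject as e:
        return "reject: " + str(e)


if __name__ == "__main__":
    # constructed sample heads: one clean request, one CL/TE smuggling attempt
    for head in (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
                 b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n"):
        print(verdict(head))
```

Run over a batch of captured heads, verdict() says why each one fell out. The two rejections that matter most in practice are the bare-LF line ending and Content-Length beside Transfer-Encoding: both are the raw material of request-smuggling attacks against a downstream parser that is more lenient than the proxy, and a normalising proxy removes the ambiguity by refusing to forward anything it had to guess about.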
------------------------------
Message: 5
Date: Tue, 16 Apr 2013 11:46:17 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Proxy advantage
To: Kevin Kadow <kkadow@gmail.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>, "Paul D. Robertson"
<paul@compuwar.net>
Message-ID: <516D7249.6040204@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Kevin Kadow wrote:
> Does this only apply to an explicit proxy server? Does anybody deploy
> a transparent proxy server and not pass DNS down to the client?
My friend Ron Dilley wrote a passive DNS collector/logger - it's:
http://www.uberadmin.com/
Back in the day he used it as a data source into our "overwatch" system,
which is here:
http://www.ranum.com/security/computer_security/code/overwatch_final_draft.pdf
> Can you call it a "best practice" when it is impossible to maintain in
> a large diverse network?
If your premise is that your network is impossible to secure, then it's
impossible to secure.
> Aside from applications which are just not proxy aware, even when the
> application correctly uses OS proxy settings for HTTP/HTTPS/FTP/etc,
> it may still rely on being able to resolve external names; result is
> an unmanageably large whitelist for DNS lookups.
If your premise is that your network should accept
bad/dodgy/suspicious/inappropriate traffic then it's impossible to secure.
> Same goes with "not advertising a default route" or restricting
> default route HTTP/HTTPS with ACLs. Great idea, but one which quickly
> becomes difficult to manage on a large scale network.
If your premise is that your network allows all kinds of stuff in and
out, then it's impossible to secure.
> Once you have any unproxyable applications needing connectivity to
> Akamai or a similar CDN, these controls are usually abandoned as
> unmaintainable.
When you abandon security as "unmaintainable" don't whine when you
discover your network is insecure.
mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenable.com
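The passive-DNS data Marcus points to, combined with the policy from the top of the thread (clients resolve internal names only, the explicit proxy resolves everything else) and the "> 10 lookups/min is either your HTTP proxy or a reverse proxy" rule of thumb from earlier in the digest, as an added Python example that is not code from the thread, from Ron Dilley's collector or from the overwatch system: it triages constructed passive-DNS log lines and flags clients that resolve external names directly (the whitelist Kevin describes, reduced to "internal zone or nothing"), clients whose lookup rate exceeds the threshold without being the proxy, and queries that look like tunnel traffic (TXT/NULL types, very long labels, high-entropy leading labels). The log format, the addresses, the thresholds and the sample lines are all assumptions made for this example.

```python
"""Triage of passive-DNS log lines on a network whose policy is: clients
resolve internal names only, the explicit proxy resolves everything else.

Added illustration for this thread; it is not code from the list, from
Zorp, or from Ron Dilley's collector. The log format and the policy
constants below are assumptions made for the example.
"""
import math
from collections import Counter, defaultdict

# --- policy assumptions (not taken from the thread) ---
PROXY_HOSTS = {"10.0.0.5"}              # the only hosts allowed to resolve external names
INTERNAL_SUFFIXES = (".corp.example",)  # everything else counts as "external"
RATE_THRESHOLD_PER_MIN = 10             # the ">10 lookups/min" rule of thumb from the thread
LONG_LABEL = 40                         # one label this long almost never occurs in real names
ENTROPY_THRESHOLD = 3.5                 # bits/char; base32/hex payload labels sit well above it
TUNNEL_QTYPES = {"TXT", "NULL"}         # carrier types tunnels favour for the downstream direction


def shannon_entropy(text):
    """Bits per character: 'aaaa' -> 0.0, sixteen distinct chars -> 4.0."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_internal(qname):
    return qname.endswith(INTERNAL_SUFFIXES)


def parse_line(line):
    """Constructed log format: '<epoch> <client_ip> <qtype> <qname>'."""
    ts, client, qtype, qname = line.split()
    return int(ts), client, qtype.upper(), qname.rstrip(".").lower()


def tunnel_indicators(qtype, qname):
    """Reasons a single query looks like tunnel traffic (empty list = none)."""
    labels = qname.split(".")
    reasons = []
    if qtype in TUNNEL_QTYPES:
        reasons.append("qtype " + qtype)
    if max(len(lab) for lab in labels) >= LONG_LABEL:
        reasons.append("label of %d+ chars" % LONG_LABEL)
    if len(labels[0]) >= 16 and shannon_entropy(labels[0]) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy leading label")
    return reasons


def triage(lines):
    """Per-client summary: policy violations, peak lookups/min, tunnel-like queries."""
    per_minute = Counter()
    findings = defaultdict(lambda: {"policy_violations": 0, "peak_per_min": 0,
                                    "tunnel_suspects": []})
    for line in lines:
        ts, client, qtype, qname = parse_line(line)
        f = findings[client]
        if client not in PROXY_HOSTS and not is_internal(qname):
            f["policy_violations"] += 1          # a client resolving around the proxy
        key = (client, ts // 60)
        per_minute[key] += 1
        f["peak_per_min"] = max(f["peak_per_min"], per_minute[key])
        reasons = tunnel_indicators(qtype, qname)
        if reasons:                              # checked for the proxy too: a client can
            f["tunnel_suspects"].append((qname, reasons))  # drive lookups via its resolver
    return dict(findings)


def suspicious_clients(findings):
    """Clients worth a ticket. A high lookup rate alone is expected from the proxy."""
    out = []
    for client, f in findings.items():
        high_rate = f["peak_per_min"] > RATE_THRESHOLD_PER_MIN and client not in PROXY_HOSTS
        if f["policy_violations"] or f["tunnel_suspects"] or high_rate:
            out.append(client)
    return sorted(out)


# Constructed sample log; every line falls in the minute starting at 1366106400.
_B32 = "abcdefghijklmnopqrstuvwxyz234567"
SAMPLE_LOG = [
    "1366106400 10.0.1.10 A fileserver.corp.example",   # compliant workstation
    "1366106405 10.0.1.10 A mail.corp.example",
    "1366106401 10.0.0.5 A www.example.com",            # proxy resolving on everyone's behalf
    "1366106402 10.0.0.5 A cdn.example.net",
    "1366106410 10.0.1.20 A www.example.com",           # workstation with a route around the proxy
] + [
    # 12 queries from one host in one minute, each with a 48-char base32-looking label
    "%d 10.0.1.23 TXT %s.t.tunnel.example" % (1366106420 + i, (_B32 * 2)[i:i + 48])
    for i in range(12)
]

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for client, f in sorted(report.items()):
        print(client, f["policy_violations"], f["peak_per_min"], len(f["tunnel_suspects"]))
    print("suspicious:", suspicious_clients(report))
```

The tunnel indicators are applied to the proxy's lookups as well: once clients cannot reach external DNS, a tunnel can still be driven through the proxy's resolver by sending it requests for the tunnel names, so the proxy's query stream is where that signal now lives. Only the rate check exempts the proxy, because it is the one host expected to exceed the threshold.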
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 64, Issue 8
***********************************************