Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: Proxy advantage (Paul D. Robertson)
2. Re: Proxy advantage (Dave Piscitello)
3. Choir, preaching to (was Re: Proxy advantage) (Bennett Todd)
----------------------------------------------------------------------
Message: 1
Date: Tue, 16 Apr 2013 10:48:11 -0400
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] Proxy advantage
To: Kevin Kadow <kkadow@gmail.com>
Cc: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Message-ID: <6562E06A-008E-4570-A803-E4451D02785F@compuwar.net>
Content-Type: text/plain; charset=us-ascii
Transparent proxy clients don't have a way to connect without DNS. Fewer non-aware applications exist today than even 5 years ago. Hosts files can be maintained where that's an issue. Good security requires work- it's hard isn't a good excuse in my book. Engineer well and handle the exceptions, don't throw away your security by engineering for the poor exceptions.
As far as management- if you're going to whitelist some DNS servers, how difficult is it to log and investigate recursive resolution requests? Rate of change is low, even in large environments.
For broken crappy software, either file bug reports or just set up a wildcard resolver for the clients- it doesn't really matter what you resolve it to since the proxy makes the connections anyway.
DNS tunneling is becoming vogue again- how else do you stop it?
Paul
--
President and Chairman, FluidIT Group
Moderator, Firewall-Wizards
http://pauldrobertson.net
http://pauldrobertson.com
@compuwar
On Apr 16, 2013, at 10:13, Kevin Kadow <kkadow@gmail.com> wrote:
> Does this only apply to an explicit proxy server? Does anybody deploy a transparent proxy server and not pass DNS down to the client?
>
> Can you call it a "best practice" when it is impossible to maintain in a large diverse network? Aside from applications which are just not proxy aware, even when the application correctly uses OS proxy settings for HTTP/HTTPS/FTP/etc, it may still rely on being able to resolve external names; result is an unmanageably large whitelist for DNS lookups.
>
> Same goes with "not advertising a default route" or restricting default route HTTP/HTTPS with ACLs. Great idea, but one which quickly becomes difficult to manage on a large scale network. Once you have any unproxyable applications needing connectivity to Akamai or a similar CDN, these controls are usually abandoned as unmaintainable.
>
> Kevin Kadow
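One way to act on the "log and investigate recursive resolution requests" approach Paul describes above, as a constructed example added to this digest (not code from any list member): a small triage pass over BIND-style query-log lines that flags non-proxy hosts resolving external names, and query patterns typical of DNS tunneling (long high-entropy labels, many distinct subdomains under one parent). The log lines, hosts, domains, whitelist and thresholds are all assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed BIND-style query-log lines (hypothetical hosts and domains).
LOG_LINES = """\
16-Apr-2013 10:48:11.001 client 10.1.1.20#51000: query: www.example.com IN A + (10.1.1.53)
16-Apr-2013 10:48:11.002 client 10.1.1.20#51001: query: mail.example.net IN MX + (10.1.1.53)
16-Apr-2013 10:48:12.101 client 10.1.7.88#40001: query: 4e7a9b2c1f6d8e3a5b7c9d1e2f3a4b5c.t.example-tunnel.test IN TXT + (10.1.1.53)
16-Apr-2013 10:48:12.202 client 10.1.7.88#40002: query: 9c1d3e5f7a9b1c3d5e7f9a1b3c5d7e9f.t.example-tunnel.test IN TXT + (10.1.1.53)
16-Apr-2013 10:48:12.303 client 10.1.7.88#40003: query: 2b4d6f8a0c2e4a6c8e0a2c4e6a8c0e2a.t.example-tunnel.test IN TXT + (10.1.1.53)
16-Apr-2013 10:48:13.404 client 10.1.9.14#33000: query: intranet.corp.internal IN A + (10.1.1.53)
"""
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)")
# Only the proxies may resolve external names; every host may resolve the
# internal namespace. Both are placeholder values for this example.
EXTERNAL_RESOLVERS = {"10.1.1.20"}
INTERNAL_SUFFIXES = (".corp.internal",)

def shannon_entropy(label):
    """Bits per character; random-looking tunnel payload labels score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def parse(log_text):
    """Yield (client_ip, qname, qtype) for every line that looks like a query."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["ip"], m["name"].rstrip(".").lower(), m["qtype"]

def triage(log_text, min_label=30, min_entropy=3.0, max_subdomains=3):
    """Return (kind, detail) findings: policy violations and tunneling hints."""
    findings, by_parent = [], defaultdict(set)
    for ip, name, qtype in parse(log_text):
        if not name.endswith(INTERNAL_SUFFIXES) and ip not in EXTERNAL_RESOLVERS:
            findings.append(("unexpected-external-resolution", f"{ip} -> {name} {qtype}"))
        labels = name.split(".")
        if len(labels) > 2:
            by_parent[".".join(labels[-2:])].add(name)
            longest = max(labels[:-2], key=len)
            if len(longest) >= min_label and shannon_entropy(longest) >= min_entropy:
                findings.append(("high-entropy-label", f"{ip} -> {name} {qtype}"))
    for parent, names in by_parent.items():
        if len(names) >= max_subdomains:
            findings.append(("many-subdomains", f"{parent}: {len(names)} distinct names"))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(LOG_LINES):
        print(f"{kind:32} {detail}")
```

The thresholds are deliberately low so the six constructed lines trigger every rule; in production they are tuned against the baseline of the environment's own query logs.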
------------------------------
Message: 2
Date: Tue, 16 Apr 2013 12:34:25 -0400
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] Proxy advantage
To: Firewall Wizards Security Mailing List <firewall-wizards@listserv.cybertrust.com>
Message-ID: <CADLVL0+gy4Q=Lk9CojJ=ztGMpg3E_+j+iv5O7GAFtdMh-TTCHQ@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
DNS is one service where you can actually do some mitigation at scale.
Not certain why people overlook the fact that name resolution is among
the earliest interventions an admin can take.
Not certain, too, whether anyone has tried Response Policy Zone (RPZ,
see http://www.isc.org/community/blog/201007/taking-back-dns-0), but
there's a lot to gain by filtering responses for malicious domains. I
think this may scale better than hosts files.
On Tue, Apr 16, 2013 at 10:48 AM, Paul D. Robertson <paul@compuwar.net> wrote:
> Transparent proxy clients don't have a way to connect without DNS. Fewer non-aware applications exist today than even 5 years ago. Hosts files can be maintained where that's an issue. Good security requires work- it's hard isn't a good excuse in my book. Engineer well and handle the exceptions, don't throw away your security by engineering for the poor exceptions.
>
> As far as management- if you're going to whitelist some DNS servers, how difficult is it to log and investigate recursive resolution requests? Rate of change is low, even in large environments.
>
> For broken crappy software, either file bug reports or just set up a wildcard resolver for the clients- it doesn't really matter what you resolve it to since the proxy makes the connections anyway.
>
> DNS tunneling is becoming vogue again- how else do you stop it?
>
> Paul
> --
> President and Chairman, FluidIT Group
> Moderator, Firewall-Wizards
> http://pauldrobertson.net
> http://pauldrobertson.com
> @compuwar
>
> On Apr 16, 2013, at 10:13, Kevin Kadow <kkadow@gmail.com> wrote:
>
>> Does this only apply to an explicit proxy server? Does anybody deploy a transparent proxy server and not pass DNS down to the client?
>>
>> Can you call it a "best practice" when it is impossible to maintain in a large diverse network? Aside from applications which are just not proxy aware, even when the application correctly uses OS proxy settings for HTTP/HTTPS/FTP/etc, it may still rely on being able to resolve external names; result is an unmanageably large whitelist for DNS lookups.
>>
>> Same goes with "not advertising a default route" or restricting default route HTTP/HTTPS with ACLs. Great idea, but one which quickly becomes difficult to manage on a large scale network. Once you have any unproxyable applications needing connectivity to Akamai or a similar CDN, these controls are usually abandoned as unmaintainable.
>>
>> Kevin Kadow
------------------------------
Message: 3
Date: Tue, 16 Apr 2013 17:57:49 -0400
From: Bennett Todd <bet@rahul.net>
Subject: [fw-wiz] Choir, preaching to (was Re: Proxy advantage)
To: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Message-ID: <CAA9gXs8ZvJJXY+KnL2zn1TnGkfVHHhHRxvFsKaaaZZPK7UE3yQ@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Computer Security serves a very specific purpose, and that's helping
improve reliability in the face of a hostile world.
If you do or say things that mustn't be known in public, it may serve to
help there, too, but that's neither the sole nor a necessary justification.
Implementing computer security comes at a cost. It may be paid in money, or
time, but it will always be paid in sacrificed flexibility, speed, ease of
use, and so on.
If your security policy lays out the decision criteria well, you can do
things -- like making all IP addresses other than your internal network
unroutable and unreachable to anything but the proxies in your firewall
plant.
If you allow individuals' mobile devices to attach to your network, or VPN
for work from home; or if you allow anyone to install software without
careful review and supervision; or if you allow excessively complex
applications to access excessively complex data from untrusted sources
(say, GUI web browsers or email clients), your security stance is cruising
along well below the threshold to repel casual thugs with limited
motivation and expertise.
A low-tech kludge for must-have apps with unacceptable security issues is
to run them on a sandbox machine. Happily, in this day of VMs, the cost of
doing so is smaller than it used to be.
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 64, Issue 9
***********************************************