Wednesday, April 27, 2011

firewall-wizards Digest, Vol 57, Issue 10

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Proxies, opensource and the general market: what's wrong
with us? (Peter Robinson)
2. Re: Proxies, opensource and the general market: what's wrong
with us? (Tracy Reed)
3. Re: How to keep firewall rules clean and up-to-date (Tracy Reed)


----------------------------------------------------------------------

Message: 1
Date: Thu, 28 Apr 2011 09:06:17 +1000
From: Peter Robinson <peter@securegateway.org>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: firewall-wizards@listserv.cybertrust.com
Message-ID: <183770AF-F5E1-4142-A11B-F6DC4295F7C1@securegateway.org>
Content-Type: text/plain; charset="us-ascii"

Hi there

This thread is just too good to not get involved.... :-)

I wrote this "article" in 2002 and at that time it was titled "Open Source and the virtues of the Crystal Box" as a parody on the virtues of Open Source security software vs closed source commercial security software...

In the "old days"... Some vendors would actually provide source code if specifically requested as, after all, this was "Security" software...

---------------
Once upon a time, in a cyberland, far far away.....

There lived a young Geeknight and his job was to secure the systems of the Corporate empire at the behest of King CISO.

He had access to all the finest commercial tools/weapons he needed but still failed to slay or deter the Dragons of Hack.

The Dragons wanted to steal information about all the citizens in the realm and were able to wreak havoc on the realm as they knew exactly how all the tools/weapons worked including the Drawbridge/"Wall of Fire"

The Geeknight realised that he needed more visibility of how his systems worked and so he asked the Lords of Supply to whom he paid vast sums of money to please provide the source code for the "wall of fire" he ran.

They grudgingly obliged and claimed they actually had the Realms of Corporate's best interests at heart. Soon, the Geeknight was able to quickly make modifications, apply patches and customise his "Wall of fire" to the specific requirements of his realm.

The Dragons of Hack had no idea what had happened when they next tried to invade the realm and were surprised to learn that even though they thought they understood how these systems worked they still could not penetrate the Realm of Corporate's new "Wall of fire".

The Realm was safe for many Internet Years until the Lords of Supply became greedy and decided not to allow the Young Geeknight access to the source code any longer, just in case he gave it away free to other Realms.

They constantly forced the Realm to upgrade all the systems to newer versions by refusing to support the older ones (even though there was nothing wrong with them).

The Dragons of Hack (being industry professionals) also had access to these new versions and soon found they could resume their tyrannical onslaught of the Realm of Corporate.

The young Geeknight pleaded with his suppliers for visibility of his system so he could counter these attacks but they refused and once again the Realm of Corporate was regularly breached by The Dragons of Hack.

Realising he could not compete whilst constantly waiting for the Lords of Supply to upgrade his defences, the Geeknight turned to Open Source software which he obtained for free and after a few weeks of training he was able to build a new "Wall of Fire" totally to the Realm of Corporate's specific requirements.

The Dragons of Hack were once again hapless but still determined.

But... King CISO of the Realm of Corporate became distressed. He could not understand why he had been paying so much for these services in the past and failed to see why his budget was now drastically reduced.

When he realised that he was no longer going to be wined and dined by the Lords of Supply and had lost the ability to simply prove his levels of diligence to the realm with a fat budget, he became angry with the young Geeknight and demanded an explanation.

The Geeknight explained his dilemma, but King CISO could not fathom that he could have the same levels of realm security without the fat budget.

King CISO insisted the Geeknight remove the "free" systems and return to the expensive, Lords of Supply "supported" "Walls of Fire".

Being loyal to the realm he returned to the Greedy Lords of Supply and begged forgiveness. They forgave the Geeknight "at a cost" and King CISO got his Wining and Dining (relationship management) back along with his over-inflated fat budget.

The Dragons of Hack soon returned and breached defences all around the Realm of Corporate; this did not deter King CISO as he could now again prove his diligence to the Realm with a fat budget.

They all lived happily ever after except the young Geeknight who resigned his Knighthood in disgust and began his own start-up realm.com

-----------------

we've come a long way since then but we still seem to be losing this argument....
-----------------------------
Peter Robinson
peter@securegateway.org
Securegateway.Org

There is nothing more difficult to take in hand, more perilous to
conduct, or more uncertain in its success, than to take the lead in the
introduction of a new order of things. Niccolo Machiavelli


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20110428/0a3036ca/attachment-0001.html>

------------------------------

Message: 2
Date: Wed, 27 Apr 2011 15:38:49 -0700
From: Tracy Reed <treed@ultraviolet.org>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20110427223848.GD31668@tracyreed.org>
Content-Type: text/plain; charset="us-ascii"

On Tue, Apr 26, 2011 at 05:03:27PM +0400, ArkanoiD spake thusly:
> There are some right things happening, though. I see many firewalls are now
> capable of dealing with http based applications in quite complex ways.
> Looks like FOSS is lagging behind again (except WAF part) :-(

The demand just isn't there.

> > the GPL side. Because open source is about community, and reaching critical
> > mass is very hard, especially if you come with a niche product aimed at the
> > enterprise. This is a feat neither FWTK nor Zorp have been able to reach.
>
> Quite amazing, but fwtk (old TIS once) was there once. But it was 15 years
> ago :-(

I have only ever known one person who attempted to implement fwtk and actually
proxy protocols. Everyone else just packet filters and calls it a firewall. And
that's all any security standard or regulation I have ever seen requires as
well.

> Easy to use "firewall-oriented" Unix toolboxes like Smoothwall, Shorewall,
> IPCop, m0n0wall etc have reached that quite easily, but they are not really
> "aimed at the enterprise", they are aimed to be user-friendly at low
> end/soho.

Depends on what you mean by enterprise. I know lots of companies with millions
in revenue using them.

> Maybe I should start with designing simple kick-start tools for newbies? Will
> it help?

What would these tools be kick-starting?

> > 6. The world is changing. This means that new buzzwords coming up, followed
> > dutifully by the market. Fortunately new buzzwords usually mean the same
> > old things. Those ideas which were too immature 20 years ago reemerge
> > later in a different name and shape. You are looking for application level
> > firewall? Look at "xml firewall" and "SOA firewall". They are out there.
> > Yes, they are specialized into a very tiny subset of the problem space (and
> > the rest is still uncovered), but maybe that is the most important part
> > anyway.
>
> XML/SOA firewalls were expected to have a great future, but they are useless
> unless you have detailed system design documents with data flow described in
> the tiniest details and you are ready to spend about 10% of resources (or
> even more) used to implement the system itself on security related issues.

A lot of this whole business sounds very buzzword compliant. A lot of people
seem to weigh the expense of purchasing/configuring/maintaining the fancy
firewalls vs the perceived risk. They end up implementing nothing more than a
packet filter.

> > I am also seeing labeling and information flow control gaining momentum.
> > You should be very familiar with both TNI and the modern enterprise
> > architecture to catch a glimpse of it, but it is there and growing. And our
> > profession is changing, too.
>
> That's amazing, because from the very beginning it was quite obvious that
> labeling and information flow control is the foundation of information
> security.

That's one of the reasons why I like SE Linux. Labels are nice. Like having a
nice type system in a programming language to make sure things don't go wrong.

> Despite that, people ignored it for years, until they got better ad hoc
> labeling tools with DLP. Better later than never :-) Again, opensource
> solutions are barely visible here :-(

Again, no demand. Everyone wants a "community" and nobody wants to build
something which hardly anyone will use.

> I guess the first thing we do need is a good companion endpoint security
> solution, capable of data discovery and classification as well..

How would something like this work?

--
Tracy Reed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20110427/697b6bdd/attachment-0001.pgp>

------------------------------

Message: 3
Date: Wed, 27 Apr 2011 15:45:20 -0700
From: Tracy Reed <treed@ultraviolet.org>
Subject: Re: [fw-wiz] How to keep firewall rules clean and up-to-date
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20110427224520.GE31668@tracyreed.org>
Content-Type: text/plain; charset="us-ascii"

On Tue, Apr 26, 2011 at 01:12:06PM +0200, Ilias - spake thusly:
> What do you do to keep your firewall rules clean and up-to-date?

Periodic firewall config audits. Review each rule, make sure it still has a
purpose. Ideally you would search the rules whenever a box is retired but that
has been difficult to enforce in my environments. Best is to have reviews
regularly enough that when you see a rule for a box that has recently been
retired you recognize it.

I extensively comment my firewall rules also and explain why each rule is there
and what it is intended to do. That makes recognizing unneeded rules much
easier.

Accounting on your firewall rules is nice also. If you see a rule that hasn't
been hit in a while or only hit with a few packets such as might result from a
SYN scan from the net you can investigate if it is needed anymore and remove it.

If a server changes IP addresses we have always found it easier with our system
to edit the existing rule rather than add a new one so we tend not to get
duplicate rules because a system changed IP addresses.

--
Tracy Reed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20110427/7ee12c64/attachment.pgp>
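
A small audit helper in the spirit of the review routine described above, added here as an example; it is not code from the list or from Tracy Reed. It assumes Linux iptables, the output format of `iptables -L <chain> -v -n -x` with every rule carrying a `-j` target, and rules annotated with `-m comment --comment "..."`, which iptables prints as `/* ... */` at the end of the rule line. The listing it runs over is constructed sample data, and the "few packets, SYN-sized" thresholds are heuristics, not iptables settings. One caveat worth remembering: packet counters run from rule insertion or the last `iptables -Z`, so a zero counter only means "unused since then"; the audit interval has to be long enough to cover legitimate but infrequent traffic such as a monthly batch job.

```python
"""Audit an iptables chain listing for unused, scan-noise, uncommented and
duplicate rules.

Added example (not from the firewall-wizards list). Assumptions: the text is
the output of `iptables -L <chain> -v -n -x` on Linux, every rule has a -j
target, and rule comments were set with `-m comment --comment "..."`, which
iptables prints as /* ... */ at the end of the rule line.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample listing: counters, addresses and comments are made up.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  418233  512903301 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.5             tcp dpt:443 /* www1 public web, owner: web team */
       0          0 ACCEPT     tcp  --  *      *       10.0.1.0/24          10.0.0.9             tcp dpt:5432 /* db1 from app subnet */
       4        240 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.7             tcp dpt:8080
   90210   13455720 ACCEPT     tcp  --  *      *       10.0.1.0/24          10.0.0.19            tcp dpt:5432 /* db1 from app subnet (db1 moved to .19) */
    1200     144000 ACCEPT     udp  --  *      *       10.0.0.0/8           10.0.0.2             udp dpt:53 /* internal resolver */
       0          0 ACCEPT     udp  --  *      *       10.0.0.0/8           10.0.0.2             udp dpt:53 /* internal resolver */
"""

# One rule line: counters, target, then the fixed match columns; anything
# after the destination column (ports, comment) is captured as "rest".
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"(?P<rest>.*)$"
)
COMMENT_RE = re.compile(r"/\*\s*(?P<text>.*?)\s*\*/")


@dataclass
class Rule:
    index: int                   # 1-based position within the chain
    pkts: int
    bytes: int
    target: str
    match_key: Tuple[str, ...]   # everything that decides whether a packet matches
    comment: Optional[str]


@dataclass
class Finding:
    index: int
    code: str
    detail: str


def parse_listing(text: str) -> List[Rule]:
    """Turn the listing into Rule records; header and blank lines are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        cm = COMMENT_RE.search(rest)
        comment = cm.group("text") if cm else None
        # The comment is documentation, not a match criterion, so drop it
        # before building the key used for duplicate detection.
        extras = COMMENT_RE.sub("", rest).split()
        key = (m.group("prot"), m.group("in"), m.group("out"),
               m.group("src"), m.group("dst"), *extras)
        rules.append(Rule(len(rules) + 1, int(m.group("pkts")),
                          int(m.group("bytes")), m.group("target"), key, comment))
    return rules


def audit_listing(text: str, low_hits: int = 10,
                  syn_max_bytes: int = 64) -> List[Finding]:
    """Flag rules a periodic review should look at.

    low_hits / syn_max_bytes are heuristics (assumed here): a handful of
    packets averaging no more than a SYN-sized frame suggests the rule only
    ever matched scan traffic, never a real session.
    """
    findings: List[Finding] = []
    seen: Dict[Tuple[str, ...], int] = {}
    for r in parse_listing(text):
        if r.comment is None:
            findings.append(Finding(r.index, "uncommented",
                                    "no comment explaining why the rule exists"))
        if r.pkts == 0:
            findings.append(Finding(r.index, "unused",
                                    "zero packets matched since counters were last reset"))
        elif r.pkts <= low_hits and r.bytes // r.pkts <= syn_max_bytes:
            avg = r.bytes // r.pkts
            findings.append(Finding(r.index, "scan-noise",
                                    f"only {r.pkts} packets at {avg} bytes each: "
                                    "SYN-sized, no payload"))
        if r.match_key in seen:
            findings.append(Finding(r.index, "duplicate",
                                    f"same match as rule {seen[r.match_key]}, "
                                    "which is evaluated first and shadows this one"))
        else:
            seen[r.match_key] = r.index
    return findings


if __name__ == "__main__":
    # Real use: pipe `iptables -L INPUT -v -n -x` into this script instead.
    for f in audit_listing(SAMPLE_LISTING):
        print(f"rule {f.index}: {f.code}: {f.detail}")
```

Running it on the sample flags rule 2 (unused: the old db1 address), rule 3 (uncommented and scan-noise) and rule 6 (unused and a duplicate of rule 5). Editing rule 2 in place when db1 moved, as the message above suggests, would have avoided carrying both the stale rule and its replacement.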

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 57, Issue 10
************************************************
