Slashdot Mirror


Firewall + Censorware = Trouble

Is your company thinking of buying a firewall that comes bundled with blocking software? Think twice. SecurityFocus ran this story earlier this week: "Censorware gaffe turns 'World's Most Secure Firewall' into an open door." Turns out that bundling Cyber Patrol with Network Associates' Gauntlet meant creating a custom server that "contains a buffer overflow bug, and, further, mistakenly accepts connections from the outside world" - so intruders could get root on the firewall. Makes sense to me: firewall designers keep security uppermost in mind; censorware designers don't. Update 8:55 AM: BusinessWeek is calling it "The Breach That's Shocking the Firewall Industry."

14 of 72 comments

  1. Binary poison. by Spudley · · Score: 5

    This proves the point about adding complexity to a system.

    The most secure systems are generally speaking, the simplest. It should be obvious that the fewer things a system has to do, and the fewer ways of doing those things, the less chance there is for there to be a security hole (or any other kind of flaw).

    Obviously, for some applications it's better to have some 'more-than-one-way-to-do-it'. Firewalls do not fall into this category.

    A Firewall should be there for one purpose, and one purpose only: to control access to a network. Adding features like cyberpatrol was asking for trouble. If you want cyberpatrol software, install it separately, behind the firewall, so that they can't interfere with each other.

    --
    (Spudley Strikes Again!)
  2. Equations... by dylan_- · · Score: 4

    Hmm...

    Mozilla x (Perl + Python) = New IDE

    Firewall + Censorware = Trouble

    It seems the million dollars for solving mathematical puzzles is preying on the minds of the Slashdot folks....

    dylan_-

    --
    Igor Presnyakov stole my hat
  3. It's about complexity, not censorware by tmu · · Score: 5

    It's unfortunate that this issue is going to be confused by the fact that the censorware caused it. This will leave many network administrators with the impression that as long as they are not doing content-based filtering or blocking, they're ok.

    In fact, this is the first remote-root exploit in a commercial firewall in a long time and it is due entirely to the fact that commercial vendors are under pressure by the market to throw the damned kitchen sink into their products. Firewalls need to be simple enough to be auditable. Simple enough to be understandable by a human at a time and place by herself.

    Commercial firewalls like Checkpoint's FW1 and Gauntlet (among many other offenders) are selling like hotcakes for bad reasons. Smart organizations are implementing simpler solutions like OpenBSD-based ipfilter (Darren Reed's well-tested stateful packet filtering running on Theo de Raadt's well-audited kernel). They are then (as other folx have suggested) supplementing with things like squid for proxying (and hopefully on a box separate from the firewall!) and even still using things like the TIS toolkit (now from NAI but originally authored by Marcus Ranum). Smart organizations run secure MTAs like qmail and do virus filtering on the mail server only if they have to (it's a task better taken care of at the client, IMHO).

    These are not fancy tools, but they perform their objectives simply enough that they can be trusted.

    Security should not be about features, ever. It should be about verifiability and trustworthiness.

  4. Misleading article by SPC · · Score: 4
    When I first looked at the article I thought it was about free-speech and a security breach, much in the way of a cause-and-effect connection. And therefore it seemed to me that it was saying that setting up a firewall is bad.

    Please, let's be clear on this: There *are* Firewall/Censorware packages that don't automatically create security holes in your network.

    Some are even good censorware, like using junkbuster in conjunction with a firewall to reject evil cookies and filter unwanted ads, and repel crackers.

    It's amazing how much faster it is to surf without waiting for some silly ads to finish downloading, so you can see the rest of the page.

    (Just my $0.02)

    --
    Look, I know the road is rough, and the work is hard; But we'll burn every bridge as we get to it, OK?

    1. Re:Misleading article by whoop · · Score: 4

      People bitch when ZD puts up blatant Slashdot-bait articles, one week it's anti-Linux, the next it's pro-Linux. This site is turning into the same damn thing. We have ridiculous topics like that C++ Builder license thing, rather than anyone asking Borland to clarify, you go into crazy hysteria mode immediately.

      NewsFlash: Sendmail causes Unix to end world. Nuclear submarines may launch missiles when fourteen-year-old crackers request it. This gives further proof that you can only trust closed mailing systems like Microsoft Exchange and wonderful Windows operating systems. Any other mail transport agent is insecure and liable to lead to the destruction of mankind.

      Now, how many of you would be sitting back saying, "Yup. Right on! All open source Email systems are truly evil." to such an article. If you hate Censorware, hate it for what it does, don't go generating hysteria over this. Email, web traffic, flushing the toilet do not cause security holes, specific programs do.

      Slashdot: News for paranoids, spreading the hysteria.

    2. Re:Misleading article by Bryan+Andersen · · Score: 3

      I didn't see anything misleading at all. The article header tells it like it is. When they added in the CyberPatrol module, it added in a security breach. Not only that, it also set up an open proxy server. That's doubly bad.

      What is truly pathetic about this is it's relatively simple to get rid of many buffer overflows by selecting languages and/or libraries that range limit all IO. Using calls to routines like gets() and scanf() is asking for trouble. Even though they are standard C functions, they are also not safe due to their design. They don't limit the length of the data they store into buffers. C++'s standard IO routines also contain built-in buffer overflows. This is truly pathetic because it was well known that the non range limited IO routines in C were a security flaw long before C++ was invented. So what did they do, they perpetuated the problem by continuing to not do range limiting.
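The range-limiting point in the comment above, as an added example that is not code from the article, from the commenter, or from Gauntlet or Cyber Patrol. The unbounded gets()/scanf("%s") pattern appears only in a comment; the functions below read the same kind of fixed-size field with fgets() bounded by the buffer size and with a scanf width one less than the buffer, and they report an over-long line so the caller can reject it instead of letting it spill past the buffer. fmemopen() (POSIX) stands in for a network stream, FIELD_LEN and the sample lines are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Fixed-size field of the kind a small protocol parser keeps on the stack.
 * 16 bytes is an arbitrary size chosen for this example. */
#define FIELD_LEN 16

enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = 2 };

/* The unsafe pattern, shown only as a comment: neither call knows how big
 * the destination is, so a long line from the peer is written straight past
 * the end of the 16-byte array into whatever sits next to it.
 *
 *     char field[FIELD_LEN];
 *     gets(field);            // no bound at all (removed from C11)
 *     scanf("%s", field);     // no bound either
 */

/* Bounded line read. fgets() never stores more than FIELD_LEN bytes
 * (FIELD_LEN-1 characters plus the NUL). If the line did not fit, the rest
 * of it is drained from the stream and READ_TRUNCATED is returned, so the
 * caller can reject the line rather than silently use a cut-off value. */
enum read_status read_field(FILE *in, char out[FIELD_LEN]) {
    if (fgets(out, FIELD_LEN, in) == NULL)
        return READ_EOF;
    size_t n = strlen(out);
    if (n > 0 && out[n - 1] == '\n') {
        out[n - 1] = '\0';            /* complete line: strip the newline */
        return READ_OK;
    }
    /* No newline in the buffer: the line either fit exactly, is a short
     * final line without a newline, or was too long. Peek to find out. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return READ_OK;
    while (c != EOF && c != '\n')     /* discard the remainder of a long line */
        c = fgetc(in);
    return READ_TRUNCATED;
}

/* Bounded token scan: the width must be FIELD_LEN-1 so the NUL still fits.
 * Returns 1 if a token was stored, 0 otherwise. */
int scan_field(const char *line, char out[FIELD_LEN]) {
    return sscanf(line, "%15s", out) == 1;   /* 15 == FIELD_LEN - 1 */
}

/* Length of the token the bounded scan stored, or -1 if nothing was read. */
int scan_field_len(const char *line) {
    char out[FIELD_LEN];
    return scan_field(line, out) ? (int)strlen(out) : -1;
}

/* Run read_field() over a constructed input stream and count how many lines
 * had to be rejected for being longer than the field. Returns -1 if the
 * in-memory stream could not be opened. */
int count_rejected(const char *input) {
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -1;
    char field[FIELD_LEN];
    int rejected = 0;
    enum read_status st;
    while ((st = read_field(in, field)) != READ_EOF) {
        if (st == READ_TRUNCATED)
            rejected++;
    }
    fclose(in);
    return rejected;
}

int main(void) {
    /* Constructed sample: two well-formed commands around one 64-byte line. */
    const char *sample =
        "GET\n"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
        "QUIT";
    printf("rejected over-long lines: %d\n", count_rejected(sample));
    return 0;
}
```

The peek after a newline-less fgets() matters: a line of exactly FIELD_LEN-1 characters fills the buffer without its newline and is still a valid, complete field, so only a further non-newline byte counts as truncation.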

  5. Would this be newsworthy if... by Glowing+Fish · · Score: 5

    This had not been a censorware product that caused the security hole? This doesn't seem to be a major security hole, it is confined to one specific firewall and one particular censorware product.

    If Slashdot is trying to show a technical flaw, that is cool. And if Slashdot is trying to say that censorware is wrong\unethical, that is also okay. But by combining the two, what Slashdot seems to be subliminally implying is:

    "Unethical" software is inherently technically flawed.

    Of course, no one would come out and say that, because it is totally ridiculous. But by showing examples, the idea is implanted.

    --
    Hopefully I didn't put any [] around my words.
    1. Re:Would this be newsworthy if... by TheMoog · · Score: 3

      I think you're reading far too much into this - while Slashdot shows up the technical flaw I can't see any implication that 'censorware is unethical' in the write-up.

      As for the association between the two; that's taking it even further.

      For my money, it just shows that when you take two products with different end-goals and try to merge them, you may end up sacrificing some of each...just it seems the sacrifice has come from the wrong side.

    2. Re:Would this be newsworthy if... by PigleT · · Score: 3
      (As an implication): >"Unethical" software is inherently technically flawed.

      There are a couple of other options for what /.'s saying:
      (1) technically-flawed software is also unethical;
      (2) oh look, combining things has just given us the worst of both worlds => this is a complete crock of software.

      I'm surprised nobody's pointed out this absolute hoot of a sales pitch..:

      Gauntlet Firewalls combine the most secure method of firewall protection - application gateway- with the speed of stateful inspection packet filters via our patent-pending Adaptive Proxy technology. Adaptive Proxies protect both in-bound and out-bound services, supporting high throughput and the latest web-based technologies without sacrificing security with important features including user transparency, integrated management, strong encryption and content security.

      I guess it's not meant to be an open-source product, by any chance? ;)
      ~Tim
      --
      .|` Clouds cross the black moonlight,
      Rushing on down to the circle of the turn
  6. firewalls should only be firewalls by docfbl · · Score: 3

    Unfortunately, we now have another reason to show why your firewall (or any other security device, IMHO) should be the only software running on a particular machine, other than the OS.

    Unfortunately, in these days of consolidation and price sharing, nobody seems to be listening. I don't know how many requests I get a week from different people asking for different software to be installed on the firewalls ("Can we make the firewall a DNS server? SMTP server? NTP server?")

    This also highlights another thing we in the security industry should be worried about: Bugs in code. With packages such as checkpoint becoming larger and larger, it is getting harder to keep track of the internals of exactly what is happening inside these security products. While it probably isn't feasible, it would be nice to have some sort of outside auditing done on the code, as a sanity check. Heck, open source it. :)

    Also, this may make people take a closer look at firewall appliances such as the Nokia. Having something that is pretty much a dedicated firewall solution (aka, stripped down OS, running nothing else but firewall) becomes more attractive.

    So, the recipe for a good firewall is:

    1) Install OS
    2) De-install everything not needed to let the box run.
    3) Harden OS (also, take a look at known security bugs for the OS you are running, it may save you grief in the long run).
    4) Install firewall code. If you don't need some portion of the firewall, don't install/activate it! Also, RTFM. The release notes and web pages of the companies involved can save you trouble in the long run.

    Of course, you need a little more than this to develop true 'network security', but this will at least help you get the firewall portion right.....

    --Doc

  7. Bugs happen. But Trialware In The Firewall?!? by Effugas · · Score: 5

    Actually, it's just an unfortunate coincidence that of all the various things that could have gone wrong with this Firewall, it was the bridge to the Censorware app that did. As Schneier argues, excess complexity really is the death of security, and the bottom line was that an app intended to filter packets had detailed, layer 7 filtering hoisted onto it through a hack, rather than a chosen design. It doesn't matter what was hacked in--something was hacked, it wasn't thought out well enough, and it went boom.

    It's just a rather inconvenient failure for the Censorware industry that it was one of theirs that took the system down.

    But there's a much more interesting failure, one that I don't really think has been paid enough attention to: It's not that Gauntlet had a security breach, it's that the breach came from 30-Day Trialware installed by default on a mission critical service.

    If an app I choose to install turns out to have a hole, I'm more than willing to give the authors time to repair the hole. But if an app I *don't* choose to install turns out to install some other app with a hole, one I didn't realize would be installed by default, didn't realize would by default communicate my download logs to the central office (Hi Realnetworks! How's that Download Demon doing?), didn't realize was being shoved on me as a supposed freebie but as an actual privacy and security disaster...

    Then the honesty that underlies every commercial reaction gets toasted.

    I don't blame the coders for having a bug in their bridge code. I blame the policymakers for specifying that the bridge should be enabled by default. Such behavior is inappropriate for employee desktops; whoever made the call that this kind of sales strategy should be applied to the most security critical of product lines bears the responsibility for the disaster that ensued.

    The only good to come out of it is that, slowly but surely, we're going to win Corporate America's support of industry codes of conduct as a last ditch defense against regulation. Some good, eh guys?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  8. Teaching Buffer Overflows in School by Izaak · · Score: 3
    I just gave a security lecture to a bunch of graduating comp sci students. I focused mainly on buffer overflows, how they are exploited, and how to avoid writing them. I actually stepped through the process of writing some vulnerable code, overflowing it and dissecting it in the debugger, and then writing a simple exploit. It really looked like I grabbed their attention (hopefully for the right reasons). Perhaps they will now avoid some of the common mistakes that lead to these news stories.

    Thad

  9. Same story, different message by LinuxGeek · · Score: 4

    My take is that this story highlights the technical oversights that CyberPatrol is making.

    I have strong concerns about the methods they employ to select what content and sites to filter and this points to severe technical problems with their implementation. I think you read the wrong message into its /. submission. It is more like a headline of "Technically incompetent bomb maker blows off own foot" or "Neighborhood bully gets butt kicked, lunch money stolen", irony is quite humorous as long as it wasn't your firewall. I would be quite pissed if it was my firewall they pooched.

    --

    Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
  10. a firewall is a firewall, not a router etc by martin · · Score: 3

    Every time someone integrates complex functionality you have the opportunity for errors.

    The more complex the system, the more likely it is to have problems. Same issue for cars (eg a Formula 1 car is less reliable than a Ford Focus, but it has a different job to do so..).

    Like I always say KISS - Keep It Simple Stupid (Ok so the Army uses this as well).

    The simpler the system, the more reliable it _tends_ to be.

    When security is involved, I like simple because I'm stupid.