Slashdot Mirror


User: Master+of+Transhuman

Master+of+Transhuman's activity in the archive.

Stories
0
Comments
5,622

Comments · 5,622

  1. Re:Don't let this put you off the product on Microsoft Denies Claria got Spyware Exception · · Score: 2, Insightful

    "It's much better than spybot or ad-aware, in fact"

    Not from what I've read from numerous people who have tried it, here and on Usenet.

    It finds some stuff the others miss, it protects against some stuff the others miss - but so do they in relation to it.

    Adding the MS product to your bag of tricks is reasonable, but dumping any other antispyware product would be a mistake, as you said.

    But saying it's MUCH better than Ad-Aware or Spybot I think is incorrect.

    And finally, the point of the article is: you can't trust it anymore. That simple.

  2. Re:A question of trust on Microsoft Denies Claria got Spyware Exception · · Score: 1


    Uhm, not exactly.

    The criteria CATEGORIES are posted. We want to see the actual criteria and rankings used per spyware product.

    Especially for Claria.

  3. Re:Spy Sweeper too on Microsoft Denies Claria got Spyware Exception · · Score: 1


    I think everyone is aware of your points - everyone except the casual end user, that is.

    That's what the problem is about. Microsoft should not be using the word "Ignore" in its default action listing.

    End users knowledgeable enough to run multiple scanners are probably knowledgeable enough to know that adware is adware and to get rid of it no matter what MS or any other software says about it. The problem is most end users aren't that knowledgeable - even if they're smart enough to run an antispyware scanner at all. Certainly that seems to be MS's attitude by doing what it did - to take advantage of the end user's lack of knowledge in favor of its own spyware.

    And a really knowledgeable end user WILL use more than one AV - one for on-access scanning and one on-demand to doublecheck the findings of the first one if necessary.

  4. Re:Spy Sweeper too on Microsoft Denies Claria got Spyware Exception · · Score: 1


    Well, it's better than bending over and taking it in the ass without lubricant like the MS shills like you like to do.

    You're right, though - we need to start dismissing EVERY remark out of Redmond as a LIE from the git-go. Just as the former Minister of Information in Iraq was dismissed, we need to dismiss anything coming out of the mouths of Bill, Steve, or anybody else working for MS as a LIE - nothing more. And EVERY action of theirs as a pickpocket attempt - nothing more.

    And those of us who are consultants need to make every single client aware that Microsoft is a company of liars that makes crap which is negatively affecting the client's business and should be boycotted from any purchasing decision.

  5. Re:More info and analysis on Microsoft Denies Claria got Spyware Exception · · Score: 0, Flamebait


    Hi. My sig is below. No "Anonymous Coward" here.

    Scoble is a LIAR. He works for Microsoft, he talks for Microsoft on his blog. He's a LIAR.

    He's NOT just a "brown-noser". He's a LIAR. Like everyone else who babbles about Microsoft and how good it is. Including the paid and unpaid MS shills on /.

    Good enough for you? Something else you need to know about me? Like I think MS is CRAP. That I think Linux is CRAP. That I think Linux is however FREE crap.

  6. Microsoft Lies Again on Microsoft Denies Claria got Spyware Exception · · Score: 1


    Duh!

    Is anybody else getting tired of reading about Microsoft lies? Should we start calling "dupe" whenever Microsoft issues a "new" lie to be reported on the /. front page? Is there such a thing as a "new" lie from Microsoft - or is the same old one with a new face?

    How many times do I have to say it: NOTHING coming out of the mouth of a Microsoft employee (at least one who is either being paid to speak to the public or whose job depends on following the party line) should be taken as anything but a deliberate cynical lie.

    And EVERY action taken by Microsoft is an attempt to take your last dime out of your pocket and give it to Bill Gates. (And that dime is NOT going to go to charity from his "Foundation".)

    Listing them is a boring and pointless effort - on a par with listing the lies of George Bush or Bill Clinton or the former Iraqi Minister of Information or anybody else in the lies game.

    From now on, when somebody mentions Microsoft, just say, "That bunch of liars, thieves and incompetents? Who cares?"

    Let's move on to more interesting things - like how we can make Linux and OSS so much more impressive than anything Microshit makes that Microshit will no longer be an issue to anyone except the owners of their stock - as they go to the poor house.

    Also, every consultant who has to deal with clients afflicted by the crapware made by this company should be resolute in telling each and every client on every support visit that they would be MUCH better off with Linux (or the Mac or BSD or whatever) and OSS software in general.

    Let's make the fact that MS is now going to install spyware in their OS (yeah, right, they haven't admitted that either - yet - is there any rational doubt they will?) an issue in our service advertising. According to a recent article, spyware is starting to seriously affect end user behavior and is the one thing about computers they seem to "get" - that "spyware is bad".

    Let's put Microsoft as the source of spyware (both as incompetent OS developer and shortly as ACTUAL source) in the end users' crosshairs.

  7. Re:Nice logic, but on Tear Down the Firewall · · Score: 1


    Thanks for the references. I'll look into them.

    I hope to be doing HIPAA compliance work for health providers in my tech support business, and this sort of thing is going to become more important as identity theft rings start penetrating networks and compliance laws make it expensive to get penetrated.

    Firewalls are good for keeping out the riffraff and script kiddies and the odd worm, but real security has to deal with stealth penetration by competent crackers for the purpose of acquiring information rather than system damage.

    I'm not 100% convinced that external Net firewalls are useless, but I can see the point of the article, unlike many others on Slashdot. It's a valid concept as long as it's done right.

  8. Re:Firewalls are needed only for leaky systems on Tear Down the Firewall · · Score: 1


    I agree with your last point completely. That's one reason I suggest the article is not out of line in recommending that hardening begin from the inside out rather than the perimeter in.

    As for internal DoS attacks from compromised workstations, that sort of thing should be easy to detect and eliminate with the right monitoring. If the workstation is compromised, you probably have worse problems than some pointless DoS.

    I'm not concerned about those scenarios or with ordinary malware (once systems are in place to deal with them, of course) - I think the real attention should be on stealth hacks that are going for information rather than system damage. With the compliance laws now in place, these things are potentially much more damaging due to law suits and the like than anything that can bring down the network.

    We're not dealing with ordinary script kiddies as the primary threat anymore - we're dealing with organized rings of identity thieves run by the Russian Mafiya and the like. Guys who don't mind knocking over a van carrying bank backup tapes and then phishing for customer SSN numbers using the data from the tapes - that's apparently what's been going on in the last few months according to one article I read the other day. While there is no network penetration being done in that sort of thing, penetration for the acquisition of large numbers of credit card info and SSN and privacy-related info is going to be the main threat from now on.

  9. Re:Firewalls are needed many places on Tear Down the Firewall · · Score: 1

    "I use an automated tool I wrote to flag suspect activities and it errs on the side of false positives. I can them review the logs to see what is really going on)."

    Excellent approach - it's what the article recommended and I agree the best method is to have someone eyeball the alerts and follow up rather than poring over logs in the first place.

    I didn't say you couldn't use a cheap Linux box as a firewall, I said the other features provided by such a firewall (NAT, etc.) weren't relevant to the use of a firewall to detect and block complicated attacks. In other words, the justification of a firewall AS A firewall and AS A security appliance depends on its security aspects, not its general networking utility features.

    When you say 75% of your systems offer services to the Net, are you saying you don't have ANY "back-end" servers such as database servers that would logically need to be separated from the Net-facing systems? If so, then saying the entire network is in the DMZ would make sense.

    If not, those back-end servers should be isolated from the Net-facing systems as described in the article - and yes, the article recommended application layer firewalls as well as Layer 3 switches with ACLs (which are effectively firewalls in this context), so in this context firewalls are definitely needed.

    It sounds to me like your systems work a lot like the ones in the article, albeit you have the additional Net-facing firewall. If it's working to keep out and alert you to serious penetration attempts, then I'd say you're doing the right thing. In your configuration, having the additional firewall protection might well be a reasonable trade-off. The article simply suggests that's not always the case and I think it's not wise to dismiss that as a viable concept. I suspect it depends on the specifics of each network and the relevant targets to be protected and the probable type of attacks - in other words, the usual risk analysis.

  10. Utter Waste Of Time on Body Scanners for the London Underground · · Score: 0

    I can't wait to read what Bruce Schneier is going to say about this stupidity.

    What next? Body scanners on busses?

    In every building entrance?

    Every crosswalk?

    Every home?

    Wait! You forgot the anthrax scanners!

    The bomb-sniffing dogs!

    Where's my bodyguards?

    Or - like George Bush - where's my ten thousand security personnel with the submachine guns, anti-aircraft missiles, the guys to seal up every manhole cover for ten blocks, the bulldozers to wipe away entire towns that might be critical of me if I pass near them?

    Humans are pathetic. Kill fifty of them, you get to influence five or fifty or five hundred million more. That was the basis of my original plans back in the day when I was a bank robber - kill enough people (and the right people), you get to control how things go with the rest. While in prison, I decided it wasn't worth the effort - better to bypass monkeys in the first place.

    What was it A. E. Van Vogt said in one of his stories? "The only difference between the deaths of twenty people and the deaths of twenty million is the effect on the emotions of the survivors."

  11. Fleury Is An Idiot on JBoss Founder Hard-Nosed About Open Source · · Score: 2


    He gets a few million in VC money and he thinks he's Bill Gates.

    Nothing he said hasn't been refuted before.

    Nothing to see here but another prima donna. Oh, wait, maybe he CAN compare himself to Bill Gates on that basis.

    Move along.

  12. Smartass Remark on Drupal Needs a New Home · · Score: 1


    Have you tried eBay? GoodWill?

  13. Re:Firewalls are needed only for leaky systems on Tear Down the Firewall · · Score: 1

    My point about "known attacks" includes "known patterns". Anything a firewall can detect can be detected and dealt with elsewhere - or better yet, as I pointed out in my first post, PREVENTED in the first place elsewhere.

    Granted, if you fail to do it correctly elsewhere, you get a vulnerability. But the same is true in firewall configuration, so the issue is just moved from one to the other when adding the firewall. Also, if you DON'T do the checks in BOTH places, you're relying on only one device anyway.

    I think the article deals with all this by pointing out that they use application firewalls and Layer 3 switches with ACLs to handle the situations you outline. It's whether an EXTERNAL Net-facing packet filtering firewall is needed to do this that they don't buy.

    You have to balance the administrative cost of a firewall and the "moat mentality" mindset it tends to create with the minimal additional security it adds once you've eliminated that mindset by eliminating the firewall and replacing its security features with more effective ones closer to the targets of an attack.

    To those who say "more is better", I (and the SubGenius) say "Too much is not enough". That is, if you add security resources at the wrong place, you're not enhancing your security, you're actually WEAKENING it because you're wasting resources protecting not what NEEDS to be protected but a lot of other less important stuff AND you're creating another avenue of attack into the system if that security resource fails because it's not effective due to being too general.

    The White House has a fence around it and security guards on the fence. But that's just to keep out the riffraff. Sure, it serves as first line of defense - but really only as a tripwire to alert the INSIDE staff of an attack. They RELY on the internal Secret Service posts INSIDE the White House (and their bunkers) to secure the President.

    A firewall can do the same as the White House fence - but only to keep out riffraff. An effective hacker IS going to bypass the firewall since he knows he HAS to if he's going to get anywhere. While this may cause him some time lost, most hackers don't view that as a problem. You don't get to BE an effective hacker without having LOTS of time on your hands to screw around learning how to do it and developing your methods. Since you're not physically present at the point of entry, the White House fence analogy to a firewall breaks down. The hacker can take his sweet time bypassing the fence and there will BE NO alert to the inside staff. Any security profile should ASSUME the firewall will fail without giving an alert. The firewall in almost all organizations really is just to keep out the riffraff (worms and script kiddies).

    The article simply says that if that's the case, then dump the firewall, harden the workstations to a degree adequate to keep out the riffraff, but don't worry about them, worry about the servers and spend the resources you'd spend on an external firewall to harden the servers. Concentrate your limited defensive resources on the real targets of a hack.

    To some degree, you have no choice but to do this when adding layers of security, but the point of the article is that the layers have varying costs and benefits, and an external Net-facing packet filtering firewall doesn't add enough security over OTHER means to justify its existence.

    In martial arts, you're taught not to waste movement defending against attacks that aren't going to actually hit you or do damage if they do.

  14. Re:Firewalls are needed only for leaky systems on Tear Down the Firewall · · Score: 1


    Again, I got no sense from the article that the firewall was thrown away "lightly". From the intro, they obviously got fed up with the concept over time and decided to migrate to a system they feel is more economical and at the same time more effective.

    I agree with most of your points, but I don't see them being necessarily arguments against using an alternative to the firewall.

    I'm not convinced firewalls are useful for damage containment. If a hacker gets into your internal network for the purposes of removing data, he's going to have a plan for bypassing the firewall outward-bound - and since he's already got past it somehow INWARD-bound, I don't think that's going to be a significant problem for him (unless he screws up, of course, but the right security measures and monitoring the network is what the article recommends for that anyway.)

    As for trojans and other automated malware, whatever system you have in place to prevent them getting in in the first place should be sufficient to prevent them getting anything out even if they fail to stop the penetration. They really are not a significant security threat overall - they're more of a nuisance threat. While a lot of trojans these days can penetrate a software firewall, and a hardware firewall is much better at stopping them, I don't see common malware as adequate justification for the hardware firewall in the absence of other security measures - which is the point of the article.

    Finally, your points about workstation compromise seem to me to be exactly why the author did what he did - to concentrate security on the servers so that whatever happens to the workstations is less a risk than simply encircling the wagons with a firewall and hoping for the best. The point of contention is whether an external firewall itself adds any FURTHER SECURITY (not other features) on an economic basis to justify its existence on anything other than the theory that "more is better" (or perhaps the SubGenius theory that "too much is not enough.")

  15. Re:Firewalls are needed many places on Tear Down the Firewall · · Score: 1


    Your comment basically merely reiterates stuff that the article deals with.

    The other services that a firewall renders are irrelevant to the discussion because the same services are available from any cheap 486 Linux (or other OS, including Windows - well, not on a 486!) box running as a firewall or not and any number of other network devices that do these things. We're talking about the firewall here strictly as a device to handle packet filtering intelligently.

    "my entire network is in a DMZ" How does this square with being "defense in depth"? You need MORE THAN ONE DMZ to have defense in depth. The article has a three-tier approach which is actually very commonly advocated.

    Also, the point of the article is that there is NEVER a need for ALL servers to be exposed to the Net using the three-tier approach. I suspect your systems are not using the presentation layer/application layer/database layer approach to system design mentioned in the article which is a pretty common approach these days, if not for security reasons.

    As for the firewall being "unnecessary", the point is that if your security elsewhere handles all the things the firewall is supposed to help with, then the firewall is redundant and adds maintenance time and expense better applied elsewhere. It's an economic decision once the security decisions are made.

    These guys didn't START by dumping the firewall, they got fed up with them over time and migrated to a different posture they feel is more effective at protecting what's important while allowing more freedom to the end users. Some /. commentators seem to think the article just advocates up and dumping the firewall without rethinking the security architecture in total at the same time. I didn't get that sense from the article.

  16. Re:One more thing on Tear Down the Firewall · · Score: 1

    "So the majority of the effort in opening a port is determining whether the security and business ramifications mandate opening it or denying the request. This is what your security architects should be doing anyway."

    And by dumping the (external) firewall you avoid all that work. The issue is whether the work is worth it. These guys decided it wasn't.

    With the article's approach, you put 80% of your work on the servers - which makes them (perhaps not quite) twice as protected as if you put 40% into them. In other words, you're not splitting up your defense resources which leads to a more effective defensive posture.

  17. Re:Nice logic, but on Tear Down the Firewall · · Score: 1

    "Various trojans, backdoors, etc. could be added to open up that port. A firewall will provide some protection in this case."

    Again, this misses the points made in the article (although the article could have been clearer and more expanded about this.)

    If your workstations are treated as suspect from the git-go, it doesn't matter if you have trojans or backdoors. The article stated that their workstations can only access "presentation servers", and stated that the end user cannot access the app servers, middleware servers, and one further layer in, the database servers. So a trojan is made irrelevant since it can't access any more data than happens to be in the buffer of the apps running on the workstation. So it's unlikely to be able to send anything out of interest anyway - even sending an end-user's authentication key would be next to useless since the end-user keys only get them as far as a presentation server.

    Also, if a workstation is compromised, it's not hard to engineer a trojan to bypass any firewall protection you have to get data out of the system. Which makes a firewall - even a hardware firewall - less than perfect security. I've been considering getting rid of my software firewall on my home system simply because it has been demonstrated to me how easily it is penetrated by various trojan techniques in use. A hardware firewall would be better, but it is probably possible for a trojan to pump data out piggybacked on another connection regardless. Not too likely on a home system, but quite possible as a result of a well-engineered hack of a corporate system.

    Especially since apparently an amazing number of sys admins, especially of small companies, leave the default passwords on even hardware firewalls unchanged.

    I agree that the use of ACLs on Layer 3 switches and routers is essentially the same as using a firewall, but that is a semantic argument not relevant to the point of the article, which was not to rely on a single external firewall or, going further, even on perimeter security in the normal sense. Don't read the article or the headline too literally.

    While it may be easier to track an insider attack to the guilty party, that is not relevant to preventing or detecting and containing the attack in the first place. More specifically, it is not relevant to preventing the SUCCESS of an attack in the first place. All a firewall does is keep out the riffraff; once an able attacker penetrates it, he's on even better ground than an internal user because he can piggyback on internal users while being undetected himself. If you treat internal users as the main threat, you are at least halfway to dealing with the hacker who has penetrated your perimeter security.

    Again, the point of the article was that perimeter security is not enough - to the point that it MAY be better not to bother with it in the first place.

    "Internal cracking is as common as it is simply because our internal networks have to be more usable and hence have more security vulnerabilities."

    This was exactly the point of the article. By going to the architecture they did, and leaving the workstations more exposed to the realities of the Net, they reduce the threat of internal cracking, because their own end users are essentially treated as a threat - which they are.

    At the same time, the article explicitly stated this made the end users MORE effective in using the Net because on the one hand, they didn't have to be shut off from it by a firewall, and OTOH, they had to be locked down as much as they would be if they had to use a laptop outside the company firewall. So they had to get used to operating in an insecure environment.

    Meanwhile the REAL security was applied to the targets of attacks - the servers.

    Again, I'd like to see their architecture tested against a good pen-test and compared against a similar architecture with and without an external perimeter firewall. That would be revealing as to the real pros and cons of this architecture.

  18. Re:Firewalls are needed only for leaky systems on Tear Down the Firewall · · Score: 1


    I agree with that, but OTOH it doesn't change anything. You still can't rely on vendors to do proper engineering to make yourself secure. That will always remain the sys admin's (and security officer's) job.

    It would be nice if that job were easier due to proper engineering on the part of vendors, you're absolutely correct about that.

  19. Re:Firewalls are needed only for leaky systems on Tear Down the Firewall · · Score: 1


    Nice feature, but my point was if your systems are protected against known exploits, what's the point of the firewall detecting them? After all, they have to be KNOWN for the firewall to detect them, right? If they're known, you'd best already be protected against them, rather than relying on the firewall which becomes a single point of failure. If the firewall has a flaw, those exploits will then get through and have a field day on your internal systems.

    If you're going to advocate defenses in depth, relying on the firewall does not support that practice. And if you're already defended against known exploits by other means, the fact that a firewall can detect them is no longer relevant.

  20. More Lies From The Master Liars at Microsoft on Ballmer on Innovation · · Score: 1


    Nothing to see here. Move along. Don't even bother to RTFA.

  21. Re:Firewalls are needed only for leaky systems on Tear Down the Firewall · · Score: 1

    "The firewall scans for known exploits, and if found, shuns the host sending them for X amount of time, thereby thwarting their planned attack 99% of the time."

    Yeah, right. One of my five thousand zombie systems gets shunned, so I immediately shift the attack to one not on that subnet. So much for your firewall. Also, what do you do if the host sending them happens to be a business partner you can't afford to just drop packets on? I'd get on the phone to them if I were you rather than relying on the firewall to just dump them, or they'll be calling you.

    Also, what the hell difference is it between scanning for known exploits and "shunning the attacker so the attack doesn't work" and preventing the attack from working in the first place and thus not giving a damn about the firewall - which was the point of my comment?

    The point of the article is that your "added security" from the outer firewall is probably unnecessary and therefore nonexistent if your internal security is good. Your comment gets modded "redundant."

    This is the ultimate reason why corporate computer security sucks - smart-asses who think they've figured it all out and are perfectly safe "because we got a firewall - and a few tricks."
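The shunning scenario argued over in comment 21 is easy to model. The following is an added example written for this page (it is not code from the poster, the article, or any firewall product): a per-source shun list with a timed block, run over two constructed attack streams. The addresses, the 600-second shun window and the "known exploit" flag are all assumptions; the point the simulation makes visible is that a per-source shun only stops traffic when the attacker reuses a source.

```python
"""Per-source shunning vs. a rotating attacker. Constructed simulation, not from the thread."""
from dataclasses import dataclass


@dataclass
class Event:
    ts: int             # seconds since start of the capture
    src: str            # source IP of the packet
    known_exploit: bool  # True if the payload matches one of the firewall's signatures


class Shunner:
    """Signature-matching firewall that drops a source for `shun_seconds` after a hit."""

    def __init__(self, shun_seconds=600):  # 600 s is an assumed window
        self.shun_seconds = shun_seconds
        self.shunned_until = {}             # src -> timestamp the shun expires

    def handle(self, ev):
        """Return 'shunned' (dropped by shun list), 'blocked' (signature hit) or 'passed'."""
        until = self.shunned_until.get(ev.src)
        if until is not None and ev.ts < until:
            return "shunned"
        if ev.known_exploit:
            self.shunned_until[ev.src] = ev.ts + self.shun_seconds
            return "blocked"
        return "passed"


def run(events, shun_seconds=600):
    """Feed events through a fresh Shunner and count verdicts."""
    fw = Shunner(shun_seconds)
    counts = {"shunned": 0, "blocked": 0, "passed": 0}
    for ev in events:
        counts[fw.handle(ev)] += 1
    return counts


def single_source_attack(n_known=10, n_unknown=5):
    """One host sends known exploits, then unsigned probes (addresses from TEST-NET-3)."""
    src = "203.0.113.10"
    evs = [Event(t, src, True) for t in range(n_known)]
    evs += [Event(n_known + t, src, False) for t in range(n_unknown)]
    return evs


def rotating_attack(n_known=10, n_unknown=5):
    """Same traffic, but every packet comes from a different 'zombie' in TEST-NET-2."""
    evs = [Event(t, f"198.51.100.{t + 1}", True) for t in range(n_known)]
    evs += [Event(n_known + t, f"198.51.100.{n_known + t + 1}", False)
            for t in range(n_unknown)]
    return evs


if __name__ == "__main__":
    for name, evs in (("single source", single_source_attack()),
                      ("rotating sources", rotating_attack())):
        print(f"{name:17s} {run(evs)}")
```

Against the single host, the shun list drops everything after the first signature hit, including the five unsigned probes. Against rotating sources the signature engine still catches every known exploit, but the shun list never fires and all five unsigned probes reach the inside, so the protection that remains is exactly the signature match and whatever the targets themselves do with the probe.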

  22. Re:Firewalls are needed only for leaky systems on Tear Down the Firewall · · Score: 1


    You've missed the point of the article entirely.

    They're not pointing out that doing layered defenses of the server is something new. Nor did they mention Xen - the submitter did.

    They're pointing out that perimeter security doesn't work well and retreating to the servers is more cost and security effective. They're saying perimeter security leads to lax security on the internal network. If that doesn't apply to some companies in your opinion, fine, but it DOES apply to quite a few companies based on what I've read in the trade press.

    Secondly, my suggestion to lock down users only applies to those who think reconfiguring the firewall to block some Web site is an easier maintenance solution. In fact, the article indicates that once you treat ALL users and workstations as suspect, you can let end users do what they want (within some rational reason, of course) because you've concentrated your security on the servers where the "meat" of the company actually is.

    Users SHOULD be prohibited from installing anything that needs *system privilege* to run. If your users need some app that some idiot programmer set up to require system privilege to run, then either you are not providing the apps your users need, or you do not have enough time and resources to support them properly when they need to ask you to install something. In either case, it's your problem. It should be company policy that if an end user NEEDS an app to do their JOB (as opposed to following the baseball scores while at work), they get it from the company, not some random Web site. YOU get it, YOU test it, YOU install it. If you can't do that, then obviously you don't know what your users need to do their jobs. It's that simple.

    "AV and anti-spyware software takes care of 99.9% of the problems automatically." Which is exactly what the article says they do. Which is opposite to the notion that reconfiguring a perimeter firewall is the better solution.

    As for programs phoning home, note that the article's users are using "presentation servers" to access their applications - which means there's nothing to phone home ABOUT unless the trojan can read the app buffers. The end users aren't running applications from their workstations and storing potentially compromisable data on their hard drives. So it doesn't even matter if a trojan phones home - as long as it doesn't put a keylogger on and get the server authentication. That's what the AV and anti-trojan and anti-spyware stuff is for.

    And even then, if the trojan compromises the user's authentication, the article's users can still only access a *presentation server* - the REAL data is stored two more layers in on the database servers which cannot be accessed by anything but the app and middleware servers. Which means a trojan is useless - only a live hack can possibly get deep enough into the app or middleware server to compromise the data.

    At least, that's the THEORY. As I say, I'd like to see their setup pen-tested with trojans and live hacks to see how it withstands a real-world attack.
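Comments 17 and 22 describe the same tiered layout: workstations reach only presentation servers, presentation reaches app/middleware, and only the app tier reaches the database, enforced with ACLs on Layer 3 switches. The block below is an added example for this page, not the article's configuration or any poster's code. The address plan, ports and Cisco-style ACL syntax are assumptions chosen for illustration; it encodes the tier policy as an explicit allow set with default deny, evaluates sample flows (including the compromised-workstation-to-database case the commenter says the design makes irrelevant), and renders the same policy as ACL lines.

```python
"""Tier-to-tier ACL model for a presentation/app/db layout. Constructed example."""
import ipaddress

# Hypothetical address plan; one subnet per tier. Anything outside is treated as "internet".
TIERS = {
    "workstation":  ipaddress.ip_network("10.10.0.0/16"),
    "presentation": ipaddress.ip_network("10.20.0.0/24"),
    "app":          ipaddress.ip_network("10.30.0.0/24"),
    "db":           ipaddress.ip_network("10.40.0.0/24"),
}

# Permitted (source tier, destination tier, TCP destination port). Everything not listed is
# denied: presentation may not talk to db directly, and nothing initiates back to workstations.
ALLOWED = {
    ("workstation",  "presentation", 443),   # end users only ever see presentation servers
    ("presentation", "app",          8443),  # presentation -> app/middleware
    ("app",          "db",           5432),  # only the app tier reaches the database
    ("workstation",  "internet",     80),    # workstations may browse; they are untrusted anyway
    ("workstation",  "internet",     443),
}


def tier_of(ip):
    """Map an address to its tier name, or 'internet' if it is in no tier subnet."""
    addr = ipaddress.ip_address(ip)
    for name, net in TIERS.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src_ip, dst_ip, dst_port):
    """Return ('allow' | 'deny', explanation) for a TCP flow under default-deny."""
    src, dst = tier_of(src_ip), tier_of(dst_ip)
    if (src, dst, dst_port) in ALLOWED:
        return "allow", f"{src} -> {dst}:{dst_port} is an explicit permit"
    return "deny", f"no rule for {src} -> {dst}:{dst_port}"


def _acl_addr(tier):
    """Cisco-style 'network wildcard' pair (wildcard = inverted netmask) or 'any'."""
    if tier == "internet":
        return "any"
    net = TIERS[tier]
    return f"{net.network_address} {net.hostmask}"


def render_cisco_acl(number=101):
    """Render ALLOWED as extended ACL lines ending in an explicit deny (syntax assumed)."""
    lines = [f"access-list {number} permit tcp {_acl_addr(s)} {_acl_addr(d)} eq {p}"
             for s, d, p in sorted(ALLOWED)]
    lines.append(f"access-list {number} deny ip any any")
    return lines


# Constructed sample flows: (src, dst, port). The second is a trojaned workstation going
# straight for the database; the third is a presentation server trying to skip the app tier.
SAMPLE_FLOWS = [
    ("10.10.3.7", "10.20.0.5", 443),
    ("10.10.3.7", "10.40.0.9", 5432),
    ("10.20.0.5", "10.40.0.9", 5432),
    ("10.30.0.2", "10.40.0.9", 5432),
    ("10.20.0.5", "10.10.3.7", 445),
]


def check_samples():
    return [(flow, evaluate(*flow)[0]) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, verdict in check_samples():
        print(f"{verdict:5s} {flow}")
    print("\n".join(render_cisco_acl()))
```

Keeping the policy as a set of tuples and generating the device syntax from it means the thing you review is the tier matrix, not a vendor-specific rule list; the rendered ACL is what gets pushed to the switch, and the same set can be rendered for a different platform without retyping the policy.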

  23. Re:Seems overkill... on Tear Down the Firewall · · Score: 1


    They SAID it was costly but less so than buying another box. Evidently they think it's less costly than trying to support perimeter security over numerous workstations rather than protecting the "meat" of the company which are the servers.

  24. Re:Firewalls aren't totally expendable on Tear Down the Firewall · · Score: 2, Interesting


    The point is they INTEND for the workstations to be more exposed to the Net. This reflects the reality that perimeter security isn't working well. If you treat the workstations as if they're NOT secure, your security actually gets better because now you're dealing with the reality that most hacking is done from INSIDE the network - whether from internal users or compromised workstations doesn't matter.

    Their security is reserved for the server tiers. The workstations are protected as well as possible using the usual means, but they are NO LONGER TRUSTED.

  25. Re:Nice logic, but on Tear Down the Firewall · · Score: 1


    You are of course missing the point - I'm obviously not saying that human eyes have to watch every packet. I'm saying human eyes have to watch the monitoring facilities whatever they may be so they can catch the alert - instead of responding to an email ten minutes later.

    Try not to read posts so literally.

    Secondly, these guys ARE using layered defenses. They've simply layered them differently than the conventional wisdom because the conventional wisdom isn't working well.

    "Assuming that an operating system is safe from attack on a given port just because the system claims the port is "closed" or that there are no active services monitoring that port is foolish."

    This statement is just ridiculous. What do you think a "port" is? Some physical opening in the box? If the OS or an app is not listening to it, it doesn't exist. It's just a number out of 64,000 others which isn't mapped to any actual memory address. That's why DOS was far more secure than Windows as far as the Net was concerned because if you weren't running a telecom app, DOS didn't know telecom ports existed other than COM1 and COM2 and they were useless as a penetration point without something handling the interrupts.
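Whatever one concludes about closed ports, the practical check is to look at what the kernel actually has listening. The block below is an added example for this page, not code from the thread: it parses the Linux `/proc/net/tcp` table (local address printed as little-endian hex, state `0A` = LISTEN) and lists listening sockets with their owning uid. The sample table is constructed; `live_listening()` reads the real file on a Linux host.

```python
"""List listening TCP sockets from /proc/net/tcp. Sample table below is constructed."""
import socket
import struct

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample: sshd on 0.0.0.0:22 (uid 0), a listener on 127.0.0.1:3306 (uid 106),
# and one established client connection from 10.10.1.5 to 10.20.0.50:443.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 12346 1 0000000000000000 100 0 0 10 0
   2: 05010A0A:B1C6 3200140A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""


def _decode_endpoint(field):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306). The kernel prints IPv4 in host (little-endian) order."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<L", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the table into dicts; the first line is the column header and is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 10:
            continue
        rows.append({
            "local": _decode_endpoint(parts[1]),
            "remote": _decode_endpoint(parts[2]),
            "state": TCP_STATES.get(parts[3], parts[3]),
            "uid": int(parts[7]),
            "inode": int(parts[9]),
        })
    return rows


def listening_ports(text):
    """Sorted (address, port, uid) for every socket in LISTEN state."""
    return sorted((r["local"][0], r["local"][1], r["uid"])
                  for r in parse_proc_net_tcp(text) if r["state"] == "LISTEN")


def live_listening(path="/proc/net/tcp"):
    """Same check against the running host (IPv4 only; /proc/net/tcp6 has the same layout)."""
    with open(path) as fh:
        return listening_ports(fh.read())


if __name__ == "__main__":
    for addr, port, uid in listening_ports(SAMPLE_PROC_NET_TCP):
        print(f"LISTEN {addr}:{port} uid={uid}")
```

Reading the table directly rather than trusting a tool's summary is useful on a box you suspect: a listener bound to 0.0.0.0 owned by uid 0 that you did not put there is the first thing a reviewer wants to see, and the inode column lets you tie it back to a process via `/proc/*/fd`.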