NFR Wizards Archive: firewalls and the incoming traffic problem

firewalls and the incoming traffic problem


Marcus J. Ranum (mjr@nfr.net)
Sun, 28 Sep 1997 11:32:19 +0000


I'm concerned that firewall technologies are going to
reach an impasse in the next couple of years over what
I am calling the "incoming traffic problem." Briefly, the
problem:
        - Firewalls are good at providing access control
        on return traffic that is in response to a request
        that originated behind the firewall
        - Firewalls are poor at providing access control
        on "unsolicited" incoming traffic to generic
        services that are "required" as part of being on
        the Internet
        - The number of generic services is increasing
        slowly
        - The number of implementations of the generic
        services is increasing dramatically

Let's take Email as the perfect example. If I have a mail
server behind a firewall, and I want to receive Email,
I have to allow it in to my mail server somehow. More
importantly, for Email to work the way we want it to, I
have to allow Email from virtually any site in to that
mail server. Therefore, the firewall's protection is reduced
as regards my Email service. (I'll come back to the proxy/nonproxy
issue later.) So, we're back to worrying about
sendmail - or are we? Nowadays there are zillions of
implementations of SMTP, on many different O/S platforms,
and it's likely that there are security holes (of one sort or
another) in many of them.

The proxy/nonproxy discussion is becoming increasingly
irrelevant, as a result. Let's assume I'm using some kind
of turbo-whomping stateful filter -- in that case I need to
worry A Whole Lot about the implementation of my Email
service. If I'm allowing the whole world to reach port
25 on my mail server, then the whole world can probe
it for bugs, and, if I'm running a buggy mailer, I have a
real problem. If I'm using a proxy firewall, the proxy
may perform some additional checks, and may block
some well-known attacks, but the problem is still there.
What if I have a proxy firewall built by a UNIX guru,
which knows about mail to: /bin/sh, but which doesn't
know about mail to: c:\autoexec.bat? Those are the
easy cases -- what about the bug in bubbmail1.2 for
Windows NT, where if you send mail addressed to
to: <admincommand: reboot> it will reboot the
machine? A little feature that crept in there...

Summary: firewalls originally offered the promise that
you could "install a firewall and not worry about your
internal security." Now, it's clear that firewalls force
you to split your security between the firewall and host
security on all the systems to which the firewall permits
incoming traffic.

If I'm going to have to worry about the host security
and the server side s/w on my internal systems, why
shouldn't I just use a router with gross-level filtering
to channel traffic into a few carefully configured
backend servers? The "hard part" is doing the backend
configuration anyhow!!

What's worrying me is all the folks I've seen who put
a firewall in, and believe it is going to somehow protect
the incoming traffic. :( I had a consulting gig where
the customer had a very high profile target website
behind a bunch of proxy firewalls - and for performance
the firewalls were just using plugboard proxies to copy
the data back and forth. AND the web server was a
version of NCSA with known holes. Even if they had had
a proxy server, the proxy server, if it was provided by a
vendor, would not have been able to "know" about
security holes in their locally-developed CGI scripts.
It keeps coming back to having carefully configured
backend servers -- which is expensive and requires
constant maintenance.

I'm not saying that "firewalls are dead" because this
problem has always been there and firewalls DO serve
a purpose. The fact is that sites with firewalls get broken
into less often than sites without. But - are a majority
of firewall users falsely confident?

mjr.
-----
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
Personal: http://www.clark.net/pub/mjr
Work: http://www.nfr.net
New Book!!: http://www.clark.net/pub/mjr/websec
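The distinction the post draws between return traffic and unsolicited inbound traffic, as an added toy model (not code from the post or from NFR): a stateful filter admits replies to connections that began inside, plus a short list of inbound services the site must accept, and the hosts behind that list are the ones whose own security the firewall cannot stand in for. Addresses, ports and flows are constructed.

```python
"""Toy model of the 'incoming traffic problem': a stateful filter
admits replies to connections that began inside, plus a short list of
unsolicited inbound services (mail, web) the site has to accept. Every
host behind those inbound rules is one whose own security the firewall
cannot stand in for. Hosts, rules and flows here are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str      # source address
    sport: int    # source port
    dst: str      # destination address
    dport: int    # destination port

    def reply(self) -> "Flow":
        """The flow an answer to this connection arrives as."""
        return Flow(self.dst, self.dport, self.src, self.sport)


@dataclass
class StatefulFilter:
    # Unsolicited inbound (internal host, port) pairs that must stay open.
    inbound_allow: frozenset
    # Internally originated connections whose replies are expected.
    state: set = field(default_factory=set)

    def outbound(self, flow: Flow) -> None:
        """An inside host opened a connection; remember it."""
        self.state.add(flow)

    def admit(self, flow: Flow) -> str:
        """Classify a packet arriving from the outside."""
        if flow.reply() in self.state:
            return "return-traffic"        # the case firewalls handle well
        if (flow.dst, flow.dport) in self.inbound_allow:
            return "unsolicited-service"   # reachable from the whole Internet
        return "dropped"

    def exposed_hosts(self) -> list:
        """Internal hosts whose host security the filter cannot replace."""
        return sorted({host for host, _ in self.inbound_allow})


# Constructed site: mail server on 10.0.0.25:25, web server on 10.0.0.80:80.
FW = StatefulFilter(frozenset({("10.0.0.25", 25), ("10.0.0.80", 80)}))
FW.outbound(Flow("10.0.0.5", 40000, "192.0.2.9", 80))  # a desktop browses out

if __name__ == "__main__":
    for f in (Flow("192.0.2.9", 80, "10.0.0.5", 40000),      # reply to browse
              Flow("198.51.100.7", 5555, "10.0.0.25", 25),   # anyone -> mail
              Flow("198.51.100.7", 5555, "10.0.0.5", 25)):   # mail to desktop
        print(f.dst, f.dport, FW.admit(f))
    print("host security needed on:", FW.exposed_hosts())
```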



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:58 CDT