Subject: Firewall philosophy (was Re: SYN cookie ?)
To: None <tech-kern@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 04/18/2001 10:39:41
>> This is *exactly* what firewalls are for: to protect `inside'
>> machines from having their vulnerabilities exploited.

>> Indeed, it's why I generally don't like firewalls: they amount to
>> saying "yes, I know there's this vulnerability, but rather than fix
>> it I'd rather just try to paper over it".

> I disagree.

I trust it's only the second part you're disagreeing with! :-)

> The proper application of firewalls is doing things in a faster,
> albeit less secure, way internal to a LAN, while being sure that the
> services that require (say, r*, telnet, NFS, etcetera) will under
> no circumstances travel out into the outside world.

I didn't say anything about whether the vulnerabilities in question
were deliberate or not.  If you want to deliberately weaken your
security locally and then (try to) paper over it with a firewall, well,
it's your network.  Personally, a "soft and chewy interior" stands my
hair on end, when I'm wearing my security-maven hat.

> There are perfectly good reasons one would want clear-text ftp (it's
> a damn sight faster than scp) or NFS, and, although these services
> can be moderately kept from passing outside a LAN without a firewall,
> putting one up protects an outside attacker from even seeing the
> services

...until the attacker manages to get inside the firewall, by whatever
means, at which point you pay for your insecurity by having to
reinstall all your boxen instead of just one.  (If you believe nobody
will ever get through or around your firewall, I submit you are living
in a fool's paradise.)

> and the network topology of the LAN.

I suspect you're confusing NAT boxen with firewalls here.  (While many
firewalls do NAT, and many NAT boxes are also firewalls, neither is a
subset of the other, nor should they be confused with one another.)
You may not be, though; a firewall will obscure anything behind it to
the extent that it blocks whatever protocol(s) may reveal the putative
thing, so if you block enough stuff, you can eventually reach a point
where you obscure any desired fact about the "inside" network,
ultimately including even its existence.  (Whether this happens before
you reach the point where the price is not worth the gain, well, that
depends. :-)

> Perverting the use of a firewall to specifying whether packets which
> you would ordinarily allow (say, requests to a web server inside the
> firewall) are actually okay based on the content of those packets

Huh?  That's exactly what a firewall does: determines whether packets
which would ordinarily be permitted are to be blocked, based on their
content.  I see no difference except implementation between blocking
based on one part of the content (IP or TCP header, say) and another
part of the content (HTTP header, say).

> is distinct from protecting insecure services which you choose to run
> WITHIN YOUR LAN for the sake of convenience.

The only difference I see is whether the insecurity is deliberately
created for the sake of convenience or accidentally created by running
a server with a security bug.

Shouldn't this move to tech-net?

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B