Firewall Wizards mailing list archives
Re: Firewall administration and thoughts cont.
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Tue, 07 Oct 1997 14:55:22 -0400
Anton writes:
> It's not that I hate GUIs, it's that I hate inappropriate GUIs.
The question has to do with the purpose of the GUI, as you say. At this point, I believe that the biggest *security* advantage a firewall has over a router is that it (hopefully!) has code that is intended for security rather than packet-hauling, and that code is (hopefully!) a user interface that allows a system manager to set up a *security* *policy* rather than a *routing* *policy*.

One firewall* does a really neat thing with their policy: they have about 5 "canned stances" that you can tell the firewall to take. Each one puts a different set of defaults in place, ranging from very conservative to very open. Each stance is described, along with an approximate estimate of what environments it'd be appropriate for, and what tradeoffs it makes. That is a GREAT start.

IMO the audit firms have been failing to exercise diligence with respect to firewalls. I truly believe that it's time that someone publish a "best business practice" firewall policy for different categories of businesses which are required to be audited. It's ridiculous that an auditor can require a bank to have certain employees' backgrounds checked but can't comment on whether it's appropriate for TELNET to be allowed in through the firewall, and under what circumstances. Since I'm a cynical capitalist dog these days, I can only assume that someone is profiting handsomely from the confusion.

As someone who keeps his $$ in a bank and in stocks, I'd like to believe that my bank has met some *predictable* and *testable* standard for protecting its electronic assets. That is, after all, what auditors are for. The very hyper-flexibility of firewalls means this is impossible.
The ways to handle this are either:

1) technical - all qualified firewalls must have policy templates that are easily installed and meet a published list of best practices

2) audit - a published list of policies is established and compliance is manually checked (expensive and time consuming, so auditors will prefer this one)

I think the industry is slowly groping towards #2 above. Once compliance with a broad policy is determined, then the remaining exceptions can more easily be examined. (e.g.: while XYZ is a bank and best practice for financial institutions requires that TELNET traffic in through firewalls be disabled unless it includes certificate authentication and encryption, in this case, we are permitting it to a "guest" machine on an isolated segment within our network, which has been isolated using hub switching controls.... blah, blah, blah...)

What we face is actually a simple problem. :) DOING something about it is hard. The simple problem is:

Many organizations are running unacceptable risks and are doing so in full awareness of that fact.

The reason it's hard to do something about it is because the risks are very, very, very attractive and it's easy to downplay them as "everyone else is doing it, too!"

mjr.

(*Network-1, for those who care)

--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
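As an added illustration (editor's code, not anything from the thread, from Marcus, or from the Network-1 product he mentions), here is a small Python model of the two mechanisms the post describes: "canned stances" that install a set of default rules, and an audit pass that checks a ruleset against a published best-practice list for a business category. A permit of a restricted inbound service without the required compensating controls is reported as a violation; the same permit carrying a documented business justification is reported as an exception for manual review, which is the "remaining exceptions can more easily be examined" step. The stance contents, the financial-institution policy, the service names and the sample rules are all constructed for the example.

```python
"""Policy-template and compliance-audit model for a firewall ruleset.

Everything here (stances, the best-practice policy, the rules) is constructed
sample data; it is not a real product's configuration format.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    service: str                              # e.g. "telnet", "smtp", "http"
    direction: str                            # "in" (outside -> inside) or "out"
    action: str                               # "permit" or "deny"
    dest: str = "any"                         # destination host or segment label
    requires: FrozenSet[str] = frozenset()    # controls the permit depends on
    exception_note: Optional[str] = None      # documented business justification


# Canned stances: each installs a different set of defaults (constructed).
STANCES: Dict[str, List[Rule]] = {
    "conservative": [
        Rule("smtp", "in", "permit", dest="mail-relay"),
        Rule("http", "out", "permit"),
        Rule("telnet", "in", "deny"),
        Rule("telnet", "out", "deny"),
    ],
    "moderate": [
        Rule("smtp", "in", "permit", dest="mail-relay"),
        Rule("http", "out", "permit"),
        Rule("telnet", "out", "permit"),
        Rule("telnet", "in", "deny"),
    ],
    "open": [
        Rule("smtp", "in", "permit"),
        Rule("http", "out", "permit"),
        Rule("telnet", "out", "permit"),
        Rule("telnet", "in", "permit"),       # no cert-auth, no encryption
        Rule("ftp", "in", "permit"),
    ],
}

# Hypothetical published best practice for one business category:
# service -> direction -> controls that must accompany any permit.
FINANCIAL_POLICY: Dict[str, Dict[str, FrozenSet[str]]] = {
    "telnet": {"in": frozenset({"cert-auth", "encryption"})},
    "ftp": {"in": frozenset({"cert-auth", "encryption"})},
}


def audit(rules: List[Rule],
          policy: Dict[str, Dict[str, FrozenSet[str]]]
          ) -> Tuple[List[Rule], List[Rule]]:
    """Return (violations, exceptions).

    A permit of a policy-restricted service/direction is compliant when the
    rule carries every required control. Otherwise it is a documented
    exception if it has a justification note, and a violation if it has none.
    """
    violations: List[Rule] = []
    exceptions: List[Rule] = []
    for rule in rules:
        required = policy.get(rule.service, {}).get(rule.direction)
        if required is None or rule.action != "permit":
            continue                          # unrestricted or already denied
        if required <= rule.requires:
            continue                          # compensating controls present
        if rule.exception_note:
            exceptions.append(rule)
        else:
            violations.append(rule)
    return violations, exceptions


def with_site_rules(stance: str, extra: List[Rule]) -> List[Rule]:
    """Start from a canned stance, then layer the site's own rules on top."""
    return STANCES[stance] + list(extra)


def summary(rules: List[Rule],
            policy: Dict[str, Dict[str, FrozenSet[str]]]) -> Dict[str, int]:
    violations, exceptions = audit(rules, policy)
    return {"violations": len(violations), "exceptions": len(exceptions)}


# The post's own example: a bank permitting TELNET in, but only to an isolated
# guest segment, with the deviation written down for the auditor (constructed).
GUEST_TELNET = Rule(
    "telnet", "in", "permit", dest="guest-segment",
    exception_note="isolated guest host on a switched segment; approved 1997-10",
)

if __name__ == "__main__":
    for name in STANCES:
        print(name, summary(STANCES[name], FINANCIAL_POLICY))
    print("bank site", summary(with_site_rules("conservative", [GUEST_TELNET]),
                               FINANCIAL_POLICY))
```

The point the model makes is the one in the post: once the broad policy is machine-checkable, the auditor's work shrinks to reading the exception notes, and an undocumented permit stands out immediately instead of being buried in a rulebase that nobody but the firewall administrator understands.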
Current thread:
- Re: Firewall administration and thoughts cont. Anton J Aylward (Oct 07)
- Re: Firewall administration and thoughts cont. Marcus J. Ranum (Oct 07)
- Re: Firewall administration and thoughts cont. Darren Reed (Oct 09)