Firewall Wizards mailing list archives

Re: Firewall administration and thoughts cont.


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Tue, 07 Oct 1997 14:55:22 -0400

Anton writes:
It's not that I hate GUIs, it's that I hate inappropriate GUIs.

The question has to do with the purpose of the GUI, as you say.
At this point, I believe that the biggest *security* advantage a
firewall has over a router is that it (hopefully!) has code that
is intended for security rather than packet-hauling, and that code
is (hopefully!) a user interface that allows a system manager to
set up a *security* *policy* rather than a *routing* *policy*.

One firewall* does a really neat thing with their policy: they have
about 5 "canned stances" that you can tell the firewall to take.
Each one puts a different set of defaults in place, ranging from
very conservative to very open. Each stance is described, along
with an approximate estimate of what environments it'd be
appropriate for, and what tradeoffs it makes. That is a GREAT
start.

IMO the audit firms have been failing to exercise diligence
with respect to firewalls. I truly believe that it's time that someone
publish a "best business practice" firewall policy for different
categories of businesses which are required to be audited.
It's ridiculous that an auditor can require a bank to have certain
employees' backgrounds checked but can't comment on whether
it's appropriate for TELNET to be allowed in through the firewall,
and under what circumstances. Since I'm a cynical capitalist
dog these days, I can only assume that someone is profiting
handsomely from the confusion. As someone who keeps his
$$ in a bank and in stocks, I'd like to believe that my bank has
met some *predictable* and *testable* standard for protecting
its electronic assets. That is, after all, what auditors are for.
The very hyper-flexibility of firewalls means this is impossible.
The ways to handle this are either:
        technical - all qualified firewalls must have policy templates
                that are easily installed and meet a published list
                of best practices
        audit - a published list of policies is established and compliance
                is manually checked (expensive and time consuming, so
                auditors will prefer this one)

I think the industry is slowly groping towards #2 above.

Once compliance with a broad policy is determined, then the
remaining exceptions can more easily be examined. (e.g.:
while XYZ is a bank and best practice for financial institutions
requires that TELNET traffic in through firewalls be disabled
unless it includes certificate authentication and encryption, in
this case, we are permitting it to a "guest" machine on an
isolated segment within our network, which has been isolated
using hub switching controls.... blah, blah, blah...)

What we face is actually a simple problem. :) DOING something
about it is hard. The simple problem is:
Many organizations are running unacceptable risks and are
doing so in full awareness of that fact.

The reason it's hard to do something about it is because the
risks are very, very, very attractive and it's easy to downplay
them as "everyone else is doing it, too!"

mjr.
(*Network-1, for those who care)
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
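An added example, not part of the message above or of any product it mentions: a toy policy-template checker in Python that models canned stances as sets of inbound services permitted by default, checks a firewall ruleset against a chosen stance, and separates rules covered by a documented exception from those that still need examination. The stance contents, service names, host labels and the Rule/PolicyException classes are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed stances: inbound services each one permits by default,
# ordered from very conservative to very open.
STANCES = {
    "conservative": {"smtp"},
    "moderate": {"smtp", "http"},
    "open": {"smtp", "http", "ftp", "telnet"},
}

@dataclass
class Rule:
    # An inbound permit rule as the firewall actually has it.
    service: str             # e.g. "telnet"
    dst: str                 # destination host or segment label
    encrypted: bool = False  # certificate-authenticated, encrypted transport?

@dataclass
class PolicyException:
    # A documented deviation from the stance, written up for the auditor.
    service: str
    dst: str
    justification: str

def check_compliance(stance, rules, exceptions):
    """Return (violations, justified): rules outside the stance, split by
    whether a documented exception covers their (service, dst) pair."""
    allowed = STANCES[stance]
    documented = {(e.service, e.dst): e.justification for e in exceptions}
    violations, justified = [], []
    for r in rules:
        if r.service in allowed:
            continue
        # Best-practice clause from the message: inbound TELNET is acceptable
        # when it carries certificate authentication and encryption.
        if r.service == "telnet" and r.encrypted:
            continue
        key = (r.service, r.dst)
        if key in documented:
            justified.append((r, documented[key]))
        else:
            violations.append(r)
    return violations, justified

if __name__ == "__main__":
    rules = [Rule("smtp", "mailhub"), Rule("telnet", "guest-segment"),
             Rule("telnet", "internal-lan"), Rule("ftp", "dmz-ftp")]
    excs = [PolicyException("telnet", "guest-segment",
                            "isolated segment, switched hub, no route inward")]
    for r in check_compliance("conservative", rules, excs)[0]:
        print("needs review:", r.service, "->", r.dst)
```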
