Firewall Wizards mailing list archives

Re: Firewall RISKS


From: "MIKE SHAW" <mas () sbscorp com>
Date: Mon, 28 Jun 1999 11:41:38 -0500

It's been a while... but this is the first chance I've had to reply.

> If you mull over nothing else in this message, ponder the above.  In
> fact, stop reading now and figure out answers to the above before
> going on.  If you don't have a handle on these issues, the rest will
> be pretty much pointless.

I've got a fine handle on those issues.  Unfortunately this isn't a discussion of the perfect security model.  We're 
discussing the role of firewalls in security models in general.

> Dialup internet access is an `obscure' example?  Setups involving
> dialup to ISPs constitute less that one percent of all topologies?
> That all aside, and also ignoring that home dialup use is probably
> one of the functions with the -least- specialised topology, I would
> still point out that (from this end at least) observing that a security
> setup is `specialized' is in no way a Bad Thing.

*sigh* no dial-ups fall under the prior 'any' definition, but let's look at this closer.  In order for a firewall to be 
"essential to a security plan" there must be a plan to begin with.  Most home dial-ups don't have a security plan for a 
firewall to be essential to.  BUT, if someone asked me if they needed a firewall on their Windows dial-up box, my 
answer won't be "dump win95 and get OpenBSD" because the simple fact that they're asking probably means that they 
don't know what OpenBSD is!  Instead I'd say "yes, but unfortunately there are no products out there that don't require 
a separate machine and cost a bundle."  And then I'd research what wrapper-type firewalls are out there and recommend 
one if it looked decent.

I tell you what though, if someone creates a firewall-in-a-box solution and markets it successfully to cablemodem/DSL 
users, I'll just buy some stock in that company and we can take this argument to the bank.

>>> Stated more generally, the truth of `foo enhances bar' does not
>>> entail `foo is essential to bar'.

>> Depends on the level of enhancement and your definition of essential.

> No, it doesn't[1].  It does appear, however, that we have vastly different
> ideas of how the language works.  The more interesting distinction, though,
> appears to be that you believe that having a firewall is of paramount,
> unequivocal and universal importance.

Yep, me and Webster have a screwed up idea of language
from http://www.m-w.com/cgi-bin/dictionary:
===============
Main Entry: en·hance
Pronunciation: in-'han(t)s, en-
Function: transitive verb
Inflected Form(s): en·hanced; en·hanc·ing

2: HEIGHTEN, INCREASE; especially : to increase or improve in value, quality, desirability, or attractiveness
- en·hance·ment /-'han(t)-sm&nt/ noun
=====================
Main Entry: 1es·sen·tial
Pronunciation: i-'sen(t)-sh&l
Function: adjective
Date: 14th century

2: of the utmost importance : BASIC, INDISPENSABLE, NECESSARY <essential foods> <an essential requirement for admission 
to college>
synonyms ESSENTIAL, FUNDAMENTAL, VITAL, CARDINAL mean so important as to be indispensable.

If the level of enhancement raises it to that level of importance then yes, it is essential.  I said:  depends on the 
level of enhancement and your definition of essential.  In this case, a firewall (foo) reaches that level in any 
scenario.

>> These are security schemes and would be included in the word 'any'.
>> So let me define 'any situation' where a firewall would be applicable:

> Ah!  The `it depends what the word "is" is' argument.  Okay.  I'll
> play along.

No need to play along:
================
Main Entry: 1any
Pronunciation: 'e-nE
Function: adjective
2: one, some, or all indiscriminately of whatever quantity: a : one or more -- used to indicate an undetermined number 
or amount <have you any money> b : ALL --
used to indicate a maximum or whole <needs any help he can get> c : a or some without reference to quantity or extent 
<grateful for any favor at all>
=================

Unlike our illustrious President, I'm not trying to squirm out of responsibility.  I'm merely trying to agree on a 
common language.  Taken correctly, "any" doesn't mean all.  What I said was that if you're going to equate any to all, 
then we need to qualify any.

>> 1) uses a network LAN/WAN with TCP/IP anywhere in the architecture.
>> 2) has machines present in the architecture with OSes that are difficult
>>   or impossible to completely lock down (which is nearly all, especially
>>   with managers reading every day about how great NT is)
>> 3) requires that a port or ports be open for functionality.
>> 4) has actual services running on hosts/servers.
>> 5) has end-users whose primary job does not involve network security (even if
>>   it is a secondary consideration).
>> 6) has an interest in protecting information present in system(s) on that
>>   network or would be harmed by an abuse of that network.
>> 7) has a budget.
>> This is the situation in the vast majority of networks now and over the
>> next 5 or so years.

> Trivially, I'd say a workable no-firewall setup given the above constraints
> would be to simply multihome whatever servers need to be exposed to
> both the internet and the internal network (i.e., bind 8.x, a squid server,
> etc.).  Secure them appropriately.  Have all your desktop toys talk to the
> internal interfaces of these boxen.

Workable for about 3 days, until Joe Manager asks for 'net access... business use, of course.

> The question isn't whether or not most networks -are- set up that way,
> the question is whether or not most networks -need- to be set up that way[3].
> You seem to be asserting that they do.  My contention is that there are
> other ways.

Do children need to go hungry?  Do supermodels need to wear anything at the beach?  Did the U.S. need to bomb Serbia?  
Do puppies need to poop on the carpet?  Do we even need computers for that matter?  I don't assert that most networks 
-need- to be set up under those constraints.  I assert that for better or worse they are, and unless someone elects one 
of us Deity of All Things Computer, the only thing we can recommend is things that will reduce risks.

-Mike


