Firewall Wizards mailing list archives
Re: Firewall RISKS
From: "MIKE SHAW" <mas () sbscorp com>
Date: Mon, 28 Jun 1999 11:41:38 -0500
It's been awhile...but this is the first I could reply.
If you mull over nothing else in this message, ponder the above. In fact, stop reading now and figure out answers to the above before going on. If you don't have a handle on these issues, the rest will be pretty much pointless.
I've got a fine handle on those issues. Unfortunately this isn't a discussion of the perfect security model. We're discussing the role of firewalls in security models in general.
Dialup internet access is an `obscure' example? Setups involving dialup to ISPs constitute less than one percent of all topologies? That all aside, and also ignoring that home dialup use is probably one of the functions with the -least- specialised topology, I would still point out that (from this end at least) observing that a security setup is `specialized' is in no way a Bad Thing.
*sigh* no, dial-ups fall under the prior 'any' definition, but let's look at this closer. In order for a firewall to be "essential to a security plan" there must be a plan to begin with. Most home dial-ups don't have a security plan for a firewall to be essential to. BUT, if someone asked me if they needed a firewall on their Windows dial-up box, my answer won't be "dump Win95 and get OpenBSD" because the simple fact that they're asking probably means that they don't know what OpenBSD is! Instead I'd say "yes, but unfortunately there are no products out there that don't require a separate machine and cost a bundle." And then I'd research what wrapper-type firewalls are out there and recommend one if it looked decent. I tell you what though, if someone creates a firewall-in-a-box solution and markets it successfully to cablemodem/DSL users, I'll just buy some stock in that company and we can take this argument to the bank.
Stated more generally, the truth of `foo enhances bar' does not entail `foo is essential to bar'.
Depends on the level of enhancement and your definition of essential.
No, it doesn't[1]. It does appear, however, that we have vastly different ideas of how the language works. The more interesting distinction, though, appears to be that you believe that having a firewall is of paramount, unequivocal and universal importance.
Yep, me and Webster have a screwed up idea of language from http://www.m-w.com/cgi-bin/dictionary:
===============
Main Entry: en·hance
Pronunciation: in-'han(t)s, en-
Function: transitive verb
Inflected Form(s): en·hanced; en·hanc·ing
2: HEIGHTEN, INCREASE; especially : to increase or improve in value, quality, desirability, or attractiveness
- en·hance·ment /-'han(t)-sm&nt/ noun
=====================
Main Entry: 1es·sen·tial
Pronunciation: i-'sen(t)-sh&l
Function: adjective
Date: 14th century
2: of the utmost importance : BASIC, INDISPENSABLE, NECESSARY <essential foods> <an essential requirement for admission to college>
synonyms ESSENTIAL, FUNDAMENTAL, VITAL, CARDINAL mean so important as to be indispensable.
If the level of enhancement raises it to that level of importance then yes, it is essential. I said: depends on the level of enhancement and your definition of essential. In this case, a firewall (foo) reaches that level in any scenario.
These are security schemes and would be included in the word 'any'. So let me define 'any situation' where a firewall would be applicable:
Ah! The `it depends what the word "is" is' argument. Okay. I'll play along.
No need to play along:
================
Main Entry: 1any
Pronunciation: 'e-nE
Function: adjective
2: one, some, or all indiscriminately of whatever quantity: a : one or more -- used to indicate an undetermined number or amount <have you any money> b : ALL -- used to indicate a maximum or whole <needs any help he can get> c : a or some without reference to quantity or extent <grateful for any favor at all>
=================
Unlike our illustrious President, I'm not trying to squirm out of responsibility. I'm merely trying to agree on a common language. Taken correctly, "any" doesn't mean all. What I said was that if you're going to equate any to all, then we need to qualify any.
1) uses a network LAN/WAN with TCP/IP anywhere in the architecture.
2) has machines present in the architecture with OSes that are difficult or impossible to completely lock down (which is nearly all, especially with managers reading every day about how great NT is)
3) requires that a port or ports be open for functionality.
4) has actual services running on hosts/servers.
5) has end-users whose primary job does not involve network security (even if it is a secondary consideration).
6) has an interest in protecting information present in system(s) on that network or would be harmed by an abuse of that network.
7) has a budget.
This is the situation in the vast majority of networks now and over the next 5 or so years.
Trivially, I'd say a workable no-firewall setup given the above constraints would be to simply multihome whatever servers need to be exposed to both the internet and the internal network (i.e., bind 8.x, a squid server, etc.). Secure them appropriately. Have all your desktop toys talk to the internal interfaces of these boxen.
Workable for about 3 days, until Joe Manager asks for 'net access... business use, of course.
The question isn't whether or not most networks -are- set up that way, the question is whether or not most networks -need- to be set up that way[3]. You seem to be asserting that they do. My contention is that there are other ways.
Do children need to go hungry? Do supermodels need to wear anything at the beach? Did the U.S. need to bomb Serbia? Do puppies need to poop on the carpet? Do we even need computers for that matter? I don't assert that most networks -need- to be set up under those constraints. I assert that for better or worse they are, and unless someone elects one of us Deity of All Things Computer, the only thing we can recommend is things that will reduce risks.
-Mike