Re: Firewall Primitives

["Marcus J. Ranum" <mjr () ranum com>]

Mikael Olsson wrote:
> Any chance I could get you to agree that this also _could_ be related 
> to the sheer number of protocols in common use today?

Absolutely!!! I think that it was back in '91 that I posted
to the firewalls mailing list: "if you can't say it with
FTP, telnet, NNTP, or SMTP it probably isn't worth saying" ;)
Ah, well, I've eaten better words than those... ;)

The fact that there are HUGE numbers of new protocols and
many of them are designed by idiots, poorly documented, and
proprietary makes packet-filtering firewalls nearly a
necesssity. It's why (in the early days) CheckPoint did
so well: you could let some braindamaged cruft through a
checkpoint more easily than through a proxy firewall.
Note: I said "let through" not "secure" - though there
were people who felt that going and telling a firewall
"let Oracle back and forth on port XYZ" meant that
the firewall was somehow "securing Oracle."  Fortunately
Oracle is now unbreakable...

> Doing thorough app logic on telnet, SMTP, NTTP and FTP is one thing.
> (Well, actually, the FTP assumptions broke completely when Java was 
> introduced, but that's another story :))

Early on, we did app logic on HTTP as well. That was when I
was leading Gauntlet development. During the 4 months it took
to get out a solid HTTP proxy, CheckPoint ran away with the
checkered flag. BUT while that was happening, Dave Dalva (who
was on my team) found numerous horrific security holes in
the Mosaic Browser - holes that clients were exposed to if
they were using packet filtration. (e.g.: the way that Mosaic
used to invoke telnet://ip.ip.ip.ip:port URLs was:
sprintf(buf,"telnet %s %d",host,port);
system(buf);
I kid you not...)

> AFAIR, things started going south when HTTP was becoming popular and
> wasn't proxyfied soon enough. (And, yes, I do recall why that was.)

Yup.

> But, really, I can't say I'm surprised that the vast majority of 
> firewall installs are just packet filters (or proxies using mainly
> plug-gws).  When you move beyond well-defined standardized protocols 
> (in which I most certainly do NOT include the fast-moving target HTTP), 
> anything approaching thorough application analysis becomes... hard.   
> "Whoops! New version of $business-critical-multimedia-app released! 
> The proxy broke again!"

Yup. As William Hugh Murray says "Connectivity trumps security
every time."  Nobody thinks to ask "HEY!? Why did my business
critical multi-media app suddenly start performing this new
operand 'delete-file' in its command stream that the proxy
doesn't know about???!?"

My conclusion after being a vendor for lo these many years is
that customers *DESERVE* the security they get.

mjr.
---
Marcus J. Ranum                         http://www.ranum.com
Computer and Communications Security    mjr () ranum com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards