[4309] in WWW Security List Archive
Re: Access Logfile Question
daemon@ATHENA.MIT.EDU (Anton J Aylward)
Sun Feb 9 11:31:23 1997
Date: Sun, 09 Feb 1997 09:20:18 -0500
To: "Phillip M Hallam-Baker" <hallam@ai.mit.edu>, <dennis.glatting@plaintalk.bellevue.wa.us>
From: Anton J Aylward <anton@the-wire.com>
Cc: "Paul F. Haskell" <phaskell@skyserv1.med.osd.mil>, <www-security@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
At 01:01 AM 09/02/97 -0500, Phillip M Hallam-Baker wrote:
>Firewalls are not a panacea. The main idea of a firewall is
>to allow control of the information going _out_ of a company.
>They do not provide the catch-all security solution many
>imagine. All they really do is provide the security officer with
>a convenient choke point at which security policies can be
>audited and enforced. If I had a security policy that Java be
>disabled on company browsers I would instrument the firewall
>to see who was breaking the policy.
While I'm not arguing with the above assertions - in fact I see too many people who consider a firewall to be a cure-all - there does seem to be some gross misunderstanding of what a firewall is and how it can and should be configured, and what is going on behind and in front of a firewall.

Let the firewall be the public/private demarcation point.

What you do behind the firewall is your business. I can advise you how to run a clean and manageable system and follow generally accepted principles & guidelines so that you can hire staff who can say instantly "Yes, I understand this" because it's pretty much standard. But I can't force you.

However, when you interface to the Internet you have to follow certain protocols, both high level and low level.

There are MANY types of firewall. Some allow transparency, some do address translation, so that everything on the internal network going to the Internet looks like it comes from a single IP address, that of the firewall.

There are many services, UUNET's FTP server being just one of them, which will perform reverse DNS to validate requests. If this fails you're out. Tough - that's their policy. The code for this is simple. Many other sites implement this policy. I think it's perfectly reasonable and recommend it. If someone can't identify themselves they MAY be a crook. They may also be idiots who don't know what they're doing. They may also be perfectly reasonable people.

A recent client of mine had a firewall and address translation, but their backbone provider, a nationwide telco-derived ISP with transcontinental T3/FR++ lines, screwed up. They were providing the external DNS and hadn't bothered to put in the reverse entry. It took 3 months of complaining about this before they moved. The client is considering other ISPs now because of this and other demonstrations of incompetence. Being big (or biggest) doesn't mean the line functionaries know what they're doing.

As for the issue of DHCP - well, not everybody runs it and a lot of people consider it anathema. The example I gave above makes it irrelevant. The leased line was a hard-wired connection, part of a router-based network.

I'm inserting this message because this thread has gotten a bit ridiculous. Some of the assertions are ignoring common practice and even going too close to suggesting that we should put up with people who fail to follow the guidelines and commonly accepted practices. Personally I think we should politely educate them - or their ISPs! Making suitable support software easily or even freely available and exhorting them to make use of it is a step in this direction. Thanks to Paul Vixie for much work in this direction.

My other irritations with this thread include the implied comments to the effect that people who do treat unidentified callers as potential break-in sources are unreasonable.

There are also comments that firewalls are pretty lame. Yes they are, but in my experience they are lame because people fail to configure them properly, usually based on lack of understanding of what they are and what they should be doing. Lack of policy, professionalism and enforcement.

Let's not throw the baby out with the bathwater.
--------------------------------------------------------------------------
Anton J Aylward | Security is not something that comes in
The Strahn & Strachan Group Inc | a self-contained box. It is an attribute
Information Security Consultants | of how you do business and as such
Voice: (416) 494-8661 | needs to be managed carefully.
Fax: (416) 494-8803 | - Karen Goertzel, Wang Federal Inc.
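The reverse DNS validation the message describes (and the failure mode where an ISP never publishes the reverse entry) as an added example, not code from the post or the archive: a forward-confirmed reverse DNS check in Python, run here against constructed lookup tables (the hostnames and the 198.51.100.x / 203.0.113.x addresses are assumptions drawn from documentation ranges) so it works offline, with two helpers showing how the same check wires to the host resolver.

```python
import socket
from ipaddress import ip_address
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for DNS (assumption: no network is used here).
# PTR: reverse-pointer name -> hostname; A: hostname -> addresses.
PTR_RECORDS: Dict[str, str] = {
    "10.100.51.198.in-addr.arpa": "fw.example.com",       # correct reverse entry
    "20.100.51.198.in-addr.arpa": "spoofed.example.net",  # name that does not point back
}
A_RECORDS: Dict[str, List[str]] = {
    "fw.example.com": ["198.51.100.10"],
    "spoofed.example.net": ["203.0.113.7"],
}

def table_ptr(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table; None = no reverse entry."""
    return PTR_RECORDS.get(ip_address(ip).reverse_pointer)

def table_forward(name: str) -> List[str]:
    """A lookup against the constructed table."""
    return A_RECORDS.get(name, [])

def system_ptr(ip: str) -> Optional[str]:
    """Same contract using the host resolver (socket.gethostbyaddr)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name: str) -> List[str]:
    """Same contract using the host resolver (socket.gethostbyname_ex)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def validate_client(ip: str, ptr: Callable[[str], Optional[str]] = table_ptr,
                    forward: Callable[[str], List[str]] = table_forward) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS: accept only if the address has a PTR
    record and the returned name resolves back to that same address.
    A missing PTR (the ISP mistake described in the post) is rejected."""
    name = ptr(ip)
    if name is None:
        return False, "no PTR record"
    if ip not in forward(name):
        return False, f"PTR name {name} does not resolve back to {ip}"
    return True, name
```

To use it against live DNS, call `validate_client(addr, ptr=system_ptr, forward=system_forward)`; note that behind address translation every internal host is validated as the firewall's single address, exactly as the message says.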