[9423] in bugtraq
Fw: Fw: No Security is Bad Security
daemon@ATHENA.MIT.EDU (Scott Seidler)
Tue Feb 9 12:27:22 1999
Date: Mon, 8 Feb 1999 15:22:59 -0500
Reply-To: Scott Seidler <sseidler@EASTERNDATACOMM.COM>
From: Scott Seidler <sseidler@EASTERNDATACOMM.COM>
To: BUGTRAQ@NETSPACE.ORG
Aleph - I'm reforwarding this to you as submitted on Friday - it is a
rebuttal to JIM MAZE's comments re the post I made earlier. He seems to be
unreachable using his listed email at: jmaze@ezsafe.com.
I haven't seen it posted so I'm assuming it got lost in the void.
thanks,
--Scott
<cut>
THIS IS A REBUTTAL FOR JMAZE'S POST OF FRIDAY FEB 04, 1999----------
> From: Scott Seidler <sseidler@easterndatacomm.com>
> To: jmaze@ezsafe.com
> Cc: BUGTRAQ@netspace.org
> Subject: Re: Fw: No Security is Bad Security
> Date: Friday, February 05, 1999 12:26 PM
>
> Hi Jim,
>
> I agree wholeheartedly with a number of the things you mention in your post.
> Some things were left out because of
> a salesy sounding post - which got the original post bounced by Aleph.
>
> The point I was trying to make re: cost and security is loosely this: If a
> company is not willing to shell out some additional
> money to implement a proper solution for their environment, they should
> expect a greater possibility of a compromise.
>
> In our typical client base, where a small company wants a 56K or fractional
> T1 link to the internet, they have a hard time
> shelling out cash for the monthly access alone (and at those speeds we are
> not talking all that much money). These customers
> tend to not want to implement what they deem to be more expensive
> solutions. They typically have NO security other than maybe
> some filtering (and often that's a maybe), or at best are willing to add
> firewall software to their router. Unfortunately - their router
> is also the smallest and least expensive in the line. The extra burden of
> the added software in an environment that has a number
> of PCs makes handling firewalling tasks and often default gateway tasks a
> heavy burden to this unit. Add the usual dual use of routing to remote
> sites and supporting the internet link into the same router - and you can
> give yourself an overburdened box that if
> compromised leaves any other site remotely connected to you as
> vulnerable as you've become.
>
> Is a PC based solution good for them too? Absolutely - if it's implemented
> properly like you said - again I'm agreeing with you.
> Unfortunately - these types of customers - my customers (small-mid) have
> little if any internal support staff in IS and most we've seen are not up to
> par or already overburdened to properly install - or at least upkeep a
> software based solution. And often by the time you explain the costs of the
> PC to run it, operating system costs (most of our customers are NOT willing
> to run Linux or BSD) and the cost of the software itself - it's not much
> more to get a hardware based platform that's simpler to set up and offers
> top rated support.
>
> We typically use the Cisco PIX firewall in most of our customer
> applications. It has many options that appeal to a lot of environments
> and has a tremendous reputation. Check out this little sniglet from a recent
> email I received from Cisco announcing NSA testing results:
> <snip>
> >The PIX Firewall underwent an arduous seven month product testing scenario
> >that mapped the PIX security targets (ST) against the user application
> >scenario prescribed by the Government's Protection Profile. The PIX
> >Firewall Security Target was found to comply to the requirements at CC
> >Evaluation Assurance Level 2 (EAL2), as defined in the Common Criteria for
> >Information Technology Security Evaluation (CC), Version 2.0. The PIX
> >Firewall has subsequently become the first, and only, Firewall to be
> >certified as conforming to the US Government Application Level Firewall
> >Protection Profile for Low Risk Environments.
> <snip>
> .. Not to mention the throughput through the unit rated to T3. It's really
> simple to install as it comes completely shut down to the outside world
> with only a handful of commands to create a one way firewall - whereas an OS
> would need to be "stripped down" as you mentioned, and specifically set up
> for the Firewall's use.
>
> Unfortunately - putting the customer's in-house capabilities aside - the
> time it takes to set up a PC based solution and configure even a free OS into
> it with free security software (factoring the time it takes as well to get
> some technical support on the set up etc.) a hardware based solution like
> the PIX for a street price of about 8K ends up cheaper every time we've
> looked at it.
>
> So I guess I do really agree with what you said - IF the in-house personnel
> have the time and know-how to gather the systems, the software, and IF they
> have the time to invest to set it all up and keep it locked with fixes and
> patches (and there are the bugs). IF they can do all that and not include
> a dollar value on their time, then it won't cost that much money for good
> security.
>
> Unfortunately, these are not our typical customers, as a matter of fact, it
> isn't ANY of our customers.
>
> So to get back to the original point I was making re: money and security
> that seemed misleading: IF you have the time and IF
> you have the expertise and IF your company will even allow you to use
> Freeware (most won't) then you COULD spend little
> money and get a great security solution IF you don't factor the customer's
> time.
>
> For our customer base - this isn't a solution.
>
> Oh, and lastly -- IF you think selling a Cisco product (any Cisco product)
> is a high margin sale - then you don't sell Cisco.
>
> -- Scott
>
> sseidler@easterndatacomm.com
>
>
>
> Your post is attached::::
>
> ----------
> > From: Jim Maze <smail@NETWORKSECURITY.NET>
> > To: BUGTRAQ@netspace.org
> > Subject: Re: Fw: No Security is Bad Security
> > Date: Thursday, February 04, 1999 4:12 PM
> >
> > Hey Aleph, I have a few comments to add regarding this post.
> >
> > Scott Seidler wrote:
> >
> > > It seems that the more you can spend on a firewall and other security
> > > measures, the better you are at protection.
> > >
> >
> > This is misleading. This is why many companies spend hundreds of
> > thousands of dollars on state-of-the-art security solutions only to wind
> > up a victim of a successful attack because they are still vulnerable due
> > to poor implementation. The level of security achieved from a
> > particular security solution is not directly tied to cost. I've seen
> > Mom-and-Pop shops that are using free security measures such as Linux
> > based firewalls, s/key authentication, SSH, and TCP wrappers that are
> > much more secure than your average Firewall-1 implementation. The key is
> > implementation, not cost. Now, if more expensive commercial solutions
> > ARE implemented correctly, they often do offer significant advantages
> > over some of the freeware tools out there, but unfortunately many
> > security consulting firms are focused on pushing the products out the
> > door rather than proper and careful implementation of the products.
> >
> > > While no firewall will claim 100% protection, we have learned that some
> > > are better than others for simple reasons.
> > >
> > > Software based firewalls, while they usually have more options to integrate
> > > directly, might require a more technical
> > > support base internally than most smaller companies or agencies may have.
> > >
> > > Additionally, the daily upkeep and constant vigil to find out about
> > > software patches and vulnerabilities tend to be secondary (or third, or
> > > fourth, etc) to the daily jobs of most systems people. Thus old bugs and
> > > often blatant overlooks become the doorway with the "open for business"
> > > sign hanging above them.
> > >
> > > Unfortunately, basing a firewall on a multiple use operating system (NT,
> > > UNIX, etc) can leave unexpected doorways open and allows for opportunity
> > > for "pilot error" mistakes. Just the time to keep up with them all is too
> > > great for most system managers.
> > >
> >
> > Again, implementation is more important than the particular platform,
> > vendor, or technology. If a software based firewall is configured
> > properly, it will not be vulnerable to 99.9% of the bugs out there. Why?
> > Because a proper implementation of a software firewall includes a
> > stripped down OS that contains only the basic kernel and networking
> > components necessary for the firewall to operate. While I am a big
> > advocate of regularly patching systems, it is often not necessary to
> > apply most patches on a software firewall, simply because the patched
> > binaries are not installed to begin with. I agree that multiple use OS
> > based firewalls have the *potential* to become a victim of an OS bug,
> > but it's not very likely if the device is implemented properly.
> >
> > > So far we have implemented successfully many hardware based firewalls. The
> > > positives on this type of platform far outweigh the marginal extra cost for
> > > the purchase price. These are single function - Firewall only - types of
> > > devices.
> > >
> > > Some hardware based platforms have no user accessible operating system to
> > > have potential open ended problems with, and right out of the box they seem
> > > to set up with limited commands when acting as a one way only firewall. Of
> > > course there are many more programming options in these units that go way
> > > beyond the scope of this posting and are, as Aleph has pointed out to me on
> > > the first issue of this email (appreciated by the way Aleph - thanks), too
> > > vendor specific to really elaborate on.
> > >
> >
> > No argument here - I agree completely.
> >
> > > Suffice to say that Network Address Translation (NAT) and Protocol Address
> > > Translation (PAT) are not the only things to base
> > > a Firewall purchase on. There are many other options and hooks that make a
> > > really good firewall, such as interaction with other
> > > devices (routers, high end authentication, encryption, etc.).
> > >
> >
> > While debating over software vs. hardware, you haven't touched on the
> > whole issue of choosing the right underlying firewall technology for a
> > given environment. While things like NAT and PAT and interoperability
> > with other security devices are definitely important, the underlying
> > technology used by the firewall should be one of the major deciding
> > factors as well. For example, you may want to use an application gateway
> > firewall for perimeter security while using stateful packet filtering
> > internally where more flexibility is required. Many companies (and
> > consulting companies) overlook this issue.
> >
> > > Additionally, two types of products that allow for on-line
> > > monitoring/reporting/detection and also allow for security audits and even
> > > testing of vulnerabilities are a must for any budget that can afford them.
> > >
> > > You can try Cisco (http://www.cisco.com) or Network Associates
> > > (http://www.nai.com/default_ngc.asp) for examples of these products.
> > >
> > > Some of these fit really well into the big router manufacturer operating
> > > system schemes by even allowing an automatic rewrite to
> > > the ACL (access control list) to block a detected party. And don't forget
> > > the ever possible "page me when you find something weird" option too.
> > >
> > > Both of these systems are not inexpensive with price tags of around 10k for
> > > the systems I have seen.
> > >
> > > I have had great feedback on these types of products from my customers -
> > > especially the firewalls and felt I could disseminate the info to my fellow
> > > Bugtraq-ers.
> > >
> >
> > Again, I agree.....but for organizations with a smaller security budget,
> > freeware tools should be presented as an alternative to high-cost
> > commercial products. As security professionals, our focus should be on
> > providing the best possible solutions to our customers that fit into
> > their security budget - not just on pitching high-margin product lines.
> >
> > That's my nickel.
> >
> > -maze