It's Friday evening, so time for a grumpy moan about an IT-related subject.
The recent havoc caused by the MyDoom virus (a mass-mailing worm, strictly speaking) has focused a lot of media attention on a number of things - the need to patch affected machines, the problem of apathetic users making the problem worse, the need for the criminals behind it to be tracked down, and so on - but little or no attention is being paid to the other factors which let viruses like this do more damage than they should. One of these factors is firewall-induced complacency.
There was an interesting article (sorry, currently only available to USENIX members) published a couple of months ago on life without a firewall, and I have to say that I agree with its assertion that a firewall is an unnecessary item and, in many cases, a total waste of money for anything other than sensitive e-commerce or banking sites, which I'd expect to be utterly and necessarily paranoid. For a lot of other people, however, the large amounts of money blown on commercial firewall and intrusion detection systems would probably be better spent on more basic security measures.
All too often, lazy sysadmins, users and (most dangerous of all) managers assume that once they've got their firewall installed, they need to spend less time worrying about security because, well, the firewall will take care of most bad guys, right?
Wrong, in my opinion.
This kind of attitude is dangerous because it breeds complacency. Although it might be strict policy that all machines must be kept fully patched, it only takes one sysadmin taking a relaxed attitude because "hey, we've got a firewall" to leave a machine open to compromise via the TCP ports which the firewall happily allows through. As far as many other security holes are concerned a firewall is completely irrelevant, because they are exploited through services which are legitimately reachable from the outside world anyway. It's debatable, for instance, whether a firewall will do much to protect your IIS machines against the latest buffer overflow attack: the exploit arrives as an HTTP request on port 80, which a firewall in front of a public web server has to let through. And once one of your machines is compromised, the attackers are inside your network anyway and you might as well unplug the firewall and use it as an expensive footrest.
While a firewall may be a comforting ticklist item which gives managers the warm and fuzzies, since they have something to point to when someone senior asks what's being done about security, it's my belief that a large number of installed firewalls are recommended and sold only to give consultants and auditors something to point to and show that Something Is Being Done. They certainly aren't the magic bullets they're all too often sold as when it comes to solving computer security problems, but having a box labelled "Firewall" generally has a much more reassuring effect than telling the big cheeses how robust your patch policy is. Of course, a firewall is usually quite an expensive box as well, so consultants like recommending them: it means lots of money being spent through them on buying the thing, and then even more on expensive consultancy installing a box which most of the site's existing admins are probably unfamiliar with.
Sites which talk about firewalls too much are often ignoring a far more important principle of computer security, which is that security has to be an end-to-end matter. Everybody has to take responsibility for the security-related things which affect them, whether it's the mail admins checking that the virus scanners on the mail gateways are up to date whenever the next MyDoom variant appears (because complacent users don't bother keeping the virus scanners on their workstations up to date), the end users actually reading the warnings from their IT people about the latest virus rather than cheerfully opening any executable they get mailed, or the systems people making sure that all their patches are up to date and that machines aren't running services they don't need.
Thought should also be given to security at the procurement stage - if a certain piece of software is known for security problems, surely the best thing to do is to use something with a better security reputation? If a certain manufacturer of locks were known for making locks which could be picked in five seconds with a bent pin, people would rapidly stop buying their locks, so why aren't the same simple principles applied by people evaluating computer software? If they were, there would be substantially less need for firewalls in the first place.
Firewalls also do nothing to educate users about how to use the Internet safely. Most firewalls will see a copy of MyDoom entering your network as a completely legitimate SMTP session to the mail hub, so they certainly won't stop it. Nor will a firewall stop the mail MyDoom generates from infected workstations any better than a simple router ACL blocking outbound port 25 from everything except the mail hub would. And all that time, many users will still cheerfully open virus-laden mail and execute it because nobody has explained to them why that's a bad thing to do. There were even reports of people receiving MyDoom and being unable to open it because their virus checkers stopped it - so they forwarded it to other people to see if they could get it to run. A firewall wouldn't stop that either, although centralised virus scanning on the mail hubs possibly would.
Sure, for a lot of networks a firewall is probably a necessary evil, in that it at least helps to keep some bad stuff out. But for most sites it's much more important to make sure that you're disabling unused or vulnerable services by default, educating your users and IT staff in how to be security-conscious and why they should be in the first place, and making sure that patches are promptly and efficiently applied. Once that's done, the firewall box is probably pretty redundant anyway, and nearly all the remaining problems can be taken care of by blocking inbound connections to the most well-known vulnerable ports using simple router ACLs.
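To show what "centralised virus scanning on the mail hubs" can see that a firewall cannot, here is an added example (written for this page, not code from the original post): a small attachment filter of the kind a mail hub could run on each message before accepting it. It flags attachments by blocked extension, by the "MZ" header that Windows executables carry whatever they are named, and by looking one level inside .zip attachments. The sample messages, the extension list and the FAKE_PE stand-in payload are constructed for the example; FAKE_PE is a bare DOS header, not a real program.

```python
"""Mail-hub attachment filter.

Added example for this post, not code from the original.  A firewall sees a
mass-mailing worm arrive as an ordinary SMTP session; a filter on the mail
hub can look inside the message and reject it.  The message builder and the
"worm" payload below are constructed for the example: FAKE_PE is a bare
DOS header, not a real program, and the extension list is an assumed
policy, not the post's.
"""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions mass-mailing worms of the MyDoom era shipped their payloads as
# (assumed policy list for this example).
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".cmd", ".bat")

# Windows executables start with the "MZ" DOS header whatever they are called.
PE_MAGIC = b"MZ"

# Constructed stand-in for an executable: just the magic bytes plus padding.
FAKE_PE = b"MZ" + b"\x00" * 62

# Read at most this much of each zip member so a zip bomb cannot exhaust
# memory (assumed limit for the example).
MAX_MEMBER_BYTES = 1024 * 1024


def is_executable(filename: str, data: bytes) -> bool:
    """Flag by extension or, to catch renamed files, by content."""
    name = (filename or "").lower()
    if name.endswith(BLOCKED_EXTENSIONS):
        return True
    return data[:2] == PE_MAGIC


def zip_members(data: bytes):
    """Yield (name, bytes) for each file in a zip archive; nothing if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    with zf.open(info) as fh:
                        yield info.filename, fh.read(MAX_MEMBER_BYTES)
    except zipfile.BadZipFile:
        return


def scan_message(raw: bytes) -> list:
    """Return the reasons to reject the message; an empty list means clean."""
    reasons = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        payload = part.get_payload(decode=True)
        if not filename or payload is None:
            continue  # the text body, nothing to scan
        if is_executable(filename, payload):
            reasons.append(f"executable attachment: {filename}")
            continue
        # MyDoom also travelled inside .zip attachments; look one level down.
        for member, body in zip_members(payload):
            if is_executable(member, body):
                reasons.append(f"executable inside {filename}: {member}")
    return reasons


def build_sample(filename: str, data: bytes) -> bytes:
    """Constructed message with one attachment, standing in for mail the hub sees."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "hi"
    msg.set_content("see the attached file")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def make_zip(members: dict) -> bytes:
    """Constructed zip archive built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "clean":   build_sample("notes.txt", b"quarterly figures attached"),
        "pif":     build_sample("readme.pif", FAKE_PE),
        "renamed": build_sample("report.txt", FAKE_PE),
        "zipped":  build_sample("document.zip",
                                make_zip({"cover.txt": b"hello",
                                          "readme.pif": FAKE_PE})),
    }
    for label, raw in samples.items():
        print(label, scan_message(raw) or "clean")
```

The point of the content check alongside the extension check is the "renamed" case: a user who has been told not to open .exe files will still open report.txt, and a filter keyed only on names lets it through. A real gateway would hand anything that survives this stage to a proper scanner with current signatures, which is the "up to date" part of the mail admins' job above.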
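The "simple router ACLs" of the last paragraph are worth seeing in miniature, because they also make the earlier point about the ports a firewall has to allow through. The following is an added example written for this page, not code from the original post: a stateless packet-filter evaluator with first-match semantics and the implicit deny at the end of a Cisco-style access list, run over a constructed inbound rule set and a handful of constructed connection attempts. The site layout, the list of "well-known vulnerable ports" and the addresses (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges) are all assumptions of the example.

```python
"""Stateless packet-filter (router ACL) evaluator.

Added example for this post, not code from the original.  It models the
"simple router ACLs" the post recommends: rules are tried in order, the
first match decides, and anything unmatched is dropped (the implicit deny
at the end of a Cisco-style access list).  The addresses, rule set and
connection attempts below are constructed for the example; 192.0.2.0/24
and 198.51.100.0/24 are documentation ranges, not real hosts.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # destination port, None = any


@dataclass(frozen=True)
class Conn:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, conn: Conn) -> bool:
    """Return True if every field of the rule covers the connection."""
    if rule.proto != "any" and rule.proto != conn.proto:
        return False
    if ipaddress.ip_address(conn.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(conn.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == conn.dport


def evaluate(acl: List[Rule], conn: Conn) -> str:
    """First matching rule wins; no match means the implicit deny."""
    for rule in acl:
        if matches(rule, conn):
            return rule.action
    return "deny"


# Constructed inbound ACL for an imaginary site on 192.0.2.0/24 with a mail
# hub at .25 and a public IIS web server at .80.  The "well-known vulnerable
# ports" are an assumed list for this example (MS RPC, NetBIOS session, SMB).
INBOUND_ACL = [
    Rule("deny", "tcp", "0.0.0.0/0", "192.0.2.0/24", 135),
    Rule("deny", "tcp", "0.0.0.0/0", "192.0.2.0/24", 139),
    Rule("deny", "tcp", "0.0.0.0/0", "192.0.2.0/24", 445),
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.25/32", 25),
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.80/32", 80),
    # implicit deny follows
]


def classify_samples(acl: List[Rule]) -> dict:
    """Evaluate constructed connection attempts; return {description: verdict}."""
    samples = {
        "MyDoom mail delivered to the hub on tcp/25":
            Conn("tcp", "198.51.100.7", "192.0.2.25", 25),
        "IIS buffer-overflow request on tcp/80":
            Conn("tcp", "198.51.100.7", "192.0.2.80", 80),
        "RPC exploit attempt on tcp/135":
            Conn("tcp", "198.51.100.7", "192.0.2.80", 135),
        "SMTP straight to a workstation on tcp/25":
            Conn("tcp", "198.51.100.7", "192.0.2.10", 25),
        "UDP probe to the web server":
            Conn("udp", "198.51.100.7", "192.0.2.80", 80),
    }
    return {desc: evaluate(acl, conn) for desc, conn in samples.items()}


if __name__ == "__main__":
    for desc, verdict in classify_samples(INBOUND_ACL).items():
        print(f"{verdict:6}  {desc}")
```

The two "permit" verdicts are the point: the worm's mail and the web-server exploit both ride on ports the filter has to allow, so the remaining defence is the patch level of the mail hub and web server and the scanning done on the hub, not the box in front of them.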
If the time which gets spent on installing and maintaining firewalls at most sites were spent on more basic tasks like those in the last paragraph, the Internet would be a far more secure place even without the firewalls. Sure, it's less easy than being able to point to a box and feel reassured, but at least then it would be possible to have some genuine confidence that you've done all you can to secure your network, rather than the false confidence that everything's all right because you have a firewall.
Posted by mpk at February 6, 2004 5:41 PM