Date:      Tue, 6 Mar 2001 01:11:15 -0600
From:      Mike Meyer <mwm@mired.org>
To:        "Ted Mittelstaedt" <tedm@toybox.placo.com>
Cc:        <questions@FreeBSD.ORG>
Subject:   RE: FreeBSD Firewall vs. Black Ice
Message-ID:  <15012.36243.367080.708889@guru.mired.org>
In-Reply-To: <000501c0a600$ad1020a0$1401a8c0@tedm.placo.com>
References:  <15012.2780.995581.824426@guru.mired.org> <000501c0a600$ad1020a0$1401a8c0@tedm.placo.com>

Ted Mittelstaedt <tedm@toybox.placo.com> types:
> But, most of the customers I've dealt with are mainly concerned with
> network-initiated cracks that extract files and data from their network, not
> cracks that crash their systems.  I do think that the el-cheapo
> firewalls, whether they be Black Ice or a LinkSys router with natting
> turned on, are sufficiently advanced today as to fit the bill.  Of
> course, as I explain to people, if you pick up a virus or something
> that makes your machine initiate a connection from the inside to the
> outside, then you're hosed.  But, even the most expensive firewalls
> out there can't protect against that sort of thing unless they are
> constantly maintained with fresh code from the firewall vendor,
> and that costs a lot of money that most people are unwilling to
> expend.

Actually, the most expensive firewalls out there *can* protect against
that kind of attack without the level of maintenance that I think you're
implying. That's what the proxy box in the DMZ is for - to prevent
unauthorized access to the internet from boxes on your internal
network. The only time you need fresh code - as opposed to standard
bug fix type maintenance - is when you want to enable some new form of
access from your lan out. Of course, the cost of these firewalls is in
inconvenience to your internal users.

> >For firewalls, it's really a cost-cost analysis. One cost is yours -
> >how much it costs to set up and maintain your firewall. The other cost
> >is the attackers - how much it's going to cost them to get through
> >your firewall. The trick to avoiding breakins is to make their cost
> >higher than the benefit they get from breaking in. Raising your cost
> >should raise theirs. Setting things up so you have very low recovery
> >times will lower theirs - and may not raise yours.
> 
> I actually beg to differ with you here - I think your analysis has a
> severe flaw.  Simply put, you are considering the "determined" cracker
> to be a rational person.  They are not, they are basically a psychopath
> that is not rational, and does not (often) respond to a cost-of-entry
> type of block.

I think it's simply a slightly different definition of "cost". The
cost for a monomaniacal attacker is their time. If nothing else, if
they're attacking your site, they aren't attacking someone else's.

> A determined cracker is going to work and work and work forever at your
> firewall, attempting to get in, and doing everything from network attacks to
> social-engineering attacks.  These people don't care that it may take 5
> years of hammering on something before they finally happen onto a mistake or
> oversight that will let them in.  Fortunately, very few crackers out there
> are the Real McCoy crackers that have this personality.

There's at least one other type of cracker who can - and will - mount
that type of attack. Basically, those who are doing it at a
professional level, and consider things like building a custom DES key
cracker to be part of the job. Of course, these people tend to hide
their breakins, and tend to break into places that are embarrassed to
admit that they were broken into, so it's hard to get any kind of idea
about how much of this kind of thing is going on.

> You can make things sufficiently difficult to defeat the script kiddies, but
> don't think for a second that you can ever make the cost of getting in so
> high that it will make a determined cracker go away.  To these folks the
> harder it is to get in, the more determined they are to find a way in.  Many
> of them have thrown years away on attempting to break in to a location, and
> are still working away at it.

That's pretty much what I was saying originally. There is no way to
spend enough on a firewall to make it impossible for a sufficiently
determined attacker to break in. You look at what you're doing,
decide how likely you are to attract either professional or monomaniacal
attention, and choose a firewall accordingly.

> >Most home LANs probably won't attract the attention of anything more
> >than script kiddies, so the PNP router/firewall boxes are probably
> >sufficient. If you're a large company, a major web presence, an ISP,
> >or a firewall expert (I'm not - I just had the privilege of having one
> >of the best as a friend and client), you'll attract a more expert
> >class of attention - and thus need a better firewall.
> It really depends on what services you are offering.

I think that's what I just said.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
