From owner-freebsd-questions Mon Mar 5 23:11:21 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from guru.mired.org (okc-65-26-235-186.mmcable.com [65.26.235.186]) by hub.freebsd.org (Postfix) with SMTP id 6B97937B718 for ; Mon, 5 Mar 2001 23:11:16 -0800 (PST) (envelope-from mwm@mired.org)
Received: (qmail 21988 invoked by uid 100); 6 Mar 2001 07:11:15 -0000
From: Mike Meyer
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15012.36243.367080.708889@guru.mired.org>
Date: Tue, 6 Mar 2001 01:11:15 -0600
To: "Ted Mittelstaedt"
Cc:
Subject: RE: FreeBSD Firewall vs. Black Ice
In-Reply-To: <000501c0a600$ad1020a0$1401a8c0@tedm.placo.com>
References: <15012.2780.995581.824426@guru.mired.org> <000501c0a600$ad1020a0$1401a8c0@tedm.placo.com>
X-Mailer: VM 6.89 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Ted Mittelstaedt types:
> But, most of the customers I've dealt with are mainly concerned with
> network-initiated cracks that extract files and data from their network, not
> cracks that crash their systems. I do think that the el-cheapo
> firewalls, whether they be Black Ice or a LinkSys router with natting
> turned on, are sufficiently advanced today as to fit the bill. Of
> course, as I explain to people, if you pick up a virus or something
> that makes your machine initiate a connection from the inside to the
> outside, then you're hosed. But, even the most expensive firewalls
> out there can't protect against that sort of thing unless they are
> constantly maintained with fresh code from the firewall vendor,
> and that costs a lot of money that most people are unwilling to
> expend.
Actually, the most expensive firewalls out there *can* protect against that
kind of attack without the level of maintenance that I think you're implying.
That's what the proxy box in the DMZ is for - to prevent unauthorized access
to the internet from boxes on your internal network. The only time you need
fresh code - as opposed to standard bug fix type maintenance - is when you
want to enable some new form of access from your lan out. Of course, the cost
of these firewalls is in inconvenience to your internal users.

> >For firewalls, it's really a cost-cost analysis. One cost is yours -
> >how much it costs to set up and maintain your firewall. The other cost
> >is the attackers - how much it's going to cost them to get through
> >your firewall. The trick to avoiding breakins is to make their cost
> >higher than the benefit they get from breaking in. Raising your cost
> >should raise theirs. Setting things up so you have very low recovery
> >times will lower theirs - and may not raise yours.
>
> I actually beg to differ with you here - I think your analysis has a
> severe flaw. Simply put, you are considering the "determined" cracker
> to be a rational person. They are not, they are basically a psychopath
> that is not rational, and does not (often) respond to a cost-of-entry
> type of block.

I think it's simply a slightly different definition of "cost". The cost for
a monomaniacal attacker is their time. If nothing else, if they're attacking
your site, they aren't attacking someone else's.

> A determined cracker is going to work and work and work forever at your
> firewall, attempting to get in, and doing everything from network attacks to
> social-engineering attacks. These people don't care that it may take 5
> years of hammering on something before they finally happen onto a mistake or
> oversight that will let them in. Fortunately, very few crackers out there
> are the Real McCoy crackers that have this personality.
There's at least one other type of cracker who can - and will - mount that
type of attack. Basically, those who are doing it at a professional level,
and consider things like building a custom DES key cracker to be part of the
job. Of course, these people tend to hide their breakins, and tend to break
into places that are embarrassed to admit that they were broken into, so it's
hard to get any kind of idea about how much of this kind of thing is going on.

> You can make things sufficiently difficult to defeat the script kiddies, but
> don't think for a second that you can ever make the cost of getting in so
> high that it will make a determined cracker go away. To these folks the
> harder it is to get in, the more determined they are to find a way in. Many
> of them have thrown years away on attempting to break in to a location, and
> are still working away at it.

That's pretty much what I was saying originally. There is no way to spend
enough on a firewall to make it impossible for a sufficiently determined
attacker to break in. You look at what you're doing, decide how likely you
are to attract either professional or monomaniacal attention, and choose a
firewall accordingly.

> >Most home LANs probably won't attract the attention of anything more
> >than script kiddies, so the PNP router/firewall boxes are probably
> >sufficient. If you're a large company, a major web presence, an ISP,
> >or a firewall expert (I'm not - I just had the privilege of having one
> >of the best as a friend and client), you'll attract a more expert
> >class of attention - and thus need a better firewall.
>
> It really depends on what services you are offering.

I think that's what I just said.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message