Date: Mon, 5 Mar 2001 21:45:40 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Mike Meyer" <mwm@mired.org>
Cc: <questions@FreeBSD.ORG>
Subject: RE: FreeBSD Firewall vs. Black Ice
Message-ID: <000501c0a600$ad1020a0$1401a8c0@tedm.placo.com>
In-Reply-To: <15012.2780.995581.824426@guru.mired.org>
>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Mike Meyer
>Sent: Monday, March 05, 2001 1:54 PM
>To: Ted Mittelstaedt
>Cc: questions@FreeBSD.ORG
>Subject: RE: FreeBSD Firewall vs. Black Ice
>
>
>Ted Mittelstaedt <tedm@toybox.placo.com> types:
>> Right, but you were talking about cost-benefit as though having a cracked
>> site is a cost that has to be considered. What I'm trying to point out is
>> that there's no excuse for having a cracked site - ie: the cost of a cracked
>> site is a bogus cost because el-cheapo firewalling that isn't half-bad is
>> available to anyone, no matter how little they know about firewalling.
>
>Um - do you really believe that there's such a thing as an uncrackable
>firewall? Short of disconnecting from the network, that is.
>

It depends on your definition of uncrackable. If a crack is a successful DoS attack that crashes servers (telnetting into the Echo port on pre-SP3 NT servers is a cute one) then no, I don't believe there is such a thing. But, most of the customers I've dealt with are mainly concerned with network-initiated cracks that extract files and data from their network, not cracks that crash their systems. I do think that the el-cheapo firewalls, whether they be Black Ice or a LinkSys router with natting turned on, are sufficiently advanced today as to fit the bill. Of course, as I explain to people, if you pick up a virus or something that makes your machine initiate a connection from the inside to the outside, then you're hosed. But, even the most expensive firewalls out there can't protect against that sort of thing unless they are constantly maintained with fresh code from the firewall vendor, and that costs a lot of money that most people are unwilling to expend.

Most people are willing to pay for a garden-variety firewall that protects against a file extraction attack, and I think that they can get this for little effort and little money as long as a few simple rules are followed (like, don't offer any services from servers behind the firewall, period, including e-mail). But, getting into really advanced firewalling, such as that intended to block DoS attacks (which is difficult because you really need the participation of the ISP to do a decent job of that anyway) and permit services to be safely offered from the inside, well, those kinds of firewalls they really aren't willing to invest the time in maintaining.

>Those "not half-bad" boxes work to keep script kiddies out, and will
>continue to do so if you update them regularly. They are only slightly
>harder to configure or use than a rock, no matter how much you know about
>firewalling and networking. But I'm not convinced they'll stop a
>determined attack.
>

No, of course they won't.

>For firewalls, it's really a cost-cost analysis. One cost is yours -
>how much it costs to set up and maintain your firewall. The other cost
>is the attackers - how much it's going to cost them to get through
>your firewall. The trick to avoiding breakins is to make their cost
>higher than the benefit they get from breaking in. Raising your cost
>should raise theirs. Setting things up so you have very low recovery
>times will lower theirs - and may not raise yours.
>

I actually beg to differ with you here - I think your analysis has a severe flaw. Simply put, you are considering the "determined" cracker to be a rational person. They are not, they are basically a psychopath that is not rational, and does not (often) respond to a cost-of-entry type of block. A determined cracker is going to work and work and work forever at your firewall, attempting to get in, and doing everything from network attacks to social-engineering attacks.

These people don't care that it may take 5 years of hammering on something before they finally happen onto a mistake or oversight that will let them in. Fortunately, very few crackers out there are the Real McCoy crackers that have this personality. You can make things sufficiently difficult to defeat the script kiddies, but don't think for a second that you can ever make the cost of getting in so high that it will make a determined cracker go away. To these folks the harder it is to get in, the more determined they are to find a way in. Many of them have thrown years away on attempting to break into a location, and are still working away at it.

>Most home LANs probably won't attract the attention of anything more
>than script kiddies, so the PNP router/firewall boxes are probably
>sufficient. If you're a large company, a major web presence, an ISP,
>or a firewall expert (I'm not - I just had the privilege of having one
>of the best as a friend and client), you'll attract a more expert
>class of attention - and thus need a better firewall.
>

It really depends on what services you are offering.

>> >The thing is, that whilst you know that's asking for trouble and I know
>> >that's asking for trouble; that's what the client is asking for!
>> There's a time when you have to give the customer trouble if that is what
>> they are asking for. If they truly want NT then provide it to the best that
>> it can be done and then when it falls apart, you can tell them "OK, now that
>> we have gone down that road and you have satisfied yourself that it's
>> worthless, let me do it the right way for you now"
>
>This is part of the consultants credo: "You must sometimes give the
>customer what they want. This is sufficiently strong medicine that a
>single dose is usually enough."
>

I love that quote!

Ted Mittelstaedt tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

> <mike
>--
>Mike Meyer <mwm@mired.org> http://www.mired.org/home/mwm/
>Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
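The policy Ted describes above (let the inside originate anything, keep state, accept from the outside only replies to known connections, and offer no services) and the caveat he attaches to it (a virus that dials out from the inside walks straight through) can be seen in a toy model. The following is an added example written for this archive page, not code from the thread, from Black Ice, from a LinkSys box or from FreeBSD's ipfw; the filter is a Python simulation, and the hosts, ports and packets are constructed (RFC 5737 documentation addresses), so nothing here touches a real network.

```python
# Added example: a toy stateful, default-deny-inbound packet filter, run over
# constructed packets. Addresses and ports are made up; not real firewall code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # source address
    sport: int     # source port
    dst: str       # destination address
    dport: int     # destination port
    syn: bool      # TCP SYN without ACK, i.e. an attempt to open a connection
    inbound: bool  # True if it arrived on the outside (Internet) interface


class StatefulFilter:
    """Allow anything the inside originates and remember it; admit from the
    outside only traffic belonging to a connection already in the table."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix
        # dynamic state: (inside_host, inside_port, outside_host, outside_port)
        self.state = set()

    def decide(self, p):
        if not p.inbound:
            # Outbound: only hosts on the inside network may originate traffic
            # (a packet with an outside source on the inside interface is spoofed).
            if not p.src.startswith(self.inside_prefix):
                return "deny"
            self.state.add((p.src, p.sport, p.dst, p.dport))
            return "allow"
        # Inbound: a fresh SYN is never accepted because no services are offered,
        # and everything else must match an entry the inside created earlier.
        if p.syn:
            return "deny"
        if (p.dst, p.dport, p.src, p.sport) in self.state:
            return "allow"
        return "deny"


def run_scenario():
    """Feed six constructed packets through the filter, in order, and return
    the verdict for each by name. Order matters: earlier packets create state."""
    fw = StatefulFilter("192.168.1.")
    packets = {
        # 1. A desktop browses a web server: the outbound SYN is allowed and recorded.
        "browser_out": Packet("192.168.1.10", 40000, "203.0.113.5", 80, syn=True, inbound=False),
        # 2. The server's reply matches the state entry and is admitted.
        "browser_reply": Packet("203.0.113.5", 80, "192.168.1.10", 40000, syn=False, inbound=True),
        # 3. An outsider connects to port 25 behind the firewall: no service offered, dropped.
        "inbound_smtp": Packet("198.51.100.7", 52000, "192.168.1.10", 25, syn=True, inbound=True),
        # 4. An ACK probe of the same port finds no state and is dropped too.
        "ack_scan": Packet("198.51.100.7", 52001, "192.168.1.10", 25, syn=False, inbound=True),
        # 5. A trojan on an inside host phones home: it originated the connection ...
        "trojan_out": Packet("192.168.1.20", 51000, "198.51.100.7", 6667, syn=True, inbound=False),
        # 6. ... so the attacker's replies look exactly like packet 2 and are admitted.
        "trojan_reply": Packet("198.51.100.7", 6667, "192.168.1.20", 51000, syn=False, inbound=True),
    }
    return {name: fw.decide(p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:14} {verdict}")
```

The first four verdicts are the "garden-variety" protection the message talks about: nothing the outside initiates gets in, whether it is a connection attempt or a probe. The last two are the caveat: once an inside host has opened the connection, the filter has no way to tell the trojan's session from the browser's, which is exactly why the message says that case needs something beyond the cheap box.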
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000501c0a600$ad1020a0$1401a8c0>