Input requested for second edition of "Firewalls and Internet Security"

What are the current thoughts about firewalls and Internet security?
The problem is the complexity level of trying to maintain those
perimeters, DMZs and firewalls is increasing. Massive firewall
complexes with swiss-cheese rules, and huge network perimeters with
numerous external access points are very difficult to manage.

Although many of the oldest firewall creators have long pointed out the
limitations of firewalls, currently practicing security consultants
rely mostly on Internet security designs with firewalls, DMZs and defining
perimeters. This may be partly because some security consulting firms
are also VARs for firewall vendors; but I don't think it's that simple.

Currently my favorite summary of the issues, and one potential alternate
security design is

Network Security Credo
T. Gray, et al
University of Washington
http://staff.washington.edu/gray/papers/credo.html

What may be more interesting to NANOG is what should be the model Internet
security architecture for public network operators? How do you define a
security perimeter? Should ISPs install firewalls at every external
Internet connection? Is there a difference between carrier-grade security
and enterprise-grade network security requirements?

Is the Orange Book really dead?

> The problem is the complexity level of trying to maintain those
> perimeters, DMZs and firewalls is increasing. Massive firewall
> complexes with swiss-cheese rules, and huge network perimeters with
> numerous external access points are very difficult to manage.

They're still popular because *most* sites have only a small number (1 to 5
or so) official entrance points into the net, and can probably hire one
or two people with a clue to babysit the firewall units. The perimeter
may be difficult to manage, but the interior is, in general, totally out of
control.

> Although many of the oldest firewall creators have long pointed out the
> limitations of firewalls, currently practicing security consultants
> rely mostly on Internet security designs with firewalls, DMZs and defining
> perimeters. This may be partly because some security consulting firms
> are also VARs for firewall vendors; but I don't think it's that simple.

As I like to say, firewalls are *not* a complete solution by themselves.
They need to be addressed as "part of this complete security breakfast".

Unfortunately, users are involved, and you end up having to decide if
you want to make some toast while the users burn the scrambled eggs, or
if you want to say 'screw it' and get an Egg McMuffin on the way to work. :wink:

Or stated differently - let's say you're a consultant. Which can you sell
to the customer more easily - a firewall, or telling them that somebody needs
to explain to the VP that 'viceprez' is a Bad Password?

> Is the Orange Book really dead?

It's dead as far as providing an actual useful spec, as far as I can tell.
It had a number of problems - an actual rating was only for *ONE* specific
configuration, and changing it (even by upgrading memory or adding disks)
would technically invalidate it. The whole RAMP thing to maintain a rating
across a software upgrade was a true horrorshow paperwork-wise, and it
didn't address network connectivity (although to be fair, there were other
Rainbow Books that talked about RAMP and network stuff). It's still useful
as a framework reference, mostly due to its ubiquity.

/Valdis

> Or stated differently - let's say you're a consultant. Which can you sell
> to the customer more easily - a firewall, or telling them that somebody needs
> to explain to the VP that 'viceprez' is a Bad Password?

That may partially explain why people sell it or even why they buy it.

On the other hand, if we are supposed to be documenting best practices,
why document bad practices just because it's easier for vendors or
consultants to sell? www.google.com seems to find a lot of repetition
of the same firewall lore, with only a limited amount of critical
analysis.

> Is the Orange Book really dead?

> It's dead as far as providing an actual useful spec, as far as I can tell.
> It had a number of problems - an actual rating was only for *ONE* specific
> configuration, and changing it (even by upgrading memory or adding disks)
> would technically invalidate it. The whole RAMP thing to maintain a rating
> across a software upgrade was a true horrorshow paperwork-wise, and it
> didn't address network connectivity (although to be fair, there were other
> Rainbow Books that talked about RAMP and network stuff). It's still useful
> as a framework reference, mostly due to its ubiquity.

As a rating, evaluation, certification regime the rainbow series, common
criteria, etc have their issues. As handbooks or textbooks, the rainbow
books were useful to a new practitioner in the field.

My concern is O/S (Orange Book) and application security seems to be
almost completely dead in the computer security field. Network security,
IDS, firewalls, etc is where most of the action is. But host security
is still where the buck starts and stops.

As to whether ISPs should install firewalls at every external
Internet connection, I think the question would be more appropriately
phrased as: Should ISPs have policy enforcement mechanisms at every
gateway?

The answer to this is "Yes". Much of the problem that exists right
now can be attributed to the fact that ISPs and enterprise networks
do not have *any* way of enforcing policy between any of the devices
on their network, their customers, or anyone else's. Maybe a nice web
based interface for customers to alter filters applied by a RADIUS
profile for the ISP interface they are connected to would be a start.
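An added example (not code from the thread or from any of its posters) of the back end such a self-service filter page would need: customer-chosen rules are turned into per-user ACL attributes on the customer's RADIUS profile, so the access router enforces them at the gateway. It assumes a router that honours Cisco's per-user ACL AV pairs (ip:inacl#N / ip:outacl#N) carried in RADIUS Vendor-Specific attributes (RFC 2865, vendor id 9); the rule-dict format, the customer prefix 192.0.2.0/24 and the sample rules are constructed for the example. The check worth noticing is the scope check: a customer's rule has to name the prefix the ISP assigned to them on at least one side, otherwise a web form would let one customer filter (or permit) someone else's traffic.

```python
"""Customer-chosen filters -> RADIUS profile attributes for the access gateway.

Added example, not from the NANOG thread. Assumes a Cisco-style access router
that applies ip:inacl#N / ip:outacl#N AV pairs delivered in Vendor-Specific
attributes (RFC 2865 s5.26, vendor id 9, vendor type 1 = cisco-avpair).
The rule dict layout and all addresses below are constructed for the example.
"""
import ipaddress
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1              # vendor type for "cisco-avpair"

ALLOWED_PROTOS = ("ip", "tcp", "udp", "icmp")
DIRECTIONS = {"in": "inacl", "out": "outacl"}  # in = from customer, out = toward customer
MAX_RULES = 16


class PolicyError(ValueError):
    """Raised when a customer-submitted rule is malformed or out of scope."""


def _acl_addr(net):
    """Render a network in Cisco ACL address syntax: any / host X / X wildcard."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def build_avpairs(customer_prefix, rules):
    """Turn customer-chosen rules into ip:inacl#/ip:outacl# AV pair strings.

    rules: list of dicts with keys direction, action, proto, src, dst and an
    optional dport. Every rule must touch the customer's own prefix on at
    least one side, so a profile can never filter anyone else's traffic.
    """
    own = ipaddress.ip_network(customer_prefix, strict=True)
    if own.version != 4:
        raise PolicyError("example handles IPv4 prefixes only")
    if len(rules) > MAX_RULES:
        raise PolicyError(f"at most {MAX_RULES} rules per profile")

    out, counts = [], {"in": 0, "out": 0}
    for r in rules:
        direction, action = r.get("direction"), r.get("action")
        if direction not in DIRECTIONS:
            raise PolicyError(f"bad direction {direction!r}")
        if action not in ("permit", "deny"):
            raise PolicyError(f"bad action {action!r}")
        proto = str(r.get("proto", "")).lower()
        if proto not in ALLOWED_PROTOS:
            raise PolicyError(f"bad protocol {proto!r}")
        try:
            src = ipaddress.ip_network(r["src"], strict=False)
            dst = ipaddress.ip_network(r["dst"], strict=False)
        except (KeyError, ValueError) as e:
            raise PolicyError(f"bad address: {e}") from None
        if src.version != 4 or dst.version != 4:
            raise PolicyError("IPv4 addresses only")
        # Scope check: the customer may only shape traffic to or from the
        # prefix the ISP assigned to them, never arbitrary third parties.
        if not (src.subnet_of(own) or dst.subnet_of(own)):
            raise PolicyError(f"rule does not involve customer prefix {own}")

        ace = f"{action} {proto} {_acl_addr(src)} {_acl_addr(dst)}"
        if r.get("dport") is not None:
            if proto not in ("tcp", "udp"):
                raise PolicyError("dport only valid for tcp/udp")
            port = int(r["dport"])
            if not 0 < port < 65536:
                raise PolicyError(f"bad port {port}")
            ace += f" eq {port}"
        counts[direction] += 1
        out.append(f"ip:{DIRECTIONS[direction]}#{counts[direction]}={ace}")

    # A Cisco ACL ends with an implicit deny; close each direction that was
    # used with an explicit permit so the customer only blocks what they chose.
    for direction, n in counts.items():
        if n:
            out.append(f"ip:{DIRECTIONS[direction]}#{n + 1}=permit ip any any")
    return out


def encode_vsa(avpair):
    """Encode one cisco-avpair string as a RADIUS Vendor-Specific attribute."""
    data = avpair.encode("ascii")
    vendor_len = 2 + len(data)          # vendor type + vendor length + string
    attr_len = 2 + 4 + vendor_len       # type + length + vendor id + vendor data
    if attr_len > 255:
        raise PolicyError("AV pair too long for one RADIUS attribute")
    return (struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, attr_len, CISCO_VENDOR_ID)
            + struct.pack("!BB", CISCO_AVPAIR, vendor_len) + data)


def encode_profile(customer_prefix, rules):
    """Bytes of all reply attributes to attach to the customer's RADIUS profile."""
    return b"".join(encode_vsa(a) for a in build_avpairs(customer_prefix, rules))


if __name__ == "__main__":
    # Constructed sample: the customer holds 192.0.2.0/24 and wants telnet
    # and SMB blocked toward the whole prefix from the outside.
    sample = [
        {"direction": "out", "action": "deny", "proto": "tcp",
         "src": "0.0.0.0/0", "dst": "192.0.2.0/24", "dport": 23},
        {"direction": "out", "action": "deny", "proto": "tcp",
         "src": "0.0.0.0/0", "dst": "192.0.2.0/24", "dport": 445},
    ]
    for pair in build_avpairs("192.0.2.0/24", sample):
        print(pair)
    print(encode_profile("192.0.2.0/24", sample).hex())
```

The ACL strings are what the router applies to the customer's interface after the next Access-Accept; the scope check and the rule cap are what keep a web form from turning the ISP's policy enforcement point into a free filter on other people's traffic.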