[Dshield] Secure computing (was: Port 135)

Lauro, John jlauro at umflint.edu
Tue Oct 29 04:28:08 GMT 2002


Just adding my ramblings as someone from another academic
organization...

> We've had 20 years of no laws but rather consent standards with no teeth,
> and few firewalls installed on a voluntary basis -- and look where we are.

Almost all, if not all, firewalls have been installed on a voluntary
basis, and it has been far more than a few...

> Clearly the time for that experiment has run its course.

It is far from over.  There will be plenty of new applications and
services for the internet that haven't even been dreamed about yet.
That is why many educational institutions don't like firewalls or run
them default open instead of default closed.  Here I run several
firewalls with different levels of protections to/from different nets.
I have better things to do than constantly determining what ports to
open for the latest experiment on the net.  Most of our servers are
blocked for very limited incoming traffic (and more importantly
outgoing traffic such that a compromised machine is useless).
However, most end-users only have the standard incoming trouble ports
(www, telnet, ssh, ftp, etc) blocked unless they request them open.
If no OS ships with it on by default, we rarely block it on user nets.

> People are trying to use the Internet in production, but in reality the
> Internet is just in beta test with organizations playing around seeing how
> little they can do (and by "organizations" I mean organizations, not
> simply academic organizations).

How little???  That's a cynical point of view... Many people from
academic organizations look at it as how much they can do.  They do
not want to be "limited" by a firewall.  It's a subtle philosophical
difference, but a very important one.  If you want to change anyone's
position on the matter, it helps if you first understand their point
of view.  Although spending as few resources as possible on it is
sometimes a factor for academic organizations, it's rarely the main
reason why firewalls are avoided by many in academia.

There is little you can't block with host based filter rules, and
access lists in a router (which some would argue is a firewall).  That
said, personally I find it far easier to have a firewall already in
place, with better support for logging, and generally easier to make
live changes to...

If your real goal is to get junk packets and hackers off the net, then
firewalls might not be your best bet anyways.  Your time might be
better spent recommending passive IDS.  It may not instantly block the
abusers, but it also does not go so sharply against academic freedom.
In many ways it can be better than firewalls in terms of protecting
the internet from a site's users, assuming it's configured right and
the logs are checked...  A hacker stuck behind a firewall quickly
figures out how to get around it, and one wide open is more likely to
just create more log "evidence" on the IDS of their questionable
activities.


> > We trust that our machines are
> > patched and as secure as we can make them (but still
> > operational).
> 
> The new security patches you applied last week -- they weren't on two
> weeks ago were they.
> 
> So two weeks ago your system wasn't secure was it.
> 
> The basic principle of security is defense in depth.  Do not depend on any
> one thing because an attacker can defeat it unexpectedly, and be in, and
> you won't have any chance of stopping them.

Here is one option...  assuming you know he is in...
Unplug the network cable....  :)


Here is one thing to think about as a reason not to use a firewall...
Your entire network becomes one big honey pot.  If you have any holes
in your servers, the hackers on the internet will find them for you.
A hack from the outside will often be easier to detect and less likely
to alter sensitive data, compared to if someone internally hacks you.
With thousands of students potentially wanting to hack your system
from within, you can harden your servers better by just running them
without a firewall to your network.  (I am not recommending this, just
throwing it out as something to think about).
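As an added illustration of the two-tier policy described in this post (default-closed servers with restricted egress so a compromised box is useless, default-open user nets with only the standard "trouble ports" blocked inbound unless requested), here is an nftables ruleset written for this page rather than taken from the post; the interface names and addresses are assumed placeholders:

```nft
# Added example, not from the post. Assumptions: the firewall routes between
# eth0 = upstream/internet, eth1 = server net, eth2 = end-user net.
# Addresses are constructed placeholders.
table inet campus {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections already allowed through.
        ct state established,related accept
        ct state invalid drop

        # --- Server net: default closed in both directions ---
        # Inbound: only the published services reach each server.
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.20 tcp dport 25 accept
        # Outbound: only what servers legitimately need (DNS, NTP, updates),
        # so a compromised server cannot scan, spam or phone home.
        iifname "eth1" oifname "eth0" udp dport { 53, 123 } accept
        iifname "eth1" oifname "eth0" tcp dport { 80, 443 } accept
        iifname "eth1" oifname "eth0" log prefix "server-egress-drop " drop

        # --- End-user net: default open ---
        # Per-host exception granted on request (constructed example); it must
        # precede the generic block rule because rules match in order.
        iifname "eth0" oifname "eth2" ip daddr 198.51.100.42 tcp dport 22 accept
        # Standard inbound trouble ports (ftp, ssh, telnet, www) blocked by default.
        iifname "eth0" oifname "eth2" tcp dport { 21, 22, 23, 80 } drop
        # Everything else to and from the user net is allowed.
        iifname "eth0" oifname "eth2" accept
        iifname "eth2" oifname "eth0" accept
    }
}
```

Load with `nft -f <file>`; the `log` rule on server egress gives the kind of evidence the post says matters more than the block itself.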
