Are Firewalls Obsolete? The Debate



Similar documents
THE ROLE OF IDS & ADS IN NETWORK SECURITY

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

Network Security: State of the Art, Hot Topics

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

1. Thwart attacks on your network.

Network and Host-based Vulnerability Assessment

Host Security. Host Security: Pro

The Future Of The Firewall

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

Firewall Design Principles Firewall Characteristics Types of Firewalls

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

How to Defend Yourself Against Spyware Attack

Deploying Firewalls Throughout Your Organization

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

High Speed Internet - User Guide. Welcome to. your world.

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How

Debugging With Netalyzr

Network- vs. Host-based Intrusion Detection

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Basics of Internet Security

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

VULNERABILITY ASSESSMENT WHITEPAPER INTRODUCTION, IMPLEMENTATION AND TECHNOLOGY DISCUSSION

8 Steps For Network Security Protection

NCS 330. Information Assurance Policies, Ethics and Disaster Recovery. NYC University Polices and Standards 4/15/15.

What Do You Mean My Cloud Data Isn t Secure?

THE EXECUTIVE GUIDE TO DATA LOSS PREVENTION. Technology Overview, Business Justification, and Resource Requirements

Security 101: BIG-IP ASM and IPS Differences Defined

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph I MCA

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

From Network Security To Content Filtering

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview. Firewall Security. Perimeter Security Devices. Routers

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Firewall Evolution - Deep Packet Inspection by Ido Dubrawsky last updated July 29, 2003

From Rivals to BFF: WAF & VA Unite OWASP The OWASP Foundation

Guideline on Firewall

Nine Steps to Smart Security for Small Businesses

Network Security. Computer Security & Forensics. Security in Compu5ng, Chapter 7. l Network Defences. l Firewalls. l Demilitarised Zones

Mobile Device Strategy

Scott Lucas: I m Scott Lucas. I m the Director of Product Marketing for the Branch Solutions Business Unit.

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Network Security and Firewall 1

SECURITY ISSUES INTERNET WORLD WIDE WEB FOR THE AND THE

Name. Description. Rationale

Buyer s Guide to Managed WordPress Hosting

Today s Topics. Protect - Detect - Respond A Security-First Strategy. HCCA Compliance Institute April 27, Concepts.

DNS for Internet Firewalls

What would you like to protect?

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

Enterprise Security Interests Require SSL with telnet server from outside the LAN

Yahoo Attack. Is DDoS a Real Problem?

Firewalls: An Effective Solution for Internet Security E. Eugene Schultz Payoff

SNMP SECURITY A CLOSER LOOK JEFFERY E. HAMMONDS EAST CAROLINA UNIVERSITY ICTN 6865

5 DEADLY MISTAKES THAT BUSINESS OWNERS MAKE WITH THEIR COMPUTER NETWORKS AND HOW TO PROTECT YOUR BUSINESS

Strategies to Keep Your VoIP Network Secure

Why The Security You Bought Yesterday, Won t Save You Today

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

WHITE PAPER. GoToMyPC. Citrix GoToMyPC Corporate Security FAQs. Common security questions about Citrix GoToMyPC Corporate.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 8 Desktop and Server OS Vulnerabilities

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Intro to Firewalls. Summary

Risks with web programming technologies. Steve Branigan Lucent Technologies

8 Steps for Network Security Protection

How To Protect Your Network From Attack

The Software Developers Guide to. Making Your Program Work With. Microsoft App-V. Tim Mangan. TMurgent Technologies, LLP

GETTING MORE FOR LESS AS LOG MANAGEMENT AND SIEM CONVERGE

February Considerations When Choosing a Secure Web Gateway

May Palo Alto Networks 232 E. Java Drive Sunnyvale, CA

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

WHITE PAPER. Network Security: A Simple Guide to Firewalls

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

Application Firewalls

Payment Card Industry (PCI) Data Security Standard

The Advantages of a Firewall Over an Interafer

Beyond the Hype: Advanced Persistent Threats

Firewalls for small business

Firewall Design Principles

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy

Transcription:

Are Firewalls Obsolete? The Debate Pro: Marcus J. Ranum! Con: Marcus J. Ranum 1! Firewalls are Dead Opening Position: Firewalls are a kludge - let s have real network security instead! New services and increasing interconnectedness of everything defeat the design of firewalls Firewalls don t really solve anything - they just give warm fuzzy feelings! 2 (C)Copyright, 1996, Marcus J. Ranum. All rights reserved. 1

Long Live Firewalls! Opening Position: Firewalls continue to be necessary because the standard software base simply isn t good enough to withstand attack - and the situation isn t getting any better! Firewalls draw a useful boundary between interconnected networks In many cases a firewall is the only protection a network can have 3! Firewalls: too Expensive Managing a firewall is a headache $15,000 and up for a firewall is absurd Vendors and consultants cannot justify expense in terms of actual value provided by product As net evolves we need to replace our $15,000 firewalls every 3-5 years 4 (C)Copyright, 1996, Marcus J. Ranum. All rights reserved. 2

Firewalls: Costly? Average cost for damage control of security incident is $100,000* Some sites report losses (in time, opportunity, business) over $1,000,000* Replacement cost and rate for firewalls is comparable to other computing devices: who is still using 386/33s which cost $2,000 4 years ago? *source: CSI Poll 5! Interference Unwelcome Firewalls block valuable services and reduce utility of the net Whenever a new service is invented the firewall needs to be reconfigured Firewalls are a tremendous impediment to achieving electronic commerce or the kind of collaborative environment the Internet was intended to be 6 (C)Copyright, 1996, Marcus J. Ranum. All rights reserved. 3

Firewalls? Intrusive? Not all firewalls are intrusive The problem is not really the firewall it is the application Reasonably designed applications can support firewalls Some applications can gain performance and ease of use benefits from firewalls (e.g.: firewall + web caching proxy) 7! Software Security Newer Internet-ready software has security built in (e.g.: Netscape +SSL) Operating system security is improving Windows NT is C2! What we really need to do is keep fixing the software base rather than refusing to communicate 8 (C)Copyright, 1996, Marcus J. Ranum. All rights reserved. 4

Software? Secure? Pick your favorite nightmare: Installed Base Legacy Systems Backwards Compatibility As for system software security: It takes one hole in one system and it s all over Newer O/S like NT will have new bugs 9! My Router is Enough For performance reasons a firewall is impractical If I configure my router correctly I can get adequate security if I know what I m doing Since there is new software coming out all the time the only thing I know can handle it is my router 10 (C)Copyright, 1996, Marcus J. Ranum. All rights reserved. 5

Enough Routers A router that is correctly configured to provide security is a firewall Performance concerns are a real consideration If you re concerned about the performance of your firewall then buy a fast one In the future networks and systems will be faster and so will firewalls 11! Incoming Traffic Data streams that are allowed in by firewalls may not be protected Some firewalls perform application specific security on data streams Others do not Sometimes you can t Splits security between firewall and system on backend 12 (C)Copyright, 1996, Marcus J. Ranum. All rights reserved. 6

Incoming Traffic (cont) Attacker Internet SMTP session allowed unmodified through firewall to backend system with a sendmail hole Router w/some screening Firewall SMTP Server w/ sendmail 6.8 Internal Network 13 Incoming Traffic This is a serious problem Incoming traffic reduces to a software security problem on the host Any software where you re providing an interesting or significant service should be appropriately protected 14 (C)Copyright, 1996, Marcus J. Ranum. All rights reserved. 7

What Perimeter? Firewalls assume that there is a boundary of some sort around the network Not all networks have clear enforceable boundaries Some networks are too big Need a firewall at each entry/exit point This sells a lot of $15,000 firewalls! 15 Perimeter Erosion Don t blame the firewall if your network doesn t have a perimeter It is a policy and network design problem It shows past lack of concern about security As networks evolve there will still be administrative boundaries (of some sort) between them 16 (C)Copyright, 1996, Marcus J. Ranum. All rights reserved. 8

Viruses In the future viruses and attack programs are likely to be an even greater threat than they are today Firewalls don t stop viruses And they aren t going to! 17 Viruses Firewalls are not the correct tool for virus-proofing Virus scanners are Don t blame firewalls for not blocking viruses That s like complaining because your car is a lousy can-opener 18 (C)Copyright, 1996, Marcus J. Ranum. All rights reserved. 9

Java and Applets Firewalls answer to Java and applets is to block the applet That s not real security! That s not an adequate response in the long term If (when?) computing becomes increasingly applet/browser based firewalls become irrelevant 19 Java and Applets This is a serious problem Firewalls at least may provide an impediment to attackers that are exploiting a successful attack program or applet Damage containment 20 (C)Copyright, 1996, Marcus J. Ranum. All rights reserved. 10

Not Real Security Firewalls are counter-evolutionary They let us hunker down helplessly in dark corners rather than facing the problem and developing real security solutions Firewalls are basically a form of denial exercise The net equivalent of sticking our fingers in our ears and screaming Go Away! 21 Real Security People were in denial long before there were firewalls! Researching the next generation of security tools is for researchers not people with production networks Let the people with real work to do hunker down Let the researchers research 22 (C)Copyright, 1996, Marcus J. Ranum. All rights reserved. 11

IPV6 IPV6 with encryption and security options will make firewalls obsolete Everything will be Virtual Private Network(VPN) based and encrypted Hackers will no longer be able to sniff or intrude without access to cryptokeys Firewalls will go away and we ll dance on their graves 23 IPV6 IPV6 standard for security is likely to be delayed (more) (it s already been ages) Software will not be quickly deployed In some cases never Export control Worst of all IPV6 doesn t address transitive trust and operating system bugs 24 (C)Copyright, 1996, Marcus J. Ranum. All rights reserved. 12

What About the Future? It is clear that the network is getting more complex It is clear that firewalls are getting very complex as well We re about ready for the firewall paradigm to shift 25 What About the Future? It is clear that there will always be administrative boundaries between networks It is clear that there will always be something to enforce those boundaries There will always be firewalls They re going to evolve 26 (C)Copyright, 1996, Marcus J. Ranum. All rights reserved. 13

Summary Firewalls not a solution for the future Firewalls barely a solution for today What we need is better software not more expensive artificial walls All that firewalls and firewall builders know how to do is say don t allow this! and don t do that! 27 Summary Firewalls are not a panacea Firewalls are a useful technology We need to combine firewalls with better host/application security There are some things it may never be safe to do over the net Wanting something badly enough doesn t necessarily make it so 28 (C)Copyright, 1996, Marcus J. Ranum. All rights reserved. 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information