USENIX Security Symposium
Firewalls BOF
Tuesday, June 6th

Writeup co-authored by Rik Farrow and Steve Lodin. These are the words and conversations as heard or misheard by the authors. Standard disclaimer applies. (Steve Bellovin will follow up with his comments and corrections.)

Moderator: Fred Avolio [FA]
Panel:     Marcus Ranum [MR]
           Brent Chapman [BCHAP]
           Bill Cheswick [BCHES]
           Steve Bellovin [SB]

Introduction by Fred Avolio - shameless plugs for the firewalls books by Bill Cheswick and Steve Bellovin, the forthcoming book by Marcus Ranum and Tina Darmohray from publisher Prentice-Hall, and the "Building Internet Firewalls" book by Brent Chapman and Elizabeth Zwicky.

[BCHAP] - The Firewalls mailing list started at the Firewalls BOF at the 1992 USENIX Security Symposium in Baltimore, with 60 people talking for four hours about firewalls. Subscription information is available via majordomo@greatcircle.com. In the last year:
  78% increase in subscriptions
  218% increase in digest subscriptions
  70% US addresses, 30% international
  1137 messages/month in January with 2MB of traffic are the current high water marks

---------------------------
Questions from the audience:
---------------------------

-----------------------------------------------------------------------------
[?]: Can anyone's firewall handle 100 Mbit FDDI traffic? Can any application gateway scale to that speed?
-----------------------------------------------------------------------------
[SB] - No, don't think an application gateway can do it, but they are going to try (looks at Ches).
[MR] - Don't think it will scale, and don't think FDDI and firewalls are compatible. Generally, you don't want to filter your FDDI backbone. Think stateful encryption and application gateways will happen at the kernel level.
[BCHAP] - The best seen is TAMU Drawbridge, FDDI-to-FDDI packet filtering at 18 Mbit/sec, the limit of the test loads, on a midrange 486.
[BCHES] - Break up ftp data and control, and telnet.
The slow applications like telnet don't need the full bandwidth like ftp data.
[MR] - You might want to bypass certain applications, like MBone, around your application gateway.

-----------------------------------------------------------------------------
[?]: Jim Duncan - Do you request or require a customer policy before you work with a customer to help them implement a firewall? Trivial security policies excluded.
-----------------------------------------------------------------------------
[BCHAP] - Don't know of anything specifically, but require a clue from the customer.
[MR] - The client specifically needs a security policy. They need to know what networks they want to trust ahead of time.
[FA] - Everyone has some policies, whether written down or not. TIS requires filling out a questionnaire to pull out policy information, but I don't know anyone who would say they wouldn't install a firewall without one; more likely they would help create a policy.
[MR] - Look at it as a benchmark of the quality of the firewall service provider. The provider will help develop the policy.
[BCHES] - Determines what services are needed (really creating a policy), only discussing firewalls at 3:30 before catching the plane (for internal AT&T sections). They usually end up talking about defense in depth. Usually there is a high mucky-muck in there throwing in zingers. At 3:20, you say: this you can do with a router, this is really going to get you in deep yogurt.
[MR] - Self-diagnosis is usually bad and incorrect.
[SB] - Deep yogurt is Web servers. Put it outside the firewall and let it protect itself.

-----------------------------------------------------------------------------
[?]: How much growth for internal firewalls?
-----------------------------------------------------------------------------
All - Lots!!!!
[BCHES] - AT&T has 170,000 hosts on corporate nets.
[SB] - AT&T developed an internal firewall product, and AT&T needs lots of firewalls for the 2000 routers on its internal nets. They also MUST protect the switches, which is difficult because of "policy".
[MR] - The military market is very dynamic, which suggests adaptive, field-programmable security policies.
[SB] - Host-centric files like DNS are fiendishly difficult to administer across an organization, and firewalls are much the same, so it doesn't scale well yet.
[BCHAP] - Eagle and Checkpoint are providing more centralized point-and-click administration.

-----------------------------------------------------------------------------
[?]: Steve Romig - Address the work at the IP Security Working Group (IPv6) and how this affects firewalls with the encapsulated payloads?
-----------------------------------------------------------------------------
[SB] - Badly! There is contention between end-to-end encryption and firewalls. Encryption will not get rid of the need for firewalls. The IP Security stuff is designed to operate host-to-host or host-to-gateway. This stuff has got to be integrated into the firewall software. You're right, this is a serious issue. When you are allocating security ids, bind them to port numbers as well. At decryption time, I only decrypt based on port.
[BCHAP] - Same issues now when doing encrypted IP tunneling. With IPv6 the problem is only going to get worse.

-----------------------------------------------------------------------------
[?]: How do you determine the size of the network?
-----------------------------------------------------------------------------
Everybody - DNS tree walk, AutoHack, network monitoring tools, etc...
[BCHES] - Ping the entire network. Only protect what you control.
[MR] - It's a solved problem.
[BCHAP] - It's a management problem, not a technical problem.
[BCHES] - It gets worse when you are buying and selling companies that modify your security perimeters.
-----------------------------------------------------------------------------
[?]: Some upper management person had the opportunity to find the Wells Fargo banking page on the inside, and it wasn't working. How do I securely implement SSL inside without exposing the internal network?
-----------------------------------------------------------------------------
[Rik Farrow] - Use the Netscape proxy server (Chapman concurs).

-----------------------------------------------------------------------------
[?]: Mike Ressler - Internal firewalls look more interesting. You might have to firewall two people working in the same hall. Do you talk about this?
-----------------------------------------------------------------------------
[BCHES] - Some people think you can dial your firewall from very secure to middle secure, but hacking is binary by nature (0/1). I would replace "interesting" with "intractable". You get hacked or you don't. There isn't a half-way secure firewall.
[BCHAP] - Insider attacks are more common, yet they don't get the attention or money. Executives want to prevent the appearance of a negative front-page NYT article, which is a different threat.
[SB] - Security measures are ways to reduce risks, which are based on tradeoffs. Different parts of the company have different needs and you need to balance them. The official firewall isn't secure enough to comply with the law for issuing credit cards.
[BCHES] - The problem is that the services you want (NFS) are not secure.
[MR] - It takes a leap of faith - scrap the current application suite, which is here because of worrying about backwards compatibility.

-----------------------------------------------------------------------------
[?]: Risks of tunneling through a firewall?
-----------------------------------------------------------------------------
[MR] - TCP tunneling can even occur over email! If you are worried about it (because of secret info), DON'T connect to the Internet; give users an AOL account instead.
[SB] - You can do traffic analysis, but you aren't going to win. I gave a talk at a three-letter agency, wrote slides about traffic analysis, covert channels, etc. But this is a people problem. If you've got sensitive stuff on the inside, the proper solution is not to connect to the outside network.
[BCHAP] - Tells a story of a Sun security problem. Sun's security policy was no modems; instead, use a terminal server with dialback accounts. Didn't work well, engineers hated it, took a month to get an account. The security people thought the engineers had no choice since there was a digital phone system inside. However, the common hack at Sun was to go to Fry's, get a V.32 modem, plug it into the SPARC, and unplug the nearest fax line and plug it into the modem at night. A former employee kept getting in this way over and over.
  1) Most companies try to hire people who are problem solvers. If the firewall is a problem, they will solve it.
  2) Management didn't realize the difficulties with using the secure network. Engineers didn't think about the security implications of what they were doing.
[SB] - You have to make it possible and convenient for people to do the right thing. The intelligence community believes that it is a people problem and that you have to get people to go along with your security policy. Match your security policy against the corporate culture.

-----------------------------------------------------------------------------
[?]: Martin of Erikson - Scared of MR's SMTP tunnels. I have an SMTP-only firewall.
-----------------------------------------------------------------------------
[SB] - Providing the tunnels is not the answer.

Slide by Steve Bellovin:
------------------------
o Packet filters, dynamic packet filters, circuit relays, application gateways (arguably the most secure). Can the market support all of them?
o Users' demand for more transparency.
o Tension between end-to-end encryption and firewalls (port numbers and perhaps addresses are encrypted).
o Active attacks (firewalls don't deal with this, but encryption does).
o Ease of informal Internet connections (dial-out PPP).
o WWW: the emphasis on Web security has been on S-HTTP, but HTTP leaks a remarkable amount of information about the client. Plus no security for HTML. The Michigan Weather map server will say, "Do xhost +our_host" so it can use your X server for its display!! HotJava really scares me. [Sun] thought about these things, but it scares me. [HotJava allows you to send applications along with the data, for example, a tool for viewing a binary file, or something which formats your hard drive. OLE 2 from Microsoft will be worse when networked. rf]
o IPv6, with its nested headers. What do you do when you don't recognize an IP header? How about mobile IP? I don't know the answers to this, well maybe some of it. But it scares me.
[End of SB's slide, with some comments inserted]

[BCHAP] - Terminal servers assume you are working from a single machine at home. Many people have a network at home. Some work for two different companies with ISDN drops, which can route between the two companies. Don't assume it is a single machine (it could be a gateway). Enforce it with filter rules.
[SB] - Is the home machine secure? Not usually, and corporate policy usually doesn't apply.
[MR] - Marcus' mother is on the Internet and she doesn't realize it. That is considered scary :-)

-----------------------------------------------------------------------------
[?]: How about X over firewalls and the future of that?
-----------------------------------------------------------------------------
[BCHAP] - Not a firewall problem, it's a protocol problem, and it's insecurable. You're hosed.
[MR] - X is one of the pieces of software to be purged.
[SB] - Jeremy Eskin wrote about a v3 X server, a secure X server, where they describe the approach that didn't work. Running the X server on the outside and the application on the inside is considered an acceptable risk.
Running the X server on the inside with the app on the outside, well, I have the code, I might do it. Maybe the approach described tomorrow works, but I have my doubts.
[BCHAP] - The xnest program run on the firewall (a chroot-for-X concept), taken to the feasibility stage. It was posted to Firewalls; check the archive.

-----------------------------------------------------------------------------
[?]: How to monitor the outside router connected to the Internet using SNMP?
-----------------------------------------------------------------------------
[MR] - SNMP is Security Not My Problem. Develop some agency on the outside. SNMP v2 will solve some of this. You want to turn this off on the outside router. Find out if the router is down by waiting until someone complains that "the firewall is down".
[BCHAP] - Use syslog to find security information.
[SB] - Get utilization information from your service provider. Have an agent on the firewall; use udp-relay.
[BCHAP] - Hook up the console to a modem and connect with an expect script.

-----------------------------------------------------------------------------
[?]: How to push a routing protocol through the firewall (like BGP4)?
-----------------------------------------------------------------------------
[SB] - Any routing protocol through the firewall is dangerous. What if someone advertises a better route that goes through the outside for two of your internal networks? Don't run a routing protocol between outside and inside.
[BCHAP] - Not usual to run routing across the firewall.

-----------------------------------------------------------------------------
[?]: Internal firewall, two related organizations, and people want to run BGP4 dynamically.
-----------------------------------------------------------------------------
[MR] - If you want to firewall these guys out because they're turkeys, we could rely on a screening router to provide an adequate degree of control.
But if they will launch an active attack, you shouldn't trust routes from these guys.
[SB] - Depends a lot on internal policy. Think about default in one direction, and routing in the other. Listen to routes from the inside, advertise to the outside.

Closing by Fred Avolio - Wrap up now. Thanks Groucho, Marko, Zeppo and Zippo.