Firewall BOF - Tuesday July 23, 1996
Brent Chapman - Great Circle Associates - Referee

Introductory Material
--------------------------

Firewalls Mailing List - send "subscribe firewalls [address]" to majordomo@greatcircle.com or check http://www.greatcircle.com/firewalls/.
4550 on the main list, 4126 on fw-digest, readership estimated at 15-20 K.
US - 2/3 of readership.
Top domains - com, edu, net, au.

Questions
------------

Q: When you install a proxy firewall without sendmail, what sendmail proxies/replacements running on the FW can do LHS and RHS hacking?
A: smap eventually hands things off to sendmail anyway.

Q: What services are necessary for the next generation of proxies? IMAP?
A: SQL*Net, Lotus Notes.
A: Steve Bellovin makes the point of asking yourself why you want to pass complicated protocols through proxies like this.
A: Send email to carson@lehman.com to work on an IMAP proxy.

Q: Audience experiences with penetration analysis? Hiring someone else to try penetration testing.
A: Saved time, although some tests seemed cookbook, things they could have done themselves if they had the time.
A: Brent - How good and how honest are the people you hire? People who are good at breaking into systems have a different mind set than people who are good at defending systems.
A: Steve - A lot depends on your type of service. For an application gateway only doing three services it won't pay to test.
A: Brent - Using it for automated audits to check things like configuration. It only tells you what you test for.
A: Brent - Put a packet sniffer on the inside looking for things the firewall is supposed to block, and send alarms. Try tcpdump, etherfind or snoop.
A: Steve - Look for strange addresses - they mean an uncontrolled portion of your net or a leak in your firewall.
A: Brent - Check routing tables for unknown networks.

Q: Users require X. Only know about SSH or Xforward. Any safe way to do X?
A: Brent - (Lists problems with X server access.) Mitre paper in last year's USENIX Security Symposium. After allowing a connection, you trust all connections from that end.
A: Possibility of an X server monitor.
A: xnest is a neat application.

Q: Useful encryption for dial-in, for both Suns and PCs?
A: Hughes Netlock.
A: SSH, which might not work for his application.
A: Encrypting modems.
A: Steve - IPSEC should be available soon.
A: SKIP might be a solution that is available now.

Q: How to handle remote connections where the remote end might be compromised?
A: Fred Avolio - swIPe based, separate encryption and strong user authentication.
A: Steve - Don't think there is a general answer.
A: Carson - Drafted a policy to address remote access from home with known configurations and a higher level of assurance. Different classes of machines, known vs. unknown.

Q: How do you determine that the box at the other end of the PPP connection isn't a router?
A: Steve - Don't allow routing protocols through PPP connections.
A: Brent - Assume the connection has a network behind it. (Describes problems with dual-career couples in the Bay Area with in-home LANs that route between companies.)
A: Tough decision on whether to put the terminal servers on the inside or outside of the firewall.
A: Fred - Suggests that anyone coming from the outside is on the outside of the security perimeter. Authenticate, then allow services based on their identity. Recommends that terminal servers be put on the outside of the firewall.
A: Jim Duncan - More than one firewall is now the norm.

Q: Anyone comment on the Cisco PIX box?
A: Steve - Fundamental conflict between NAT and encryption. Can't do end-to-end security (like DNS).

Q: How to treat SMTP, using smap on the FW or proxying?
A: If you are going to run smap, make sure you patch it (check the FW archives).

Q: How many people run stuff other than IP through/around the firewall?
A: IPX tunneled through IP through the firewall.
A: DECnet around the firewall.

Q: Implementations of VPN for Europe?
A: BSDI IPSEC being done in Greece.

Q: How many are using SSH to tunnel into the firewall for administrative purposes?
A: A couple.

Discussion about MD5 and S/Key: S/Key attacks and MD5 potential problems. Schneier may have new results on MD5 (in)security.
Q: Anything better?
A: SHA or RIPEMD-160.

Q: Does Tripwire support SHA?
A: Don't think so.

Q: Firewalls for ATM?
A: Christoph Schuba is doing research for Xerox and the Purdue University COAST Project.
A: Address filtering will be less doable in IPv6. IPv6 can autorenumber.

Q: Has the IETF addressed encryption for export?
A: The IAB did make a statement. The IETF specifies technically sound protocols and lets the politicians worry about it.

Q: SQL*Net transactions through the firewall and doing audit/control?
A: No, only tunneling.
A: SAP and D&B internet clients will probably need this.
A: Every DB vendor has their own proprietary SQL format.

Q: NCSA Firewall Certification?
A: Anything resembling a firewall will basically pass the certification.
A: 80% of compromises are due to misconfiguration or misunderstandings. 80% of support calls at TIS are DNS, sendmail and routing issues.
A: No plug-and-play firewalls. Even the most advanced firewalls can still be misconfigured.
A: Customers are asking vendors for the capability to misconfigure their firewall.

Brand new DNS patches from Sun update to BIND 4.9.3 with BIND 4.9.4 validation code for Sol2.

Q: What to do about an organization which says that since we have a firewall we don't need to worry about internal security?
A: Some companies will place trust in inside employees and feel that the risk is worth it.
A: Fred - Some companies think that a firewall will protect them from everything; it takes education.

(Ran out of battery on the notebook at this point. Hopefully Rik can offer his notes to finish the session.)

Steve Lodin


Steve Lodin suggested that I add my notes to the ones he already posted.

In regards to MD5, Steve Bellovin mentioned that S/Key only used the lower 64 bits of the 128 bits generated by MD5. Also, that success in finding two inputs which would have the same output involved using fewer iterations of the algorithm. Steve mentioned seeing a hacker tool designed to capture S/Key responses, and a tool named monkey which performs a crack-style search for keys based on bad passwords.

Someone else asked if Tripwire supported SHA. The answer was no, [but I'd like to add that combining MD5 with Snefru provides 256 bits, and should be safe for a while.]

At the end of Steve's notes, Fred Avolio was making the point that some sites feel that having a firewall, any firewall, makes their site secure against anything (which reminds me of something Bill or Steve said about having a vault for a front door and screen doors in the back).

To continue, someone asked about blocking Java at the firewall. Brent mentioned that there have been implementation problems with Java, but no fatal design problems had appeared. [TIS and ANS have announced Java blocking.] Someone else asked about blocking Active-X, but got no direct response.

Carson stated that if you allow SSL through your firewall, people can send things through the firewall which are encrypted. For example, a way cool Javascript [sic] that plays strip poker with interesting animation while doing something else. Brent then said "You don't know you are being hosed until it's too late. Tough problem."

Someone asked about performance testing. Fred Avolio answered that performance testing can be purchased, but most people don't know what their usage is or will be. Gaspar Carson suggested recording IP traffic and playing it back at different speeds. Brent mentioned that the application mix may change over time. Carson continued by saying he had seen a test of sendmail which used the same address over and over (no aliasing, no DNS lookups, the same rewriting each time).

Someone asked about highly available firewalls. Carson suggested Veritas, which uses round robin DNS to assign connections to multiple firewalls; loss of one host means loss of the current TCP connections at worst. [I believe DEC sells a clustered firewall solution also.]

Someone asked about gated problems. Carson suggested the gated mailing list.

Someone asked about having a Web server on the third leg of a proxy firewall. Carson suggested using packet filtering in front of the Web server on a semi-exposed DMZ.

At this point, things became quiet enough for Brent to adjourn the BoF.

Rik
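An added example, not part of either set of notes above: the "sniffer on the inside" check Brent described in the penetration-analysis discussion, together with Steve's strange-address check and Brent's routing-table check, written as a small offline script. It reads tcpdump-style lines and netstat -rn style routing entries and raises an alarm for anything the firewall policy says should never be seen on an inside segment. The internal networks, the list of blocked inbound services, the trace lines and the routing lines are all constructed for this example; a real site would substitute its own policy and capture files.

```python
import ipaddress
import re

# Networks we know we own. Constructed for this example; a real site lists its own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "192.168.5.0/24")]

# RFC 1918 space: a source here that is not one of ours is a net nobody registered.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# TCP services the (assumed) firewall policy says must never arrive from outside.
BLOCKED_INBOUND = {23: "telnet", 111: "sunrpc", 2049: "nfs", 6000: "X11"}

# tcpdump-style IP line: "<time> IP <src>.<sport> > <dst>.<dport>: ..." (format assumed here)
TCPDUMP_RE = re.compile(
    r"^\S+\s+IP\s+(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+(\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


def is_internal(addr):
    """True if addr falls inside one of the networks we know we own."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_rfc1918(addr):
    """True if addr is in private address space at all (ours or not)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def check_trace(lines):
    """Scan sniffer output taken on the inside; return (kind, src, dst, detail) alarms.

    leak            - a blocked service from outside reached an inside host, so the
                      firewall is not enforcing the policy it is supposed to.
    strange-address - a private-range source that is none of our known networks:
                      an uncontrolled part of the net, or a leak.
    """
    alarms = []
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if m is None:
            continue  # ARP and other non-IP lines are not this check's business
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        if not is_internal(src) and is_internal(dst) and dport in BLOCKED_INBOUND:
            alarms.append(("leak", src, dst,
                           f"{BLOCKED_INBOUND[dport]} (tcp/{dport}) from outside reached an inside host"))
        elif is_rfc1918(src) and not is_internal(src):
            alarms.append(("strange-address", src, dst,
                           "private-range source that is not one of our known networks"))
    return alarms


def check_routes(netstat_lines):
    """Return routing-table destinations that are neither default, loopback nor a known net."""
    unknown = []
    for line in netstat_lines:
        fields = line.split()
        if not fields or fields[0] in ("Destination", "Routing"):
            continue  # header lines
        dest = fields[0]
        if dest == "default":
            continue
        try:
            ip = ipaddress.ip_address(dest)
        except ValueError:
            continue  # not a dotted quad; nothing to check
        if ip.is_loopback or is_internal(dest):
            continue
        unknown.append(dest)
    return unknown


# Constructed sample input: what a sniffer on an inside segment might show.
SAMPLE_TRACE = [
    "12:01:07.100 IP 10.1.3.4.1023 > 10.1.0.5.25: S 1:1(0) win 4096",        # internal mail, fine
    "12:01:08.200 IP 203.0.113.9.40022 > 10.1.3.4.23: S 9:9(0) win 8192",    # telnet from outside
    "12:01:09.300 IP 192.168.77.2.2049 > 10.1.3.4.1020: . ack 1 win 4096",   # net nobody registered
    "12:01:10.400 arp who-has 10.1.0.5 tell 10.1.3.4",                       # not an IP line
]

# Constructed sample input in the shape of netstat -rn output.
SAMPLE_ROUTES = [
    "Routing Table:",
    "Destination      Gateway        Flags  Ref  Use   Interface",
    "10.1.0.0         10.1.0.1       U      3    2104  le0",
    "192.168.5.0      10.1.0.254     UG     0    55    le0",
    "172.16.9.0       10.1.0.254     UG     0    12    le0",
    "127.0.0.1        127.0.0.1      UH     0    3     lo0",
    "default          10.1.0.1       UG     0    9876  le0",
]

if __name__ == "__main__":
    for kind, src, dst, detail in check_trace(SAMPLE_TRACE):
        print(f"ALARM {kind}: {src} -> {dst}: {detail}")
    for dest in check_routes(SAMPLE_ROUTES):
        print(f"ALARM unknown-network: route to {dest} is not a known internal net")
```

Run against the constructed data it raises three alarms: the telnet connection that the firewall should have dropped, the 192.168.77.0 source that is in private space but in none of the registered networks, and the route to 172.16.9.0 that nobody can account for. The point Brent and Steve were making carries over: the script only catches what its policy tables describe, so the tables have to be kept in step with the firewall rules and the list of known networks.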