[ale] OT: Firewall purchase

Jonathan Rickman jdr at xcorps.net
Thu Jul 22 12:47:32 EDT 2004


> > > > > A custom firewall + no break-in is cost competitive as compared
> > > > > to $100 for the Netgear toy + $50,000 to recover from the break-in.
> > This is FUD without some evidence or logical explanation and not a 
> > remark I'd expected from a professional security expert.  A debate 
> > would have provided an opportunity to recover from this remark.
> Calling my advice FUD is disappointing.  However, for the evidence enter
> 
>      connection hijack
> 
> into Google and read some of the 74,000 entries on connection 
> hijacking, which is how to break through a NAT'ing (and other 
> firewalls).  Some of the hits are unrelated to the topic but 
> there are many, many that are.


I think everyone needs to take a step back and look at what you are
discussing.

The NAT issue-
NAT alone is subject to hijacking attacks and sophisticated spoofing attacks
leading to the exposure of systems behind it, though in practice, neither
are trivial to accomplish and require a certain measure of expertise. NAT
will protect you from the casual interloper and the neverending stream of
automated exploits in worm format that seem to have become so common that we
now consider them background noise. The problem is that within that
background noise there is the chatter of fingers typing furiously at the
keyboard. These little fingers are connected to devious minds who have the
skill and knowledge to use the aforementioned techniques to waltz right into
your network. There...that's the NAT issue in a nutshell.

The FUD issue-
I think the term FUD was tossed out rather hastily, and frankly I'm not sure
what NAT had to do with it in the first place as the Netgear device
mentioned before Bob's post (FVS318) does stateful inspection and therefore
is not subject to the same form of attacks as a NAT only device. Now, I'm
not recommending this box for a business network by any means, but the mere
presence of the thing is not going to automatically mean that the network is
insecure. Maybe there was a teeny bit of merit to the FUD comment based on
this, but I'm inclined to think it was driven more by emotion than reason. 

The REAL issue-
Security is a process, not a product...period. The most secure products in
the world are nothing without a secure process by which to implement them.
The most insecure products in the world can be made reasonably secure
through secure processes. Witness the fact that I have never had an IIS
server that I personally configured broken into. Does that mean that IIS
should be considered a security panacea? Some might say yes, others would
start "product bashing" rather than "process praising." Both would be wrong.
Some would suggest that I have just been lucky. Frankly, I would not take
offense at that type of thing, nor would I reconsider my position due to the
comments. Software packages, hardware devices, and everything in between are
nothing more than tools that are there to perform certain tasks. The use, or
lack thereof, of a specific product does not automatically mean that a
system is secure or insecure. A Volvo may be a safe automobile that has a
greater ability to protect the passengers in the event of a crash, but if it
is running on bald tires with busted headlights on a rainy night...it is
also more likely to end up in the crash to begin with. Meanwhile, the guy in
the Ford Pinto drives by wondering what happened to that guy in the wrecked
Volvo, and continues on his merry way. He has already forgotten that the
driver of the Volvo made a passing remark to him earlier in the Home Depot
parking lot about how unsafe Ford Pintos were in an accident while
mentioning that he was a Volvo owner, in a snobbish tone.

In closing, this discussion could use a lot less heat and a lot more light. 

--
Jonathan "Who normally loves a good flamewar" Rickman
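As an added illustration (not from this thread or from anyone posting in it): a toy Python model of the distinction drawn above between a NAT-only gateway, which forwards anything addressed to a mapped port, and a stateful-inspection gateway, which also checks that an inbound packet comes from the endpoint the inside host is actually talking to and that its sequence number fits the acknowledged window. All addresses, ports and sequence numbers are constructed, and the connection-tracking logic is a deliberately simplified stand-in for what a real stateful firewall does.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed values for the model; no real network traffic is involved.
PUBLIC_IP = "203.0.113.10"   # gateway's outside address (TEST-NET-3)
WINDOW = 65535               # receive window assumed for the inside host


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    ack: int
    length: int = 0          # payload bytes


class NatOnlyGateway:
    """Address translation and nothing else: any inbound packet addressed to a
    mapped external port is rewritten and forwarded, whoever sent it."""

    def __init__(self) -> None:
        self._out: dict[tuple[str, int], int] = {}   # (int_ip, int_port) -> ext_port
        self._in: dict[int, tuple[str, int]] = {}    # ext_port -> (int_ip, int_port)
        self._next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._out:
            self._out[key] = self._next_port
            self._in[self._next_port] = key
            self._next_port += 1
        ext_port = self._out[key]
        self._note_outbound(pkt, ext_port)
        return Packet(PUBLIC_IP, ext_port, pkt.dst_ip, pkt.dst_port, pkt.seq, pkt.ack, pkt.length)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        target = self._in.get(pkt.dst_port)
        if target is None or not self._accept(pkt):
            return None                              # dropped
        int_ip, int_port = target
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.seq, pkt.ack, pkt.length)

    # Hooks used by the stateful variant; the NAT-only box does no extra checking.
    def _note_outbound(self, pkt: Packet, ext_port: int) -> None:
        return None

    def _accept(self, pkt: Packet) -> bool:
        return True


class StatefulGateway(NatOnlyGateway):
    """Same translation plus a connection-tracking table: an inbound packet must
    belong to a flow the inside host opened, come from that flow's remote endpoint,
    and carry a sequence number inside the window the inside host last acknowledged."""

    def __init__(self) -> None:
        super().__init__()
        self._flows: dict[int, dict] = {}            # ext_port -> flow state

    def _note_outbound(self, pkt: Packet, ext_port: int) -> None:
        flow = self._flows.setdefault(
            ext_port, {"remote": (pkt.dst_ip, pkt.dst_port), "expect_seq": None})
        if pkt.ack:                                  # inside host's ACK = next remote byte expected
            flow["expect_seq"] = pkt.ack

    def _accept(self, pkt: Packet) -> bool:
        flow = self._flows.get(pkt.dst_port)
        if flow is None or flow["remote"] != (pkt.src_ip, pkt.src_port):
            return False                             # not the peer the inside host chose
        expect = flow["expect_seq"]
        if expect is None:                           # handshake still in progress
            return True
        return expect <= pkt.seq < expect + WINDOW   # sequence wrap-around ignored in this toy


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Replay one constructed TCP exchange through both gateways and report, per
    inbound packet, whether it was forwarded as (nat_only, stateful)."""
    inside = ("192.168.1.20", 51000)
    server = ("198.51.100.5", 443)
    stranger = ("192.0.2.77", 443)                   # a third party reusing the server's port
    gateways = (NatOnlyGateway(), StatefulGateway())
    results: dict[str, tuple[bool, bool]] = {}

    # Inside host opens the connection; both gateways allocate the same external port.
    ext_port = [gw.outbound(Packet(*inside, *server, 1000, 0)) for gw in gateways][0].src_port

    def send_in(label: str, src: tuple[str, int], seq: int, ack: int, length: int = 0) -> None:
        pkt = Packet(*src, PUBLIC_IP, ext_port, seq, ack, length)
        results[label] = tuple(gw.inbound(pkt) is not None for gw in gateways)

    send_in("syn_ack", server, seq=5000, ack=1001)               # server's SYN-ACK
    for gw in gateways:                                          # inside host completes handshake
        gw.outbound(Packet(*inside, *server, 1001, 5001))
    send_in("server_data", server, seq=5001, ack=1001, length=100)
    send_in("spoofed_source", stranger, seq=5101, ack=1001, length=20)
    send_in("out_of_window", server, seq=900000, ack=1001, length=20)
    return results


if __name__ == "__main__":
    for label, (nat_only, stateful) in run_scenario().items():
        print(f"{label:15} NAT-only forwarded={nat_only}  stateful forwarded={stateful}")
```

The legitimate SYN-ACK and data packets pass both boxes; the packet from an unrelated source that merely hits the mapped port, and the packet from the right peer with a sequence number nowhere near the acknowledged window, are forwarded by the NAT-only model and dropped by the stateful one. Real implementations (Linux conntrack, for instance) track TCP state and both directions' windows in far more detail than this model, but the difference in what each box is willing to forward is the point of the distinction made in the post.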


