Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Bug

Firewall + Censorware = Trouble 72

Is your company thinking of buying a firewall that comes bundled with blocking software? Think twice. SecurityFocus ran thisstory earlier this week: "Censorware gaffe turns 'World's Most Secure Firewall' into an open door." Turns out that bundling Cyber Patrol with Network Associates' Gauntlet meant creating a custom server that "contains a buffer overflow bug, and, further, mistakenly accepts connections from the outside world" - so intruders could get root on the firewall. Makes sense to me: firewall designers keep security uppermost in mind; censorware designers don't. Update 8:55 AM: BusinessWeek is calling it "The Breach That's Shocking the Firewall Industry."
This discussion has been archived. No new comments can be posted.

Firewall + Censorware = Trouble

Comments Filter:
  • "...NAI programmers created a custom server that..."

    It is actually the firewall guys that screwed up, not the censorware. So censorware is just a bad idea for the other 101 reasons, not security.

    On a side note, does anyone actually read the stories before they are posted?

  • I'm moved to point out that when you simply layer additional features on software without analysing the total design... you are inherently adding additional layers of complexity without properly mitigating risk factors and therefore increasing the probability of failure. But... this being slashdot, everyone else probably thought that too.

    As a general rule kludged and patched together software usually doesn't work well. BUT you can make a well detailed design that is readily expandable and extensible... ie Apache is designed to be patched together and works well.

    The folly here is taking two unrelated products and "slapping" them together. I intuit that "Cyber Patrol" was never designed as a module for the "Gauntlet" firewall... neither was "Gauntlet" designed with a product like "Cyber Patrol" in mind.

    The fundamental problem here lies in the design phase of the project... the integrated system design model should have had an over-arching security function point to handle buffer attacks. The problem is compounded by the fact that the Risk Management analysis apparently missed this possibility (buffer overrun), and that the Testing Phase didn't think of testing in this area (buffer overrun attacks).

    ye gods! I actually learned something in school! Wait a minute... does technobabble count as learning?

    --// Hartsock //
  • How many remote root exploits did redhat 6.2 have? Linux is supposed to be "secure" after all, isn't it? Look how many update rpms there are. You act as though linux never had a buffer overflow (chuckle).
  • What I want to know is whether Network Associates Vice President of Marketing Jim Ishikawa said the company has prepared a patch for the vulnerability.

  • Somebody please mdoerate this piece of drive down
    as overrated?

    This is a major firewall product. This major firewall product comes with trial software that creates a hole in the one feature which is the only reason to buy the product. It is a major gaffe and is newsworthy. The fact that it involves Censorware is merely additional irony.

    Anomalous: inconsistent with or deviating from what is usual, normal, or expected
  • Mind you, I haven't tried these but here you go [squid-cache.org].
  • by Anonymous Coward
    Ever since NAI acquired TIS (Trusted Information Systems, the original makers of Gauntlet and the FWTK [FireWall ToolKit]), IMO two things have resulted:
    1. In my experience and opinion, technical support has definitely taken a turn for the worse. It has become so worthless, IME, that the company I work for doesn't plan to necessarily renew our support contract for the product.
    I have to confirm the above; I'm a programmer with a security and sysadmin background who was hired as the second techie at a small startup. My first sysadmin assignment was to get a firewall up; I chose Gauntlet on its technical merits (I prefer proxy firewalls if the threat level is high), availability of source, reputation, and cost (we could run it on a slightly old PC with BSDI (for which source is also available), which will soon not be an option).

    I had the misfortune to do this just as NAI bought TSI. Right at that time the tech support we received was unacceptable: we would be 50th or 80th in line, and it would take over half a week for an engineer to get back to us. They were also very difficult when we requested source; from posting I'm replying to, it would appear they now officially don't do this.

    One of my coworkers knew someone involved in the takeover; after plying him with drinks, he got him to admit that Network Associates had "gutted" TSI (perhaps they were following the MO of Computer Associates, which is notorious for buying companies and getting rid of most of the technical staff; I had a friend using Ingres when CA bought them, you might remember the Unix World article with "fall of Saigon" picture).

    NAI implicitly admitted this, saying they were hiring engineers at a high priority, and gave some excuse for why they needed to (perhaps they moved their tech support center? I can't remember the details now).

    Bottom line: for me, recommending a NAI product turned out to be a severe career limiting move, since the firewall was a very visible thing due to the nature of the company's business.

  • ...a simple portscan would've turned up the fact that something was amiss.

    That's a good idea. Another good idea is to do a simple ``netstat'' dump of listening sockets on the firewall. I hope that any firewall admin is already doing this--it is an important check that things are as you intended them to be. Any program which cannot bind to specific interfaces has no business on a firewall. It certainly shouldn't call itself a ``proxy''.

    I know the first time I ran ``netstat -l'' on a RedHat 6.1 system I was quite surprised by the cruft hanging around. Before that machine took on its firewall/masq duties, all those unwanted daemons were removed.

  • A firewall's s'posed to do one thing and do it well. Adding censorware to it would be like running Sendmail on it.

    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

  • I didn't moderate myself up to +5. What I did was see an article, post a short comment about it, and then went back to playing Street Fighter.

    I wouldn't have moderated this up either. I didn't think it was that good of a comment. I was just making a philsophical observation that was slightly off topic.

    But I do think that I made a good point. Software made by companies with evil management (and all companies have evil management) and companies that make software with social purposes, don't make software that is inherently technically flawed. If you look at Slashdot, or even Sun's CPR, that seems to be an unspoken assumption.

    If it would make people feel better, moderate my defense of myself down to -1, Offtopic; and then I will end up with even Karma from the whole experience.


  • And yet, somehow, your point of view is superior?

    If you don't like the article then don't read it. It's that simple, I promise you.

  • Exactly right. Companies must learn that security only happens when you *design* for security. Part of such design is separating different components and limiting the resources to which they have access. Content filters need to be compartmentalized away from the other components: best, running on a separate box and restricted to a simple ``Good content/Bad content'' protocol communicating with the firewall; at worst, running with a documented API, restricted privileges and constrained by all the policies of the firewall.
  • I am not convinced that any firewall scheme is usefully secure in a business environment. Many attacks come from within; you can't assume that any connection from within the perimeter can be trusted. It's better to use cryptographic security than to rely on a firewall.

    --

  • It was called Sonicwall, and as far as I could tell, it was working fine as a firewall.

    But as a censorware package, it had a lot to be desired. I wanted to visit my own web site, http://www.amazing.com . "This site has been blocked by SonicWall". Fine, maybe my site has wierd stuff on it someplace, it has so many pages, how can I even tell nowadays? So I added my site to the "let through anyway" list and went on.

    Then I tried visiting http://www.freshmeat.net/ to get some software for my Linux box.

    "This site has been blocked by SonicWall"

    In a moment of pure anger, I shut off filtering and rebooted the SonicWall. End of problem.

    D

    ----
  • Tsk, tsk, criticising Mattel's Cyber Patrol is a sure way to get onto its banned list [slashdot.org]. Of course, Slashdot may already be there..
  • <i>I blame them both. IMO, nothing exposed to tainted data should be running as root. Particularly on a firewall! </i>

    Unsure this is tair. We're talking about an app that needs to do a raw interface sniff through something like BPF, and then make decisions based on that sniff regarding whether or not to *actively* forward the individual packets through frames on the internal interface. This app is using entirely tainted data--everything it receives is untrusted content. Root or not, any compromise of the firewall code would be required to grant the capability to forward arbitrary packets to the internal network, which directly contravenes the stated purpose of the firewall itself.

    In short, the coders can't be blamed on a permissions level--it's conceptually impossible for the most of the serious damage to have been prevented "if only the app wasn't root". About the best I can imagine is if the execution context of the firewall didn't share read/write access to the storage medium of the firewall code. That prevents long lasting trojans, at the expense of reducing the number of sites that will upgrade their firewalls.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
  • irony n 1: witty language used to convey insults or scorn; "he used sarcasm to upset his opponent"; "irony is wasted on the stupid" [syn: sarcasm, satire, caustic remark] 2: incongruity between what might be expected and what actually occurs: "the irony of Ireland's copying the nation she most hated" 3: a trope that involves incongruity between what is expected and what occurs Source: WordNet ® 1.6, © 1997 Princeton University

    I think my usage falls neatly under # 2 and #3. Damn, do you all have to make me keep reliving my failures in English class???? 8^}
  • I suppose those who censor are always doomed to failure anyway, and why not start with buffer overflows ? :)
  • the other guy was right, I was complaining about your use of irony. Irony is not any incongruity between expectations and occurences, it is in particular inconguity which is more akin to "opposite", and it generally concerns "intentions" or "opinions" so that someone or thing seems disappointed or hypocritcal. Expanding on the example you came up with from the dictionary (and not trying to start a war):

    "Ireland hates England, but ends up copying England" is incongruous and ironic.

    "Ireland hates England, and tries to do everything the opposite, and winds up exactly copying France" is also incongruous, but it is not ironic.

    the tone I used before was a bit too harsh (sorry!), but I'm just bitter because I'm particularly annoyed at political uses of irony. Consider: "it is ironic that people who are anti-abortion call themselves pro-life, and yet they favor the death penalty." That's not really irony, it is more akin to hypocrisy. Except, it's not hypocrisy, either. Because, consider "it is ironic that those who object to capital punishment for murderers, have no objection to killing fetuses" or "those who are in favor of legal abortion call themselves pro-choice, yet they tend not wish abortion law to be left to the choice of the voters, nor do they demand that the FDA give women control of their own bodies when it comes to breast implants." And those who demand "reproductive freedom" don't seem to come out in favor of human cloning themselves.

    So, I'm not trying to start an argument on those issues either, but if you did want to start, start by saying what you believe and why I should believe it, and avoid pointing out how true believers can't see the other side.

  • That's not true in the case of a JavaScript file that has to be loaded from a seperate file, on a slow advert server.

    --

  • by Spudley ( 171066 ) on Friday May 26, 2000 @01:45AM (#1046935) Homepage Journal
    This proves the point about adding complexity to a system.

    The most secure systems are generally speaking, the simplest. It should be obvious that the fewer things a system has to do, and the fewer ways of doing those things, the less chance there is for there to be a security hole (or any other kind of flaw).

    Obviously, some for applications it's better to have some 'more-than-one-way-to-do-it'. Firewalls do not fall into this category.

    A Firewall should be there for one purpose, and one purpose only: to control access to a network. Adding features like cyberpatrol was asking for trouble. If you want cyberpatrol software, install it seperately, behind the firewall, so that they can't interfere with each other.
  • The Smartfilter web filter list is over 5 meg, with close to a million entries, and it's updated weekly. Which open source individuals are going to maintain that list?


    ...phil
  • Forget the first part of that equation: you can lop the firewall part right off, and it still holds true.

    (THUS, mathematics tells me that Firewalls must be equal to 0....)
  • by dylan_- ( 1661 ) on Friday May 26, 2000 @02:20AM (#1046938) Homepage

    Hmm...

    Mozilla x (Perl + Python) = New IDE [slashdot.org]

    Firewall + Censorware = Trouble [slashdot.org]

    It seems the million dollars for solving mathematical puzzles [slashdot.org] is preying on the minds of the Slashdot folks....

    dylan_-


    --

  • by Anonymous Coward
    This doesn't seem to be a major security hole, it is confined to one specific firewall and one particular censorware product.

    Well, if you read the article you should have noticed that they say that the censorware product is installed by default, and it automatically turns itself off after 30 days if you don't pay. My interpretation of this is that it is active in the default install and unless you specifically turn it off it will be active for 30 days. (I could be wrong, of course. Maybe it has to be turned on manually... I don't know.)

    So, in case it is actually on by default, then it is a major security hole!

    - A

  • by Anonymous Coward
    I work at a *big* corporation, and although it hasn't happened for a while, there was a period when our proxy would get confused, and respond to perfectly innocent http requests, with cached porn JPEGs.

    ... quite "extreme", some of them, too. I wonder which URL gets logged -- they one you asked for, or the one it delivers.... scary.
  • It's unfortunate that this issue is going to be confused by the fact that the censorware caused it. This will leave many network administrators with the impression that as long as they are not doing content-based filtering or blocking, they're ok.

    In fact, this is the first remote-root exploit in a commercial firewall in a long time and it is due entirely to the fact that commercial vendors are under pressure by the market to throw the damned kitchen sink into their products. Firewalls need to be simple enough to be auditable. Simple enough to be understandable by a human at a time and place by herself.

    Commercial firewalls like Checkpoint's FW1 and Gauntlet (among many other offenders) are selling like hotcakes for bad reasons. Smart organizations are implementing simpler solutions like OpenBSD-based ipfilter (Darren Reed's well-tested stateful packet filtering running on Theo Raadt's well-audited kernel). They are then (as other folx have suggested) supplementing with things like squid for proxying (and hopefully on a box separate from the firewall!) and even still using things like the TIS toolkit (now from NAI but originally authored by Marcus Ranum. Smart organizations run secure MTAs like qmail and do virus filtering on the mail server only if they have to (it's a task better taken care of at the client, IMHO).

    These are not fancy tools, but they perform their objectives simply enough that they can be trusted.

    Security should not be about features, ever. It should be about verifiability and trustworthiness.
  • I am not suprised knowing some of the coding practices at MSI!

    Hashing the CyberNot list is not the issue. It is designed for speed, not security. If the list access was slow, it would make the product useless, if you had to wait an addition .5 seconds on every lookup. Hashing the list was probably meant as a prevent someone from taking the list and selling their own product (a filter, or a list of XXX sites). Using the same hash for the password was just plain lazy/sloppy!

  • I guess it's not meant to be an open-source product, by any chance? ;)
    Actually, Gauntlet originated from the TIS firewall toolkit, and used to be "crystal box" source - paying customers could get it for review. I don't know what the licences are like since Network Associates bought TIS.

    Back when I worked for Norman Data Defense on their firewall product (which failed, so don't wonder if you never heard of it) they wanted to add in CyberPatrol. I screamed and yelled at management that this was an incredibly stupid thing to do, that it would be a huge gaping security hole to run sofware that we couldn't control on the firewall box.

    (Disclosure: I used to work at TIS (though not on Gauntlet) and own Network Associates stock.)

  • "I think the key is rapid response, and I think we demonstrated that this weekend."

    This is true if you are informed by your own people that your product has a flaw. If you are informed by a client, hang your head in shame. The whole point of a firewall is security that should be tested and retested and broken and fixed before it is released.

    What a black eye for NAI's reputation ...

  • Linux is not Red Hat. Does SuSe have the same overflows? What about Slackware? (yea right)
    Debian?

    Not to mention that Linux is just a kernel....
    This is something I would expect from one of those AC Microsoft employees that are paid to troll slashdot.
  • I blame them both. IMO, nothing exposed to tainted data should be running as root. Particularly on a firewall!

    "Firewalls" (really a misnomer when you talk about single box solutions) should have the absolute minimum of accts, and being as services are also a bad idea, system accts must also be minimal.

    I don't know the details but according to the article _I_ read, the exploit allowed you to _get_ root access via a modified buffer overflow, so in all likelihood it was a suid program.

    I think there would be some agreement if I stated that the policymakers have the power to override any objections the coders might have raised (assuming the were even informed of the bundling beforehand)
  • I'd just like to note my disgust with the moderators on this comment.

    Security is the overriding issue here and Gauntlet is a widely used product.
    The fact remains that a poor decision was made by NA management that had a detrimental effect on the efficacy of the product, placing a large number of customer (who paid a goodly sum, I might add) at risk.
    Sum this with the fact that NA has been lax WRT informing their client base of the problem that _they_ (NA management) created by placing marketing concerns over quality.
    If Glowing Fish makes assumptions about what he assumes /. agenda to be, he is certainly within his rights.

    Maybe I should be more steamed with /. over the shortcomings of the moderation system (ie, post early, post often == higher karma), but designing a system for moderation isn't an easy chore.

    I can see why the current system was chosen so I won't argue with it, but it really bothers me that many of those who chose to moderate do so with their _own_ agendas instead of trying to be objective.

    You can flame me if you want, and I wouldn't be surprised if I got moderated down enough to get my acct yanked over it but, seriously, how the hell can you guys rank this a 5? I knocked off a point for being overrated and two minutes later it's back at the top of the pile. I mean, the poster considers _root_ exploits on a widely used security product not "a major hole", but because he discerns this merely as /. pushing their censorware agenda it goes to the top of the pile?

    Moderation was put in place because some people chose to be unruly but the mob mentality that it generates is really a shame, basing it purely on a participation basis really falls short of the ideal.

    Just to be clear, I support peoples right to disagree, and I support their right to have an opinion of what is worthy of merit. I'm not saying GlowingFish doesn't have right to be heard or be critical of /., but I am saying I'm disappointed in the behaviour of the majority here.

    Mark this post into oblivion if you feel the need to, I feel better after spouting off so I still win.
  • For those of you saying, "Story? What story?" it can also be reached minus frames and ads, and/or while using a proxy like Internet Junkbuster [junkbuster.com]. But disable JavaScript before you read the story here [securityfocus.com].

  • Somebody please mdoerate this piece of drive down as overrated?

    I did, and it went right back up. I had a nice rant over it.
    I suppose I could have sent Rob an email, but we should really police ourselves a little better.
  • by SPC ( 16922 ) on Friday May 26, 2000 @12:42AM (#1046950) Homepage
    When I first looked at the article I thought it was about free-speech and a security breach, much in the way of a cause-and-effect connection. And therfore it seemed to me that it was saying that setting up a firewall is bad.

    Please, let's be clear on this: There *are* Firewall/Censorware pacakges that don't automatically create security holes in your network.

    Some are even good censorware, like using junkbuster in conjunction with a firewall to reject evil cookies and filter unwanted ads, and repel crackers.

    It's amazing how much faster it is to surf without waiting for some silly ads to finish downloading, so you can see the rest of the page.

    (Just my $0.02)

    --

  • Just how secure the "World's second most Secure Firewall" is. heh.
  • Trying to integrate a product that has a homebrew hash in its encryption (See earlier story on the hacking of Cyberpatrols database) and something that is to be used for security could never be a good idea.
  • by Glowing Fish ( 155236 ) on Friday May 26, 2000 @12:45AM (#1046953) Homepage

    This had not been a censorware product that caused the security hole? This doesn't seem to be a major security hole, it is confined to one specific firewall and one particular censorware product.

    If Slashdot is trying to show a technical flaw, that is cool. And if Slashdot is trying to say that censorware is wrong\unethical, that is also okay. But by combining the two, what Slashdot seems to be subliminally implying is:

    "Unethical" software is inherently techincally flawed.

    Of course, no one would come out and say that, because it is totally ridiculous. But by showing examples, the idea is implanted.

  • by whoop ( 194 ) on Friday May 26, 2000 @02:40AM (#1046954) Homepage
    People bitch when ZD puts up blatant Slashdot-bait articles, one week it's anti-Linux, the next it's pro-Linux. This site is turning into the same damn thing. We have ridiculous topics like that C++ Builder license thing, rather than anyone asking Borland to clarify, you go into crazy hysteria mode immediately.

    NewsFlash: Sendmail causes Unix to end world. Nuclear submarines may launch missles when fourteen-year-old crackers request it. This gives further proof that you can only trust closed mailing systems like Microsoft Exchange and wonderful Windows operating systems. Any other mail transport agent is insecure and liable to lead to the destruction of mankind.

    Now, how many of you would be sitting back saying, "Yup. Right on! All open source Email systems are truely evil ." to such an article. If you hate Censorware, hate it for what it does, don't go generating hysteria over this. Email, web traffic, flushing the toilet do not cause security holes, specific programs do.

    Slashdot: News for paranoids, spreading the hysteria.
  • by Bryan Andersen ( 16514 ) on Friday May 26, 2000 @02:47AM (#1046955) Homepage

    I didn't see anything misleading at all. The article header tells it like it is. When they added in the CyberPatrol module, it added in a security breach. Not only that, it also setup an open proxy server. That's doubly bad.

    What is truly pathetic about this is it's relatively simple to get rid of many buffer overflows by selecting languages and or libraries that range limit all IO. Using calls to routines like gets() and scanf() is asking for trouble. Even though they are standard C functions, they are also not safe due to their design. They don't limit the length of the data they store into buffers. C++'s standard IO routines also contain builtin buffer overflows. This is truly pathetic because it was well known that the non range limited IO routines in C were a security flaw long before C++ was invented. So what did they do, they perpetuated the problem by continuing to not do range limiting.

  • Now that list is going to get some subscribers ;)
  • seems a little complex from what i saw on thier site, but anyway, what do these commercial firewalls, especially gauntlet, have over packet filters like ipf? maybe i should ask them.


    does this actually stop malformed or otherwise decided to be bad by policy network data? it seems to claim that each entire packet can be scanned for arbitrarily defined "evil data"


    no offense, but i still dont see myself trusting the security of anything so critical on software i dont have source for, especially if its so complex. maybe im just silly/paranoid that way. i agree with the other posters about having other apps do the other tasks, but im also not into censorware. funny. never seen free or open source censorware....

  • by Anonymous Coward
    Ever since NAI acquired TIS (Trusted Information Systems, the original makers of Gauntlet and the FWTK [FireWall ToolKit]), IMO two things have resulted:
    1. In my experience and opinion, technical support has definitely taken a turn for the worse. It has become so worthless, IME, that the company I work for doesn't plan to necessarily renew our support contract for the product.
    2. To me it seems NAI is more interested in adding "bells and whistles", such as "friendly" GUIs, add-ons like CyberPatrol, and improved performance and features under the Ms-WinNT version than it does improving and supporting the reliable, trusted Unix versions. (Indeed: they just announced End-Of-Life for the turn-key BSDI version.)
    In other words: it looks to me like NAI is slowly turning Gauntlet into just another "me too", mass-market, point-and-click, Ms-Windoze-Pee-Cee-toy product. Which is really a cryin' shame! Gauntlet always took hits for being more resource-intensive and slower than competing products (it is a proxy firewall), but at least in the past you could always count on two things: you could trust it (I still do--but I wonder for how much longer?) and you could depend on competent tech support in a timely fashion. In short: Gauntlet was a firewall for power-Admins that had a clue! (Hell, they used to ship the thing with source! Patches actually patched the source, re-compiled and installed :-). But no more :-(.)

    Just one (increasingly unhappy) Admin's opinion. Speaking for myself and not the company for which I work.

  • I think Í am the only one (with my work coleagues) that have no problem with firewall an proxy. Simply it because here mangers don't pay attention to logs from email servers and the proxy. If we would, we can view sex and porn sites but it doesn't matter anymore for us.
    The lesson is: if you liberate the information, people tire to see that and turn to work, because it's more grateful than to see static pictures.

    My 2 cents.
  • </i>does this actually stop malformed or otherwise decided to be bad by policy network data? it seems to claim that each entire packet can be scanned for arbitrarily defined "evil data</i>

    Wouldn't that be a feature of any stateful inspection proxy? Or am I misinterpreting staeful inspection.
  • So the GNU/Linux operating system never had a buffer overflow? You can't tell me there has never been a slackware exploit. I used the redhat example because its one of the most popular distros. Judging from your email address I certainly hit a nerve :) I'll stick to BSD where the exploits are few and far between.
  • You are wrong, slashdot is right.

    See previous discussions on censorware. If you know the Wild Wild Web good enough you will immediately notice that censorware is not just wrong. It is technically unachievable and most companies trying to do it need a very heavy clue stick. Or are doing it for The Kids^H^H^H^HMoney only. Most if not all censorware packages vary between lame and ultra lame as both network knowledge, protocol knowledge and programming.

    So tightly integrating a firewall package with software that is known to be lame by design is plain stupid. So is overfeaturing a firewall toolkit anyway. Simpler the better.

    Also, I have personal doubts against the original article anyway. And they are:

    Gauntlet has always been manufactured by a founder and promoter of the key escrow abomination

    It has previous bad record. See BUGTRAQ archive. So I would not call it the most secure...

  • Which open source individuals are going to maintain that list?

    Any well funded organisation that feels its morally superior I'd guess. Add a few set operators to allow people to block selections of lists (e.g. you could set it to block sites in the catholic church list and the anti pornography lobby list, apart from those sites about health issues, which would be supplied by a health organisation).

    Companies that wish to use it could manage a combined list of undesirable sites. A system where the block list was supplied by anyone who wants to use it would be a lot more accurate than one produced by a single organisation.
  • Part of the problem is understaffed IT departments that have fairly large budgets and have everything implemented by contractors.
    There is a _major_, IMHO , misperception that one box that does packet filtering == a proper firewall. I wouldn't necessarily disagree that its better than nothing (aside from a false sense of security != A Good Thing), but to make a car analogy (I know, I know, but thats why they call them "analogies"), a single box "firewall" is like riding in an airbag equipt car and figuring you don't need a seatbelt.
    You can do all kinds of testing that shows good survivability, but testing isn't the same as production.

    People need to learn the hard way, I guess.
  • post#38 currently marked as redundant...
    Redundant, huh? I guess cluefull-ness must be stomped.

    hartsock, you are right on the money

    Hey, maybe if I bitch enough I can get the automatic bonus point!
  • by docfbl ( 53453 ) on Friday May 26, 2000 @08:04AM (#1046966)
    Unfortunately, we now have another reason to show why your firewall (or any other security device, IMHO)should be the only software running on a particular machine, other than the OS.

    Unfortunately, in these days of consolidation and price sharing, nobody seems to be listening. I don't know how many requests I get a week from different people asking for different software to be installed on the firewalls ("Can we make the firewall a DNS server? SMTP server? NTP server?")

    This also highlights another thing we in the security industry should be worried about: Bugs in code. With packages such as checkpoint becoming larger and larger, it is getting harder to keep track of the internals of exactly what is happening inside these security products. While it probably isn't feasible, it would be nice to have some sort of outside auditing done on the code, as a sanity check. Heck, open source it. :)

    Also, this may make people take a closer look at firewall appliances such as the nokia. Having something that is pretty much a dedicated firewall solution (aka, stripped down OS, running nothing else but firewall) becomes more attractive.

    So, the recipe for a good firewall is:

    1) Install OS
    2) De-install everything not needed to let the box run.
    3) Harden OS (also, take a look at known security bugs for the OS you are running, it may save you grief in the long run).
    4) Install firewall code. If you don't need some portion of the firewall, don't install/activate it! Also, RTFM. The release notes and web pages of the companies involved can save you trouble in the long run.

    Of course, you need a little more than this to develop true 'network security', but this will at least help you get the firewall portion right.....

    --Doc
  • I'm not really concerned about karma, I don't post often enough to build it up, some topics I avoid because its just swimming against the tide and others I don't feel I would be contributing anything useful. Sometimes I see things at +2 (my usual default) that is debatable if it is appropriate to be there (ie "Hey so and so its that you?" and similarly trivial stuff), no problem there really, but when I drop the threshold down and see lots of good stuff that gets lost in the noise, it gives me a feeling that mebbe some people are taking their moderator status for granted, which makes the whole /. experience a little poorer.
    If you look at my user info you can see I've been a long time reader, so yes, I do care that things get out of hand sometimes.

    But hey, it's a slow day and I got caught up in the moment.
    FWIW I hear you WRT the AC posting, I was going to do that with my original rant, but I figured, what the hell, somebody had to say it.
  • Buffer overflows in a security product are simply inexcusable for anything written in the past decade. They've been the cause of most of the non-Microsoft security holes since the Morris Worm , and anybody who's building firewall code should not only be using libraries that aren't susceptible to them (e.g. no gets()) or languages that don't allow them (if Java's not too slow), but they should be explicitly looking for them in code reviews, and doing enough code review they don't slip through.


    A separate problem is the complexity of the programming interface. I haven't seen it, but the descriptions in the articles sound like NAI had to do a lot of work to interface to it, enough that they did so unsuccessfully. But censorware's designed to be used in firewalls, so the interfaces need to be clean and well-documented, because you can't afford security mistakes here. There should be two or three parts to the interface - one that takes a URL and returns approve/reject, and one that provides administrative control over preferences, which is obviously more complex but should still be easy to do cleanly. The potential third part is processing the returned http itself (looking for dirty words or whatever), which is also hard, and needs to be cleanly designed so you can use it safely.

  • Here's why I think:

    Synapses.

    And loads of them, too, not just one or two. I'm talking about billions, if not trillions, of the little suckers pumping out neurotransmitter. Synapses are where learning takes place inside the brain as well as serving as the connections between neural dendrites and axons. Yep, if it wasn't for synapses I don't know *where* I'd be today.

    /AGH agh don';t read this er AGAHH ok now somuch better NO agh the pain arrr I not no errrrr
    aggh/

    here's why I think

    the buggers

    the buggers they get inside you and they twist and crawl and i can feel them now they are eating away at my intestines and agh the pain they cause me every day the buggers wont someone help get the buggers out i need to get the buggers out out if it wasnt for them id be happy maybe
  • Stateful inspection only inspects the state of the packet, or connection. i.e., they look at whether a packet is a SYN, or ACK, or FIN, or whatever, and then decide whether or not to let it through (of course, they also do all the tasks of simple packet filtering, like checking whether source and destination ports against a rule list, etc.). Proxies look at far more, and in fact they not only look at the packet they actually turn around and write their own to pass on to the inside server. No outside packets should ever actually be passed through a proxy in reality, the proxy server takes the packet, inspects it, drops it on the floor, and writes it's own replacement packet. As such they can exert far more control over a connection than something that just decides whether or not to allow a packet to pass based on certain criteria. Proxies can actually look at the payload (in fact, they have to) and do things like strip out ESMTP keywords in traffic to your mail server, rip Java/ActiveX content out of HTTP traffic, etc. Same goes for outbound connections.

    Regards,

  • I'm sure that the simple hash encryption is only used for the block lists, etc. on the CyberPatrol part of the firewall. The firewall specific stuff is most likely using another (stronger) form of encryption than the CyberPatrol part. The problem here results in the communication between the two resulting in potential for security problems.

  • Actually, it's just an unfortunate coincidence that of all the various things that could have gone wrong with this Firewall, it was the bridge to the Censorware app that did. As Schneier argues, excess complexity really is the death of security, and the bottom line was that an app intended to filter packets had detailed, layer 7 filtering hoisted onto it through a hack, rather than a chosen design. It doesn't matter what was hacked in--something was hacked, it wasn't thought out well enough, and it went boom.

    It's just a rather inconvenient failure for the Censorware industry that it was one of theirs that took the system down.

    But there's a much more interesting failure, one that I don't really think has been paid enough attention to: It's not that Gauntlet had a security breach, it's that the breach came from 30-Day Trialware installed by default on a mission critical service.

    If an app I choose to install turns out to have a hole, I'm more than willing to give the authors time to repair the hole. But if an app I *don't* choose to install turns out to install some other app with a hole, one I didn't realize would be installed by default, didn't realize would by default communicate my download logs to the central office(Hi Realnetworks! How's that Download Demon doing?), didn't realize was being shoved on me as a supposed freebie but as an actual privacy and security disaster...

    Then the honesty that underlies every commercial reaction gets toasted.

    I don't blame the coders for having a bug in their bridge code. I blame the policymakers for specifying that the bridge should be enabled by default. Such behavior is inappropriate for employee desktops; whoever made the call that this kind of sales strategy should be applied to the most security critical of product lines bears the responsibility for the disaster that ensued.

    The only good to come out of it is that, slowly but surely, we're going to win Corporate America's support of industry codes of conduct as a last ditch defense against regulation. Some good, eh guys?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
  • I think you're reading far too much into this - while Slashdot shows up the technical flaw I can't see any implication that 'censorware is unethical' in the write-up.

    As for the association between the two; that's taking it even further.

    For my money, it just shows that when you take two products with different end-goals and try to merge them, you may end up sacrificing some of each...just it seems the sacrifice has come from the wrong side.
  • You can set squid up to block sites all different ways using ACLs. There's at least one place to get lists of porn sites in squid's ACL list format (I believe it's in the FAQ), so you can easily accomplish this job with free software. It's also easy to set up your firewall to transparently send all web traffic through squid. Why bother with the commercial packages at all?
  • by PigleT ( 28894 ) on Friday May 26, 2000 @01:04AM (#1046975) Homepage
    (As an implication): >"Unethical" software is inherently techincally flawed.

    There are a couple of other options for what /.'s saying:
    (1) technically-flawed software is also unethical;
    (2) oh look, combining things has just given us the worst of both worlds => this is a complete crock of software.

    I'm surprised nobody's pointed out this absolute hoot of a sales pitch..:

    Gauntlet Firewalls combine the most secure method of firewall protection - application gateway- with the speed of stateful inspection packet filters via our patent-pending Adaptive Proxy technology. Adaptive Proxies protect both in-bound and out-bound services, supporting high throughput and the latest web-based technologies without sacrificing security with important features including user transparency, integrated management, strong encryption and content security.

    I guess it's not meant to be an open-source product, by any chance? ;)
    ~Tim
    --
    .|` Clouds cross the black moonlight,

  • Or firewall product shipped with a copy of CyberPatrol censorware which I did not install. Instead, I (every now and then) simply email everyone a copy of the proxy access logs. I don't read them, I have better and more interesting things to do than be a corporate censor. Must be working though, seems there is a great interest by the users in determining what the IP address of thier station is >:-)
  • you are so biased against speech censorware that you are thinking in a fog: "censorware censors self" would be ironic. "censorware contains security hole like a zillion other pieces of software" has no irony; it is simply a troll for people who share your [yawn] POV
  • Firewalls need to be simple enough to be auditable. Simple enough to be understandable by a human at a time and place by herself.

    The impression I got from the article was that a simple portscan would've turned up the fact that something was amiss. It would seem that that'd be an easily automatable procedure that professional firewall vendors should go through as part of their testing procedure.

    ObSoapbox: It'd be nice if, for such mission critical applications, vendors listed their testing metholody along with the normal advertising figures and specifications.

  • Scanning is one option, but there are companies out there who rely on that firewall to keep all the bad guys out. (i.e. no backup plan) If you can get root access, you can essentially destroy any protection that the firewall was once providing and potentially run rampant depending on what is exposed internally. (promiscuous r* commands, XWindows and packet sniffers come to mind for starters...)
  • I'm surprised that people continue to make this mistake. Buffer overflows are one of the classic attacks. Then, this company boasts it's trustworthiness. It takes a long time to build up confidence in a product but it doesn't take long to shake that confidence.
  • It seems simple to at first to make a firewall you have a set of rules packet comes in check let though or drop it. But it is never that simple. Fire walls and now Censorware are very complex they do way too much. It seems that the only way corporations can to compete with one another is to pack more stuff in to it. They don't think having a more secure platform or an open platform will sell. Most managers don't understand the advantage but they understand I can have logs of every sight person X goes to and why. The old Unix module of small simple parts that work together is better. If you want Censorware and a fire wall then have two boxes If you want a router a fire wall and Censorware then get three boxes. Novell, Microsoft and NA really want you to buy the big do everything box. It helps to lock you in to there products. The Right Paradigm is the opposite. The use opensource open standards modular products that get tested by everyone. IT is almost impossible to have a big do all firewall that is 100% Secure. It is like having a 100% bug free Program. The best you can have is a simple small program with a very high probability of being bug free.
  • by Izaak ( 31329 ) on Friday May 26, 2000 @04:20AM (#1046982) Homepage Journal
    I just gave a security lecture to a bunch of graduating comp sci students. I focused mainly on buffer overflows, how they are exploited, and how to avoid writing them. I actually stepped through the process of writing some vulnerable code, overflowing it and disecting it in the debugger, and then writing a simple exploit. It really looked like I grabbed their attention (hopefully for the right reasons). Perhaps they will now avoid some of the common mistakes that lead to these news stories.

    Thad

  • by LinuxGeek ( 6139 ) <djand.nc @ g m ail.com> on Friday May 26, 2000 @01:09AM (#1046983)
    My take is that this story highlights the technical oversights that CyberPatrol is making.

    I have strong concerns about the methods they employ to select what content and sites to filter and this points to severe technical problems with their implementation. I think you read the wrong message into its /. submission. It is more like a headline of "Technically incompetent bomb maker blows off own foot" or "Neighborhood bully gets butt kicked, lunch money stolen", irony is quite humors as long as it wasn't your firewall. I would be quite pissed if it was my firewall they pooched.
  • Every time someone integrates complex functionality you have the opportunity for errors.

    The more complex the system more more likely it is to have problems. Same issue for cars (eg a Formula 1 car less reliable than a Ford Focus, but it has a different job to do so..).

    Like I always say KISS - Keep It Simple Stupid (Ok so the Army uses this as well).

    The simpler the system more reliable it _tends_ to be.

    When security is involved, I like simple because I'm stupid.
  • If I read the article correctly, I can't see why CyberPatrol needs to set up a *server* on the firewall.

    I thought all the gagware needs to do, is to send a request to a CyberPatrol ACL server with the URL in question and wait for a simple yay/nay reply...

    Yours confused, Mincemeat
  • by Anonymous Coward
    Products like WebSENSE have over 1 million hosts in its filter list. Would you really want a squid ACL list that big? Is it possible that doing something like this could affect performance?

"What the scientists have in their briefcases is terrifying." -- Nikita Khrushchev

Working...