Thursday, September 27, 2007

Public vs. Private Firewall Policies

One of the mantras in the security world that has perplexed me is the notion that firewall policies should always be kept hidden from everyone else. The rationale of course is that if the rules are hidden, it will make it that much harder to the attacker to gain entry into the system.

However, I am not sure I completely buy that rationale. Is it really that much effort to probe for open ports on guarded systems? Does it really take that long or is itjust a few more minutes while one of the countless botsin the botnet does the remote scanning? Moreover, does the detection of said port scan do any good either withthe sheer volume of typical port scanning going on in a day to day sense?

From a distributed systems vantage point, the silent failure modes of firewalls can be painful to debug. Sure, if the firewall sends an ICMP Port Not Available, that would be great but most simply sink traffic off into /dev/nullleaving the application to slowly time out, often with abysmal service properties. At what point does the benefit of faster debugging outweigh the "security" benefit of hidden firewall rules? I'm guessing the threshold is much lower than what is typically employed. Debugging a normal system is hard, make the system distributed and itturns quickly into a nightmare.

To be fair, there are cases where I think hiding rules is appropriate, specifically when access is constrained to asubset of hosts. The important information to hide is notnecessarily what ports are exposed but to whom access is granted. One could argue that the hiding of this information does significantly impede the progress of the attack as scanning from an arbitrary host gives imprecise information, sort of a Byzantine-esque (I use this term loosely, not precisely) quality to information gathering. Then again,there are likely levels also in this case as well. A simple 'restrict to the local network' policy (aka the local subnet) really doesn't buy that much time or defense but a 'restrict to an obscure host or bank of admin hosts' would potentially improve defenses.

Perhaps should there be a notional ICMP Firewall Denied message to assist with debugging? Likely too problematic for security purposes(reflection DoS attacks) but interesting from a debugging standpoint. The increased tamping down of ICMP messaging (our campus blocks inbound) also likely makes this a non-starter. Perhaps something in TCP? A can of worms but maybe a nominal TCP options field? Something truly crazy would be the ability to query any host for its firewall ruleset. Crazy indeed.

No comments: