Got a bit distracted getting our Microsoft Surface devices up and going. While initially ambivalent about Windows Presentation Format (and its quirky XAML), I am starting to warm up to it. More on that later.
On a very cool note, we recently got our paper on public versus private firewalls accepted into NPSec 2009, a workshop at ICNP. We had a very near miss at HotSec which was a bummer but very good feedback / discussion with the chairs which helped on our shorter submission to NPSec.
In short, the paper tries to debunk the myth that private firewalls are better. The fact that this security through obscurity of private firewall rules has long been a pet peeve of mine but I have not had the math skills to do a reasonable argument beyond random, flailing hyperbole. Enter my graduate student Qi who was willing to try to prove the ramblings of his advisor. With his wife, they constructed a very nice game theory concept showing how private firewalls are lose, lose, lose across the board.
Think of the debate of public versus private in the following manner. Private firewalls back in the day could be argued to provide a reasonable defense. Inference of private rules would take time and would create a glowing, red beacon that one's network would soon be under attack. Beyond exposing oneself or small number of compromised machines, it was not easy back in the day to conduct said inference.
Contrast that with the scenario of today. Botnets are out there and are dirt cheap with massive volumes of machines. Scanning now can be done quite discretely with "disposable" hosts for folks that are more than likely extremely patient enough to wait a few hours or days for the rule inference.
Hence, what do you get from private firewall rules? You get distributed applications being a pain to debug due to how firewalls are typically configured as black holes. Moreover, distributed applications are not going away nor is the next distributed pattern likely to be easy to predict. Thus, one is paying valuable employee or system administration time tracking the problem back to the firewall. Is it your firewall? Is it my firewall?
Certainly, there are a slew vendors that would help you with that task. But why do we even need to go through that? Unless the scanner (bad guy) has some sort of ADD and can't wait just a little bit for a result (perhaps for terrorism / cyber-warfare with state-vested interests might be an exception), there is absolutely no gain to be had with the private firewall rule setup.
The paper has some nice explanations via game theory why this is the case. Moreover, while not listed in this paper, they also derived results that show if you can selectively lie, it can be used as an insurance to actually improve the overall system which is very cool. The partial truth / untruth could be used as an enhanced honey that draws attackers into a honeypot or other system.
Reactions from pitching this to various folks has been an interesting illustration in and of itself. Folks that work in security tend to instinctively flinch while folks that work in systems tend to be intrigued by it. Then again, I would add the caveat that I think that NATs are probably one of the most important security technologies :)
Showing posts with label Firewalls. Show all posts
Showing posts with label Firewalls. Show all posts
Sunday, July 19, 2009
Wednesday, February 25, 2009
Firewall Complexity
It appears that our work looking at firewall complexity in the most recent ISSA Journal is nicely coinciding with work being done in industry. Secure Passage just released a survey coming to roughly the same conclusions that we did albeit focusing primarily on Fortune 1000 companies whereas our survey was more broadly based.
Of particular note, the top two most shocking findings from the Secure Passage report:
Living firmly in the land of academia and hence being able to speak from the ivory tower, these works should be a huge wake up call for how security research should proceed. All too often in security research, the perfect becomes the enemy of the good but I think researchers forget that easy to use security (yes, Virginia there is such a thing) offers a huge benefit to the overall health of the Internet ecosystem. Certainly, there is a need for high end, complex systems such as for DARPA / etc. but by in large, complexity is not a friend of security.
Moreover, I do not think the problem is one of building a better interface for the existing tools. It is a general philosophy where complexity is viewed as an informal indicator of correctness or completeness. Unfortunately as my students can attest, try publishing something novel but not terribly complex and the results are often less than heartening. Perhaps that is best left to industry but certainly these surveys attest to the security elephant in the room that we know things are bad and really can not do too much about it*.
Hat Tip: Athena Security which has a tool for improving firewall complexity Athena FirePAC
Of particular note, the top two most shocking findings from the Secure Passage report:
Top 10 Shockers Revealed by Respondents:
1. 73 percent think firewall rule bases are too complex or out of control
2. 59 percent feel that a lack of management tools makes policy management difficult
Living firmly in the land of academia and hence being able to speak from the ivory tower, these works should be a huge wake up call for how security research should proceed. All too often in security research, the perfect becomes the enemy of the good but I think researchers forget that easy to use security (yes, Virginia there is such a thing) offers a huge benefit to the overall health of the Internet ecosystem. Certainly, there is a need for high end, complex systems such as for DARPA / etc. but by in large, complexity is not a friend of security.
Moreover, I do not think the problem is one of building a better interface for the existing tools. It is a general philosophy where complexity is viewed as an informal indicator of correctness or completeness. Unfortunately as my students can attest, try publishing something novel but not terribly complex and the results are often less than heartening. Perhaps that is best left to industry but certainly these surveys attest to the security elephant in the room that we know things are bad and really can not do too much about it*.
Hat Tip: Athena Security which has a tool for improving firewall complexity Athena FirePAC
Wednesday, February 4, 2009
Front page baby!
Very cool, our journal article looking at firewall management practices managed to make the cover of the ISSA journal. My student Mike Chapple did a very nice survey of current firewall administrators and IT managers to determine what self impressions administrators had of the correctness of their firewall configurations.
The short / sweet version is that firewall configurations are likely wrong and we know it and things are not getting better. System administrators are swamped and hoping that nothing major goes wrong. For those of you in the security business, I highly recommend using it as justification for a better raise or for hiring new people.
The short / sweet version is that firewall configurations are likely wrong and we know it and things are not getting better. System administrators are swamped and hoping that nothing major goes wrong. For those of you in the security business, I highly recommend using it as justification for a better raise or for hiring new people.
Subscribe to:
Comments (Atom)
