Firewalls & VPNs

Terry Gray

UW Computing & Communications

13 September 2000

Start with a Security Policy

• Defining who can/cannot do what to whom...

• Identification and prioritization of threats

• Identification of assumptions, e.g.– Security perimeters– Trusted systems and infrastructure

• Policy drives security…lack of policy drives insecurity

Priorities

• Application security (e.g. SSH, SSL)

• Host security (patches, minimum svcs)

• Strong authentication (e.g. SecureID)

• Net security (VPNs, firewalling)

Network Security Axioms

• Network security is maximized…when we assume there is no such thing.

• Firewalls are such a good idea…every host should have one.

• Remote access is fraught with peril…just like local access.

Perimeter Protection Paradox

• Firewall “perceived value” is proportional to number of systems protected.

• Firewall effectiveness is inversely proportional to number of systems protected.

Network Risk Profile

Bad Ideas

• Departmental firewalls within the core.

• VPNs only between institution borders.

• Over-reliance on large-perimeter defenses...

• E.G. believing firewalls can substitute for good host administration...

When do VPNs make sense?

• When legacy apps cannot be accessed via secure protocols, e.g. SSH, SSL, K5.

• AND

• When the tunnel end-points are on or very near the end-systems.

See also ‘IPSEC enclaves’

When does Firewalling make sense?

• Large perimeter:– To block things end-system administrators

cannot, e.g. spoofed source addresses.– When there is widespread consensus to block

certain ports.

• Small perimeter/edge:– Cluster firewalls– Personal firewalls

The Dark Side of Firewalls

• Large-perimeter firewalls are often sold as panaceas but they don’t live up to the hype, because they:– Assume fixed security perimeter– Give a false sense of security– May inhibit legitimate activities– May be hard to manage– Won't stop many threats– Are a performance bottleneck– Encourage backdoors

Even with Firewalls...

• Bad guys aren’t always "outside" the moat• One person’s “security perimeter” is another’s

“broken network”• Organization boundaries and filtering

requirements constantly change• Security perimeters only protect against a

limited percentage of threats… must examine entire system:– Cannot ignore end-system management– Use of secure applications is a key strategy

Suggestions

• Do the application, host, and auth stuff.

• Try to cluster critical servers, then evaluate additional protection measures...

– Physical firewall protecting server rack?

– Local addressing + NAT?

– IPSEC enclave?

– Logical firewall/Inverse VPN?

– Personal firewalls, e.g. ZoneAlarm?

Policy & Procedure• Need to work on policies, resources, and consensus

(e.g. re tightening perimeters.)• C&C Efforts:

– Dittrich & Co.– Trying to get more high-level support.– Writing white papers. – Pro-active probing.– Security consulting services.– IDS, attack analysis, etc.– Virus scanning measures.– Acquiring/distributing tools, e.g.SSH.– Evaluating more aggressive port blocking.

Resources

• http://staff.washington.edu/gray/papers/credo*

• http://staff.washington.edu/dittrich

• http://www.sans.org/