Re: The state of firewall management...



Graham Lyon wrote:
> 2009/6/24 Marc Herbert <Marc Herbert gmail com>
> 
>> Graham Lyon wrote:
>>> I'll agree that if your system doesn't have ports open by default then
>>> you're fine, but if for instance your package manager pulls in mysql or
>>> postfix or similar as a dependency for some package that doesn't really
>> need it to use its network capabilities

> Yes, such a situation would be a misconfiguration. But, going on to say that
> because this is a misconfiguration issue and therefore there is no need for
> a firewall is a little foolish. The firewall would mitigate any threat that
> would exist (at least on public networks)

So I guess the problem is: how do you protect a minority of mysql users
from an unlikely and easy-to-fix packaging error, without bothering the
vast majority of desktop users, who do not care, with a firewall?


> - belt and braces, etc....

Belt + braces is nice in theory but in reality people tend to give up
one once they start using the other. Windows experience shows that a
firewall makes most people feel protected and not care any more about
network security.


> What's complicated about it?! Sorry - but that's really an incorrect
> statement. As for which user understands the configuration of their
> firewall, that's the whole point of this daemon - *it* understands and *it*
> can do the configuration, all the user has to do is say that it's a
> public/private network and the rest is taken care of.
> 
> 1) You've just connected to a wireless network
> 2) Do you know whether this is a public or private network already? If not,
> ask.
> 3) If it's public, block all incoming traffic on that interface.

Please let me quote your message from yesterday:

> A firewall isn't only about prevention access to network listening
> daemons, it's about granularity in that restriction :)

And indeed, the first thing people will do is allow skype and other
similar P2P software to escape their firewall (or worse: disabling their
whole firewall). Your configuration simplicity (or worse: your entire
firewall) is just gone. So now you have to manage an extra firewall
configuration, where managing just your network services gets you the
same result. Complexity is security's worst enemy.


> Imagine you're a user who's decided
> you'd like to start learning php for the first time:

So for a start: I am definitely NOT the average desktop user.

> you install apache,
> mysql and php. What's the first thing you do? Carefully comb the
> documentation and the default configuration files, looking for security
> holes and ways to tighten up the security of the setup or do you get
> straight in there with the programming and learning and only worry about the
> security aspects a few months down the line when you're about to put in your
> first production ready server? If your answer is the second one then you're
> a liar :)

My answer is that I use a Linux system which is not insecure by default,
meaning apache and mysql are bound to the loopback address by
default. Based on this, this system does not need and has no firewalling
by default. Moreover the package manager refuses to start MySQL until I
have input a non-default password, giving me some extra security. I can
safely skip reading the documentation and worry about the security
details later.

Once I need to test my server remotely, I spend no more than 5 minutes
learning how to unlock the loopback safety.  Later I connect to a public
network. NetworkManager then runs a dead-simple "netstat -l" command and
warns me that I left my apache server running by accident. So I just stop
apache. Job's done.

And by the way, all this is (almost) already happening today. But not in
the Windows world for sure.


 
> The point is that in a perfect world where we all carefully configure our
> systems to be secure, the daemons are all written with perfect code with no
> security weaknesses and that any code that we ourselves write (eg a
> php-based site running on the apache server, or similar) is also written
> perfectly and so will not have any weaknesses THEN we can not bother with a
> firewall. If you think we live in this world, you're a tad naive...

I can safely afford to be naive because I live in a non-Windows world
where the average desktop user is not running any daemon at all.

I understand that other users could use a firewall. But the minority
should never inflict the firewall plague on the majority. Else what
next?  Antiviruses to make everyone's desktop twice as slow? No thanks.

How many times have you heard the following support answer:
"please try to (temporarily...) disable your firewall?"


>> For instance without a firewall you can list all your security holes with
>> just a simple "netstat -l"; no added confusion.
> 
> This could just be me, but I didn't actually know about that command before
> you mentioned it. Now what about your poor little idiot user who couldn't
> possibly comprehend a firewall - does he know about that command?

You are unfairly mixing concepts (firewalling) with low level commands
(iptables). The netstat command is an implementation detail. The
relevant concept is "network services enabled", certainly more intuitive
than the firewalling concept most people have no clue about. I have met
countless skilled system administrators helpless in front of firewall
configuration, even with a GUI interface.

My suggestion was for integration between NetworkManager and active
network services. NM would be the one running the netstat command (or
anything equivalent).

Oh and by the way, if you run "netstat -lp" as root you get the daemon name.


> A firewall is hardly distant, and it's hardly a bad way of doing this. I'll
> admit that blocking it at the service-level would be better, but like I
> said; what if I want to then access it from another machine when I'm at
> home? Do I have to change the apache config? Didn't think so...

The alternative is to just shut down the daemon when you are in
public. It is the most intuitive solution and nothing can be safer. Less is
more, especially in security.


> How many users do you see saying "I'd like to try out programming in php,
> what should I do to set it up?" on the forums every week? 
> [...]
> Tell me that this, combined with
> the various other use cases out there, is not worth sorting something out
> for. Or are they power users and, as such, left out in the cold on their
> own?

I must admit this "middle-ground" category did not initially cross my
mind. I think the best for them would be... belt and braces by
default. I mean loopback+firewall. Then they can easily choose the
configuration that suits them best. But please make sure that this does
not cause everyone else to have firewalling by default!


> In all likelihood, if we go down the route of disabling network services
> when we hit a public network, we are likely to miss one. This leaves a
> security weakness that simply adding a single firewall rule that blocks all
> incoming traffic on that interface would not leave.

I like it, as long as this applies only to the minority of people
actually running some network services. The majority of average end
users never running any (non-loopback) network service should never see
or be bothered by any firewall-related question, especially not when
trying to run skype or bittorrent.


> Sorry if I've come off as quite aggressive in this email, I'm told that my
> writing style has that effect. Please don't take it as an attack on you or
> anything like that.

You are fine.
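The "NetworkManager runs netstat -l and warns me" idea from the message above, sketched as an added example that is not code from the thread or from NetworkManager: it parses net-tools style `netstat -lnt` output and reports only the listeners bound to a wildcard or non-loopback address, which is the "network services enabled" view the message argues for. The netstat lines below are constructed sample output, and the column layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): flag services that are reachable from
# the network, i.e. listening on something other than 127.x.x.x or ::1.

# Constructed sample of `netstat -lnt` output; not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

# Read netstat output on stdin; print "proto local-address" for each
# listener that is not bound to a loopback address.
exposed_listeners() {
    # Keep LISTEN rows only (State is the last field); column 4 is the
    # local address. Loopback binds (127.*, ::1) are the safe-by-default
    # case the message describes and are dropped.
    awk '$NF == "LISTEN" {
            addr = $4
            if (addr ~ /^127\./ || addr ~ /^::1:/) next
            print $1, addr
         }'
}

# Return 0 and print a warning when something is exposed, 1 when the host
# only listens on loopback (the "nothing to do" case).
warn_if_exposed() {
    exposed=$(exposed_listeners)
    if [ -n "$exposed" ]; then
        printf 'warning: services reachable on this network:\n%s\n' \
            "$exposed" >&2
        return 0
    fi
    return 1
}

# Stand-alone run against the constructed sample (apache on :80 and sshd on
# :22 are reported; mysql, cups and postfix on loopback are not).
printf '%s\n' "$SAMPLE_NETSTAT" | warn_if_exposed
```

On a live system you would feed it `netstat -lnt` (or `netstat -lntp` as root to get the daemon name, as the message notes) instead of the sample.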
