Firewall Wizards: RE: Intrusion Detection

[John McDermott <jjm () jkintl com>]

Russ,

--- On Fri, 17 Apr 1998 19:04:02 -0400  Russ <Russ.Cooper () rc on ca> wrote:

> > In many ways it would be nice to have some universal sort of way to
> > explain policy to devices, but in doing so machine misinterpretation
> > of that policy might distribute errors to multiple devices.
> Well, there are pros and cons here. I might prefer to have the same
> error throughout my environment rather than having the potential to
> create errors in numerous independent implementations.
I agree to the extent that it might be acceptable to have the same error in 
all devices of the same type (e.g. firewalls).

> If I misconfigure and open a hole, I do so everywhere using a common
> policy deployment. If I don't, I multiply the times of opportunity to
> introduce a hole (each configuration introduces another opportunity),
> and reduce the possibility of discovering it myself (because I have to
> audit numerous implementations).
Agreed.  This clearly is why some sort of universal policy editor or some 
such thing might be nice.

> > I'm far from saying that I have even a really strong clue how to deal
> > with this in a clean way, but too tight a coupling could lead to a
> > serious problem, as I see it.
> Well, I won't argue your "serious problem", but maybe we need to define
> serious better. I would end up with a more "wide-scale problem" using
> mass policy deployment. That could possibly lead to an increased
> opportunity for exploit.
The issue here is greater than that as I see it.  Marcus talked about IDSs 
as a way to discover whether a firewall is implementing policy the way one 
wants.  For this reason, if they are configured in tandem, a "policy leak" 
might be created.  That is, an error in the firewall configuration might 
not be detected by the IDS because of a similar configuration error there.

> On the other hand, if I only have to monitor a single policy
> configuration method, I might be able to do a better job of it. For
> example, instead of having to have a Firewall Administrator at every
> site, I might be able to take half as many bodies and place them in a
> central Firewall Operations Center (FOC), and then use an approval
> policy that has configuration changes signed off by multiple
> individuals.
Yes, sure.  This is a very big win. If you have a good verification system 
as you propose (and if the organization is large enough to have that many 
knowledgable firewall folks), it would probably mitigate the problem.  You 
understand that "the buck must stop" at a human, but too many organizations 
with whom I deal seem to trust the software too far.

> If the process is automated, then the same theories apply to the process
> that modifies how the AI deals with things.
>
> Cheers,
> Russ Cooper
--john
-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------