
RE: [WEB SECURITY] Query: Are Firewalls obsolete in an Enterprise Web Service Environment?




Outside of helping our friend with his dissertation, the point is
actually moot and not worth getting hot over. How about some
non-engineering truths?

1. Financial--The industry will not kill a sector as long as there are
buyers who will believe the FUD. If you disrupt and attack partner or
customer solutions, they do not buy your stuff. This is the real meaning
of coopetition.

2. Legal--As a friend once told me, try not doing the minimum legacy
defense in depth (i.e., firewalls) that a "reasonable" non-IT professional
would do and see how you hold up after a failure.

3. Organizational Politics--reduce your department and requirements and
see how long it takes you to be demoted and reduced in influence to a
position relative to the size of your budget and direct reports. (OK,
maybe you get booted up for saving $ and your successor gets demoted).

Dave

-----Original Message-----
From: arian.evans@gmail.com [mailto:arian.evans@gmail.com] On Behalf Of
Arian J. Evans
Sent: Thursday, March 27, 2008 8:43 PM
To: Justin Thomas; WASC Forum
Subject: Re: [WEB SECURITY] Query: Are Firewalls obsolete in an Enterprise Web Service Environment?

So basically all we have left is "reducing attack
surface by IP restrictions?" And we don't even
need a firewall for that. I do that in my webserver.

I said in my first reply that firewalls were useful for:

+ Port and protocol pairing
+ IP restrictions

and I'll add

+ Nice centralized management GUI for that stuff

You could add rate limitation, but most real world
firewall deployments don't have enough memory
to handle many IPS and anti-DDoS functions.

In the real world I see very little web software
with IP restrictions.

In the real world firewalls don't seem to be
useful at protecting sensitive information
in our vulnerable software.

It sure doesn't seem to be helping much with
protecting cardholder data either.

So, I think we are agreeing on what firewalls
can be used for.

Yet I'm still saying that compared to all the
very real threats we're facing, the attacks that
we are undergoing, and the software weaknesses
that are being exploited....that's just not really
that relevant or useful.

And all I'm hearing in response are the mindless
platitudes of "Defense in Depth" and "Reduced
Attack Surface".

Um, okay, sure.

-- 
Arian Evans, software security stuff

reformed hacker turned animal rights activist to meet hot chicks
concerned with those tasty animals


On Thu, Mar 27, 2008 at 2:30 PM, Justin Thomas
<justin@brynnandjustin.com> wrote:
> "Can someone put forth some meaningful statement about how your
>  network firewalls somehow protect your applications from the WASC 24 or
>  Mitre CWE or Phishing or web service-specific attacks?"
>
>  I'll bite.
>
>  By limiting basic exposure.  If a service exists to facilitate a
>  partner connection, for example, only that partner should be permitted
>  through the perimeter (or, perhaps, partner) firewall (by their
>  network addresses) to access the servers and network ports on which
>  that service is exposed.
>

>  On Thu, Mar 27, 2008 at 1:34 PM, Arian J. Evans
>  <arian.evans@anachronic.com> wrote:
>
>  >  Well, let me re-iterate lest your points be confused
>  >  for my statements. I'm not sure whom you were
>  >  responding to, but I want my points to be clear:
>  >
>  >  1. I said the perimeter is dead. And it is. Sorry,
>  >  but you're just wrong. I could write ten paragraphs
>  >  or you could go visit salesforce.com, successfactors.com
>  >  and docs.google.com, and see if any of your
>  >  "large enterprise's" data is in them.
>  >
>  >  2. I never said WAFs are useless. I said the
>  >  exact opposite. I said the vendors' marketing
>  >  messages are the problem. I also said the vendors
>  >  aren't doing much to address semantic issues
>  >  (aside from marketing drivel), which are very
>  >  important in our web apps (but less in web services).
>  >
>  >  3. I never said web services change everything.
>  >  But I do think their use-case changes a lot.
>  >
>  >  All your CORBA apps ran over a flat internal
>  >  network, maybe a WAN. And they ran unencrypted.
>  >  Same with all your other headless
>  >  apps or message queue systems.
>  >
>  >  The controls were all server side, if there
>  >  were any controls.
>  >
>  >  Web services change two paradigms:
>  >
>  >  3.1 The contention methods you use to
>  >  connect them (e.g. PUBLIC not private
>  >  internet and encryption)
>  >
>  >  3.2 Data constraints and validation: Most
>  >  "web apps" put their data control somewhere
>  >  around the presentation layer or close in MVC.
>  >
>  >  Once you glue a bunch of web apps together
>  >  via web services, and everyone on the planet
>  >  is doing this today, half of your data controls
>  >  in your application no longer work as designed.
>  >
>  >  Seriously. The perimeter is dead. Get over it.
>  >
>  >  There hasn't been a SQL Slammer worm in
>  >  OVER FIVE YEARS. Wake up. It's Phishers
>  >  and SQL Injection bots, and you aren't dealing
>  >  with either one of those via your "perimeters".
>  >
>  >  I have asked repeatedly, and I'll ask again:
>  >
>  >  Can someone put forth some meaningful
>  >  statement about how your network firewalls
>  >  somehow protect your applications from
>  >  the WASC 24 or Mitre CWE or Phishing
>  >  or web service-specific attacks?
>  >
>  >  I'm still waiting for some useful examples,
>  >  beyond ipchains config to rate-limit in case
>  >  the "hackers" decide to DoS your web
>  >  service some day (which, incidentally, in
>  >  10 years of responding to incidents, I've
>  >  only seen used against online gambling sites).
>  >
>  >  I will even humor syntax arguments about
>  >  how your IPS or "AI" can detect and remove
>  >  ASCII Char(127) or a "UNION SELECT *
>  >  FROM *" from a querystring. Or whatever
>  >  "thing" it does to protect you.
>  >
>  >  If not, case closed, thread dead.
>  >
>  >  -ae
>  >

>  >  On Thu, Mar 27, 2008 at 10:44 AM, Rafal M. Los <rafal@ishackingyou.com> wrote:
>  >  > Arian, all,
>  >  >
>  >  >         I've been working in "extremely large enterprises" for at
>  >  >  least 5 years, going on forever, and I can see where the
>  >  >  idea that "the perimeter is a myth" can be perceived.  While
>  >  >  I understand how you may think that, the thought is still wrong.
>  >  >
>  >  >         Let's take as fact that malicious activity as a whole has
>  >  >  evolved over the past 10 years in a manner that makes
>  >  >  "network access control" an order of magnitude less
>  >  >  important.  Since just about everyone can agree on that,
>  >  >  I'll take my argument from that beachhead and move on,
>  >  >  addressing specific points.
>  >  >
>  >  >  1) The perimeter is "dead"
>  >  >         First, let me say that I disagree that the perimeter is a
>  >  >  thing of the past.  While the perimeter has certainly become
>  >  >  "blurry" in some cases, this generality isn't a case where
>  >  >  it happened by necessity, rather, by accident.  I've been
>  >  >  through enough integrations where the border between "us"
>  >  >  and "them" has all but dissolved to know that this isn't by
>  >  >  design.  It just happens sometimes when we architect
>  >  >  carelessly, or just let things happen.  I will argue that
>  >  >  this is a bad thing, and should be addressed by a proper
>  >  >  review from your enterprise architecture group, involving
>  >  >  your security folks, obviously.  The perimeter, while it has
>  >  >  become fuzzy in some places, needs to be maintained for the
>  >  >  overall health of a business.  Access to resources should be
>  >  >  limited, and controlled, and without firewalls in the
>  >  >  enterprise this becomes more disparate and difficult.  The
>  >  >  problem most architects see with firewalls is that they are
>  >  >  effectively the bouncer at the door to the bar, and this
>  >  >  assumes the bar has only one entrance/exit - or that all
>  >  >  entrances/exits (egress/ingress points) have a bouncer (or
>  >  >  firewall in this case) at those points.  The problem comes
>  >  >  in places like highly meshed networks where access into a
>  >  >  segment happens from many places, or "network segments" are
>  >  >  virtual rather than physical entities.  While technology and
>  >  >  today's business tends to drive us in IT to dissolve borders
>  >  >  in the name of productivity and usability - it doesn't mean
>  >  >  we should be giving in to those drivers in exchange for our
>  >  >  own common sense.
>  >  >
>  >  >  2) WAFs (although mis-named) are useless
>  >  >         Web Application Firewalls (although I personally feel they
>  >  >  should be called Web Application Gateways) are wonderful
>  >  >  when implemented properly.  While they definitely do NOT
>  >  >  substitute for good coding practice (I can talk about this
>  >  >  point all night long) it still helps you filter out those
>  >  >  high-probability, easy-to-execute attacks classified as "low
>  >  >  hanging fruit".  There are at least 2 WAF vendors that I
>  >  >  have personally reviewed and can talk about at length if
>  >  >  anyone's interested, although I don't want to promote any
>  >  >  particular vendor here.  WAFs should do the following two
>  >  >  things: 1) understand the application flow & parameters and
>  >  >  2) filter out "bad" things (signature/regexp based
>  >  >  detection).  A combination of the two will certainly help
>  >  >  eliminate a good portion of the web vulnerabilities out
>  >  >  there.  Having reviewed over 500 applications in my time, I
>  >  >  can honestly say that the 80/20 principle applies.  20% of
>  >  >  the vulnerabilities cause 80% of the damage.  Those, I
>  >  >  strongly feel, are the things that we can as security
>  >  >  professionals identify and remediate via automated methods
>  >  >  and tools.  The other 80% of vulnerabilities are the ones
>  >  >  that are logic-flaw based, requiring the attacker to really
>  >  >  understand things like process flow, business logic in order
>  >  >  to cause issues.  Unfortunately, those vulnerabilities will
>  >  >  never be detected by any automated tool - simply because it
>  >  >  requires the power of the human mind and the understanding
>  >  >  of a warm body to identify those attacks.  The problem with
>  >  >  those attacks is that they typically take extensive time to
>  >  >  identify and exploit - thus the reason why attackers opt for
>  >  >  scanners and automated tools like SQL injectors to find and
>  >  >  exploit the easy holes.  I go back to one of my favorite
>  >  >  cartoons in IT... there is a bear chasing 2 hikers and one
>  >  >  of them stops to tie his shoe.  The other hiker is screaming
>  >  >  at him that the bear will catch him, and that they must
>  >  >  outrun the bear... the hiker tying his shoe smiles and says
>  >  >  "I don't have to outrun the bear, I just have to outrun
>  >  >  you!"  This is the world of business folks - the low hanging
>  >  >  fruit is what will be exploited.  If you don't understand
>  >  >  the ideas of acceptable risk, and "good enough" - you're in
>  >  >  trouble.  So sliding back to my point... while WAFs may not
>  >  >  be the magic silver bullet, and conceding that there are a
>  >  >  lot of really dumb implementations out there (CheckPoint's
>  >  >  AI, and many others) WAFs are useful and should be used in
>  >  >  conjunction with secure code development practices and
>  >  >  tools.  Does this mean that the "firewall" is dead? No.  It
>  >  >  means that while a firewall has its place, it's clearly not
>  >  >  at the application layer, and doesn't serve much more
>  >  >  purpose at the higher-level points in the OSI model.
>  >  >
>  >  >  3) Web Services somehow makes everything "different"
>  >  >         I swear if I hear one more person tell me that "Web
>  >  >  Services has fundamentally changed everything" I'm going to
>  >  >  scream.  This simply isn't the case.  We've had web services
>  >  >  for years, but we've simply not called it that before.  How
>  >  >  many of us have had to deal with headless applications which
>  >  >  act as data-processing engines via HTTP?  I know I have.
>  >  >  Web services hitting the market simply tells us that we have
>  >  >  to look at our architectures and re-evaluate some of the
>  >  >  things we've been doing, and apply those lessons-learned
>  >  >  from serving pages to the "Web" to yet another slightly
>  >  >  different method of doing so.  Let me admit that
>  >  >  fundamentally, web services are slightly different than a
>  >  >  web server, in that there are re-usable components, an ESB,
>  >  >  and lots of things all happening in the same "security
>  >  >  zone".  This doesn't fundamentally change the game, though,
>  >  >  in my humble view.  A firewall outside at the perimeter can
>  >  >  still keep the usual barrage of crap from consuming your
>  >  >  valuable resources on the Web Service.  That being said, if
>  >  >  you have a web service that's open to the world - a firewall
>  >  >  isn't really going to help THAT web service be more
>  >  >  protected, outside of keeping the rest of the ports on that
>  >  >  machine (real or virtual) from being accessed from the
>  >  >  outside or hostile world.  Firewalls have their uses in
>  >  >  every aspect of our businesses, keeping segments separate
>  >  >  and acting as the big-mesh screen that pulls out the obvious
>  >  >  and the unwelcome at an ip/port/protocol layer.  But just
>  >  >  like with web servers, once you've figured out that some web
>  >  >  server is vulnerable on port 80 to an attack, the firewall
>  >  >  will let you poke at that defect all day long without the
>  >  >  use of a more intelligent device behind the firewall.
>  >  >
>  >  >  In summary - firewalls are far from dead and useless, the
>  >  >  perimeter is alive and well (or at least it should be) and
>  >  >  if you're arguing otherwise I say to you - "You've given in
>  >  >  to the pressures that the business has put on IT to 'just
>  >  >  make it happen, worry about the security later'".
>  >  >
>  >  >  This is my opinion, and I'm sticking to it.
>  >  >
>  >  >  Cheers all.
>  >  >
>  >  >
>  >  >  Rafal (Ralph) M. Los
>  >  >  IT Security - Response | Mitigation | Strategy
>  >  >
>  >  >  E-mail:  rafal@ishackingyou.com
>  >  >  Direct:  +1 (847) 426-2621
>  >  >  Mobile:  +1 (404) 606-6056
>  >  >   - gPGP:    0xFFC63B33
>  >  >   - Blog:    http://preachsecurity.blogspot.com
>  >  >   - Web:     http://www.ishackingyou.com
>  >  >   - LinkedIn:http://www.linkedin.com/in/rmlos
>  >  >
>  >  >

>  >  >  Arian J. Evans wrote:
>  >  >  > William --
>  >  >  >
>  >  >  > Bang. Dead. Done. Network firewalls are obsolete, or better
>  >  >  > said -- they have less value today than they did in 1995-2003,
>  >  >  > especially for the purposes of protecting your software.
>  >  >  >
>  >  >  > Apparently others are not thinking correctly about this yet.
>  >  >  >
>  >  >  > The perimeter has been dead for a long time. I used to tell people
>  >  >  > this back around 2001 when I was helping glue web services and
>  >  >  > asynchronous message queues together for financial institutions.
>  >  >  > People didn't get it while their precious data was flapping in the
>  >  >  > wind the whole time.
>  >  >  >
>  >  >  > Network firewalls have a valid use as an access control mechanism,
>  >  >  > for port and protocol pairing, and IP filtering, but that's it.
>  >  >  >
>  >  >  > Networks have little to do with applications, and network security
>  >  >  > has little to do with application security, though it exists almost
>  >  >  > entirely because of it. (Necessary, but not sufficient.)
>  >  >  >
>  >  >  > The firewall vendors have desperately tried to add junk features
>  >  >  > to play in this space -- let's take Checkpoint's "AI"...."Application
>  >  >  > Intelligence". I could argue most of the features are junk, but
>  >  >  > let's say, for the sake of amusement, that Checkpoint actually
>  >  >  > has some "application intelligence".
>  >  >  >
>  >  >  > It won't ever see the interesting traffic. Not only does it lack
>  >  >  > the notion of session and state, but it is a syntactical device
>  >  >  > trying to solve a semantic problem. Never gonna work.
>  >  >  >
>  >  >  > Even more so -- any interesting sessions are SSL encrypted,
>  >  >  > and no network devices are able to inspect that traffic. (true,
>  >  >  > this could be solved with minimal implementation, but out
>  >  >  > in the real world -- no one terminates SSL except on their
>  >  >  > webservers or load balancers. Seriously.)
>  >  >  >
>  >  >  > Let's discuss web application firewalls. They aren't firewalls.
>  >  >  >
>  >  >  > They are intermediary proxies trying to syntactically scrub
>  >  >  > traffic, and largely they all fail due to poor implementation,
>  >  >  > poor design/interface, or lack of good data.
>  >  >  >
>  >  >  > "Software Security" is one part syntax problem, and one
>  >  >  > large part semantic problem. Nothing with the word
>  >  >  > "firewall" in it today understands the semantic web.
>  >  >  >
>  >  >  > The WAFs could, and hopefully we can get them to do so
>  >  >  > once they let go of their insane marketing messages.
>  >  >  >
>  >  >  > Incidentally -- I think this will change soon though. A
>  >  >  > couple of WAF vendors already "get it", and a few more
>  >  >  > are coming to market that will (hopefully) give us what
>  >  >  > we all need from web application "firewalls".
>  >  >  >
>  >  >  > But they won't be a "firewall", despite the fact we'll
>  >  >  > probably still call them that.
>  >  >  >
>  >  >  > --
>  >  >  >
>  >  >  > The world has already had plenty of free network penetration
>  >  >  > tests. SQL Slammer was a great one, for example.
>  >  >  >
>  >  >  > With recent SQL Inject bots/massive scripted attacks, the
>  >  >  > software world is starting to get them too.
>  >  >  >
>  >  >  > SQL injection is a syntax problem, so we COULD solve
>  >  >  > that with a little (or a lot) of perimeter data scrubbing aka
>  >  >  > a firewall, but there are many classes of weaknesses
>  >  >  > that require a semantic notion of use-case or inferred
>  >  >  > understanding of the software to "protect".
>  >  >  >
>  >  >  > The problem here is that the perimeter is dead, so it's
>  >  >  > damn near impossible to "firewall" off an entire piece
>  >  >  > of software and make money with it too.
>  >  >  >
>  >  >  > I think the WAFs (web app "firewalls") will evolve
>  >  >  > to be protocol aware IPS devices, e.g. apply
>  >  >  > "virtual patches" to known issues.
>  >  >  >
>  >  >  > Possibly, some day, somebody will take all the
>  >  >  > lessons we learned from NBADs and apply them
>  >  >  > to software use-case and then we'll have a really
>  >  >  > smart, business-enabling WAF that is semantic
>  >  >  > in nature, and possibly statistical with regards
>  >  >  > to syntax issues.
>  >  >  >
>  >  >  > But today, most are still poorly marketed as "firewalls"
>  >  >  > that magically "learn" your software and "firewall"
>  >  >  > it off somehow. They can't and they don't, and
>  >  >  > they've missed that firewalls are dead anyway.
>  >  >  >
>  >  >  > So yes: all of the perimeter network widgets
>  >  >  > marketed as Firewalls/IDS/IPS are pretty much
>  >  >  > dead and useless for the currently evolving
>  >  >  > threat landscape.
>  >  >  >
>  >  >  > If the WAFs evolve into known weak attack-vector
>  >  >  > blockers, or use-case enforcers, they will probably
>  >  >  > make a great network widget solution, but they
>  >  >  > really won't be anything like a network "firewall".
>  >  >  >
>  >  >  > Network Firewalls are great at detecting and blocking
>  >  >  > things like nmap scans.
>  >  >  >
>  >  >  > If you want to detect or to block those nmap scans,
>  >  >  > by all means, have at it.
>  >  >  >
>  >  >  > But, but, who cares.
>  >  >  >
>  >  >  > I believe I heard PCI or VISA say most cardholder
>  >  >  > data is lost through SQL Injection.
>  >  >  >
>  >  >  > I'd love for IBM's managed services to publish
>  >  >  > some attack and compromise statistics (or anyone
>  >  >  > with a large amount of measured network traffic).
>  >  >  >
>  >  >  > But, until someone releases some really hard
>  >  >  > data, I'm going to go with what we read in the
>  >  >  > news that is causing companies real issues,
>  >  >  > and it's almost never anything that a firewall
>  >  >  > can do much about.
>  >  >  >
>  >  >  > It's usually rogue wireless, or too high of a privilege
>  >  >  > level in the software, or a flaw in some piece of
>  >  >  > software that someone bad had access to.
>  >  >  >
>  >  >  > Firewall or not.
>  >  >  >
>  >  >  > Thanks for the great question. Cheers,
>  >  >  >
>  >  >
>  >
>  >
>  >  --
>  >  Arian Evans, software security stuff
>  >
>  >  reformed hacker turned animal rights activist to meet hot chicks
>  >  concerned with those tasty animals
>  >

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:

http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:

http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
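The thread keeps circling back to the same two controls that everyone concedes a network firewall actually provides (port/protocol pairing and source-IP restriction, as in Justin's partner-only service), plus Arian's remark that he does the IP restriction in his web server instead, and Rafal's point that once a partner or the public can reach port 80, the firewall "will let you poke at that defect all day long". The block below is an added example, written for this page and not code from any participant in the thread: it models a small perimeter rule set and the web-tier allow-list equivalent against constructed sample connections, so the two can be compared. The partner range, the proxy range, the service ports and every sample address are assumptions for the example (RFC 5737 documentation and RFC 1918 ranges); nothing here is a real deployment.

```python
"""Added example (not from the thread): port/protocol + source-IP filtering as a
perimeter firewall sees it, next to the same allow-list enforced in the web tier.
All addresses, ports and ranges are assumed values chosen for the example."""
import ipaddress
from dataclasses import dataclass


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp" or "udp"
    dport: int      # destination port the service listens on
    sources: tuple  # ip_network objects allowed to reach it


# Assumed layout: a partner-only web service on TCP/8443, a public web app on
# TCP/443, and an implicit default deny for everything else.
PARTNER_NET = net("203.0.113.0/24")          # stands in for "the partner"
FIREWALL_RULES = (
    Rule("tcp", 8443, (PARTNER_NET,)),
    Rule("tcp", 443, (net("0.0.0.0/0"),)),
)


def firewall_allows(proto, dport, src, rules=FIREWALL_RULES):
    """Perimeter decision: any matching (proto, port, source) rule allows; no
    match means drop. The request payload is deliberately not a parameter: an
    L3/L4 filter never sees it, so an allowed source can still send a hostile
    request through."""
    ip = ipaddress.ip_address(src)
    return any(
        r.proto == proto and r.dport == dport and any(ip in n for n in r.sources)
        for r in rules
    )


# Assumed: internal load balancers that terminate TLS and add X-Forwarded-For.
TRUSTED_PROXIES = (net("10.0.0.0/8"),)


def client_ip(peer, xff=None, trusted=TRUSTED_PROXIES):
    """Which address the web tier should treat as the client. X-Forwarded-For is
    attacker-controlled unless the TCP peer is one of our own proxies; with a
    proxy that appends exactly one hop, the rightmost entry is the one it added
    and everything to its left came from the client."""
    peer_ip = ipaddress.ip_address(peer)
    if xff and any(peer_ip in n for n in trusted):
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer_ip


def app_allows(peer, xff=None, allowed=(PARTNER_NET,)):
    """The 'I do that in my webserver' variant: the same allow-list enforced in
    the application instead of at the perimeter."""
    return any(client_ip(peer, xff) in n for n in allowed)


# Constructed sample connections: (proto, dport, source, request line).
SAMPLE = (
    ("tcp", 8443, "203.0.113.7", "POST /partner/orders HTTP/1.1"),
    ("tcp", 8443, "198.51.100.9", "POST /partner/orders HTTP/1.1"),
    ("udp", 8443, "203.0.113.7", "-"),
    ("tcp", 22, "203.0.113.7", "-"),
    ("tcp", 443, "198.51.100.9", "GET /item?id=1 UNION SELECT 1,2,3-- HTTP/1.1"),
    ("tcp", 8443, "203.0.113.7", "POST /partner/orders?id=1' OR 1=1-- HTTP/1.1"),
)


def run(sample=SAMPLE):
    """Return [(request line, 'ALLOW' or 'DROP')] for each sample connection."""
    return [(req, "ALLOW" if firewall_allows(p, d, s) else "DROP")
            for p, d, s, req in sample]


if __name__ == "__main__":
    for req, verdict in run():
        print(f"{verdict:5} {req}")
```

Two things worth noticing when it runs. The last two sample requests are allowed on exactly the same footing as the legitimate partner call, because the rule set only ever looks at protocol, port and source; that is the concession both sides of the thread make. And the web-tier version is only as good as its handling of `X-Forwarded-For`: if the peer is not one of your own proxies, the header is ignored and the TCP peer address is used, otherwise a client could claim a partner address in the header and walk straight past the allow-list.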



stuff<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>reformed hacker turned animal rights activist to meet hot =
chicks<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>concerned with those tasty animals<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>On Thu, Mar 27, 2008 at 2:30 PM, Justin =
Thomas<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&lt;justin@brynnandjustin.com&gt; =
wrote:<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt; &quot;Can someone put forth some meaningful statement about =
how
your<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; network firewalls somehow protect your applications =
from the
WASC 24 or<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;<o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt; Mitre CWE or Phishing or web service-specific =
attacks?&quot;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;<o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; I'll bite.<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;<o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; By limiting basic exposure.&nbsp; If a service exists =
to
facilitate a<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; partner connection, for example, only that partner =
should be
permitted<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; through the perimeter (or, perhaps, partner) firewall =
(by
their<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; network addresses) to access the servers and network =
ports
on which<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; that service is exposed.<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;<o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; On Thu, Mar 27, 2008 at 1:34 PM, Arian J. =
Evans<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;<o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt; &lt;arian.evans@anachronic.com&gt; =
wrote:<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;<o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;<o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt; &gt; Well, let me re-iterate lest your points be =
confused<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; for my statements. I'm not sure whom you =
were<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; responding to, but I want my points to be =
clear:<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; 1. I said the perimeter is dead. And it =
is.
Sorry,<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; but you're just wrong. I could write ten
paragraphs<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; or you could go visit salesforce.com,
successfactors.com<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; and docs.google.com, and see if any of =
your<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &quot;large enterprise's&quot; data is in =
them.<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; 2. I never said WAFs are useless. I said =
the<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; exact opposite. I said the vendors' =
marketing<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; messages are the problem. I also said the =
vendors<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; aren't doing much to address semantic =
issues<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; (aside from marketing drivel), which are =
very<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; important in our web apps (but less in web =
services).<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; 3. I never said web services change =
everything.<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; But I do think their use-case changes a =
lot.<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; All your CORBA apps ran over a flat =
internal<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; network, maybe a WAN. And they ran =
un-<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; encrypted. Same with all your other =
headless<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; apps or message queue =
systems.<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; The controls were all server side, if =
there<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; were any =
controls.<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; Web services change two =
paradigms:<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; 3.1 The contention methods you use =
to<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; connect them (e.g. PUBLIC not =
private<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; internet and =
encryption)<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; 3.2 Data constraints and validation: =
Most<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &quot;web apps&quot; put their data =
control
somewhere<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; around the presentation layer or close in =
MVC.<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; Once you glue a bunch of web apps =
together<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; via web services, and everyone on the =
planet<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; is doing this today, half of your data =
controls<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; in your application no longer work as =
designed.<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; Seriously. The perimeter is dead. Get over =
it.<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; There hasn't been a SQL Slammer worm =
in<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; OVER FIVE YEARS. Wake up. It's =
Phishers<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; and SQL Injection bots, and you aren't =
dealing<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; with either one of those via your
&quot;perimeters&quot;.<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; I have asked repeatedly, and I'll ask =
again:<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; Can someone put forth some =
meaningful<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; statement about how your network =
firewalls<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; somehow protect your applications =
from<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; the WASC 24 or Mitre CWE or =
Phishing<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; or web service-specific =
attacks?<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; I'm still waiting for some useful =
examples,<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; beyond ipchains config to rate-limit in =
case<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; the &quot;hackers&quot; decide to DoS your =
web<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; service some day (which, incidentally, =
in<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; 10 years of responding to incidents, =
I've<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; only seen used against online gambling =
sites).<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; I will even humor syntax arguments =
about<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; how your IPS or &quot;AI&quot; can detect =
and
remove<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; ASCII Char(127) or a &quot;UNION
SELECT *<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; FROM *&quot; from a querystring. Or =
whatever<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &quot;thing&quot; it does to protect =
you.<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; If not, case closed, thread =
dead.<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; -ae<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; On Thu, Mar 27, 2008 at 10:44 AM, Rafal M. =
Los
&lt;rafal@ishackingyou.com&gt; wrote:<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt; Arian, =
all,<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp;
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; I've been working =
in
&quot;extremely large enterprises&quot; for =
at<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; least 5 years, going on =
forever, and I
can see where the<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; idea that &quot;the perimeter =
is a
myth&quot; can be perceived.&nbsp; While<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; I understand how you may think =
that, the
thought is still wrong.<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp;
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Let's take as fact =
that
malicious activity as a whole has<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; evolved over the past 10 years =
in a
manner that makes<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; &quot;network access =
control&quot; an
order of magnitude less<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; important.&nbsp; Since just =
about
everyone can agree on that,<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; I'll take my argument from that
beachhead and move on,<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; addressing specific =
points.<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; 1) The perimeter is =
&quot;dead&quot;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp;
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; First, let me say =
that I
disagree that the perimeter is a<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; thing of the past.&nbsp; While =
the
perimeter has certainly become<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; &quot;blurry&quot; in some =
cases, this
generality isn't a case where<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; it happened by necessity, =
rather, by
accident.&nbsp; I've been<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; through enough integrations =
where the
border between &quot;us&quot;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; and &quot;them&quot; has all =
but
dissolved to know that this isn't by<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; design.&nbsp; It just happens
sometimes when we architect<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; carelessly, or just let things
happen.&nbsp; I will argue that<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; this is a bad thing, and should =
be
addressed by a proper<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; review from your enterprise
architecture group, involving<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; your security folks, =
obviously.&nbsp;
The perimeter, while it has<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; become fuzzy in some places =
needs to
be maintained for the<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; overall health of a =
business.&nbsp;
Access to resources should be<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; limited, and controlled, and =
without
firewalls in the<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; enterprise this becomes more =
disparate
and difficult.&nbsp; The<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; problem most architects see =
with
firewalls is that they are<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; effectively the bouncer at the =
door to
the bar, and this<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; assumes the bar has only one
entrance/exit - or that all<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; entrances/exits (egress/ingress
points) have a bouncer (or<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; firewall in this case) at those
points.&nbsp; The problem comes<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; in places like highly meshed =
networks
where access into a<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; segment happens from many =
places, or
&quot;network segments&quot; are<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; virtual rather than physical
entities.&nbsp; While technology and<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; today's business tends to drive =
us in
IT to dissolve borders<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; in the name of productivity and
usability - it doesn't mean<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; we should be giving in to those
drivers in exchange for our<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; own common =
sense.<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>&gt;&nbsp; &gt;&nbsp; &gt;&nbsp; 2) WAFs (although mis-named) =
are
useless<o:p></o:p></span></font></p>

> > >         Web Application Firewalls (although I personally feel they
> > > should be called Web Application Gateways) are wonderful
> > > when implemented properly.  While they definitely do NOT
> > > substitute for good coding practice (I can talk about this
> > > point all night long) it still helps you filter out those
> > > high-probability, easy-to-execute attacks classified as "low
> > > hanging fruit".  There are at least 2 WAF vendors that I
> > > have personally reviewed and can talk about at length if
> > > anyone's interested, although I don't want to promote any
> > > particular vendor here.  WAFs should do the following two
> > > things: 1) understand the application flow & parameters and
> > > 2) filter out "bad" things (signature/regexp based
> > > detection).  A combination of the two will certainly help
> > > eliminate a good portion of the web vulnerabilities out
> > > there.  Having reviewed over 500 applications in my time, I
> > > can honestly say that the 80/20 principle applies.  20% of
> > > the vulnerabilities cause 80% of the damage.  Those, I
> > > strongly feel, are the things that we can as security
> > > professionals identify and remediate via automated methods
> > > and tools.  The other 80% of vulnerabilities are the ones
> > > that are logic-flaw based, requiring the attacker to really
> > > understand things like process flow, business logic in order
> > > to cause issues.  Unfortunately, those vulnerabilities will
> > > never be detected by any automated tool - simply because it
> > > requires the power of the human mind and the understanding
> > > of a warm body to identify those attacks.  The problem with
> > > those attacks is that they typically take extensive time to
> > > identify and exploit - thus the reason why attackers opt for
> > > scanners and automated tools like SQL injectors to find and
> > > exploit the easy holes.  I go back to one of my favorite
> > > cartoons in IT... there is a bear chasing 2 hikers and one
> > > of them stops to tie his shoe.  The other hiker is screaming
> > > at him that the bear will catch him, and that they must
> > > outrun the bear... the hiker tying his shoe smiles and says
> > > "I don't have to outrun the bear, I just have to outrun
> > > you!"  This is the world of business folks - the low hanging
> > > fruit is what will be exploited.  If you don't understand
> > > the ideas of acceptable risk, and "good enough" - you're in
> > > trouble.  So sliding back to my point... while WAFs may not
> > > be the magic silver bullet, and conceding that there are a
> > > lot of really dumb implementations out there (CheckPoint's
> > > AI, and many others) WAFs are useful and should be used in
> > > conjunction with secure code development practices and
> > > tools.  Does this mean that the "firewall" is dead, no.  It
> > > means that while a firewall has its place, it's clearly not
> > > at the application layer, and doesn't serve much more
> > > purpose at the higher-level points in the OSI model.
> > >
> > > 3) Web Services somehow makes everything "different"
> > >         I swear if I hear one more person tell me that "Web
> > > Services has fundamentally changed everything" I'm going to
> > > scream.  This simply isn't the case.  We've had web services
> > > for years, but we've simply not called it that before.  How
> > > many of us have had to deal with headless applications which
> > > act as data-processing engines via HTTP?  I know I have.
> > > Web services hitting the market simply tells us that we have
> > > to look at our architectures and re-evaluate some of the
> > > things we've been doing, and apply those lessons-learned
> > > from serving pages to the "Web" to yet another slightly
> > > different method of doing so.  Let me admit that
> > > fundamentally, web services are slightly different than a
> > > web server, in that there are re-usable components, an ESB,
> > > and lots of things all happening in the same "security
> > > zone".  This doesn't fundamentally change the game, though,
> > > in my humble view.  A firewall outside at the perimeter can
> > > still keep the usual barrage of crap from consuming your
> > > valuable resources on the Web Service.  That being said, if
> > > you have a web service that's open to the world - a firewall
> > > isn't really going to help THAT web service be more
> > > protected, outside of keeping the rest of the ports on that
> > > machine (real or virtual) from being accessed from the
> > > outside or hostile world.  Firewalls have their uses in
> > > every aspect of our businesses, keeping segments separate
> > > and acting as the big-mesh screen that pulls out the obvious
> > > and the unwelcome at an ip/port/protocol layer.  But just
> > > like with web servers, once you've figured out that some web
> > > server is vulnerable on port 80 to an attack, the firewall
> > > will let you poke at that defect all day long without the
> > > use of a more intelligent device behind the firewall.
> > >
> > > In summary - firewalls are far from dead and useless, the
> > > perimeter is alive and well (or at least it should be) and
> > > if you're arguing otherwise I say to you - "You've given in
> > > to the pressures that the business has put on IT to "just
> > > make it happen, worry about the security later".
> > >
> > > This is my opinion, and I'm sticking to it.
> > >
> > > Cheers all.
> > >
> > >
> > > Rafal (Ralph) M. Los
> > > IT Security - Response | Mitigation | Strategy
> > >
> > > E-mail:  rafal@ishackingyou.com
> > > Direct:  +1 (847) 426-2621
> > > Mobile:  +1 (404) 606-6056
> > >   - gPGP:    0xFFC63B33
> > >   - Blog:    http://preachsecurity.blogspot.com
> > >   - Web:     http://www.ishackingyou.com
> > >   - LinkedIn: http://www.linkedin.com/in/rmlos
> >
> >
> > >
> > >
> > >
> > > Arian J. Evans wrote:
> > > > William --
> > > >
> > > > Bang. Dead. Done. Network firewalls are obsolete, or better
> > > > said -- they have less value today than they did in 1995-2003,
> > > > especially for the purposes of protecting your software.
> > > >
> > > > Apparently others are not thinking correctly about this yet.
> > > >
> > > > The perimeter has been dead for a long time. I used to tell people
> > > > this back around 2001 when I was helping glue web services and
> > > > asynchronous message queues together for financial institutions.
> > > > People didn't get it while their precious data was flapping in the
> > > > wind the whole time.
> > > >
> > > > Network firewalls have a valid use as an access control mechanism,
> > > > for port and protocol pairing, and IP filtering, but that's it.
> > > >
> > > > Networks have little to do with applications, and network security
> > > > has little to do with application security, though it exists almost
> > > > entirely because of it. (Necessary, but not sufficient.)
> > > >
> > > > The firewall vendors have desperately tried to add junk features
> > > > to play in this space -- let's take Checkpoint's "AI"...."Application
> > > > Intelligence". I could argue most of the features are junk, but
> > > > let's say, for the sake of amusement, that Checkpoint actually
> > > > has some "application intelligence".
> > > >
> > > > It won't ever see the interesting traffic. Not only does it lack
> > > > the notion of session and state, but it is a syntactical device
> > > > trying to solve a semantic problem. Never gonna work.
> > > >
> > > > Even more so -- any interesting sessions are SSL encrypted,
> > > > and no network devices are able to inspect that traffic. (true,
> > > > this could be solved with minimal implementation, but out
> > > > in the real world -- no one terminates SSL except on their
> > > > webservers or load balancers. Seriously.)
> > > >
> > > > Let's discuss web application firewalls. They aren't firewalls.
> > > >
> > > > They are intermediary proxies trying to syntactically scrub
> > > > traffic, and largely they all fail due to poor implementation,
> > > > poor design/interface, or lack of good data.
> > > >
> > > > "Software Security" is one part syntax problem, and one
> > > > large part semantic problem. Nothing with the word
> > > > "firewall" in it today understands the semantic web.
> > > >
> > > > The WAFs could, and hopefully we can get them to do so
> > > > once they let go of their insane marketing messages.
> > > >
> > > > Incidentally -- I think this will change soon though. A
> > > > couple of WAF vendors already "get it", and a few more

<p class=3DMsoPlainText><