Subject: Re: Securing NetBSD
To: Steven M. Bellovin <smb@research.att.com>
From: Jon Lindgren <jlindgren@slk.com>
List: netbsd-users
Date: 03/01/2001 06:31:38
On Wed, 28 Feb 2001, Steven M. Bellovin wrote:

> In message <20010228183137.A2007@rek.tjls.com>, Thor Lancelot Simon writes:
> >Nonsense.  Plenty of people who configure firewalls for a living consider
> >any network login access to the firewall box, wherever from, to be a problem.
> >
> >Maybe that's not good advice _for you_, but it's absurd to suggest that your
> >own advice applies to the general case -- there just about *is* no "general
> >case" in firewall security.
> 
> The general case is "understand what your requirements are".  For 
> corporate production systems, remote access generally is a requirement. 
> It's not always stated, which in practice tends to mean that *when* 
> (not "if") an emergency hits, someone deploys some quick-and-dirty ad 
> hoc solution that isn't secure.

No corporation that I know of will allow any remote access to a firewall
via interfaces which the firewall is firewalling.  Out of band management,
such as serial consoles, and private non-routable management networks are
the usual, and all these are secured against remote access by means such as
SecureID (for dialin) or equiv.

> Put another way, if something breaks on the firewall, can you afford to 
> be offline until a competent wizard can get there physically?  For 
> corporate firewalls, the answer is almost certainly "no".  That may be 
> the case for home firewalls, too, if there are other folks at home who 
> aren't wizard-rated.

The difference here is that 1) corporations who are worried about such
reaction times have 24 hr support staff, and people on call to aid those
supporting, and 2) the typical home user is looking for "set-it
and have it work" security, not five 9's of uptime.  Maintenance required
on a well-setup firewall (one which logs externally, etc...) is minimal to
none, so console/serial access is acceptable.

Of course, everyone has their own special circumstances.  I'm not saying
"don't ever open up services on your firewall", I'm saying "I personally
wouldn't, and neither would many others."  Apply grain of salt, configure
your firewall, and smile because it's running NetBSD ;-)

[snip]

> ssh isn't risk-free -- nothing is -- but it's a plausible approach.  
> IPsec might be another, though that's problematic from, say, hotel room 
> Ethernets that live behind NAT boxes.

Not to drag this on, but any process is capable of having a buffer
overflow attack, an internal problem, etc...  Opening up _any_ service
opens the risk of an exploit.  If I were a hacker, I'd look for the
easiest weakness in a system.  If I can get control of the firewall,
that's a good shoo-in to the network.  Your chain is only as strong as its
weakest link.  [insert random cliche here]

Take care,

-
Jon
 --------------------------------------------------------------------
 - The opinions expressed are not necessarily those of my employer.
   "I wonder how many people actually read my .sig?"