Comments on: A Firewall Quiz

By: afshin lamei

afshin lamei — Thu, 11 Oct 2007 09:51:29 +0000

A firewall with a single “allow any” can increase the security if we assume that it is an stateful firewall and “allow any” means from internal network to external. Because there is not any other assumption , such as logging or Intrusion detection capability, we can say that from the internal network point of view, it is more secure. also we must notice that any firewall is a single point of failure, specially when working in router (non-transparent) mode.

By: kraigus

kraigus — Thu, 27 Sep 2007 11:59:54 +0000

No worries.

By: kraigus

kraigus — Wed, 26 Sep 2007 00:01:27 +0000

a – if it’s one or the other, then it’s less. As others have said, you’re increasing your attack surface with no extra gain.

Extra credit 1 – makes no difference. Labels are meaningless; if your firewall protects people then it protects them, if it doesn’t, it doesn’t. People are going to do stupid things, regardless of whether or not they know they have a firewall.

Extra credit 2 – the schools your kids go to may not teach arithmetic like they used to, but how about the rules of punctuation?

By: Dan Weber

Dan Weber — Tue, 25 Sep 2007 14:25:42 +0000

*First question:*

This device can lower your security, if either:

a) the users/operators assume that the network is now protected

b) the device has its own vulnerabilities, giving attackers a new potential launching pad.

I’m not sure you can assume ‘a’, if everyone knows that the device has no rules.

I’m not sure ‘b’ applies, either, if you say that vulnerabilities are only the result of rules. That’s probably not accurate, but we’re making up suppositions so why not?

*Bonus question:*

Well, “firewall” is merely a label that describes where you are going to make your stand. Could be the network, could be the host, could be the CPU, could be the hard drive.

But, as I said in ’1a’, if users/operators think “there’s a firewall” they could unfairly decrease their risk assessment of the local network.

By: Clint Laskowski

Clint Laskowski — Tue, 25 Sep 2007 13:54:22 +0000

Okay, I’ll post my answers:

My first reaction was to say that the fireall (with a single “allow any” rule an no NAT) would still make the network more secure because it would provide some logging which might be useful as a detective control. But, assuming logging is a result of a rule, it appears there would be no logging (since there are no other rules). So, I’d say it would (c) have no impact on the security of the environment.

As to the extra credit question, I would say the label “firewall” makes no difference on the security impact of a device with firewall-like capabilities. Then again, a device that resolves to a network name of something like “firewall.victim.com” might scare some attackers away because they’d think victim.com must have some defenses in place if they have a firewall; at the same time, it might invite more aggressive attackers interested in the challenge of defeating the firewall.

Okay, how’d I do?