The InfoSec Blog

You don’t need a Firewall Security Policy

Posted by Anton Aylward

A member of a discussion list I subscribe to asked for a Firewall Policy template.

As usual, I was alarmed enough by this to want to comment and drag it back to the discussion on "assets".

I don't think you should have a "Firewall Security policy".
This is why.

A great book on firewalls once described the firewall as

The network's response to poor host security

You can occasionally see articles on host-centric security drifting by ...

A firewall is a "network PERIMETER protection device".

Do you have a well-defined perimeter to which you can apply enforcement policies, or is your 'perimeter', like so many businesses these days, a vague and nebulous concept that is weakly defined? One thing that is "in" these days is "de-perimeterization". See "The Jericho Forum".

The firewall model is inherently one of a 'hard outer shell and soft vulnerable centre'. As I said, it's based on the idea of poor host security. Good host security will mean that the hosts don't have any unnecessary open ports. Scan your network. If there are no open ports, why do you need a firewall?

Oh, right: port 80. And all the hundreds of services behind it.
In effect those are your 'open ports'. Yes, there are firewalls that claim to do 'deep packet inspection'.  Check what they actually do.
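The host-side check behind "scan your network" can also be done from the inside, on each machine, by reading the kernel's own socket table. The following is an added example, not code from the original post: it parses a constructed sample of Linux's /proc/net/tcp (IPv4 only), decodes the hex-encoded addresses, and reports which listeners are bound to a non-loopback address, i.e. reachable from the network. The allow-list of expected ports and the sample rows are assumptions made for the demonstration.

```python
"""Audit a Linux host's listening TCP sockets from /proc/net/tcp.

Added example (not from the original post). /proc/net/tcp6 has the same
layout with 128-bit addresses and is deliberately not handled here.
"""
from pathlib import Path

LISTEN_STATE = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample table (not captured from a real host). Rows:
#   0: *:80 listening          1: 127.0.0.1:22 listening
#   2: 127.0.0.1:3306 listening 3: 10.0.0.5:8080 listening
#   4: an ESTABLISHED connection (state 01), which is not a listener
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0500000A:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10004 1 0000000000000000 100 0 0 10 0
   4: 0500000A:0050 1700000A:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 10005 1 0000000000000000 20 4 30 10 -1
"""


def decode_ipv4(hex_addr: str) -> str:
    """Turn the kernel's hex address into dotted quad, e.g. '0100007F' -> '127.0.0.1'.

    The kernel prints the address as a host-order 32-bit integer, so on the
    little-endian machines this sample models the byte pairs are reversed.
    """
    return ".".join(str(int(hex_addr[i:i + 2], 16)) for i in (6, 4, 2, 0))


def parse_listeners(table: str) -> list[tuple[str, int]]:
    """Return (ip, port) for every socket in LISTEN state, in table order."""
    listeners = []
    for line in table.splitlines():
        fields = line.split()
        if not fields or fields[0] == "sl":  # skip blank lines and the header
            continue
        local, state = fields[1], fields[3]
        if state != LISTEN_STATE:
            continue
        ip_hex, port_hex = local.split(":")
        listeners.append((decode_ipv4(ip_hex), int(port_hex, 16)))
    return listeners


def is_loopback(ip: str) -> bool:
    """127.0.0.0/8 is only reachable from the host itself."""
    return ip.startswith("127.")


def exposed_listeners(table: str, allowed_ports: set[int]) -> list[tuple[str, int]]:
    """Listeners reachable from the network that are not on the expected-port list.

    A port bound to 0.0.0.0 or to a real interface address counts as exposed;
    loopback-only services (e.g. a local database) do not.
    """
    return [
        (ip, port)
        for ip, port in parse_listeners(table)
        if not is_loopback(ip) and port not in allowed_ports
    ]


def audit_host(allowed_ports: set[int]) -> list[tuple[str, int]]:
    """Run the check against the live kernel table when available, else the sample."""
    proc = Path("/proc/net/tcp")
    table = proc.read_text() if proc.exists() else SAMPLE_PROC_NET_TCP
    return exposed_listeners(table, allowed_ports)


if __name__ == "__main__":
    # Assumed allow-list: this host is expected to serve HTTP(S) only.
    expected = {80, 443}
    for ip, port in exposed_listeners(SAMPLE_PROC_NET_TCP, expected):
        print(f"unexpected network-reachable listener: {ip}:{port}")
```

Run on the sample, the only finding is 10.0.0.5:8080: port 80 is expected, and SSH and MySQL are bound to loopback, so they are not part of the host's network-facing surface. Running it on every host, with each host's own allow-list, is the inventory the author is asking for before anyone writes a firewall rule.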

There are other uses for a firewall? Well, some people use it as a NAT device. Some people use it to control outbound connections - "data leakage". What they are really saying is that they haven't built their information architecture in a robust and secure manner. Back to the 'poor host security'. Perhaps you should be doing this sort of thing in your switch or router with ACLs. Partition your network.

So why did I start by saying "assets"?
Some people think that the assets are the hardware.
Focusing on the hardware as opposed to the services, the information and the processes leads you to think in terms of things like 'firewalls' rather than in abstracts like "perimeters" and "access controls".

By addressing a "Firewall policy" you are focusing on equipment rather than fundamentals.


Google Phasing out Windows

Posted by Anton Aylward

http://www.h-online.com/security/news/item/Report-Google-phasing-out-internal-use-of-Microsoft-Windows-1012679.html

"According to a report in the Financial Times, Google are phasing
out the use of Microsoft's Windows within the company because of
security concerns. Citing several Google employees, the FT report
reports that new hires are offered the option of using Apple Mac
systems or PCs running Linux. The move is believed to be related to a
directive issued after Google's Chinese operations were attacked in
January. In that attack, Chinese hackers took advantage of
vulnerabilities in Internet Explorer on a Windows PC used by a Google
employee and from there gained deeper access to Google's single sign
on service."

Security as a business decision?
Don't make me laugh!
Look at what precedence they've shown!
Look at Microsoft's attitude and approach to security (no matter how flawed the end result) and compare it with the public stance Google has taken.

No, this is about Business Politics.
Microsoft has been 'staggering' this last decade and now Apple is on the ascendancy, and the real battle will no longer be in the PC world but in the consumer world with embedded systems.
On the surface this will be Android vs Apple, but since embedded Linux goes so much further, embedded in TVs, GPS units, traffic light controllers, and perhaps it will even replace UNIX in telephone exchanges (ha-ha-ha!), there's more potential.
(Freudian slip: I just wrote portential.)

Yes, Microsoft hasn't been asleep in the embedded market, or the phone/PDA market, but compared to Linux it's a resource hog. To top that, it's also proprietary, so vendors rely on Microsoft for the porting to new processors/hardware and for support. Linux/Android doesn't have that limitation. And there are plenty of 'kiddies' eager to play with Android (source) on a new toy.

No, this isn't a security issue, it's a business and political issue.
If Google is pushing its range of Android products then it doesn't want to have people - journalists, investors, bloggers - saying "yes, but you USE Windows even though you preach Linux".

Or perhaps you thought Google was taking the "High Moral Ground"?
No, I think they are taking the advice of Sun Tzu and applying it to business.

"For them to perceive the advantage of defeating the enemy, they must
also have their rewards."

Betcha Google will be supplying Android phones/slates/pads to its workers.

"He who knows when he can fight and when he cannot, will be victorious."

Look at that ZDNet article and think about the timing of Google's announcement.

"It is essential to seek out enemy agents who have come to conduct
espionage against you and to bribe them to serve you. Give them
instructions and care for them. Thus doubled agents are recruited and used."

Think about that one.

"Opportunities multiply as they are seized."

And look how Android is spreading.
Ballmer said Linux was a virus - yes, a "meme".

"Thus, what is of supreme importance in war is to attack the enemy's strategy."

Indeed. Microsoft has proclaimed a commitment to "security". Bill Gates said so. That is their "strategy". But Google is working on the fact that Microsoft products still have security flaws. Regardless of the reality, that is the "voice" of this announcement. They are saying that Microsoft's strategy isn't working. They are attacking it in the minds of the consumers.
