[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [RRG] Renumbering... ACL alternatives?

To: Tony Li <tony.li@tony.li>
Subject: RE: [RRG] Renumbering... ACL alternatives?
From: Pekka Savola <pekkas@netcore.fi>
Date: Mon, 18 Aug 2008 10:23:53 +0300 (EEST)
Cc: "'Christian Vogt'" <christian.vogt@nomadiclab.com>, "'Noel Chiappa'" <jnc@mercury.lcs.mit.edu>, rrg@psg.com
In-reply-to: <67FD447745684B4F98360E7117C779B4@ad.redback.com>
References: <20080816165144.2FAD66BE5BD@mercury.lcs.mit.edu> <E11E2692-3853-4F87-ADC2-A44334378026@nomadiclab.com> <67FD447745684B4F98360E7117C779B4@ad.redback.com>
User-agent: Alpine 1.10 (LRH 962 2008-03-14)

On Sat, 16 Aug 2008, Tony Li wrote:

|Exactly, I fully agree.  The next question is whether the practice of
|configuring remote addresses in filtering devices is common.  I hope
|it's not.  Does anyone on this list have experience or data on this?

Unfortunately, the practice of putting remote addresses into firewall ACLs
is all too common.  Of course, there's a name we have for sites that do
this: pwned.

That said, this is such a colossaly bad practice, that I would have no
trouble supporting architectures that forced people to rethink this.


The alternative(s) being...?

This practise stems from various needs and requirements, some of whichseem legitimate to me. If we deny them as "bad practise", we'lllikely end up with a solution that doesn't meet real-worldrequirements.


My take on some of the variables here:

 - an application running between 2..N sites over the Internet
 - using a) a fixed port, b) pretty much random ports
 - host system can be trusted (strongly secured, and/or has
   reliable host firewall) or not trusted
 - defence in depth required vs not required

In some cases, opening port 80 or all ports to the whole Internet in aborder firewall is frowned upon. So you want to filter based onaddresses or prefixes of the sites who may legitimately use theservice, and require some other form of authentication on the systemitself (e.g. user auth or certificates).


Alternatives?
 - Deploying the application using certificates and TLS.  But then if
   you would open the service to the whole world, you would be open to
   basic-level exploits (e.g. in TLS processing) and DoS attacks from
   everywhere.  Some accept this risk, some others don't.
 - Opening IPsec+IKE to the whole world also opens an attack surface
   for those protocols.  Further, it's also heavyweight solution.
   Most operating systems in question also don't natively support
   IPsec-protected sessions and/or tunnels and deploying separate
   boxes would increase complexity and cost.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg

References:
- Re: [RRG] Renumbering...
  - From: jnc@mercury.lcs.mit.edu (Noel Chiappa)
- Re: [RRG] Renumbering...
  - From: Christian Vogt <christian.vogt@nomadiclab.com>
- RE: [RRG] Renumbering...
  - From: "Tony Li" <tony.li@tony.li>

Prev by Date: RE: [RRG] Renumbering... ACLs etc.
Next by Date: Re: [RRG] Renumbering... ACLs etc.
Previous by thread: Re: [RRG] Renumbering... ACLs etc.
Next by thread: Re: [RRG] Renumbering...
Index(es):
- Date
- Thread