
RE: [RRG] Renumbering... ACL alternatives?



On Sat, 16 Aug 2008, Tony Li wrote:
|Exactly, I fully agree.  The next question is whether the practice of
|configuring remote addresses in filtering devices is common.  I hope
|it's not.  Does anyone on this list have experience or data on this?

Unfortunately, the practice of putting remote addresses into firewall ACLs
is all too common.  Of course, there's a name we have for sites that do
this: pwned.

That said, this is such a colossally bad practice that I would have no
trouble supporting architectures that forced people to rethink this.

The alternative(s) being...?

This practice stems from various needs and requirements, some of which seem legitimate to me. If we deny them as "bad practice", we'll likely end up with a solution that doesn't meet real-world requirements.

My take on some of the variables here:

 - an application running between 2..N sites over the Internet
 - using a) a fixed port, b) pretty much random ports
 - host system can be trusted (strongly secured, and/or has
   reliable host firewall) or not trusted
 - defence in depth required vs not required

In some cases, opening port 80 or all ports to the whole Internet in a border firewall is frowned upon. So you want to filter based on addresses or prefixes of the sites who may legitimately use the service, and require some other form of authentication on the system itself (e.g. user auth or certificates).

Alternatives?
 - Deploying the application using certificates and TLS.  But then if
   you would open the service to the whole world, you would be open to
   basic-level exploits (e.g. in TLS processing) and DoS attacks from
   everywhere.  Some accept this risk, some others don't.
 - Opening IPsec+IKE to the whole world also opens an attack surface
   for those protocols.  Further, it's also a heavyweight solution.
   Most operating systems in question also don't natively support
   IPsec-protected sessions and/or tunnels and deploying separate
   boxes would increase complexity and cost.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
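Tony Li asks above whether anyone has data on how common it is to configure remote addresses in filtering devices. An added example, not part of this thread or of any poster's message: the script below audits an iptables-save dump for rules that embed addresses outside the site's own prefixes, and lists which rules would silently stop matching if a given peer prefix were renumbered. The sample ruleset and the value of LOCAL_PREFIXES are constructed for the example (RFC 5737 documentation ranges), not taken from any real site.

```python
"""Audit an iptables-save ruleset for remote addresses baked into ACLs.

Added example for the RRG renumbering discussion. SAMPLE_RULES is a
constructed dump using RFC 5737 documentation prefixes; LOCAL_PREFIXES is an
assumed value for the site's own address space.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in iptables-save format (not a real site's ruleset).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -d 203.0.113.10/32 -p tcp --dport 443 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p udp --dport 161 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A FORWARD -s 203.0.113.0/24 -d 192.0.2.50/32 -p tcp --dport 5432 -j ACCEPT
COMMIT
"""

# Assumed: the site's own prefixes. Any other address in a rule belongs to a
# remote site, i.e. it is a dependency on someone else's numbering.
LOCAL_PREFIXES: List[Net] = [ipaddress.ip_network("203.0.113.0/24")]

# iptables options whose argument is recorded; everything else is skipped.
_OPTIONS = {"-s": "src", "--source": "src", "-d": "dst", "--destination": "dst",
            "-p": "proto", "--protocol": "proto", "--dport": "dport", "-j": "target"}


@dataclass(frozen=True)
class Rule:
    text: str
    chain: str
    src: Optional[Net]
    dst: Optional[Net]
    proto: Optional[str]
    dport: Optional[str]
    target: Optional[str]


def _to_net(value: Optional[str]) -> Optional[Net]:
    return ipaddress.ip_network(value, strict=False) if value else None


def parse_rules(dump: str) -> List[Rule]:
    """Parse the '-A chain ...' lines of an iptables-save dump."""
    rules: List[Rule] = []
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        fields: Dict[str, Optional[str]] = {k: None for k in set(_OPTIONS.values())}
        i = 2
        while i < len(tokens):
            key = _OPTIONS.get(tokens[i])
            if key is not None and i + 1 < len(tokens):
                # A preceding "!" negates the match, but the address is still
                # hard-coded in the ACL, so it is recorded the same way.
                fields[key] = tokens[i + 1]
                i += 2
            else:
                i += 1
        rules.append(Rule(line, tokens[1], _to_net(fields["src"]), _to_net(fields["dst"]),
                          fields["proto"], fields["dport"], fields["target"]))
    return rules


def is_remote(net: Optional[Net], local: List[Net] = LOCAL_PREFIXES) -> bool:
    """True if the matched address is not wholly inside the site's own prefixes."""
    if net is None:
        return False
    return not any(net.version == l.version and net.subnet_of(l) for l in local)


def remote_address_rules(rules: List[Rule], local: List[Net] = LOCAL_PREFIXES) -> List[Rule]:
    """Rules that embed a remote site's address: the practice under discussion."""
    return [r for r in rules if is_remote(r.src, local) or is_remote(r.dst, local)]


def affected_by_renumbering(rules: List[Rule], prefix: str) -> List[Rule]:
    """Rules whose address match overlaps a prefix about to be renumbered.

    After the renumbering these rules still exist but never match the peer's
    new addresses, so the service they admit quietly stops working.
    """
    old = ipaddress.ip_network(prefix, strict=False)
    return [r for r in rules
            if any(n is not None and n.version == old.version and n.overlaps(old)
                   for n in (r.src, r.dst))]


def dependencies_by_peer(rules: List[Rule],
                         local: List[Net] = LOCAL_PREFIXES) -> Dict[str, Set[Tuple[str, str]]]:
    """Map each remote prefix to the (proto, dport) services gated on it."""
    deps: Dict[str, Set[Tuple[str, str]]] = {}
    for r in remote_address_rules(rules, local):
        for n in (r.src, r.dst):
            if is_remote(n, local):
                deps.setdefault(str(n), set()).add((r.proto or "any", r.dport or "any"))
    return deps


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for peer, services in sorted(dependencies_by_peer(parsed).items()):
        print(f"{peer}: {sorted(services)}")
    for r in affected_by_renumbering(parsed, "192.0.2.0/24"):
        print("breaks if 192.0.2.0/24 is renumbered:", r.text)
```

Run it against the output of `iptables-save` (or any ruleset you can reduce to the same `-A chain -s ... -d ...` shape) with LOCAL_PREFIXES set to your own allocation; the per-peer map is the kind of data Tony is asking for, and the renumbering check shows which services a partner's renumbering would silently break, which is the cost Pekka's "legitimate" cases have to carry.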

--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg