Radio 4: ISPs moving services overseas

Ken Brown k.brown at ccs.bbk.ac.uk
Mon, 12 Feb 2001 09:48:00 +0000


Ben Laurie wrote:
> 
> Dave Howe wrote:
> >
> > > You appear to be saying that the firewall is seeking to limit what
> > > people on the inside of it can do. Why?
> > Probably because it can - standard policy for most Firewall admins is to
> > lock down everything in sight, then open just what they are requested to -
> > and I count myself on that list
> 
> And, apart from the feeling of power, what purpose does this serve?

In no particular order:

1) Most deliberate attacks on computer systems come from insiders (my
guess is > 99% in the commercial environment I'm most used to, over
half in the academic one I'm in now)

2) Loads of people have quite legitimate desires to do things that cause
system admins a headache. If we block everything on principle and only
release it when asked politely, it allows us to plan our work & cope
with unexpected events & keep services running. It can be a *real*
*bind* when you come into work one Monday morning & find that Department
X has attached a hub to the network without telling you, has its own
network on the other side of it, running operating systems & protocols
you don't know about, downloading > 500 Mbyte files from remote sites,
running large database servers that get thousands of connections,
running another connection to the Internet that you didn't know about -
I've seen all those happen.

3) In a large organisation there can be dozens or hundreds of internal
networks, connecting to each other through routers. Setting the internal
routers up as filtering firewalls gives you a lot more ability to keep
services reliable and allows you to limit damage if (when) it occurs.
Concepts like fuseboxes, defences in depth, bulkheads, flotation
compartments, or literal firewalls are useful here - a real firewall,
made of bricks or stone, is internal to a building.  If you are
interested (in both senses) in security you have to plan for things
going wrong in an unplanned way.

4) Sometimes computers on the inside are used to attack computers on the
outside. This can be really embarrassing. 

5) Sometimes people probe your systems in undetectable ways & try to get
stuff passed out to them.

6) You really, really, don't want a DDOS set up on your network.
Internal firewalls & IDS make it much harder. Maybe 

7) There are tens of thousands of possible IP ports on my machine,
hundreds of protocols in use.  Of those I recognise about a dozen or so
without looking them up (probably putting me in the top 1% of Internet
users) and have some detailed knowledge of 3 or 4  (probably putting me
in the top 1% of system admins). So given a port/socket/protocol
combination, or even an actual dumped datastream, and question "might
this be a cracking attempt?" my honest answer would have to almost
always be "I don't have the faintest idea". Much safer to disallow
everything you don't know is legitimate.

8) Look how many people suffered from the "Melissa" & "I love you"
nonsense. Neither my current nor my previous employer was seriously
inconvenienced by it: in one case because few people are using
MicroInsecure OutHouse, in the other because messages were blocked
internally, and in both because system admins removed dodgy-looking
messages without notifying the recipients.

Ken
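The "block everything, open only what is asked for" rule of points 3 and 7 above, as an added worked example that is not part of Ken's message: a small first-match packet-filter evaluator run over a constructed ruleset and constructed sample flows. The networks, hosts and ports are assumptions made up for illustration (10.7.0.0/16 stands in for "Department X", 10.1.0.0/24 for a central services segment); the point is to show which traffic changes fate when the default flips from allow to deny.

```python
"""Default-deny vs default-allow on an internal filtering router.

Added example, not code from the original e-mail. Networks, hosts and ports
below are constructed for illustration: 10.7.0.0/16 plays "Department X" and
10.1.0.0/24 a central services segment.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    proto: str                          # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: frozenset                   # empty set means any port
    comment: str = ""


def rule(action, proto, src, dst, ports=(), comment=""):
    """Build a Rule from CIDR strings; "any" stands for 0.0.0.0/0."""
    def net(s):
        return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
    return Rule(action, proto, net(src), net(dst), frozenset(ports), comment)


def matches(r: Rule, f: Flow) -> bool:
    """Every field of the rule must accept the flow."""
    if r.proto != "any" and r.proto != f.proto:
        return False
    if ipaddress.ip_address(f.src) not in r.src:
        return False
    if ipaddress.ip_address(f.dst) not in r.dst:
        return False
    if r.dports and f.dport not in r.dports:
        return False
    return True


def evaluate(rules, f: Flow, default: str = "deny"):
    """First-match semantics; the default applies when no rule matches."""
    for r in rules:
        if matches(r, f):
            return r.action, r
    return default, None


# Constructed policy for the router between Department X and the rest of the
# site: only the three services someone has actually asked for are opened.
DEPT_X = "10.7.0.0/16"
POLICY = [
    rule("allow", "tcp", DEPT_X, "10.1.0.10/32", [25], "mail relay"),
    rule("allow", "tcp", DEPT_X, "10.1.0.20/32", [3128], "web proxy"),
    rule("allow", "udp", DEPT_X, "10.1.0.53/32", [53], "DNS resolver"),
]

# Constructed sample of traffic seen on the Monday morning from the e-mail.
FLOWS = [
    Flow("tcp", "10.7.3.4", "10.1.0.20", 3128),       # web via the proxy
    Flow("udp", "10.7.3.4", "10.1.0.53", 53),         # name lookup
    Flow("tcp", "10.7.3.4", "198.51.100.9", 80),      # direct download, bypassing the proxy
    Flow("tcp", "10.7.9.1", "10.3.0.15", 5432),       # database connections nobody announced
    Flow("udp", "10.7.9.1", "203.0.113.7", 40000),    # protocol the admin does not recognise
]


def audit(rules, flows, default="deny"):
    """Map each flow to the decision the policy makes for it."""
    return {f: evaluate(rules, f, default)[0] for f in flows}


def allowed_only_by_default(rules, flows):
    """Flows that pass under default-allow but are blocked under default-deny:
    exactly the traffic nobody has reviewed, which is what point 7 is about."""
    return [f for f in flows
            if evaluate(rules, f, "allow")[0] == "allow"
            and evaluate(rules, f, "deny")[0] == "deny"]


if __name__ == "__main__":
    for f, action in audit(POLICY, FLOWS).items():
        print(f"{action:5} {f.proto} {f.src} -> {f.dst}:{f.dport}")
    print("unreviewed traffic a default-allow router would pass:",
          len(allowed_only_by_default(POLICY, FLOWS)))
```

Under default-deny the two requested services pass and the other three flows are dropped without anyone having to decide whether port 5432 or UDP 40000 is "a cracking attempt"; under default-allow all five pass. Running `allowed_only_by_default` against a real ruleset and a day's flow records is a quick way to see how much traffic a site is carrying purely on the strength of its default.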