Re: Firewall security: Re: Problems with simple Samba file share
From: Tony Lawrence (foo_at_pcunix.com)
Date: 05/10/05
- Next message: Tony Lawrence: "Re: Firewall security: Re: Problems with simple Samba file share"
- Previous message: Aleksi: "FC3 partition question"
- In reply to: Peter T. Breuer: "Re: Firewall security: Re: Problems with simple Samba file share"
- Next in thread: Paul Black: "Re: Firewall security: Re: Problems with simple Samba file share"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 10 May 2005 06:27:20 -0400
Peter T. Breuer wrote:
> Tony Lawrence <foo@pcunix.com> wrote:
>
>>Peter T. Breuer wrote:
>>
>>>Tony Lawrence <foo@pcunix.com> wrote:
>>>
>>>
>>>>Right. One should never bet long odds with high loss, and yet that is
>>>>exactly what you insist we should do with regard to not using the firewall.
>>>
>>>
>>>It isn't the same situation - it's not a one off at all. Your use of
>>>the firewall is predicated on a continuous background of "experiments"
>>>dedicated at breaking in hence the laws of statistics apply, rotundly.
>
>
>>Nonsense. You are the one who insists this is a negligible risk - "near
>>0" I believe you said.
>
>
> It is a negligible risk - by the laws of statistics, because they apply
> here. It is the number of _experiments_ that makes it not a candidate
> for the "always bet on long odds with large gains" rule of thumb,
> because another part of that rule (which I hope I stated often enough!)
> is "don't do it often, or the laws of statistics will get ya".
Right. We don't do it often. We do it once. The firewall is deployed
once. It protects against an unknown number of events, but it is
deployed once. There's one "bet".
>
>
>
>>But the likelihood of the damage doesn't matter: one attack or three
>>million doesn't change my action of deploying a firewall ONCE.
>
>
> It doesn't help you. Ssh is not vulnerable to attacks from china. If
> you think it is, it must be because you think somebody there has your
> secret private key. Ask yourself how they got it.
I keep answering this, but you ignore it. The keys can be obtained
from a backup tape or a usb key fedexed anywhere in the world. They can
be emailed carelessly. And as has also been noted time and time again,
the ssh configuration could be accidentally changed, or a bug in ssh
could cause it to ignore the config and default to password
authentication. The firewall adds protection for any of these
circumstances. You keep ignoring that and throwing up strawmen. Shame
on you.
>
> What I suspect is that you think a special attack will be developed
> against a version and/or compile of ssh that always succeeds after a
> couple of dozen (maybe thousand) tries, and that the whole world will be
> out there trying it out against everybody else.
Another Peter strawman. You have no reason at all to guess about what
I'm thinking: it's been spelled out in plain language time and time
again. Yet you pretend it has not. What am I to think? You can't
read, or you have a really bad memory, or you are pretending that I
never said these things because you know you can't win your argument?
>>>>In this case, even if I agree with you as to how long the odds are
>>>>against the firewall providing value, the loss is high if we don't
>>>>deploy it.
>>>
>>>
>>>No, the expected additional loss is zero - it does not stop attacks,
>>>because attacks are aimed at generically open services like ftp, nfs
>>>(locally), rpc, domain, smtp, pop, etc.. They have to be, or the
>>>attacks would never become worth considering - you can't catch a
>>>disease if nobody else has it.
You can't have it both ways, Peter. You already agreed that there was a
potential here - why else would we be discussing probability and betting
theory? That's another of your typical tactics, you know: pretend a
point already granted has not been. Not pretty.
>
>
>>Again, you have forgotten that we posited two different situations here.
>>One where ssh is restricted to certain ip's, and the second where a
>>service not expected to be running has been fat-fingered on or
>>misconfigured. In both of these cases, the firewall helps protect us.
>
>
> There is no vulnerability: if there were one that had achieved any
> epidemic proportions, you would hear about it and upgrade, or it would
> happen for you when you pressed the "update latest games" button. Hence
> you have no vulnerability, by reductio ad absurdum.
Again, that's nonsense. There are zero day attacks and there are
unreported attacks. Wave your hands all you want: they exist, and the
firewall helps protect against them.
>
> And if you thought a f/w protected you, you would be wrong - a portable
> can be compromised elsewhere and brought in locally. Somebody can log
> in to your "safe" IPs and run the attack from there - why not? Isn't it
> certain that it will happen, according to you, since the person at the
> safe IP will not update his server before he is attacked?
You seem to be getting desperate. We aren't talking about 100%
security. The existence of situations we can't protect against does not
change the fact that the firewall does protect us from some things.
This is a very bright red herring, Peter.
>
> But anyway, I repeat, there is no successful attack out there that
> attacks a port that is not generically open - it would never achieve
> epidemic proportions, so it would always be negligible. Perhaps you
> don't understand the numbers involved ... not propagating means that
> there is ONE (1) copy of the malware out there that is aimed at your
> nonstandard port. Thus you get a 1:100000000 chance of being targeted
> by it (counting one hundred million internet nodes). And that's only if
> it ISN'T active! If it were active, it would be noticed, defended
> against, and you would develop immunity. So I would guess that maybe
> only one attack every two weeks is feasible, without detection, and
> maybe ten times, so you get a 2:100000000 chance per YEAR of being
> targeted by it. Even assuming it exists, which you have to evaluate on
> your own: say there is a 1/100 chance of it existing (a viable, untried
> attack code aimed at your exposed nonstandard port). Multiply.
My goodness: you are like a fish out of water flopping here and there!
First it's zero, then it's negligible, then zero again, and now we are
back to negligible again. Which brings us back to the long odds rule
which you agreed to: we make one small "bet" (deploying the firewall)
which can protect us against a disastrous payoff.
>
> Worry rather about your disk going up in smoke and you losing all your
> work. That's about a 15% chance per year. 50% per three years.
We do worry about those things. More red herrings.
>
>
>>>>Therefore, we should deploy it and you know it: "one should
>>>>ALWAYS bet long odds with high gain".
>>>
>>>
>>>ONCE. Do it consistently and you lose. The idea is to pull off a
>>>once-only. Keep betting and the law of averages will have you lose.
>
>
>>The deployment is a one off event.
>
>
> Unfortunately your scenario posits thousands of attacks raining in from
> every quarter of the globe, daily. The laws of statistics then apply,
> in spades, and you can accurately calculate the distributions.
My scenario doesn't posit any such thing. But it doesn't matter whether
there is one such attack or five billion: the "payoff" has nothing to do
with that, but is simply the loss to me if there is an attack that could
succeed. The small "bet" of the firewall gives me a very large
potential payoff.
I'm beginning to think that the illustrious professor doesn't understand
what he's talking about at all.
>
>>We've already been down that road. In fact, you were the one who argued
>>that keys can be stolen and that passphrases might be blank or easy to
>>guess. And has been already said, keys can be stolen by other means:
>>usb devices, backups, careless emails and so on.
>
>
> Sure. Stealing them is the way to go, rather than these mythical
> "attacks" raining in at every hour on your poor unprotected head!
> Stealing them only requires social engineering - borrowing your laptop
> for a moment, or similar. One of the easiest things to do is listen to
> your bluetooth keyboard (depending on model).
If the keys are stolen, they can be used from another ip. The firewall
protects against that. And it also helps protect against accidental
configuration changes or a bug that ignores the configuration.
>
>
>
>>It's quite tiresome to keep repeating this to you Peter: do you have
>>memory problems?
>
>
> I've pointed out to you that your f/w defense is against people in china
> who have STOLEN YOUR PRIVATE KEY! That you don't get it after letting
> that sink in is the (possible) problem. There is no generic attack
> against ssh, and if there were, you would have it fixed like a snap.
I think the real problem is that you are too stubborn to admit that you
are wrong. That you keep misstating the circumstances being discussed
and flip-flopping on supposed odds is disturbing enough. That you drag
unrelated material in to try to confuse and obfuscate is annoying, and
your continued erection of strawmen is quite tiresome.
We have a service, in this case ssh. It is configured only to allow PK
logins for specific users. We add a firewall or firewalls which
restrict the entrance of any but the ip's that are supposed to be
attached to those users. The firewall(s) add additional protection against:
- misconfiguration
- bug or exploit that causes the configuration to be ignored
- theft of the keys and attempted use from another location.
If breached because of any of these circumstances, the cost to us is
high. The cost of deploying the firewall is low, therefore this is a
good "bet". It doesn't matter whether there are millions of attacks
meeting these criteria or one: our deployment is still worthwhile
because it saved us considerable expense.
-- Tony Lawrence Unix/Linux/Mac OS X resources: http://aplawrence.com
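The two layers Tony summarises at the end of his message (sshd limited to public-key logins for named users, plus a host firewall that only admits the addresses those users are expected to come from) as a worked example. This is added here and is not code from the thread; the user names, CIDRs and paths are hypothetical, the sample sshd_config files are constructed, and the iptables rules are printed for review rather than executed. The config check covers the "fat-fingered" case from the message: it fails if PasswordAuthentication is left at sshd's default of yes.

```sh
#!/bin/sh
# Added example, not from the original thread. Names, CIDRs and paths are
# hypothetical; the sample configs below are constructed for the demo.

# Emit iptables commands that admit new TCP/22 connections only from the
# given source CIDRs and drop every other attempt to reach sshd. Printed,
# not run, so the rule set can be reviewed and the script run unprivileged.
gen_ssh_firewall_rules() {
    for cidr in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -m conntrack --ctstate NEW -j ACCEPT\n' "$cidr"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# First value of a keyword in an sshd_config file (sshd uses the first
# occurrence, keywords are case-insensitive). Empty string if unset.
# Caveat: Match blocks and Include directives are not interpreted, so a
# Match block that re-enables password logins for some users is not seen.
cfg_value() {
    tr '[:upper:]' '[:lower:]' < "$2" \
      | sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p" \
      | head -n 1
}

# Return 0 if the file enforces key-only logins for an explicit user list,
# 1 (with a reason on stderr) otherwise.
check_sshd_config() {
    cfg=$1
    pw=$(cfg_value passwordauthentication "$cfg")
    pk=$(cfg_value pubkeyauthentication "$cfg")
    au=$(cfg_value allowusers "$cfg")
    # keyboard-interactive can still carry a password prompt via PAM;
    # newer sshd spells the keyword KbdInteractiveAuthentication
    cr=$(cfg_value challengeresponseauthentication "$cfg")
    [ -n "$cr" ] || cr=$(cfg_value kbdinteractiveauthentication "$cfg")

    [ "$pw" = "no" ] || {
        echo "PasswordAuthentication is not 'no' (sshd default is yes)" >&2; return 1; }
    [ "$cr" = "no" ] || {
        echo "ChallengeResponseAuthentication is not 'no'" >&2; return 1; }
    [ -z "$pk" ] || [ "$pk" = "yes" ] || {
        echo "PubkeyAuthentication is disabled" >&2; return 1; }
    [ -n "$au" ] || {
        echo "AllowUsers is unset: any account with a key could log in" >&2; return 1; }
    return 0
}

# Write a constructed sample config to a temp file and print its path.
# "hardened" is the intended state; anything else is the fat-fingered one.
write_sample_config() {
    f=$(mktemp)
    if [ "$1" = hardened ]; then
        cat > "$f" <<'EOF'
# constructed sample: key-only logins for two named users
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers tony peter
EOF
    else
        cat > "$f" <<'EOF'
# constructed sample: PasswordAuthentication line lost in an edit
Port 22
PubkeyAuthentication yes
ChallengeResponseAuthentication no
AllowUsers tony peter
EOF
    fi
    printf '%s\n' "$f"
}

if [ "${1:-}" = demo ]; then
    gen_ssh_firewall_rules 192.0.2.10/32 198.51.100.0/24
    good=$(write_sample_config hardened); bad=$(write_sample_config broken)
    check_sshd_config "$good" && echo "hardened config: ok"
    check_sshd_config "$bad" || echo "broken config: rejected"
    rm -f "$good" "$bad"
fi
```

Run with `sh script.sh demo`. On a live host, `sshd -T` prints the effective configuration (Match blocks resolved) and is the better thing to feed the check; the point of the firewall rules is that they hold even when the check above would fail, which is the argument of the message.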