If LAN is legacy, what is the UN-legacy...?

adam.ierymenko

@Dashrender "How do you propose keeping the baddies that are trying to attack you over the web? I understand pull vectors, but what about the push ones?"

Local firewalls aren't obsolete. They're a pretty good way to limit your surface area. But personally I just like to make sure I'm not running anything I don't need. Also make sure you are up to date on patches, etc.

But the bottom line is that 90% of baddies aren't attacking you over the web anymore. They're trying to phish, scam, sneak malware, and get you to visit malicious URLs. They've moved "up the stack," abusing vectors like social media, Dropbox/Google Drive, e-mail, etc. This is partly in direct response to the firewall and partly because these types of attacks are a lot more effective.

Based on real world experience the only exception I'd give to the above is web apps. There was a case where a vulnerable php web app was attacked. But this of course was in the DMZ, so the firewall also did nothing. It was supposed to be exposed! Most people don't run php web apps on desktops and mobile devices.

I suppose you could still ask: if we got rid of firewalls tomorrow, neglecting unpatched and obsolete OSes would we again see an epidemic of remote attacks? I can't say for sure that we wouldn't but I personally doubt it. You'd see remote attacks against old vulnerable junk but newer patched systems would not fare too badly, and the exposure would probably help harden things more. Firewalls promote immune system atrophy.

Of course ZeroTier has private certificate-gated networks and that's what most people use. Those are similar to VPN endpoints in risk profile. You can still have your boundary. It's just software defined.

A bit beyond IT pragmatism, but I gave this presentation a while back about how firewalls contribute to Internet centralization, surveillance, and the monopolization of communication by closed silos like Facebook and Google: https://www.zerotier.com/misc/BorderNone2014-AdamIerymenko-DENY_ALL.pdf

The core argument I'm making there is that the firewall is a grandfathered-in hack to get around very very bad endpoint security and the fact that IP has no built-in authentication semantics. It's also a fundamentally broken security model since it uses a non-cryptographic credential (IP:port) as a security credential. Non-cryptographic credentials are worthless.

In a later presentation I distilled the "Red Queen's Race" slides to a "law of protocol bloat": any protocol allowed through the firewall accumulates features until it encapsulates or duplicates all functionality of all protocols blocked by the firewall. Examples: SSH, HTTP. In the end you just end up running an inferior version of IP encapsulated within another protocol.

stacksofplates

@adam.ierymenko said:

@Dashrender Here open this attachment!

No joke though. I really honestly think we could have just taken our firewall down and given every machine a public IP and there would have been little or no change to security posture. If anything, firewalls encourage the "soft underbelly" problem by giving people the illusion that the local network is secure. Take that old obsolete crutch away and people who do things like bind unpassworded databases to ::0 will look like dummies real fast and the problem will take care of itself over time.

It's been a while since I've seen a completely deadpan naive remote vulnerability in a consumer OS. By "naive" I mean one that can be exploited in the real world with no credentials, special knowledge, or participation from the user. OSes really have gotten better and if you turn off unnecessary services you're probably not in too terribly much danger. The danger isn't nonexistent but it's probably a lot less than, say, browsing the web with five different plugins enabled or the always popular:

curl http://note_lack_of_https.itotallytrustthissitelol.com/ | sudo bash

haha I had to fire up a container to see if that was an actual bash script lol.

Dashrender

@adam.ierymenko said:. It's also a fundamentally broken security model since it uses a non-cryptographic credential (IP:port) as a security credential. Non-cryptographic credentials are worthless.

Here Here!

In a later presentation I distilled the "Red Queen's Race" slides to a "law of protocol bloat": any protocol allowed through the firewall accumulates features until it encapsulates or duplicates all functionality of all protocols blocked by the firewall. Examples: SSH, HTTP. In the end you just end up running an inferior version of IP encapsulated within another protocol.

That is no lie - So I can't get what I want, you'll give me this little thing over here, OK I'll just create a way to get what I want through that little thing.. done.. yeah - huge problem!

Dashrender

@johnhooks said:

@adam.ierymenko said:

@Dashrender Here open this attachment!

No joke though. I really honestly think we could have just taken our firewall down and given every machine a public IP and there would have been little or no change to security posture. If anything, firewalls encourage the "soft underbelly" problem by giving people the illusion that the local network is secure. Take that old obsolete crutch away and people who do things like bind unpassworded databases to ::0 will look like dummies real fast and the problem will take care of itself over time.

It's been a while since I've seen a completely deadpan naive remote vulnerability in a consumer OS. By "naive" I mean one that can be exploited in the real world with no credentials, special knowledge, or participation from the user. OSes really have gotten better and if you turn off unnecessary services you're probably not in too terribly much danger. The danger isn't nonexistent but it's probably a lot less than, say, browsing the web with five different plugins enabled or the always popular:

curl http://note_lack_of_https.itotallytrustthissitelol.com/ | sudo bash

haha I had to fire up a container to see if that was an actual bash script lol.

though the lack of HTTPS really doesn't make you more or less protected in this example.

stacksofplates

@Dashrender said:

@johnhooks said:

@adam.ierymenko said:

@Dashrender Here open this attachment!

No joke though. I really honestly think we could have just taken our firewall down and given every machine a public IP and there would have been little or no change to security posture. If anything, firewalls encourage the "soft underbelly" problem by giving people the illusion that the local network is secure. Take that old obsolete crutch away and people who do things like bind unpassworded databases to ::0 will look like dummies real fast and the problem will take care of itself over time.

It's been a while since I've seen a completely deadpan naive remote vulnerability in a consumer OS. By "naive" I mean one that can be exploited in the real world with no credentials, special knowledge, or participation from the user. OSes really have gotten better and if you turn off unnecessary services you're probably not in too terribly much danger. The danger isn't nonexistent but it's probably a lot less than, say, browsing the web with five different plugins enabled or the always popular:

curl http://note_lack_of_https.itotallytrustthissitelol.com/ | sudo bash

haha I had to fire up a container to see if that was an actual bash script lol.

though the lack of HTTPS really doesn't make you more or less protected in this example.

The container was for if there actually was a shell script that was going to run.

adam.ierymenko

@Dashrender "That is no lie - So I can't get what I want, you'll give me this little thing over here, OK I'll just create a way to get what I want through that little thing.. done.. yeah - huge problem!"

You can't secure things by breaking them. People will find ways around your barriers because they need things to work, and the things they cobble together will probably be less secure than what you started with. You have to secure things by actually securing them.

Fundamentally the endpoint is either secure or it is not. If it's not, all someone has to do is get into something behind your firewall and they own you. Increasingly that something could be a printer, a light bulb, or a microwave oven. How often do you patch your light bulbs? If the cloud killed the firewall, then IoT will dig it up and cremate it and encase it in concrete and re-bury it.

My approach to security is: secure everything as if it will be totally exposed on the public Internet, then add firewalls and such as an afterthought if appropriate. If something is not secure enough to be exposed to the public Internet without a firewall, it's not secure enough to be connected to any network ever.

wirestyle22

@adam.ierymenko said:

@Dashrender "That is no lie - So I can't get what I want, you'll give me this little thing over here, OK I'll just create a way to get what I want through that little thing.. done.. yeah - huge problem!"

You can't secure things by breaking them. People will find ways around your barriers because they need things to work, and the things they cobble together will probably be less secure than what you started with. You have to secure things by actually securing them.

Fundamentally the endpoint is either secure or it is not. If it's not, all someone has to do is get into something behind your firewall and they own you. Increasingly that something could be a printer, a light bulb, or a microwave oven. How often do you patch your light bulbs? If the cloud killed the firewall, then IoT will dig it up and cremate it and encase it in concrete and re-bury it.

My approach to security is: secure everything as if it will be totally exposed on the public Internet, then add firewalls and such as an afterthought if appropriate. If something is not secure enough to be exposed to the public Internet without a firewall, it's not secure enough to be connected to any network ever.

So what would be an appropriate situation to use a firewall if nothing that is secure enough to be exposed to the public internet without a firewall should be connected to a network?

adam.ierymenko

@wirestyle22 I was describing a guiding principle. Obviously not everything measures up to that and firewalls are still needed for a lot of situations. I just consider them "legacy" and think that if you're designing or building something new it's best to design it to be secure in itself rather than assuming your private network is always going to stay private. Never trust the network, especially if it might have light bulbs and cloud connected printers on it.

I also think the firewall's obsolescence is a fact regardless of how I or anyone else might feel about it. IoT, BYOD, and the cloud are killing it so best plan for its death and prepare accordingly. I just happen to be in the camp that's quietly cheering for its demise because I think it's a bad ugly hack that breaks the functionality of networks and endpoint-centric security is better.

Edit: this is good too: http://etherealmind.com/why-firewalls-wont-matter-in-a-few-years/

I basically agree with all of that.

wirestyle22

@adam.ierymenko said:

@wirestyle22 I was describing a guiding principle. Obviously not everything measures up to that and firewalls are still needed for a lot of situations. I just consider them "legacy" and think that if you're designing or building something new it's best to design it to be secure in itself rather than assuming your private network is always going to stay private. Never trust the network, especially if it might have light bulbs and cloud connected printers on it.

I also think the firewall's obsolescence is a fact regardless of how I or anyone else might feel about it. IoT, BYOD, and the cloud are killing it so best plan for its death and prepare accordingly. I just happen to be in the camp that's quietly cheering for its demise because I think it's a bad ugly hack that breaks the functionality of networks and endpoint-centric security is better.

Edit: this is good too: http://etherealmind.com/why-firewalls-wont-matter-in-a-few-years/

I basically agree with all of that.

This appsec keynote is terrifying. I mean, you kind of expect your security to be somewhat low at the 25 million dollar level but these fortune 500 companies too? Man. The stuff of nightmares

Dashrender

If the goal is application security, what is the point of SDNs if not to offer a stop gap in the meantime until the apps get themselves where they need to be?

I don't understand why that article mentioned using SDNs for East - West communications, why wouldn't you just have the apps themselves be secure? Using SDNs is just another layer of the problem he speaks of.

adam.ierymenko

@Dashrender SDNs are about connectivity and manageability, not security per se -- though they can of course be secure and have lots of security related features. SDN is about being able to have mobile devices with stable addresses, fail-over without interrupting flows, control over where flows go, ability to provision new network paths without pulling cable, seamlessly link locations, fail-over across ISPs and clouds, etc.

Dashrender

OK that makes sense, but you're still relying on using IP addresses as verified endpoints, I thought one of the goals was to get away from that?

I really like your PDF.

Though I think the government will do everything in it's power to kill P2P because they can't put reasonable taps on it.

Just look at Skype. It used to be one of the best wide use P2P, but there is some pretty good evidence that the three letter agencies put pressure to make taps possible - and what do we have today - a almost completely centralized application that MS can tap right in the middle of any conversation they want.

Due to this fundamental change in the way Skype functions leads me to using it as little as possible.

stacksofplates

@Dashrender said:

OK that makes sense, but you're still relying on using IP addresses as verified endpoints, I thought one of the goals was to get away from that?

I really like your PDF.

Though I think the government will do everything in it's power to kill P2P because they can't put reasonable taps on it.

Just look at Skype. It used to be one of the best wide use P2P, but there is some pretty good evidence that the three letter agencies put pressure to make taps possible - and what do we have today - a almost completely centralized application that MS can tap right in the middle of any conversation they want.

Due to this fundamental change in the way Skype functions leads me to using it as little as possible.

Hangouts just went the other direction. If it's possible to do P2P it will.

Dashrender

While I really love the idea of decentralization, but I'm not sure how things like presence away communications can exist without it.

I'm trying to see how chat clients can work without centralized hubs that at least put two people into contact with each other - like a phonebook.

This is the old method Skype used to use, communication would start with the hub helping the endpoints find each other, then drop out of the communication and the endpoints were P2P.

scottalanmiller

@Dashrender said:

The biggest concern I see from something like ZT and Pertino is the breakdown of the protections that users get from simple routers - no even counting firewall features. i.e. ethernet packets (MAC based) traditionally can't traverse routers, therefore devices can't be attacked with these lower level MITM attacks that hear hear about on wireless networks, etc.

Am I concerned for nothing?

The concern would be the same as any LAN. Any VPN technology can bypass those "security" measures that you are envisioning and anyone on the same LAN is "wide open" to each other. So while there is a reason to be aware, if you feel it is a full concern, the only answer would be a hardware router in front of every device.

scottalanmiller

@Dashrender said:

@adam.ierymenko said:

Firewalls are dead. Thank the cloud.

huh - you're the first that I can recall ever saying that firewalls are dead. from your above post about IPV6 and killing local firewalls, I can see I think you really mean that.

https://community.spiceworks.com/topic/1409230-need-for-firewalls-on-home-networks
http://www.infoworld.com/article/2616931/firewall-software/why-you-don-t-need-a-firewall.html

scottalanmiller

@adam.ierymenko said:

No joke though. I really honestly think we could have just taken our firewall down and given every machine a public IP and there would have been little or no change to security posture. If anything, firewalls encourage the "soft underbelly" problem by giving people the illusion that the local network is secure. Take that old obsolete crutch away and people who do things like bind unpassworded databases to ::0 will look like dummies real fast and the problem will take care of itself over time.

I don't agree with the concept that hardware network edge firewalls are dead, mostly because of the layered vulnerability problem (any bug in your OS is exposed for exploit instead of only bugs in your firewall first then bugs in your OS.) But I totally agree with the problems around the illusion of security. This is why things like port changing are actually security negatives - they both give a totally false sense of security and do nothing to actually slow an attacker in the least while flagging you as having something to hide and being clueless about security all at once.

scottalanmiller

@adam.ierymenko said:

My approach to security is: secure everything as if it will be totally exposed on the public Internet, then add firewalls and such as an afterthought if appropriate. If something is not secure enough to be exposed to the public Internet without a firewall, it's not secure enough to be connected to any network ever.

Totally agree, and this is my "LANless" philosophy. The LAN is public, it is the the enemy.

You should only be "LAN-aware" insofar as knowing where the bandwidth is high versus where it is slow and/or metered.

scottalanmiller

@adam.ierymenko said:

Most people don't run php web apps on desktops and mobile devices.

Apple did for a while

scottalanmiller

@Dashrender said:

That is no lie - So I can't get what I want, you'll give me this little thing over here, OK I'll just create a way to get what I want through that little thing.. done.. yeah - huge problem!

Which is a key reason why I don't promote "over blocking" end users. Blocking things they would never want but might stumble on (malware, for example) at work is fine, if they were trying to download malware you've got other issues. But if they are trying to read their email, check on the time to pick up their kids from school or see how their buddy in the hospital is doing and we block them we become a barrier to overcome, IT becomes the silent enemy and they will find ways around that security.

It is more secure to work with end users as security partners. In it together. Once we work against the end users, they are working against us.