Great Circle Associates Firewalls
(February 1994)


Subject: Re: FTP and Telnet
From: Marcus J Ranum <mjr @ tis . com>
Date: Fri, 25 Feb 94 09:35:51 EST
To: firewalls @ GreatCircle . COM, sdeb @ callisto . eci-esyst . com
Cc: admin @ callisto . eci-esyst . com

>We are presently putting together an internal "Internet Access Policy"
>and have run into some bickering (surprising, huh). We block incoming
>telnet and ftp activity, and everyone generally agrees that this is
>important, but, what about outgoing ftp and telnet?

	We don't block outgoing FTP and telnet because our corporate
policy is "we trust our users" and because of the awareness that a
malicious user can export data in a wide variety of ways, some of
which a firewall cannot protect against.

	Perimeter security policies need to be consistent and
realistic. For example, if the policy is to block outgoing telnet
and FTP for fear of losing proprietary data, then email should
also be blocked or at least scanned, since someone could uuencode
(or binhex or shar or...) something proprietary and simply email
it out. Indeed, briefcase checks at facility entry/exit points
would also be consistent with such a policy -- the bandwidth of
a briefcase of DATs is very large.

	Basically, what you're getting at is the "can we trust
our users?" problem. In the military community, this problem is
attacked by background checks and the entire clearance process.
Recent and past events show us that that process isn't totally
infallible, either. If you don't trust your users to some degree
you have a major problem that a firewall can't begin to solve.

	Firewalls, as a small component of a perimeter defense,
can provide a degree of control and audit over internet traffic.
They cannot, however, implement a complete perimeter security
policy, nor should they be expected to.

>Has anyone really ever ftp'ed anything with a worm or virus into a
>site from the Internet? If yes, are there virus and/or worm protection
>software/procedures that will help alleviate this threat?

	Worms and virii are a nasty problem. There's an entire
class of "data-driven" bugs and virii/trojans that a firewall
can't protect you against. The reason is the same reason why
we still have PC virii: it's impossible to know in advance
how the next virus will work and what it will look like. The
creativity of the virus-writers seems to know no bounds. This
situation I call "the arms race" -- where you're constantly
struggling to recognize and defend against each new attack as
fast as the bad guys think them up. It's an awful spot to be
in. The problem is that there are so *many* ways a virus or a
trojan can be encoded as it passes through a firewall. It could
be in a uuencoded SPARC executable. Or a pkzip archive with
MSDOS binaries. Or a MIME message. Or a message to an ignorant
user reading, "please type the following..." (*)

	A firewall can't protect or scan against those because
of the arms race problem, and even if it could, it doesn't
prevent a user from bringing the virus in on a floppy disk
in a briefcase. The perimeter needs to be consistent.


(* Yes, something that stupid works. In fact, it works surprisingly
