Tuesday, July 18, 2006

Most firewalls help no-one

TCP/IP supports the notion of ports so that a single server can run multiple “services” and a client can reach a particular service by connecting to its port. In this world we are really talking about application services such as FTP, HTTP, RPC etc. Most services have “standard” ports.

90% of firewalls on corporate networks automatically block traffic on all but outbound port 80 – this is left open to allow users (web browsers) to browse websites. This rests on the naïve assumption that it will allow the IT group to control traffic and prevent the use of unauthorised or insecure services (such as chat applications, or external email that may not be virus scanned).

So software application developers can now only rely on outbound port 80: anything more than this is likely to require users to seek “permission” from IT groups to open ports in the firewall. This will normally be a very slow process, and most likely the request will be denied. I believe this is because each open port is perceived as a “hole in the wall” – i.e. something that weakens the defences.

Since the developers can only rely on port 80 there is now a tendency to squeeze all kinds of traffic through it:

  • HTTP file uploads as an alternative to FTP
  • Various custom HTTP based protocols for modern IRC apps like Windows messenger
  • HTTP based mail protocols like hotmail; and in other cases basic webmail
  • Web services – RPC (and hence any computing you like) via HTTP

So IT groups (through poor policy and process) have not plugged any security “holes” in the network; they have just moved the problem on. Now it requires more “advanced” firewalls to attempt to control the traffic going through port 80, which in turn will cause developers to find some other way to “wrap” different forms of traffic and make it look like the “widely accepted” one.

This cycle will never stop. We all suffer because each iteration causes more processing power to be required in the software (to unpack all the layers), and more processing is required in the firewall to detect “naughty” traffic masquerading as “normal” traffic.
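As an added illustration (not part of the original post) of what the “advanced” firewall has to do, here is a small Python classifier that looks at the first bytes of a connection to port 80 and decides whether it is plain browsing, an HTTP file upload, a web-service RPC call, a CONNECT tunnel, TLS, or something that is not HTTP at all. The sample payloads are constructed for the example; the category names and the header heuristics (SOAPAction, Content-Type) are this example's own choices, not a standard.

```python
import re

# Constructed sample payloads standing in for the first bytes of a port-80 flow.
SAMPLES = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "soap_rpc": (b"POST /rpc HTTP/1.1\r\nHost: example.com\r\n"
                 b"Content-Type: text/xml\r\nSOAPAction: \"urn:DoWork\"\r\n"
                 b"Content-Length: 0\r\n\r\n"),
    "upload": (b"POST /upload HTTP/1.1\r\nHost: example.com\r\n"
               b"Content-Type: multipart/form-data; boundary=abc\r\n"
               b"Content-Length: 0\r\n\r\n"),
    "connect": b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
    # TLS record header: ContentType 0x16 (handshake), version 0x0301.
    "tls_record": b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 11,
    "raw_binary": b"\x00\x01\x02\x03HELLO\xff\xfe",
}

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.[01] CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]{3,10}) (\S+) HTTP/1\.[01]\r\n")
# One header field: token ":" field-value (no CR/LF inside)
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[^\r\n]*$")
MAX_HEAD = 8192  # only the request head is inspected


def parse_http_request(data):
    """Return (method, target, headers) if data starts with a well-formed
    HTTP/1.x request head terminated by a blank line, otherwise None."""
    head = data[:MAX_HEAD]
    m = REQUEST_LINE.match(head)
    if not m:
        return None
    head_end = head.find(b"\r\n\r\n")
    if head_end == -1:
        return None
    headers = {}
    for raw in head[m.end():head_end + 2].split(b"\r\n"):
        if not raw:
            continue
        if not HEADER_LINE.match(raw):
            return None  # malformed header line: not HTTP as far as we are concerned
        name, _, value = raw.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii", "replace")
    return m.group(1).decode("ascii"), m.group(2).decode("ascii", "replace"), headers


def classify_port80_payload(data):
    """Label the traffic type carried on port 80 using only the request head."""
    if len(data) >= 3 and data[:2] == b"\x16\x03" and data[2] <= 3:
        return "tls-on-port-80"
    req = parse_http_request(data)
    if req is None:
        return "non-http"
    method, _target, headers = req
    ctype = headers.get("content-type", "").lower()
    if method == "CONNECT":
        return "http-tunnel"
    if "soapaction" in headers or ctype.startswith(("text/xml", "application/soap+xml")):
        return "http-rpc"
    if ctype.startswith("multipart/form-data"):
        return "http-file-upload"
    return "http"


def classify_samples():
    """Classify every constructed sample; returns a name -> label mapping."""
    return {name: classify_port80_payload(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:12s} -> {label}")
```

Each label is a policy decision point: the firewall can pass “http”, rate-limit or log “http-file-upload” and “http-rpc”, and block “http-tunnel”, “tls-on-port-80” and “non-http”. The point the post makes still stands, though: the classifier only sees what the client chooses to show it, so a protocol wrapped one layer deeper (RPC inside a multipart upload, say) looks like the previous, accepted category until the inspection is extended again.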
