Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common? 348
An anonymous reader writes: I do some contract work on the side, and am helping a client set up a new point-of-sale system. For the time being, it's pretty simple: selling products, keeping track of employee time, managing inventory and the like. However, it requires a small network because there are two clients, and one of the clients feeds off of a small SQL Express database from the first. During the setup, the vendor disabled the local firewall, and in a number of emails back and forth since (with me getting more and more aggravated) they went from suggesting that there's no need for a firewall, to outright telling me that's just how they do it and the contract dictates that's how we need to run it. This isn't a tremendous deal today, but with how things are going, odds are there will be e-Commerce worked into it, and probably credit card transactions... which worries the bejesus out of me.
So my question to the Slashdot masses: is this common? In my admittedly limited networking experience, it's been drilled into my head fairly well that not running a firewall is lazy (if not simply negligent), and to open the appropriate ports and call it a day. However, I've seen forum posts here and there with people admitting they run their clients without firewalls, believing that the firewall on their incoming internet connection is good enough, and that their client security will pick up the pieces. I'm curious how many real professionals do this, or if the forum posts I'm seeing (along with the vendor in question) are just a bunch of clowns.
So my question to the Slashdot masses: is this common? In my admittedly limited networking experience, it's been drilled into my head fairly well that not running a firewall is lazy (if not simply negligent), and to open the appropriate ports and call it a day. However, I've seen forum posts here and there with people admitting they run their clients without firewalls, believing that the firewall on their incoming internet connection is good enough, and that their client security will pick up the pieces. I'm curious how many real professionals do this, or if the forum posts I'm seeing (along with the vendor in question) are just a bunch of clowns.
Common? (Score:5, Insightful)
In my experience, the stupid people tend to get fired eventually. But the mess they leave behind can be tremendous.
Every stupid idea is common (Score:5, Insightful)
Not just because plenty of things are run by stupid people, but also because otherwise smart people can have pretty damned important blind spots. And other IT people have been talked out of it by their clients just like you're letting happen.
Whether it's common or not has no bearing on whether it's a good idea.
The only question you need to ask them is weather they're willing to accept the quantified risks from having exposed systems.
Re:Its Fine. (Score:4, Insightful)
I think Target may disagree. Firewalls on database servers may not have kept their data safe but their experience proved that it is unwise to assume that all internal network traffic is trustworthy.
Fire(wall) and forget (Score:5, Insightful)
It sounds a little like you're trying to just fling a firewall at the system and improve some sort of objective security metric.
What threats are you risks to mitigate with the firewall? What threats will it help guard against?
They don't come for free, and configuring them don't come for free.
Run only services you need (Score:3, Insightful)
The key is to only ever run the services that are absolutely needed, carefully configure these and keep them up to date. If you follow that advice a firewall is an added level of security but not necessarily needed.
Picking battles... (Score:5, Insightful)
The problem with this battle is that you're a contract worker. So if reasoning/persuasion doesn't work, then you're only options are to end the contract, or fulfill your obligation.
Keep documentation that shows that you brought up the problem, and were rejected. Bake in language on subsequent contracts that give you an out under these types of scenarios, and move on.
If someone is unwilling to listen to reason, is in a position of power, and there's no laws that they are breaking, then that pretty much gives you all of the information you need to know about your options! Just learn to stop worrying and love the bomb.
Re:Apparently... (Score:5, Insightful)
Or bandwidth. Or visitors. Or intern-connections. There's a lot of room for serious damage from a lack of security, and not all of it is data theft.
People using your server as a spambot is bad.
People infecting your sites visitors with malware is bad.
People jumping to a different, more secure system from your server is bad.
We tend to notice the data theft issues most these days, because a lot of companies keep a lot of sensitive data, so a Target credit card hijack is tremendously bad and newsworthy.
But that doesn't mean other classes of security risk don't exist.
Re:Fire(wall) and forget (Score:5, Insightful)
It sounds like you're some bureaucrat trying to justify the costs of standard security practices.
The objective of any firewall is to prevent traffic on all unused ports in order to limit potential attack vectors. This is a given and no specific threat needs to be stated.
Put the firewall up FIRST, and open essential ports as necessary. This is network security 101.
Re:Fire(wall) and forget (Score:4, Insightful)
But again. What IS the threat of network traffic to a port no one is listening on? None. What your firewall is you protecting from is NOT bad stuff from the outside. It's protecting you from the inside danger that some service suddenly opens a port which is reachable from the outside. (Hate to dig out the old Win vs. *nix, but the usual suspects for this are usually Windows servers you need to lock down first, as they're usually asuming that they're in a friendly network. On *nix machines you usually need to manually add those services one by one, as you would open the ports on your firewall)
Risk Assessment!! (Score:4, Insightful)
There are lots of different risks that must be considered when securing a network or system. In my many years of securiy architecture, I've found it make the most sense to create a risk assessment.
Threat x Vulnerability x Impact = Risk
Once you have defined the risks, you can define the best protection method to reduce each risk.
Application firewalls may not be the best protection method depending on the rest of your network security controls. If you have strong network firewalls and every device that connects to the network must be authenticated (and scanned for viruses) before its given an IP address, an application firewall may not reduce much risk. If it doesn't reduce much risk, it may not be necessary.
In business, security is like insurance. You have to justify how much to spend, based on how it will protect us if something bad happens. Further, you have to make sure that whatever the security control is, it doesn't interfere with what the business needs to function. If the database cannot function with a firewall, a firewall is not the best protection method and other options should be considered (Network Intrusion Prevention systems, Data Protection [encryption/tokenization/hashing], Anti-Virus, File Integrity Monitoring, etc). There are many tools available to security professionals today. A firewall is a good tool, but not the only tool... depending on the situation, it may not even be the right tool.
Re:Fire(wall) and forget (Score:5, Insightful)
But again. What IS the threat of network traffic to a port no one is listening on? None. What your firewall is you protecting from is NOT bad stuff from the outside. It's protecting you from the inside danger that some service suddenly opens a port which is reachable from the outside. (Hate to dig out the old Win vs. *nix, but the usual suspects for this are usually Windows servers you need to lock down first, as they're usually asuming that they're in a friendly network. On *nix machines you usually need to manually add those services one by one, as you would open the ports on your firewall)
The firewall provides defense in depth. Yes, if nothing else goes wrong, the Firewall is unnecessary. On the other hand, if something else does go wrong, the firewall become another obstacle for the attacker.
Re:Fire(wall) and forget (Score:4, Insightful)
Unless someone figures out how to glean information from your system, or exploit something you don't know about in the operating system. If I can figure out what ports you have stuff listening on, I can work on exploiting the things that I can determine are listening.
Without a firewall, you're allowing external entities to map the system, when they shouldn't even be able to reach the system.
if you're going to try for security, assume nothing, trust nothing, and act as if it was really important stuff.
If you're not going to try for security, well, the Ostrich Algorithm is a strategy, but one whose consequences you might need to live with.
I'm more of the school that says packet requests from sources you don't trust should simply be dropped, and not provide them with any more information than necessary.
Re:It Depends (Score:4, Insightful)
Until someone install something else on the network segment. Like a wireless access point. Or until malware takes over one of the trusted hosts.
Security vulnerabilities always involve violations of some assumptions you make, e.g. that anything coming from a certain set of hosts is benign, or that if a process on a server opens up an IP port it's *supposed* to do that. You want the security of a system to depend on as few assumptions as possible. If it does no harm in day to day operations and offers protection when your assumptions fail, why *not* run a software firewall?
Re:Apparently... (Score:5, Insightful)
Exactly. Too many people (both businesses and home users) say "Well, I don't have anything that 'those hackers' would want so why bother with protections?" The thing is, though, you DO have something they want. At the very least, a home user has bandwidth. If a malware author hijacks a computer, he can use it to pump out tons of spam. The user might notice an annoying slowdown but otherwise wouldn't know what was up. In the case of businesses, infecting your customers with malware (due to being hacked) or your site slowing down to a crawl (because it is a spam bot and is spending precious resources spamming people) is a sure method to lose customers. I'd wager that the money "gained" by not doing a proper firewall network is more than lost by the "lost sales" of customers fleeing after the servers have been hacked.
No Excuse really these days. (Score:4, Insightful)
How about this: If you find yourself needing a firewall, your system design has already failed. Every single system should assume actively hostile environment.
I can only repeat your original subject.
Re:Its Fine. - not (Score:5, Insightful)
Application support always says to turn off everything that might possibly interfere with their precious application. They would have you shut down the operating system if they didn't need it. Application support lives in a fairy land where the only thing they have to worry about is their application. They don't have to fix anything if the application isn't broken. They have no interest in anything else. A good vendor will program their application to work with the system standards. Most ISVs are not good vendors.
As a system or network admin, you have to protect the application from the rest of the network and protect the rest of the network from the application and protect everything from the users and the Internet. Part of doing that is firewalling the crap out of your core network, and if you can't do that you should be looking at adding more VLANs and controlling traffic that way.