Sunday, July 19, 2009

Public vs. Private Firewalls

Got a bit distracted getting our Microsoft Surface devices up and going. While initially ambivalent about Windows Presentation Format (and its quirky XAML), I am starting to warm up to it. More on that later.

On a very cool note, we recently got our paper on public versus private firewalls accepted into NPSec 2009, a workshop at ICNP. We had a very near miss at HotSec which was a bummer but very good feedback / discussion with the chairs which helped on our shorter submission to NPSec.

In short, the paper tries to debunk the myth that private firewalls are better. The fact that this security through obscurity of private firewall rules has long been a pet peeve of mine but I have not had the math skills to do a reasonable argument beyond random, flailing hyperbole. Enter my graduate student Qi who was willing to try to prove the ramblings of his advisor. With his wife, they constructed a very nice game theory concept showing how private firewalls are lose, lose, lose across the board.

Think of the debate of public versus private in the following manner. Private firewalls back in the day could be argued to provide a reasonable defense. Inference of private rules would take time and would create a glowing, red beacon that one's network would soon be under attack. Beyond exposing oneself or small number of compromised machines, it was not easy back in the day to conduct said inference.

Contrast that with the scenario of today. Botnets are out there and are dirt cheap with massive volumes of machines. Scanning now can be done quite discretely with "disposable" hosts for folks that are more than likely extremely patient enough to wait a few hours or days for the rule inference.

Hence, what do you get from private firewall rules? You get distributed applications being a pain to debug due to how firewalls are typically configured as black holes. Moreover, distributed applications are not going away nor is the next distributed pattern likely to be easy to predict. Thus, one is paying valuable employee or system administration time tracking the problem back to the firewall. Is it your firewall? Is it my firewall?

Certainly, there are a slew vendors that would help you with that task. But why do we even need to go through that? Unless the scanner (bad guy) has some sort of ADD and can't wait just a little bit for a result (perhaps for terrorism / cyber-warfare with state-vested interests might be an exception), there is absolutely no gain to be had with the private firewall rule setup.

The paper has some nice explanations via game theory why this is the case. Moreover, while not listed in this paper, they also derived results that show if you can selectively lie, it can be used as an insurance to actually improve the overall system which is very cool. The partial truth / untruth could be used as an enhanced honey that draws attackers into a honeypot or other system.

Reactions from pitching this to various folks has been an interesting illustration in and of itself. Folks that work in security tend to instinctively flinch while folks that work in systems tend to be intrigued by it. Then again, I would add the caveat that I think that NATs are probably one of the most important security technologies :)