Friday, April 21, 2006

Does Ease of Use Make for Bad Security?

Something I've been wondering for a while, has the proliferation of web-based and GUI firewall or security appliance interfaces over the past few years been helpful as far as enabling network security administrators? Take as examples Check Point's policy editor, Fwbuilder, or m0n0wall. All make administering firewalls pretty easy at this point. But do they really help administrators learn their craft? Is it too easy to administer a firewall or security appliance these days? While that sounds like an odd question (easy is good, right?), what if the ease of these products enables a false sense of security in their less experienced users? To put it another way, does the "security black box" that many of these appliances have become contribute to security blunders?

This may be just another variant of the "I walked uphill to school in two feet of snow every day when I was a kid..." story, but I learned firewall administration and networking by digging into low-level stuff: hand-editing firewall rulesets (Linux ipfwadm back then), dissecting pcap traces and syslog output, sometimes staring at driver code to figure out what an obscure error meant, and generally fixing problems by trial and error. Through this process, I learned a lot about how the security mechanisms I was using worked under the hood. This has helped me quite a bit over the years when confronted with an odd problem hidden by a convenient interface. Other people I know had the same experience fiddling with router ACLs, and the result was the same: their low-level experiences helped them become better administrators. This reminds me of the Joel on Software article on The Perils of Java Schools, where he says that Java is not a "hard" enough programming language to distinguish great programmers from mediocre ones. Similarly, perhaps experience with the latest black-box appliance is not a good indicator of skill in security administration.

Does this matter anymore? Can you take someone fresh out of a CS program, plop them in front of a Check Point firewall with a CD of PDF manuals, and expect them to create a coherent and effective security policy? I don't think so. Good security is still too hard - some of the most egregious security mistakes I've seen come from inexperienced admins using tools meant to make security "easy". If anything, these tools encourage the hiring of inexperienced security staff. While it's true that everyone makes mistakes, I think it's a matter of degree in this case.

One example I've seen plenty of over the years, in various forms, is allowing bi-directional traffic flow between hosts or networks when only one direction is needed. This usually shows up in rules like "Allow all TCP traffic on ports 1025-65535 to and from these two hosts", or "We have to allow the replies from our ISP's DNS server, so open up all traffic into our network with a source port of UDP 53". It stems from a lack of understanding of how stateful firewalls track connections, combined with only a basic understanding of how the underlying protocols work. But it opens up avenues of attack that would not otherwise have been present.
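To make the DNS-reply mistake concrete, here is an added example (not from the original post, and not the behaviour of any particular firewall product): a toy packet filter that evaluates the "allow anything inbound with source port UDP 53" rule next to a stateful rule that only admits replies to queries an inside host actually sent. All addresses and packets are constructed for the example; the state table is a plain set keyed on the 5-tuple.

```python
"""Toy packet filter contrasting a stateless 'source port 53' allow rule
with a stateful rule that tracks outbound DNS queries."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True when the packet arrives from the outside

ISP_DNS = "198.51.100.53"   # constructed resolver address (RFC 5737 range)

def stateless_allow(pkt: Packet, table: set) -> bool:
    """The rule as written by the inexperienced admin: any inbound UDP
    packet with source port 53 is allowed, whoever sent it and wherever
    it is going. The state table is ignored."""
    if pkt.inbound:
        return pkt.proto == "udp" and pkt.sport == 53
    return True    # everything outbound is allowed

def stateful_allow(pkt: Packet, table: set) -> bool:
    """Stateful equivalent: outbound DNS queries to the ISP resolver are
    recorded, and an inbound packet is admitted only if it is the exact
    reverse of a recorded flow (the reply to something we asked)."""
    if not pkt.inbound:
        if pkt.proto == "udp" and pkt.dst == ISP_DNS and pkt.dport == 53:
            table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True
    reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return reverse in table

def run(policy, packets):
    """Evaluate packets in order with a fresh state table; return verdicts."""
    table = set()
    return [policy(p, table) for p in packets]

# Constructed traffic: a legitimate query and its reply, followed by an
# unsolicited inbound UDP packet from an unrelated host that merely sets
# its source port to 53 and aims at a different service on the inside host.
QUERY    = Packet("udp", "10.0.0.5", 40000, ISP_DNS, 53, inbound=False)
REPLY    = Packet("udp", ISP_DNS, 53, "10.0.0.5", 40000, inbound=True)
STRANGER = Packet("udp", "203.0.113.9", 53, "10.0.0.5", 111, inbound=True)

if __name__ == "__main__":
    print("stateless:", run(stateless_allow, [QUERY, REPLY, STRANGER]))
    print("stateful: ", run(stateful_allow, [QUERY, REPLY, STRANGER]))
```

The stateless policy passes all three packets; the stateful one passes the query and its reply but drops the unsolicited packet, because no inside host ever sent a query that it could be the answer to.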
