Why I Hate Firewalls
To me, it's clear that the weakest point of any security system has always been the people: social engineering, bad passwords, software that allows buffers to overflow (see the next page for more on that).
Firewalls use a militaristic metaphor that does not accurately capture the way they operate. A better metaphor would be black holes: your data goes in, dies silently, and is never heard from again. As a general rule, you can only guess at a firewall's existence. Or, if you want a more human metaphor, the silent treatment. You just never hear anything back.
Currently at my work, there are multiple firewalls running around. I cannot FTP to our web server at a usable speed when behind the firewall. The web server is, of course, outside the firewall.
So I finally managed to get a connection outside the firewall. Great. Well, not really. Not only do I have ZoneAlarm (another firewall) nagging me all the time, but there are some systems that can *only* be accessed from inside the firewall.
So I'm playing musical cables, switching stuff around.
But wait, there's more. I have to remember which way things go. Say I want to copy a file from one computer to another. I cannot copy from an outside computer into an inside computer. I have to go log into the inside computer, and then tell it to copy from the outside computer. There is no easy way to remember which is an inside and which is an outside.
And today, I've discovered a site that is outside the firewall (it's a web server) and cannot be FTP-ed to from the connection outside the firewall. It must be, you guessed it, another firewall.
It's like the formerly two-way Internet has a bunch of one-way streets.
Buffer overflow: executive summary for non-programmer types. Programs are written in a way that allows a malicious user to input more information than will fit in an allotted space. This data then "overflows" into parts of the program it shouldn't. Usually, this just crashes the program. But sometimes this lets that user run commands they shouldn't.
This is how most web servers are broken into these days. And it only has to be figured out once: then the method is spread far and wide using the Internet.
This is a sin both Microsoft and UNIX operating systems are guilty of, though perhaps not in the same amount. The real sin is that a number of programming languages have been around for over 20 years in which you cannot create (or compile) a program that can buffer overflow. The language just won't let you. But programmers continue to use software that makes it easy to write sloppy programs that are easy to overflow. I get the feeling that an "Unsafe at Any Speed" book is going to come along and knock the software industry for a loop.
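To make the "allotted space" concrete, here is an added example (not code from the original post) in C, the kind of language that happily compiles the sloppy pattern described above. The buffer size NAME_LEN and the function names are assumptions for illustration; the unchecked copy shows where the overflow happens, and the checked copy beside it refuses input that would not fit.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16  /* the "allotted space": an assumed size for this example */

/* The sloppy pattern the post describes: input is copied into a
 * fixed-size buffer with no check of how much will fit. Anything beyond
 * NAME_LEN - 1 characters spills past the end of name[] into whatever
 * the compiler placed next to it. */
void copy_name_unchecked(char name[NAME_LEN], const char *input)
{
    strcpy(name, input);   /* no length check: the overflow happens here */
}

/* Hardened version: the copy is bounded by the destination size, the
 * result is always NUL-terminated, and oversized input is refused
 * (not silently truncated). Returns 0 on success, -1 if it would not fit. */
int copy_name_checked(char name[NAME_LEN], const char *input)
{
    size_t len = strlen(input);
    if (len >= NAME_LEN) {      /* need room for the terminating NUL too */
        name[0] = '\0';         /* leave a well-defined, empty result */
        return -1;
    }
    memcpy(name, input, len + 1);  /* len + 1 copies the terminator */
    return 0;
}

int main(void)
{
    char name[NAME_LEN];
    /* Constructed inputs: one that fits, one that does not. */
    const char *short_input = "chad";
    const char *long_input  = "this string is far longer than sixteen bytes";

    printf("short: %d (%s)\n", copy_name_checked(name, short_input), name);
    printf("long:  %d\n", copy_name_checked(name, long_input));
    /* copy_name_unchecked(name, long_input) would write past name[];
     * the checked version above is the fix. */
    return 0;
}
```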
Posted by Chad Lundgren on Tuesday, May 14, 2002
Posted by Melanie Thursday, April 10, 2003 at 02:40 PM
Could you please tell me how to get past the firewall at my work! I used to be able to use MSN messenger and yahoo messenger but now I can't anymore cuz of the firewall... do you have any wizz way to get around it.
Thank you
Melanie... pissed at firewalls
Unless otherwise expressly stated, all work on this site including photos, poems, and web logs entries are licensed under a Creative Commons License.