Carolyn P. Meinel Hall of Shame
Technical Wonder: Firewalls

[This was a great thread. Carolyn starts off by saying that TCP Wrappers
 were firewalls. Then she changed her mind to say they were good elements
 of firewalls. So after her and Krystalia's mail, I whip up a quick post
 about them. In the first mail, the > material is Krys' original reply.]

Date: Mon, 16 Feb 1998 13:45:14 -0700 (MST)
From: Carolyn P. Meinel 
To: krys 
Subject: Re: Happy Hacker Digest Feb. 11, 1998

You have an uphill battle to convince people TCP Wrappers have nothing to do
with firewalls.  Also, I have never heard of anyone being hurt by using TCP
Wrappers.  In fact, everyone I have encountered who uses them believe they
are a great component of a competent firewall.

>TCP Wrappers have nothing to do with firewalls. They're a completely 
>separate issue. Firewalls have two main functions - to act as a packet 
>filter, and/or a proxy server. The most common use for firewalls is 
>to filter the packets trying to pass through according to the ruleset you 
>specify, according to the source and/ or destination address(es), and/or 
>port(s), among other things. This is sometimes combined with a proxy 
>server configuration, which allows a computer to communicate with another 
>network or the internet on behalf of your network, allowing a 
>single connection to be shared by any number of machines simultaneously.
>Some of the better ones are Raptor, Gauntlet, and tisToolkit, though from 
>what I've heard, I'd stay away from FW-1 (sorry, m0d :). TCP Wrappers 
>protect individual ports with verbose logging, among other things. As you 
>can see, these two things are not closely related. As usual, Carolyn, you 
>know not of what you speak. Stop it, before someone gets hurt.



[While checking my own reference material as well as the book she quotes,
 I find that the book is wrong in a few areas so I CC the publisher 
 as well.]

From: jericho@dimensional.com
To: Carolyn Meinel 
Cc: DC-Stuff , programming_mgr@sams.mcp.com
Date: Mon, 16 Feb 1998 17:55:18 -0700 (MST)
Reply-To: 303@303.org
Subject: [303] tcpwrappers vs firewalls (or _Maximum Security_ and Carolyn are wrong)


Although I do not install and build firewalls, I would like to give some
input regarding the following inaccurate statements. 

[The following material quoted from CM comes from several different
 sources, not just one piece of mail.]

---------- Forwarded message ----------
Date: Mon, 16 Feb 1998 13:45:14 -0700 (MST)
From: Carolyn P. Meinel 
Subject: Re: Happy Hacker Digest Feb. 11, 1998

> You have an uphill battle to convince people TCP Wrappers have nothing
> to do with firewalls.  Also, I have never heard of anyone being hurt by
> using TCP Wrappers.  In fact, everyone I have encountered who uses them
> believe they are a great component of a competent firewall.

>> [Carolyn -- Depends on what you use it for. An ISP needs a different
>> one from a big company. TCP wrappers with secure sockets layer is good
>> for an ISP, with Kerberos and no rhosts stuff for the internal LAN. But 
>> that's just my opinion.]

Technically an ISP is probably better off without a firewall. The nature
of the service they are required to provide for customer use negates the
effective use of a firewall. Applying bastion host security to each ISP
machine is the better way to go. Above you almost touch on that by
mentioning Kerberos and no rhosts, but you use it in the wrong context of
your firewall statement.

>> [Carolyn: Funny, lots of other people think TCP Wrappers are an
>> essential element of a good firewall.  For example, see the book
>> "Maximum Security" published by Sams.net and available in Barnes and
>> Noble bookstores or at  their Web site.  This book includes a CD-ROM
>> with scanners and exploits -- perfect for the intermediate hacker.

Maximum Security, page 183. "[tcp wrappers] replaces inetd as a daemon,
and has strong logging options". Ugh.. that is completely wrong Carolyn.
The book is wrong on this issue. The tcp_wrappers package does not
replace the inetd daemon. The package instead has inetd call each service
and run its own program that checks the configuration files to see if the
connect is allowed or not. Page 449 "The program works by replacing system
daemons and recording all connection requests...". Once again the book
mistakenly says that it replaces these daemons, when it does not. Page
643, it says the same thing verbatim. In the Index, these are the only
pages listed under "TCP_Wrappers (packet filtering utility". Bad book to
quote. This book is not perfect for anyone, especially an intermediate
hacker. Anyone who agrees with this book is also wrong.

> 	To be more specific, TCP Wrappers can keep logs of the goings on between
> your computer and the outside world, but do not halt access to attackers
> like a firewall.  Some sort of logging utility such as TCP wrappers should
> be a part of any firewall. Look at TCP wrappers as a burglar alarm.

SunScreen is a firewall. Does it run Venema's package? No.

"As noted, the tcpwrapper only works for servers run via inetd" -
Firewalls and Internet Security by Cheswick/Bellovin. Since Windows NT
doesn't run inetd, and you say tcpwrappers "are a great component of a
competent firewall". Does that mean that ALL NT based firewalls are not
competent?

"The TCP Wrapper is a freely available access control software for Unix
systems. It is not a program that is run on a firewall. Rather it is used
to protect the systems in the public network outside the firewall."
	- Internet Firewalls and Network Security (New Riders)

According to _Firewalls and Internet Security_ by Cheswick/Bellovin,
there are three major styles of firewalls, and remember, a firewall is a
concept more than anything.

packet filtering : packet filters work by dropping packets based on their
source or destination addresses or ports.

circuit gateways : relay TCP connections

application gateways : relay specific applications via proxy

Each of the above achieves its security via different methods. Consider
this example. A SunScreen is Sun Microsystem's firewall. Like all
firewalls, it bases its security off a ruleset for allowing traffic
through it. It does not run tcp_wrappers (written by Wietse Venema).
It does the same idea as tcp_wrappers in that it filters traffic based off
connections vs what's allowed in the ruleset. It does NOT wrap the services
on that machine specifically though.
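[Added illustration, not part of any of the mails above and not Venema's code: a toy model of the tcp_wrappers decision that the post describes. inetd accepts the TCP connection and execs tcpd; tcpd reads hosts.allow and then hosts.deny, logs the request, and only then execs the real daemon or exits. The hosts.allow / hosts.deny contents, daemon names and client addresses are constructed sample data; the log line format is a simplification. The point it makes concrete is the one above: the wrapper decides per accepted connection on the protected host itself, it never stops a packet from arriving, which is what distinguishes it from a packet filter.]

```python
"""Toy model of hosts_access(5) as used by tcp_wrappers (constructed example,
not the real tcpd). Order of evaluation: a match in hosts.allow grants, else a
match in hosts.deny refuses, else access is granted."""

import ipaddress
from typing import Callable, List, Tuple

# Constructed sample /etc/hosts.allow in hosts_access(5) syntax:
#   daemon_list : client_list
HOSTS_ALLOW = """
# the 10.1.x.x net may use everything, except one misbehaving host
ALL : 10.1. EXCEPT 10.1.2.3
# anyone may reach the mailer
sendmail : ALL
# one admin box may use the r-services
in.rshd in.rlogind : 192.0.2.10
"""

# Constructed sample /etc/hosts.deny: refuse everything not allowed above
HOSTS_DENY = """
ALL : ALL
"""

Rule = Tuple[List[str], List[str]]


def parse_rules(text: str) -> List[Rule]:
    """Return [(daemon_tokens, client_tokens), ...], ignoring comments/blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(token: str, client: str) -> bool:
    """One client_list pattern against a dotted-quad client address."""
    if token == "ALL":
        return True
    if token.endswith("."):            # leading-octet prefix, e.g. "10.1."
        return client.startswith(token)
    if "/" in token:                   # net/mask form, e.g. "10.0.0.0/255.0.0.0"
        net, mask = token.split("/", 1)
        return ipaddress.ip_address(client) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    return token == client


def list_matches(tokens: List[str], is_match: Callable[[str], bool]) -> bool:
    """Evaluate a daemon_list or client_list with the EXCEPT operator:
    'a b EXCEPT c' matches when (a or b) matches and c does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_matches(tokens[:i], is_match)
                and not list_matches(tokens[i + 1:], is_match))
    return any(is_match(t) for t in tokens)


def rule_matches(rule: Rule, daemon: str, client: str) -> bool:
    daemons, clients = rule
    return (list_matches(daemons, lambda t: t == "ALL" or t == daemon)
            and list_matches(clients, lambda t: client_matches(t, client)))


def hosts_access(daemon: str, client: str,
                 allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> bool:
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    if any(rule_matches(r, daemon, client) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, client) for r in parse_rules(deny)):
        return False
    return True


def tcpd(daemon: str, client: str) -> str:
    """What tcpd does once inetd has handed it an already-accepted connection:
    log, decide, then exec the real server or exit. The TCP handshake has
    already completed on this host; nothing here filters packets."""
    log = f"{daemon}[tcpd]: connect from {client}"   # simplified log format
    if hosts_access(daemon, client):
        return f"{log}\nexec {daemon}"
    return f"{log}\nrefused connect from {client}"


if __name__ == "__main__":
    for d, c in [("in.telnetd", "10.1.5.6"), ("in.telnetd", "10.1.2.3"),
                 ("sendmail", "10.1.2.3"), ("in.rshd", "192.0.2.11")]:
        print(tcpd(d, c))
```

The EXCEPT handling and the allow-before-deny order are the two places where real hosts.allow files most often end up granting more than intended, which is why the checks above are written as separate, testable functions rather than one string comparison.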