[isapros] FWENGMON issue for the brain trust

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 5 Jul 2006 21:09:46 -0500

Hey folks,

There was a discussion on the beta newsgroup that I thought would be interesting to put in front of the brain trust. There's nothing NDA here, so it's cool. My impression is that the person who was concerned about the fwengmon /allow option is akin to the IPv6 issue -- if the admin is incompetent, malicious or both, then of course the fwengmon /allow option can be abused. But the same incompetent and malicious admins can hork any other kind of firewall.

The example of the SBSer reading e-mail on the box is archetypal for the idiot admin who goes out of his way to subvert firewall security, so how is this different from creating an "allow all from everyone to everywhere" which you can do on any firewall, including the ISA firewall?

Wondering if customers really need to get their undies in a bunch about this, or is it calling "fire" at a weenie roast?

===========================
Message 1:
In my personal opinion, the interface method which "fwengmon.exe /allow" calls should not exist; there should be no such bypass-the-firewall method, even if it is handy for troubleshooting.

If it can't be removed, then there should at least be an Event Log message whenever it's invoked, and the fwengmon.exe tool should be able to display whether or not there are any bypasses currently configured so that it can be audited (the "/noallow" switch will turn any bypasses off, but it doesn't indicate whether it did anything or what the IP addresses were in the cancelled bypass).

I'm sure the ISA development team uses the bypass feature constantly, but that's development/debug code, and it wouldn't have to exist when the final product ships. Whenever I show others the "/allow" switch and its invisibility of operation, the response is always very negative.

Message 2:
Yes, but you have to get the file on the box. If I can place files on the firewall without your knowledge, the game is already over, isn't it?

Message 3:
I agree it's a bit paranoid, but I think the even greater threat comes from external buffer overflow attacks that call that method or malware that does the same when invoked by an interactively logged-on administrator who browses the net or reads e-mail as admin while at the ISA box (which will probably be running SBS, yet it will be ISA that gets the blame for it when the vulnerability is published). In these cases, fwengmon.exe wouldn't even have to be on the local drive. At a minimum, it would be nice if invoking that method --whatever it is-- at least wrote a message to an Event Log. (I also don't like how "lockdown mode" does not drop all existing connections and still allows new outbound connections, but that's another story and easy enough to fix with a custom panic script.)

On a purely marketing level, too, ISA has lots of prejudice to overcome, so I've encountered anti-Microsoft sysadmins who jump all over this "invisible hole feature" to undermine ISA as a trustworthy firewall (and then this can sway the fence-sitters in the room to lean to the negative side). I'd still prefer it if this firewall-bypass functionality didn't exist at all...
======================

 
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
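Message 1 asks for two things the tool does not give you: a record of every time the bypass is switched on, and a way to see which addresses are currently bypassed after a "/noallow". The following is an added example, not code from the thread or from ISA Server, showing how a defender can reconstruct both from the host's own process-creation audit trail. It assumes process-creation auditing with command-line capture is enabled on the ISA box (Windows Security event 4688 on current Windows; the event records below are constructed), and it assumes "/allow" is followed by the address list it applies to, which the thread does not spell out.

```python
"""Reconstruct fwengmon /allow and /noallow activity from process-creation events.

Added example, not part of the isapros thread. Assumes the host audits process
creation with command lines (Security event 4688). SAMPLE_EVENTS is constructed
test data, not real log output; the address argument after /allow is assumed.
"""
import re
from dataclasses import dataclass

PROCESS_CREATED = 4688  # Windows Security log: "A new process has been created"

# Match fwengmon.exe at any path and in any case, then capture its arguments.
FWENGMON_RE = re.compile(
    r'(?:^|[\\/\s"])fwengmon(?:\.exe)?"?\s+(?P<args>.*)$', re.IGNORECASE
)

# Constructed sample records: host, account and command line from event 4688.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "ISA01", "user": "CORP\\tshinder",
     "cmd": r"C:\Tools\fwengmon.exe /allow 192.168.1.50"},
    {"id": 4688, "host": "ISA01", "user": "CORP\\svc_backup",
     "cmd": r"C:\Windows\System32\ntbackup.exe /x"},
    {"id": 4688, "host": "ISA01", "user": "CORP\\tshinder",
     "cmd": r"fwengmon.exe /noallow"},
    {"id": 4688, "host": "ISA01", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": r"FWENGMON.EXE /ALLOW 10.0.0.0"},
]


@dataclass
class BypassFinding:
    host: str
    user: str
    action: str    # "allow" (bypass opened) or "noallow" (all bypasses cleared)
    targets: list  # addresses given to /allow; empty for /noallow


def classify(cmd):
    """Return ("allow", targets) or ("noallow", []) for a fwengmon command line, else None."""
    m = FWENGMON_RE.search(cmd)
    if not m:
        return None
    args = m.group("args").split()
    switches = [a.lower() for a in args if a.startswith("/")]
    if "/noallow" in switches:
        return "noallow", []
    if "/allow" in switches:
        return "allow", [a for a in args if not a.startswith("/")]
    return None  # some other fwengmon switch; not a bypass change


def audit(events):
    """The missing Event Log entry: one finding per bypass change, with who and where."""
    findings = []
    for ev in events:
        if ev["id"] != PROCESS_CREATED:
            continue
        result = classify(ev["cmd"])
        if result is None:
            continue
        action, targets = result
        findings.append(BypassFinding(ev["host"], ev["user"], action, targets))
    return findings


def open_bypasses(findings):
    """Replay findings in order: /allow adds its targets, /noallow clears everything.

    Returns the addresses still bypassed at the end, which is exactly what the
    tool's /noallow output does not tell you.
    """
    state = set()
    for f in findings:
        if f.action == "allow":
            state.update(f.targets)
        else:
            state.clear()
    return state


if __name__ == "__main__":
    found = audit(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host} {f.user}: {f.action} {' '.join(f.targets)}".rstrip())
    print("still bypassed:", sorted(open_bypasses(found)))
```

The replay answers Message 1's audit question (what is bypassed right now, and who opened it), but it only works when the switch is flipped by running the executable. Message 3's scenario, where code already running as the logged-on administrator calls the underlying interface directly, never creates a fwengmon.exe process and so leaves nothing for this check to see; that gap is why the thread asks for the logging to live in the firewall engine itself rather than in the tool.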

