Linked by Thom Holwerda on Thu 5th May 2011 21:07 UTC, submitted by sawboss
Games There's fail, there's epic fail, and then there's Sony. You may've thought it wasn't possible, but Sony has just outdone itself on the fail scale, forcing us to add yet another notch. During the congressional testimony this morning, Dr Gene Spafford of Purdue University revealed just how badly Sony managed its Playstation Network servers. It's... Bad.
Thread beginning with comment 472008
Firewalls
by Neolander on Fri 6th May 2011 11:03 UTC
Neolander
Member since:
2010-03-08

Can someone with a security background explain to me how exactly firewalls can improve the security of a computer?

Reply Score: 1

RE: Firewalls
by WereCatf on Fri 6th May 2011 11:33 in reply to "Firewalls"
WereCatf Member since:
2006-02-15

Can someone with a security background explain to me how exactly firewalls can improve the security of a computer?


Firewall may or may not be such a great term; it depends, and it may refer to a firewall installed on the machine itself, or to a firewall between the machine and the internal network (the latter is obviously the more secure choice). But the point is that the server had full access to the whole internal network; it was not restricted in any way or form. In a network the size of PSN itself, and especially when the server is also serving traffic from the Internet, any IT admin worth his/her salt should limit the access such a machine has to the internal network. I.e. it should not be able to access everything, only the very specific machines that it needs to function, and only the kind of traffic that one should expect from it.

Giving complete, unrestricted access to the internal network the magnitude of PSN from a machine running outdated, unpatched server software is a failure of epic proportions.

Edited 2011-05-06 11:35 UTC

Reply Parent Score: 2

RE[2]: Firewalls
by Neolander on Sat 7th May 2011 06:17 in reply to "RE: Firewalls"
Neolander Member since:
2010-03-08

Thanks to everyone who replied !

So if I sum up correctly, there's more to firewall technology and its applications than the "let's close ports like crazy and break everything which might use them" side of it, which is commonly called a firewall on the desktop. (Yup, I really am a networking newbie)

The firewall term may also refer to restricting which machines in a corporate network may connect to a given other machine. Sort of like more advanced routing.

I'd spontaneously wonder how a random forum's server got physically connected to the Great PSN Database with full access to its data in the first place, but I guess for the first part it's easier to do this way and for the second part it's the security failure of epic proportions we're talking about. Unneeded security permissions are the root of all evil.

I didn't understand the part about apache's mod-security.

Reply Parent Score: 1

RE: Firewalls - improvement
by jabbotts on Fri 6th May 2011 14:22 in reply to "Firewalls"
jabbotts Member since:
2007-09-06

Considering the firewall in the general sense of network filtering on the server or in front of it on a separate box: to access my httpd or sshd, you have to be coming from a valid remote location explicitly allowed in the firewall rules. This makes my machine more secure than one which accepts potential attacks from any remote location in addition to valid ones.

Deny all, allow the minimum required.

We can also look at application level "firewalls" in the form of mod-security for apache. This sits between your webserver/website and the remote connection filtering out attempts to exploit flaws in your httpd or website code. Sony can afford to hire an admin to manage mod-security.

We could also separate the database and web servers and have the database server only allow connections from the webserver. One must now break into the webserver before being able to start breaking into the database server. Should the first one be breached, what allowed a criminal to access the webserver's command line is not likely to be present on the database server. Monitoring of the webserver should make the breach evident; hopefully before the database server breach can be successful.

Reply Parent Score: 2
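As an added example (not from the thread or any poster), the "deny all, allow the minimum required" layout jabbotts describes above, written as an nftables ruleset generated by a POSIX shell script: the web host accepts httpd from anywhere and sshd only from an admin network, while the database host accepts its database port only from the web host, and everything else is dropped and logged so a breach attempt shows up in monitoring. The addresses, the port and the two function names are constructed assumptions.

```shell
#!/bin/sh
# Added example: generate a default-deny nftables ruleset for a two-tier
# web/database layout. All addresses and ports below are constructed.
ADMIN_NET="203.0.113.0/24"   # constructed: only source allowed to reach sshd
WEB_HOST="192.0.2.10"        # constructed: the Internet-facing web server
DB_PORT=3306                 # constructed: database listener on the db host

# Print the ruleset for a role ("web" or "db") to stdout. Inbound policy is
# drop; only the listed source/port pairs are accepted, and everything else
# is counted and logged so the drops are visible to monitoring.
build_ruleset() {
  printf 'flush ruleset\n'
  printf 'table inet filter {\n'
  printf '  chain input {\n'
  printf '    type filter hook input priority 0; policy drop;\n'
  printf '    iif lo accept\n'
  printf '    ct state established,related accept\n'
  printf '    ct state invalid drop\n'
  case "$1" in
    web)  # sshd only from the admin network, httpd from anywhere
      printf '    tcp dport 22 ip saddr %s accept\n' "$ADMIN_NET"
      printf '    tcp dport 80 accept\n'
      printf '    tcp dport 443 accept\n' ;;
    db)   # sshd only from the admin network, database only from the web host
      printf '    tcp dport 22 ip saddr %s accept\n' "$ADMIN_NET"
      printf '    tcp dport %s ip saddr %s accept\n' "$DB_PORT" "$WEB_HOST" ;;
    *)    echo "unknown role: $1" >&2; return 1 ;;
  esac
  printf '    counter log prefix "fw-drop: " drop\n'
  printf '  }\n'
  printf '}\n'
}

# Review helper: succeed (0) only if role $1 opens TCP port $2 solely to an
# explicit source address; fail if the port is open to anyone or not at all.
port_is_sourcelocked() {
  rs=$(build_ruleset "$1") || return 1
  printf '%s\n' "$rs" | grep -q "dport $2 ip saddr .* accept" || return 1
  ! printf '%s\n' "$rs" | grep -q "dport $2 accept"
}

# Usage: sh fw.sh db > db.nft && nft -c -f db.nft   # syntax check, then nft -f
if [ -n "${1:-}" ]; then build_ruleset "$1"; fi
```

Generate the file, check it with `nft -c -f`, and only then load it, so a typo in the rules cannot leave the host with an empty ruleset.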

RE: Firewalls
by Soulbender on Fri 6th May 2011 15:28 in reply to "Firewalls"
Soulbender Member since:
2005-08-18

They don't, in general. It's perfectly possible to make a server secure, from the network perspective, without a firewall. In fact, if a firewall is necessary the person who installed the server didn't do his job. Almost all properly designed software has built-in features for configuring access (tcpwrappers, apache allow/deny etc) and those features should be used.
In a properly configured server the firewall is an optional layer that increases security but isn't a necessity for the secure operation of the server.

Sadly, a lot of people seem to think that a firewall is a magic bullet that will protect your server from all harm and that it is somehow essential.

Of course, application security is an entirely different ballgame.

Reply Parent Score: 2

RE[2]: Firewalls
by WereCatf on Fri 6th May 2011 15:32 in reply to "RE: Firewalls"
WereCatf Member since:
2006-02-15

They don't, in general. It's perfectly possible to make a server secure, from the network perspective, without a firewall. In fact, if a firewall is necessary the person who installed the server didn't do his job. Almost all properly designed software has built-in features for configuring access (tcpwrappers, apache allow/deny etc) and those features should be used.
In a properly configured server the firewall is an optional layer that increases security but isn't a necessity for the secure operation of the server.

Sadly, a lot of people seem to think that a firewall is a magic bullet that will protect your server from all harm and that it is somehow essential.

Of course, application security is an entirely different ballgame.
Installing a firewall is not about protecting the server per se, it's about protecting the network from the server.

Reply Parent Score: 2