RE: [fw-wiz] Personal/Host-based Firewalls

From: Ames, Neil (NAmes@anteon.com)
Date: 09/26/02


From: "Ames, Neil" <NAmes@anteon.com>
To: "Firewall-Wizards (E-mail)" <firewall-wizards@honor.icsalabs.com>
Date: Thu Sep 26 12:10:02 2002

Juergen,
        I have, in addition to Rich's excellent point, two reasons for
running a host-based firewall:
1) I am running Windows 2000 Server and IIS: When I get patches I can end
up with things that were removed, disabled, or off being reinstalled,
enabled and/or turned on. (I have started using FCheck for integrity checks
and am stunned at the numbers of files that are changed with patches--too
much for any configuration manager to understand.) I have limited access to
the systems so I can't re-harden or re-evaluate the systems every time there
is a new patch. Running a separate layer of protection mitigates those
vulnerabilities.
2) Defense in Depth: The security layer I introduce between my
applications and the network is an additional protection against
mis-configuration and unknown vulnerabilities.

        The stuff is relatively cheap to buy--though the political and
administrative costs can be high. The finger of the troubleshooter always
points to "that damned security product" as the reason that the Quake server
doesn't work ;). When someone finds that disabling the firewall, rather
than changing a setting, makes a real problem go away then you lose
credibility and you have a rash of sudden firewall death syndrome (SFDS).
(They're willing to go into the registry to kill it.) It is a significant
hidden cost, in my environment, to be able to manage remote firewall
configurations. It is not, however, as significant as being shut down
permanently for losing control of the systems by other means--if you know
what I mean.

Thank you,

Fritz
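Neil's first point above (patches quietly re-enabling services that were turned off during hardening) can be checked without reading every changed file: compare the ports a host is listening on after a patch against the hardening baseline. The script below is an added example, not code from the thread; the baseline port set, the sample `netstat -an` output and port 8080 as the re-enabled admin site are constructed values.

```python
"""Detect listening ports that a patch (re)opened on a Windows host.

Added example, not from the thread. Assumes a saved hardening baseline
of ports that are supposed to be listening; anything beyond it is
drift that the host firewall must cover until the box is re-hardened.
"""
import re

# Lines in the format printed by `netstat -an` on Windows 2000.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\w+)?\s*$"
)

def listening_ports(netstat_output):
    """Return {(proto, port)} for sockets accepting inbound traffic.

    TCP counts only in LISTENING state; UDP sockets have no state and are
    reported as bound (netstat prints '*:*' as the foreign address).
    """
    ports = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header, blank line, or something we do not parse
        proto, _, port, _, _, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED, TIME_WAIT etc. are not inbound exposure
        ports.add((proto, int(port)))
    return ports

def hardening_drift(baseline, current):
    """Ports open now that the hardening baseline did not allow."""
    return sorted(current - baseline)

# Constructed baseline: what the hardened IIS box should expose.
BASELINE = {("TCP", 80), ("TCP", 443), ("TCP", 3389)}

# Constructed post-patch capture: SMB (445) and an admin site on 8080
# (assumed value) have come back after a patch.
POST_PATCH = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            10.0.0.9:1123          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    for proto, port in hardening_drift(BASELINE, listening_ports(POST_PATCH)):
        print(f"drift: {proto}/{port} is listening but not in baseline")
```

Run it against a real capture (`netstat -an > after.txt`) and every reported line is either a rule the host firewall must already block or a service to disable again.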

-----Original Message-----
From: Gautier . Rich [mailto:RGautier@drc.com]
Sent: Thursday, September 26, 2002 8:57 AM
To: 'Nieveler, Juergen'; 'Ames, Neil'; Firewall-Wizards (E-mail)
Subject: RE: [fw-wiz] Personal/Host-based Firewalls

There could be numerous reasons - for example - we have a single machine
that is fairly sensitive on our internal network. It has a personal
firewall that lets group X do NETBIOS sessions and group Y do SQL
connections, but X is not permitted to do what Y does. In this case, I
don't want everyone to be able to connect/attack the SQL server due to
the sensitivity of the data. However, creating a network segment for
just one machine makes no sense when a single-host firewall will do the
trick.

Rich Gautier
Dynamics Research Corp
Personal Website - http://rgautier.tripod.com
Attachment is Public Key for the sender: rgautier@drc.com

-----Original Message-----
From: Nieveler, Juergen [mailto:Juergen.Nieveler@akzonobeldeco.de]
Sent: Thursday, September 26, 2002 3:28 AM
To: 'Ames, Neil'; Firewall-Wizards (E-mail)
Subject: RE: [fw-wiz] Personal/Host-based Firewalls

> I have begun investigating personal/host-based firewalls for Windows
> 2K *Server*, with the hope of finding a solid, reliable, fast product
> that I can easily manage in an environment of distributed remote
> offices (in which I have limited access to the systems, or administration
> through someone else's eyes and ears).

What do you want to achieve with such a "firewall"? If people are supposed
to use the server, you have to open those ports that they need to use.

As for ports that they DON'T need to use - why install something on a server
that isn't used anyway?

-- 
Mit freundlichen Grüßen / Yours sincerely
Juergen Nieveler
eMail: Juergen.Nieveler@AkzoNobelDeco.de
Disclaimer: Views are mine, not my employers' 
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards