RE: [fw-wiz] Defense in Depth to the Desktop

From: Chris Pugrud (
Date: 12/06/04

  • Next message: "Re: [fw-wiz] Cisco Pix 515E Configuration"
    To: Ben Nagy <>,
    Date: Mon, 6 Dec 2004 09:04:32 -0800 (PST)

    --- Ben Nagy <> wrote:
    [IPSEC Proposal]

    I have mixed feelings on inserting IPSEC into the mix directly. I do try and
    emphasize that I only feel that this is a small piece of the puzzle called
    defense in depth. I'm only trying to address the weaknesses of the network
    layer that I fell can taken care of with mostly existing hardware.
    Organizations with a Cisco core can upgrade to the firewall feature set to gain
    the stateful packet filtering required to implement the model, at least that's
    how I'm doing it in one fairly large environment.

    > You might also want to consider (ick) MS ISA Server for networks that have a
    > predominantly MS client pool (most). That will give you much better state
    > tracking for the tricksy SMB/CIFS/NetBIOS stuff, as well as user sensitive
    > rules as a side benefit. There are not many Stateful Packet Filters that can
    > do 'proper' state for ms-rpc and other nasty windows stuff which uses a lot
    > of UDP. Many (most?) just open up the UDP port for return traffic for a time
    > window. Well, at least they used to.

    The ISA server would add some small benefits, but I doubt it could handle the
    throughput on more than a modest sized network. I haven't had any issues with
    the tricky ms-rpc stuff, except the idiotic MAPI protocol, because they are
    still pretty good at being client->server(rpc), client->server(service), so the
    one way model holds fairly well. MS is also moving more to TCP, including the
    switch to SMB/TCP rather than SMB/NetBIOS/UDP/TCP. Doing things "proper" would
    have it's advantages, but at this time I continue to see more advantage in
    "keeping it simple".

    > One small flaw in your model is the "lurker worm" that sits on a server and
    > waits for a client to connect on the appropriate service. Imagine, for
    > example, a 0day LSASS worm - if the server is infected then the client pool
    > will be rapidly infected as well, because as soon as they talk to a domain
    > controller (in windowsland) the DC will helpfully send them a copy of the
    > worm for free. This doesn't invalidate the model, but it's an important
    > clarification of limitations. This is kind of similar to download.ject and
    > the recent IFRAME attacks which used an infected adserver. (so it's not an
    > alien model to h4x0rs).

    Very true. The model is only network layer, it can not defend against attacks
    that use "legitimate" protocols, such as e-mail. As a piece of the puzzle, I
    feel that servers are the best defended resources on the network. While
    nothing is truly invulnerable to a zero day, servers are the only machines that
    an organization really has control over making sure they are up to date with
    patches and AV signatures. That is why I felt it was appropriate to invert the
    usual protection model and protect the clients, and each other, from the
    servers, while exposing the servers to the risks of the clients. The clients
    are the biggest risk, but they are also the least defended. The model invites
    attackers to throw themselves at my best defences, where bright eyes and heavy
    fortifications are focused, by denying them the ability to even talk to my
    least defended assets (other than the one they've commandeered).

    > I also have some observations - you're using a LOT of vlans. How are you
    > going to manage that for large client pools? I think that tagging only gives
    > you 4096 IDs, right? Besides, tagging leaves you open for "side to side"
    > client infections for clients that are new / misconfigured / not supposed to
    > be there. I suppose you would want to use switchport based VLANs, but that
    > sounds like switch config hell.

    A slight communication error on my part. The clients all use the same vlan(s).
     MAC isolation (or private vlans in Cisco(tm) speak) block any traffic to vlan
    ports that are not designated as "community" or "public" ports. Systems on
    "private" ports in the vlan can not talk to each other in any way, they can
    only talk to "public" ports, generally the upstream security device.

    > Overall, I kinda like the model. I think your big vulnerabilities are the
    > configuration management and the VLANs (also insert "VLANs were not made to
    > enforce security barriers" rant here), and also the technical details of the
    > statefulness of your firewall with respect to lurker worms.

    VLANs are not made to enforce security barriers, but they are increasingly
    being used for this purpose and the vendors are being pushed to harden their
    implementations to address weaknesses in using VLANs as security tools.
    Physical isolation is still the best, without question, but we usually have to
    make "best" with the tools we have available.

    Lurker worms, any worm that attaches itself to the server process (think about
    logon scripts and profiles) are a huge vulnerability to any network. I'm just
    trying to close another wall in the maze and make organizations a bit more
    crunchy on the inside.

    Thank you for your excellent points,

    firewall-wizards mailing list

  • Next message: "Re: [fw-wiz] Cisco Pix 515E Configuration"

    Relevant Pages

    • Re: Closing ports-- in services or inetd.conf?
      ... |>>>I am trying to close open ports on our servers. ... though some daemons start listening only if they have ... |> *clients* as well. ... It isn't - neither for clients nor servers! ...
    • POP3 Problem
      ... I can telnet the mail servers ports 110 and 25 from the ... Exchange server and 3 out of 5 clients. ...
    • Re: [fw-wiz] Isolating internal servers behind firewalls
      ... clients behind firewalls? ... The firewall/security group argues that servers and clients should ... The very ports you have to open are usually the very ports ...
    • Re: Help with setting up Sites.
      ... Site A - respresenting physical site B ... servers is increasing by the day. ... Do you have any DCs at SiteB? ... clients servers in the relevant sites to authenticate against them. ...
    • Re: ntp server pool advice
      ... all clients are independent to each other and connected to adsl. ... six ntp servers are located in each site ... Can clients and/or servers communicate with both private and public addresses? ... Subject: ntp server pool advice ...