Re: [fw-wiz] Dark Reading: Firewalls Ready for Evolutionary Shift


"Paul Melson" <pmelson@xxxxxxxxx> wrote:

[snip]

Additionally, if you have this problem:

Then the user mistakenly checks a box that allows eMule to share its hard
drive. "That's very easy to do. Some eMule clients have that as a default,"
he says. "Now your user's entire computer has opened up your network to
share with the Internet. Anyone can execute a search and find files on your
network."

Buying a new firewall will not save you.

That all depends on how you define "save." If we're not talking
laptops [1]; you don't regard random, uncontrolled sharing w/in your
"secure" LAN a problem [2]; and the new firewall stops such things, by
default, from getting outside your "secure" LAN [3], it will indeed
"save" you.

[1] Which opens up a whole new can of worms, discussed here in
the past
[2] Where I work it's disallowed, btw.
[3] Ours do

Taking away local admin rights
from your users, however, is a good start. And there's nothing to buy.
[snip]

Sometimes, for whatever reason, that's not possible. And as anybody
who's ever herded cats can tell you: Getting engineering departments to
behave is a non-trivial exercise. Nonetheless: We do that where we
can.

So we do both. I've always called it "defense in depth."

I also train my users [4] and we "prohibit" traditionally "unsafe"
applications [5], such as IM clients, MS OutLook and MS Explorer.

[4] Contrary to what most here seem to have experienced, I've found
end-user training to be relatively effective.
[5] Why in Fluffy's name *anybody* allows ActiveTrojan and
executable attachments through their corporate firewalls is,
and always has been, completely beyond me.

Allow me to present an example of the possible effectiveness of that
last bit. Several years ago, not long after WinXP was shipping, by
default, I reluctantly gave in to my wife's wishes and bought her an MS
Windows box for Christmas. The first thing I did, upon installation,
was:

. Remove MS Outlook Express from the desktop and menu
. Remove MSN Messenger from the desktop and menu
. Turn off *all* "active" anything in MS Internet Explorer
. Used MS IE to go to mozilla.org, download and install Mozilla
. Remove MS IE from the desktop and menu
. Download and install Pegasus Mail
. "De-installed" file and printer sharing
. Configure the appropriate inbound and outbound deny rules
into the router
. Add the necessary content checks to the mailserver

Then I instructed her on (relatively) safe 'net behaviour. *Then* she
got to start playing with her Christmas present :).

At some point I installed Spybot S&D and showed her how to use and
update it.

That computer was used on the 'net regularly for a number of years
before one of her correspondents insisted my wife was sending her
infected JPEGs. I finally installed AV on it. It came up clean. To
make sure, I ran three other AV programs against the entire disk from a
TRK CD. Clean as a whistle.

It wasn't a firewall that saved her PC. (Tho perhaps my router rules
helped. And the email gateway undoubtedly helped.) It wasn't AV
software. (She had none until recently.) It was informed, responsible
behaviour and not using risky applications.

Yes, what works in one, isolated, one-on-one case, with an intelligent,
well-informed user who *can* exercise disipline, does not necessarily
an Effective Corporate Exercise make. But, as I said: I've done much
the same at work, and it's helped there, too. So far ;).

Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Relevant Pages

  • Re: Service Pack 1 & 2
    ... but enable to install because of service pack 2. ... >> I recently reinstalled Windows XP home on a new hard disk because the ... >> I tried to install service pack 1 but was rejected from doing so. ... > Why you should use a computer firewall.. ...
    (microsoft.public.windowsupdate)
  • Re: Feedback solicited - best way to harden a mail/web server?
    ... Was the system protected by a properly configured firewall? ... it's not a bad "starting point" and it can generate an IPtables rule ... > nor is there a web or ftp server; aside from that I haven't tried to secure ... Before I'll install some nifty application ...
    (comp.os.linux.security)
  • Re: I THINK I HAVE A VIRUS MY ANTIVIRUS SCAN WONT EVEN RUN
    ... install some thing ells like ez antivirus or antivier both ahve free triles ... > your computer online - meaning you likely have usernames and passwords ... > Why you should use a computer firewall.. ... > The system restore feature is a new one - first appearing in Windows ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: Downloading updates in advance
    ... Did you enable the firewall in XP ... internet after a fresh install and then go to Windows Updates. ... The Microsoft Windows system contains invalid registry entries and your ...
    (microsoft.public.windowsxp.security_admin)
  • The Trackers First Review Response
    ... Here are the "Malicious Hackers Best ... > hidden firewall applicationto protect their Virtual Private ... > your system for a Backdoor, Trojan Horse, Virus, or Worm until your ... Typically once a system is compromised, there is little need to install ...
    (comp.security.firewalls)