RE: Items within XP SP2 and Win2003

• Previous message: Eric McCarty: "RE: Items within XP SP2 and Win2003"
• Maybe in reply to: James Bowman: "Items within XP SP2 and Win2003"
• Next in thread: Renouf, Phil: "RE: Items within XP SP2 and Win2003"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 28 Sep 2004 11:37:41 -0400
To: Eric McCarty <eric@lawmpd.com>, larobins@bellatlantic.net, Joe Doyle <joe.doyle@promega.com>, focus-ms@securityfocus.com

You make two assumptions that may not be valid:

1) My firewall is doing NAT

2) A firewall failure will also eliminate the ability to do NAT.

Lets look at 2 more in depth. There are many ways a firewall can fail.
One is a catastophic failure that will take down the entire firewall.
As you mention this will probably take down NAT with it. What other
types of firewall failures are their? One failure would be a
configuration error. I think I am blocking a particular type of traffic
but in reality I am not. This type of firewall failure is probably the
most common. Second there may be a vulnerability in the firewall that
can be exploited to allow unwanted traffic into my interior network.
Third, a firewall vulnerability could allow a user admin access to my
firewall. With this access they could change the configuration to allow
unwanted access.

As you mention, the principal in shutting down unneeded services is to
limit additional attack vectors. The use of VLANS and segmentation also
serves to limit attack vectors. A host based firewall is another method
of reducing attack vectors. A host based firewall can be used
effectively as an additional means of defense. If you get a system with
a central configuration point, it can also serve as a rapid response
effort in the event of an attack. For example if I am under attack
through file shares, I can shut quickly block file sharing while still
allowing my web server on the same machine to function.

As far as it being a band-aid for a poor intfrastructure, how many
small/medium buisinesses do you think have the best laid out
infrastructure?

Dennis

> -----Original Message-----
> From: Eric McCarty [mailto:eric@lawmpd.com]
> Sent: Tuesday, September 28, 2004 11:10 AM
> To: Depp, Dennis M.; larobins@bellatlantic.net; Joe Doyle;
> focus-ms@securityfocus.com
> Subject: RE: Items within XP SP2 and Win2003
>
> I believe Vlans and segmentation would be the best approach
> to allowing
> only certain internal machines to access to the server. If
> the hacker is
> able to magically bypass your border router/firewall then I
> doubt he/she
> will have any trouble bypassing any host based firewalls you have in
> place.
>
> The need to shut down additional services that are not used
> on a server
> is to limit possible attack vectors, from inside or outside attackers
> and to prevent performance degradation from unused services. Assuming
> root cannot be achieved by exploiting one service, but local access is
> granted, an open yet unpatched additional service can be used for
> priviledge escalation. This is a proven practice and not my place to
> question or debate over.
>
> My contention is this, since I will assume you have a border firewall
> that is performing some sort of NAT for you, you have specified which
> machines/services are available externally, should the
> firewall fail, no
> more Nat device, no access.
>
> Assuming I shut down all my services except for the ones I
> need and have
> properly segmented and implemented Vlan's and Access Control
> Lists on my
> network devices, I have no need for a host based firewall on my server
> because I have already specified network limitations on my
> local (device
> ACL's) and external (Router/Firewall ACL's) networks.
>
> A host based firewall may be used as a band-aid for a poor
> infrastructure but realistically this is not the way I would choose to
> go.
>
> Eric McCarty
>
> -----Original Message-----
> From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
> Sent: Tuesday, September 28, 2004 7:54 AM
> To: Eric McCarty; larobins@bellatlantic.net; Joe Doyle;
> focus-ms@securityfocus.com
> Subject: RE: Items within XP SP2 and Win2003
>
> What if I only want part of my internal network to be able to access
> this machine?
> What if a hacker is able to by pass my border router? How do
> I protect
> my server?
> If a hacker has to take over another machine to attack my
> server, I will
> at least slow down the attack, and at best be able to intercept the
> attack before he is able to continue.
> Using your argument, it is unnecessary to shutdown unneeded
> services on
> my machine. After all they are already blocked at the border
> firewall,
> so why bother? A border firewall is important to a good
> security plan.
> To expect firewall to never fail is unrealistic. All software has
> vulnerabilities. All firewalls involve software hence all firewalls
> have vulnerabilities. This needs to be factored into you
> security plan.
> Using a host based firewall is one method of planning for these
> vulnerabilities.
>
> I do not need to add a site to my trusted sites list to be able to
> browse that site. It just stops the annoying popup.
>
> Dennis
>
> > -----Original Message-----
> > From: Eric McCarty [mailto:eric@lawmpd.com]
> > Sent: Tuesday, September 28, 2004 10:44 AM
> > To: Depp, Dennis M.; larobins@bellatlantic.net; Joe Doyle;
> > focus-ms@securityfocus.com
> > Subject: RE: Items within XP SP2 and Win2003
> >
> > Who doesn't have a border firewall? commonly its router -
> firewall -
> > switch. So you propose to do address filtering on your host based
> > firewall ?. I suggest rethinking this strategy as IP Address range
> > blocking should be done at the border router or firewall
> long before
> > any Network Translations are done or any traffic traverses
> the local
> > network. I can imagine a plethora of ways to get around
> host based IP
> > restrictions, can't get to server1, take over another machine on
> > internal network, then get to server1 and likewise.
> >
> > Running a host based firewall will not allow an extra layer of
> > security if its doing the same thing the border router/firewall is
> > doing.
> >
> > In order to browse the internet from the server you will
> have to add a
>
> > lot of sites to the trusted sites list, and once a site is
> considered
> > trusted it's all over anyway.
> >
> > -----Original Message-----
> > From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
> > Sent: Tuesday, September 28, 2004 4:18 AM
> > To: Eric McCarty; larobins@bellatlantic.net; Joe Doyle;
> > focus-ms@securityfocus.com
> > Subject: RE: Items within XP SP2 and Win2003
> >
> > Eric,
> >
> > A firewall will not only block services, but it will also
> selectively
> > allow services. For example, I might need to run a web
> server, but I
> > only want users from a buisness partner to access this site.
> > I can use
> > the firewall to limit access to a specific IP address or
> subnet. In
> > this case, a host based firewall can add another layer of
> security to
> > a system. I do agree that you should not be browsing the internet
> > from a server. However, some people will continue to browse the
> > internet from servers. The enhancements to IE6 with W2K3 will not
> > affect you or I, but they will affect many others.
> >
> > Dennis
> >
> > > -----Original Message-----
> > > From: Eric McCarty [mailto:eric@lawmpd.com]
> > > Sent: Monday, September 27, 2004 5:26 PM
> > > To: Depp, Dennis M.; larobins@bellatlantic.net; Joe Doyle;
> > > focus-ms@securityfocus.com
> > > Subject: RE: Items within XP SP2 and Win2003
> > >
> > > I think this is a contradiction. On a server, you should
> > turn off all
> > > services you have no intention of having clients connect
> > to, not setup
> >
> > > a firewall to block them. Next you should not be browsing
> > the internet
> >
> > > using your server, and if you noticed, the enhanced browser
> > security
> > > prevents this for the most part anyway.
> > >
> > > Eric
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
> > > Sent: Monday, September 27, 2004 9:27 AM
> > > To: larobins@bellatlantic.net; Joe Doyle;
> focus-ms@securityfocus.com
> > > Subject: RE: Items within XP SP2 and Win2003
> > >
> > > WRT Windows firewall and IE updates.
> > >
> > > Dennis
> > >
> > > > -----Original Message-----
> > > > From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
> > > > Sent: Sunday, September 26, 2004 2:38 AM
> > > > To: 'Joe Doyle'; focus-ms@securityfocus.com
> > > > Subject: RE: Items within XP SP2 and Win2003
> > > >
> > > > In what respects?
> > > >
> > > > Laura
> > > >
> > > > > -----Original Message-----
> > > > > From: Joe Doyle [mailto:joe.doyle@promega.com]
> > > > > Sent: Wednesday, September 22, 2004 5:38 PM
> > > > > To: focus-ms@securityfocus.com
> > > > > Subject: RE: Items within XP SP2 and Win2003
> > > > >
> > > > >
> > > > > Not yet. Windows 2003 Service Pack 1 is supposed to
> > > bring it up to
> > > > > speed with Windows XP SP2.
> > > > >
> > > > > Joe
> > > > >
> > > > > -----Original Message-----
> > > > > From: James Bowman [mailto:jim@drexel.edu]
> > > > > Sent: Sunday, September 19, 2004 9:11 PM
> > > > > To: focus-ms@securityfocus.com
> > > > > Subject: Items within XP SP2 and Win2003
> > > > >
> > > > >
> > > > >
> > > > > Is their a set of hotfixes needed for 2003 that make it
> > > comprable in
> > >
> > > > > features / overall security posture to XP SP2?
> > > > >
> > > > >
> > > > >
> > > > > Although there's probably a bevy of XP SP2 items embedded
> > > in 2003, I
> > >
> > > > > would imagine there's a bunch that's not...
> > > > >
> > > > >
> > > > >
> > > > > Thanks
> > > > >
> > > > > --------------------------------------------------------------
> > > > > ----------
> > > > > ---
> > > > > --------------------------------------------------------------
> > > > > ----------
> > > > > ---
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > --------------------------------------------------------------
> > > > > -------------
> > > > > --------------------------------------------------------------
> > > > > -------------
> > > > >
> > > >
> > > >
> > > > --------------------------------------------------------------
> > > > -------------
> > > > --------------------------------------------------------------
> > > > -------------
> > > >
> > > >
> > >
> > > --------------------------------------------------------------
> > > ----------
> > > ---
> > > --------------------------------------------------------------
> > > ----------
> > > ---
> > >
> > >
> >
>

---------------------------------------------------------------------------
---------------------------------------------------------------------------

• Previous message: Eric McCarty: "RE: Items within XP SP2 and Win2003"
• Maybe in reply to: James Bowman: "Items within XP SP2 and Win2003"
• Next in thread: Renouf, Phil: "RE: Items within XP SP2 and Win2003"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]