Re: Items within XP SP2 and Win2003
From: Nigel Stepp (stepp_at_atistar.net)
Date: 09/29/04
- Previous message: Depp, Dennis M.: "RE: Items within XP SP2 and Win2003"
- In reply to: Thor: "Re: Items within XP SP2 and Win2003"
- Next in thread: James Riden: "Re: Items within XP SP2 and Win2003"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 28 Sep 2004 19:23:35 -0400
To: Thor <thor@hammerofgod.com>
Thor wrote:
>
> It is absolutely fine to employ host-based firewall measures, even in
> the presence of border restrictions and minimum service configurations
> at the server. It does indeed provide extra security, even if the
> border router is doing the same thing, particularly if the border router
> stops doing it or if an attacker gains access another way
> (modem/wireless/etc.)
[ snip ]
> It's security in depth, and a Good Thing.
I think this is an important point worth highlighting. That is, it is
not only fine to employ these measures, but a very good idea.
If protection stops at the border, then if any machine inside is
compromised, through whatever means, the attacker has free rein over
everything else on the network.
I've seen this happen before, especially to smallish corporate networks
where things inside are left completely open to facilitate business
operation (not a good idea, but happens). Some machines are not patched
quickly because "the firewall will stop any attacks". Then a web server
compromise leads to client and corporate data exposure. Not good.
> t
>
>
>
>
> ----- Original Message ----- From: "Eric McCarty" <eric@lawmpd.com>
> To: "Depp, Dennis M." <deppdm@ornl.gov>; <larobins@bellatlantic.net>;
> "Joe Doyle" <joe.doyle@promega.com>; <focus-ms@securityfocus.com>
> Sent: Tuesday, September 28, 2004 7:44 AM
> Subject: RE: Items within XP SP2 and Win2003
>
>
> Who doesn't have a border firewall? Commonly it's router - firewall -
> switch. So you propose to do address filtering on your host based
> firewall? I suggest rethinking this strategy as IP Address range
> blocking should be done at the border router or firewall long before any
> Network Translations are done or any traffic traverses the local
> network. I can imagine a plethora of ways to get around host based IP
> restrictions, can't get to server1, take over another machine on
> internal network, then get to server1 and likewise.
>
> Running a host based firewall will not allow an extra layer of security
> if it's doing the same thing the border router/firewall is doing.
>
> In order to browse the internet from the server you will have to add a
> lot of sites to the trusted sites list, and once a site is considered
> trusted it's all over anyway.
>
> -----Original Message-----
> From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
> Sent: Tuesday, September 28, 2004 4:18 AM
> To: Eric McCarty; larobins@bellatlantic.net; Joe Doyle;
> focus-ms@securityfocus.com
> Subject: RE: Items within XP SP2 and Win2003
>
> Eric,
>
> A firewall will not only block services, but it will also selectively
> allow services. For example, I might need to run a web server, but I
> only want users from a business partner to access this site. I can use
> the firewall to limit access to a specific IP address or subnet. In
> this case, a host based firewall can add another layer of security to a
> system. I do agree that you should not be browsing the internet from a
> server. However, some people will continue to browse the internet from
> servers. The enhancements to IE6 with W2K3 will not affect you or me,
> but they will affect many others.
>
> Dennis
>
>> -----Original Message-----
>> From: Eric McCarty [mailto:eric@lawmpd.com]
>> Sent: Monday, September 27, 2004 5:26 PM
>> To: Depp, Dennis M.; larobins@bellatlantic.net; Joe Doyle;
>> focus-ms@securityfocus.com
>> Subject: RE: Items within XP SP2 and Win2003
>>
>> I think this is a contradiction. On a server, you should turn off all
>> services you have no intention of having clients connect to, not set up
>> a firewall to block them. Next you should not be browsing the internet
>> using your server, and if you noticed, the enhanced browser security
>> prevents this for the most part anyway.
>>
>> Eric
>>
>>
>>
>> -----Original Message-----
>> From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
>> Sent: Monday, September 27, 2004 9:27 AM
>> To: larobins@bellatlantic.net; Joe Doyle; focus-ms@securityfocus.com
>> Subject: RE: Items within XP SP2 and Win2003
>>
>> WRT Windows firewall and IE updates.
>>
>> Dennis
>>
>> > -----Original Message-----
>> > From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
>> > Sent: Sunday, September 26, 2004 2:38 AM
>> > To: 'Joe Doyle'; focus-ms@securityfocus.com
>> > Subject: RE: Items within XP SP2 and Win2003
>> >
>> > In what respects?
>> >
>> > Laura
>> >
>> > > -----Original Message-----
>> > > From: Joe Doyle [mailto:joe.doyle@promega.com]
>> > > Sent: Wednesday, September 22, 2004 5:38 PM
>> > > To: focus-ms@securityfocus.com
>> > > Subject: RE: Items within XP SP2 and Win2003
>> > >
>> > >
>> > > Not yet. Windows 2003 Service Pack 1 is supposed to bring it up to
>> > > speed with Windows XP SP2.
>> > >
>> > > Joe
>> > >
>> > > -----Original Message-----
>> > > From: James Bowman [mailto:jim@drexel.edu]
>> > > Sent: Sunday, September 19, 2004 9:11 PM
>> > > To: focus-ms@securityfocus.com
>> > > Subject: Items within XP SP2 and Win2003
>> > >
>> > >
>> > >
>> > > Is there a set of hotfixes needed for 2003 that make it comparable in
>> > > features / overall security posture to XP SP2?
>> > >
>> > >
>> > >
>> > > Although there's probably a bevy of XP SP2 items embedded in 2003, I
>> > > would imagine there's a bunch that's not...
>> > >
>> > >
>> > >
>> > > Thanks
>> > >
-- :wq
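
The argument in this message, modelled as a small reachability check (an added example, not part of the original post): traffic between two internal machines never crosses the border device, so only host-based rules stand between a compromised internal server and its neighbours. All addresses, ports and rule tables below are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")      # constructed internal LAN
PARTNER = ip_network("198.51.100.0/24")   # constructed business-partner subnet

# Border rules: (source network, destination host, port) allowed into the LAN.
BORDER_ALLOW = [(PARTNER, ip_address("10.0.0.10"), 80)]

# Host firewalls: destination host -> list of (allowed source network, port).
# A host missing from the map runs no host firewall and accepts everything.
HOST_ALLOW = {
    ip_address("10.0.0.10"): [(PARTNER, 80)],                       # web server
    ip_address("10.0.0.20"): [(ip_network("10.0.0.10/32"), 1433)],  # database
    ip_address("10.0.0.30"): [],                                    # workstation
}

def border_permits(src, dst, port):
    """Traffic that stays inside the LAN never reaches the border device."""
    if src in INTERNAL and dst in INTERNAL:
        return True
    return any(src in net and dst == host and port == p
               for net, host, p in BORDER_ALLOW)

def host_permits(src, dst, port, host_rules):
    """Apply the destination's own inbound rules, if it has any."""
    rules = host_rules.get(dst)
    if rules is None:
        return True
    return any(src in net and port == p for net, p in rules)

def allowed(src, dst, port, host_rules=HOST_ALLOW):
    """A connection succeeds only if both layers permit it."""
    src, dst = ip_address(src), ip_address(dst)
    return (border_permits(src, dst, port)
            and host_permits(src, dst, port, host_rules))

def exposed_from(src, targets, host_rules):
    """Which (host, port) pairs the given source can reach."""
    return [(h, p) for h, p in targets if allowed(src, h, p, host_rules)]

# Constructed internal services, viewed from the web server at 10.0.0.10.
TARGETS = [("10.0.0.20", 1433), ("10.0.0.20", 445), ("10.0.0.30", 445)]

if __name__ == "__main__":
    print("border only :", exposed_from("10.0.0.10", TARGETS, {}))
    print("border+host :", exposed_from("10.0.0.10", TARGETS, HOST_ALLOW))
```

The one path that stays open with host rules in place is the one the web server is explicitly allowed to use, which is the residual exposure the host-based layer leaves to patching and service hardening.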