RE: Patching a Firewall

brossini_at_csc.com.au
Date: 09/17/03

    To: Jimi Thompson <jimit@myrealbox.com>
    Date: Wed, 17 Sep 2003 09:19:18 +0800

    I think you're getting yourself a little confused here...

    There's no point hacking the registry to disable administrative shares if
    NetBIOS has been disabled, since the shares don't exist without NetBIOS.
    No NetBIOS == No Shares.
    Simple as that.

    I don't think the process for hardening a Windows box is any more difficult
    than hardening a *nix box. Sure, you might have to modify the registry, but
    what's so hard about that?

    In my opinion the OS used for a firewall is not really a big deal, unless
    performance is your objective, and then you'd probably want to get an
    appliance anyway.

    In answer to the original poster's question: yes, you should keep the OS up
    to date, especially with critical patches. It's also true that the firewall
    *should* protect itself, but that will depend entirely on your ruleset.
    It's better to be safe than sorry if you ask me...

    - Ben

    Comments are my own and NOT those of my employer.

    Jimi Thompson <jimit@myrealbox.com>
    16/09/2003 12:14 PM
    To: "dave kleiman" <dave@netmedic.net>, "'Robert Mezzone'" <Robert.Mezzone@PJSolomon.Com>, <security-basics@securityfocus.com>
    cc:
    Subject: RE: Patching a Firewall

    There's way more to hardening a Windows OS than just turning off
    NetBIOS and stopping the services you aren't using. For starters, you
    need to hack the registry to turn off the administrative shares.
    There are very large books written on this subject so I'm not even
    going to try to cover it in an email. I will give you the short version
    by saying that my experience has been that if you aren't hand hacking
    the registry, you probably aren't doing it right.

    It is difficult and intricate to harden a Windows box sufficiently to
    use as a firewall, especially in the case of the poster's position
    (i.e. dealing with electronic funds transfers). Personally, I
    wouldn't even consider it. In that kind of a position, you go for
    the very best thing you can buy since it is literally the keys to the
    vault. For my money that's CheckPoint running on Trusted Solaris.
    You use 3 factor authentication for any log in. You should
    preferably be using one-time pad passwords along with PKI key
    authentication and encryption. Any changes made to the firewall
    should be made by 2 or more people whose job responsibilities rotate.
    That's just for starters on the firewall.

    Again, because of what you are trying to secure, you must be
    extremely paranoid about everything.

    Jimi

    At 7:03 PM -0400 9/15/03, dave kleiman wrote:
    >Define "extreme difficulty" for hardening the Windows OS.
    >
    >You mentioned "NSA Secure Linux" which is actually Security-Enhanced Linux
    >(notice the NSA does not want to claim it "Secure", just enhanced).
    >There is an NSA Security Guidelines W2K at http://www.nsa.gov/snac/index.html
    >Level2 W2K Security at http://www.cisecurity.org/
    >
    >All of which are free.
    >
    >And if you want to go beyond that.
    >
    >http://www.securit-e-doc.com/products/securitelok.asp
    >
    >At under $150.00 per server and takes about 30 minutes to set up.
    >
    >
    >You can completely disable NetBIOS on W2K as well as every other service not
    >needed.
    >
    >The above mentioned Guidelines and products do that.
    >
    >And I can think of many "reputable" shops running IAS.
    >And I have several servers running IIS and E-mail that only have 7 services
    >running (excluding AV and Spam Control), that have software Firewalls
    >running on them.
    >
    >
    >Dave
    >
    >
    >
    >
    >
    >_____________________
    >Dave Kleiman
    >dave@netmedic.net
    >www.netmedic.net
    >
    >"High achievement always takes place in the framework of high expectation."
    >Jack Kinder
    >
    >
    >
    >
    >
    >-----Original Message-----
    >From: Jimi Thompson [mailto:jimit@myrealbox.com]
    >Sent: Sunday, September 14, 2003 14:05
    >To: Robert Mezzone; 'security-basics@securityfocus.com'
    >Subject: Re: Patching a Firewall
    >
    >
    >Robert,
    >
    >Item 1 - I would never run Windows as a firewall simply because of
    >the extreme difficulty in hardening the OS to prevent it from being
    >exploited. I have heard of this being done, but I've never observed
    >it in a reputable shop. Most places either use a device that is
    >specifically a firewall or a hardened *nix OS (i.e. Solaris, Trusted
    >Solaris, Trusted FreeBSD, NSA Secure Linux, Bastille, etc.). The
    >reason for using a *nix OS is so that services which are not needed
    >can be removed from the box without causing a major disruption to the
    >OS. Think of what would happen if you tried to un-install NetBIOS
    >from Windows.
    >
    >Item 2 - If your OS on your firewall has a vulnerability, your
    >firewall itself is vulnerable. If I can get your OS to cooperate and
    >give me "root" or "Administrator", I can change your firewall rules,
    >logging, user accounts, etc. to suit myself.
    >
    >Item 3 - Your firewall, for management purposes, probably accepts
    >connections to itself. The question then becomes where does it
    >accept connections from and, if you are a hacker, how can I spoof
    >that. ANYTHING that's not physical layer can be spoofed and even
    >that's not a guarantee that someone sneaky hasn't installed a device
    >somewhere to trip you up.
    >
    >I notice from your email address that you are with an investment
    >banker. That means you deal with money. Any time cash is involved,
    >especially transferring cash electronically, your level of paranoia
    >should be very very high (like almost ready to cart you off in the "i
    >love me jacket"). Never mind the SEC regulations.....
    >
    >2 Cents,
    >
    >Jimi
    >
    >
    >
    >
    >At 8:15 AM -0400 9/12/03, Robert Mezzone wrote:
    >>I want to start off by saying my Firewall is fully patched. That being
    >>said my question is...
    >>
    >>Is it a big security risk if the OS (say Windows) running the firewall
    >>box, is not fully patched? My reasoning that it isn't is because the
    >>firewall should be configured to drop any connections to itself. Or
    >>being the firewall has to at least initially accept the packet in order
    >>to inspect it, enough to exploit a vulnerability.
    >>
    >>Robert

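As an added editor's example, not code from anyone in this thread: a defensive PowerShell audit that reports the NetBIOS-over-TCP/IP setting per adapter, the AutoShareServer/AutoShareWks registry values, the administrative shares actually present, and whether SMB is listening on TCP 139 and 445, so the "no NetBIOS means no shares" question can be checked on a given host rather than argued. It assumes a modern Windows host (Windows 8 / Server 2012 or later) with the SmbShare and NetTCPIP modules; the function name is my own.

```powershell
# Added example (not from the thread): audit NetBIOS, admin-share policy and what
# the host actually exposes, so each claim is checked independently of the others.
# Assumes Windows 8 / Server 2012 or later (SmbShare and NetTCPIP modules present).
function Get-NetbiosShareAudit {
    $report = [ordered]@{}

    # 1. NetBIOS over TCP/IP per IP-enabled adapter.
    #    TcpipNetbiosOptions: 0 = setting from DHCP, 1 = enabled, 2 = disabled.
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    $report.NetbiosEnabledAdapters = @($adapters |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
        Select-Object -ExpandProperty Description)

    # 2. Registry policy controlling whether the Server service recreates
    #    C$/ADMIN$ at start-up. $null means the value is not set (default: created).
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $params = Get-ItemProperty -Path $key
    $report.AutoShareServer = $params.AutoShareServer
    $report.AutoShareWks    = $params.AutoShareWks

    # 3. Administrative ("special") shares that exist right now, however they got there.
    $report.AdminSharesPresent = @(Get-SmbShare |
        Where-Object { $_.Special } |
        Select-Object -ExpandProperty Name)

    # 4. Listening SMB transports: 139 is the NetBIOS session service,
    #    445 is direct-hosted SMB, which does not depend on NetBIOS.
    $listen = @{ LocalPort = 0; State = 'Listen'; ErrorAction = 'SilentlyContinue' }
    $report.Smb139Listening = [bool](Get-NetTCPConnection -LocalPort 139 -State Listen -ErrorAction SilentlyContinue)
    $report.Smb445Listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]$report
}

$audit = Get-NetbiosShareAudit
$audit | Format-List

# The case the thread argues about: NetBIOS off on every adapter, yet shares remain.
if ($audit.NetbiosEnabledAdapters.Count -eq 0 -and $audit.AdminSharesPresent.Count -gt 0) {
    Write-Warning ('NetBIOS is disabled but these administrative shares still exist: {0}' -f
        ($audit.AdminSharesPresent -join ', '))
}
```

Run it in an elevated PowerShell session on the host in question; the four fields are reported separately precisely so that one of them being clean is never taken as proof the others are.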