Re: SP2/firewall
From: winged (winged_at_nofollow.com)
Date: 01/22/05
- Next message: Robsten: "Re: What about this!!!"
- Previous message: winged: "Re: What about this!!!"
- In reply to: ROBERT S & BA Drake: "Re: SP2/firewall"
- Next in thread: Don Kelloway: "Re: SP2/firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 22 Jan 2005 17:03:03 EST
ROBERT S & BA Drake wrote:
> Run a scan on your system with the MS SP2 firewall on. It has more holes
> than Swiss cheese.
>
> "JOHANNA NORDMYR" <j.nordmyr@tele2.se> wrote in message
> news:7KfId.15699$Of5.10827@nntpserver.swip.net...
>
>> I've just recently installed the SP2 and decided to use the firewall
>> included, instead of Norton's. As far as I can tell it seems to be working
>> okay, but some of the icons are giving me a headache... At some websites
>> "integrity report" pops up. Why??
>
You can control, very specifically and very manually, all communication that
the SP2 Firewall is allowed to pass. The control panel applet, under the
exceptions tab, allows constraint by program and port. I am not sure why
the applet portion of the system deems I need remote desktop, remote
assistance and UPnP exposed to the world (by default), nor why they
insist I expose ping replies. I have gone to some effort just to ensure
those very services were not exposed.
If you were using (for example) the SP2 Firewall, under the exceptions tab
you could restrict the ports and the addresses your e-mail client was
allowed to view. Doing this breaks the over-the-web viewing functionality
(this is also the "behavior" of my e-mail client (Thunderbird)), but for
me this is not a bad thing, as it also breaks many compromise scenarios
(I don't allow scripting in mail) (OK, I am retentive). Additionally, one
"can" control the XP Firewall via a rule file.
This is how one can manage a network of XP firewalled computers. By
regulating the firewall rules you can control the network user
permissions. This is easily managed either dynamically via SMS or a similar
central management tool, or via a bootup login script. The rules are
refreshed on bootup by specifically and dynamically concatenating the
rule file. For example, you "can" have certain blocks (port or address)
that you wish to apply across a domain, concatenating rules that apply
to a specific user. But this finite level of control you can enforce is
somewhat of a pain to manage for a home network.
The firewall can be competent. If you use the SP2 firewall, ensure you
check the default settings under the exceptions tab. Pretty scary.
I have found this useful for restricting the actions of, say, Internet
Explorer (i.e. it only talks to Microsoft and God on the root OS).
For me, on a home network, I just prefer the easier interface of Symantec
in many scenarios. Symantec's filter tools automatically
strip various scripting from HTML strings. (Yes, I do believe layering
security on a system is good practice. I seldom work outside of a
virtual machine, so one can constrain very closely how the root OS is
allowed to operate. There is a performance hit taken for operating this
way, but it does allow one to constrain the exposure based on the
computer task at hand. It does require keeping each of the VMs (and
the base OS) updated, but I find the VMs suitable for testing purposes
for me; others' mileage will vary.)
One may have a VM configuration which uses the SP2 firewall only. It's
useful for testing. With machines these days having lots of
horsepower and RAM, there seems to be no problem switching between a
LINUX VM and an XP VM and simultaneously running multiple copies of each OS.
This also allows you to test behaviours between various configurations
fairly quickly. If you manage your VMs properly you can have a whole
network of configurations. You can layer VMs as well, depending on the
level of analysis required (sometimes it is required to run a test web server
and test behaviours of various configurations locally before
publishing). You can run a VM stack or proxy filter effectively ahead of
the root OS stack. This is extremely useful when looking at a buffer
overflow exploit. You can run over 10 VMs simultaneously inside of 2
GB RAM. (LINUX VMs require less processing and space overhead.) This
is ample for simulating most network environmental behaviours.
VMs are very good at looking at exploit behaviours. VMs are very
useful for establishing internal IDS for monitoring of intra-computer
communication without exposing the processes to the Internet.
By just closing and restarting the VM (without saving the VM) you can
return it to its pristine state, without the time factor involved in
rebuilding or reconfiguring the system.
This relates to some people's high concern with privacy, as if one does not
save the VM session, all data which was saved inside of the VM is
destroyed. For the truly paranoid I suppose one could rewrite the cache
on the base system, but I guess I am not paranoid enough. One can
compromise a VM and examine the compromise behaviours within an isolated
environment. One can save data from some VMs to the base OS. Shucks,
thought everyone did this :-P
But yes, depending on implementation, the XP firewall can meet
requirements, especially if one is layering communication filters and
using IDS. I find the IDS and general use of Symantec easy, but I am
well aware all user requirements are not the same.
It ALL depends on one's requirements. DOOM 3 does not work real well
inside of a VM, but I don't play games that require that level of
performance often. Everyone's mileage and requirements vary.
Winged
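The exceptions-tab tightening and the rule-file-at-logon management described in the post, as an added example (not code from the post or from Microsoft): a logon script using the XP SP2 `netsh firewall` context, which governs inbound exceptions. The share path for the per-user rule file and the program path in the scoped exception are assumed placeholders.

```batch
@echo off
rem Added example, not from the original post: a logon/startup script for the
rem XP SP2 firewall. It closes the default exceptions the post objects to
rem (Remote Desktop, UPnP, ping replies), enables logging, narrows one program
rem exception to the local subnet, then appends an optional per-user rule file.
setlocal

rem 1. Firewall on for every profile (domain and standard), exceptions honoured.
netsh firewall set opmode mode=enable exceptions=enable profile=all

rem 2. Close the built-in service exceptions that SP2 can leave open.
netsh firewall set service type=remotedesktop mode=disable profile=all
netsh firewall set service type=upnp mode=disable profile=all
netsh firewall set service type=fileandprint mode=disable profile=all
netsh firewall set service type=remoteadmin mode=disable profile=all

rem 3. Stop answering inbound ICMP echo requests (type 8): no ping replies.
netsh firewall set icmpsetting type=8 mode=disable profile=all

rem 4. Log dropped packets and accepted connections for later review.
netsh firewall set logging filelocation=%windir%\pfirewall.log maxfilesize=4096 droppedpackets=enable connections=enable

rem 5. A scoped program exception: inbound connections to this program are
rem    accepted only from the local subnet, not from anywhere. The program
rem    path and name are assumed placeholders.
netsh firewall set allowedprogram program="C:\Program Files\Example\app.exe" name="Example app" mode=enable scope=subnet profile=all

rem 6. Per-user rules (assumed share location) run after the domain-wide
rem    rules above, so they can only narrow what this script already set.
rem    The file holds netsh commands, one per line, e.g.
rem      firewall set portopening protocol=TCP port=25 name=SMTP mode=disable
set USERRULES=\\server\netlogon\fw\%USERNAME%.txt
if exist "%USERRULES%" netsh -f "%USERRULES%"

rem 7. Print the resulting configuration so the logon can be checked against
rem    the intended policy (compare with what the exceptions tab shows).
netsh firewall show config
endlocal
```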