Re: Hardware Firewall Recommendation

From: Micheal Robert Zium (mrozium_at_XSPAMX-yahoo.com)
Date: 06/19/04


Date: 19 Jun 2004 00:19:57 -0500

Leythos wrote:

>For those that did select it, they would not have had a problem - we
>don't allow .exe or other types through the HTTP proxy service in the
>firewall.

Hmmm...I'm not so sure I'd feel safe running non-firewall programs
like an HTTP proxy on my firewall. I feel more comfortable using Squid
or ISA behind the firewall on a separate device.

>We've not had to update the firewalls, the rules, once in place, are
>something that covers all of the problems that already come up. If you
>block .EXE you never have to go back and update the firewall to keep
>users from downloading and running .EXE over HTTP/HTTPS or SMTP.

I see. That would never work in any environment I've seen, as all the
companies and government entities I provide security for *must* be
able to download files, including executables. Especially for M$
updates. Users are only allowed to run approved programs, but that
rarely ever stops today's worms/viruses. Of course, that's one reason
why it's so important to employ a good anti-virus solution.

Also, I'm surprised you don't update your firewalls (patches, not
rules). I'd sleep better knowing my firewalls and the computers
behind them were up-to-date.

>One more thing that we do is set "Auto block sites that attempt to
>connect to this service" and we set rules for ports 135, 139, and 445
>for these auto-block sites. Just another way to make sure that infected
>machines don't get past the firewall.

I'm with you there, 100%, but I go way past that, time- and rule-wise.
Almost any kind of hostile activity will immediately ban that IP
address for roughly 3 days.
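The two positions in this exchange (block every .EXE at the proxy versus "we must be able to download executables, especially M$ updates") are easy to compare in code. Below is an added example, not code from either poster or from any firewall or proxy product, of how a filtering proxy could classify a download: a per-host allowlist for the update servers the reply says must work, then a check on the URL extension, the Content-Disposition filename, the Content-Type, and finally the MZ magic bytes that a Windows executable carries regardless of what it is named. The `HttpResponse` record, the hostnames and the sample bodies are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Tuple
from urllib.parse import urlparse


@dataclass
class HttpResponse:
    """Hypothetical view of a response as a filtering proxy sees it:
    the request URL, two response headers, and the first bytes of the body."""
    url: str
    content_type: str
    content_disposition: str
    body_prefix: bytes


# Extensions that the "block .EXE" policy in the thread would refuse.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Content types commonly served for Windows executables.
EXECUTABLE_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
}


def _extension(name: str) -> str:
    """Lower-cased extension of the last path segment, ignoring query/fragment."""
    name = name.split("?", 1)[0].split("#", 1)[0].rsplit("/", 1)[-1]
    m = re.search(r"(\.[A-Za-z0-9]+)$", name)
    return m.group(1).lower() if m else ""


def classify_download(resp: HttpResponse, allow_hosts=()) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one response.

    Checks run from cheapest to most reliable; the MZ check last catches
    executables that were renamed to slip past an extension-only rule."""
    parsed = urlparse(resp.url)
    host = (parsed.hostname or "").lower()
    if host in {h.lower() for h in allow_hosts}:
        # The reply's requirement: update servers must stay reachable.
        return ("allow", f"host {host} is on the update allowlist")

    ext = _extension(parsed.path)
    if ext in BLOCKED_EXTENSIONS:
        return ("block", f"extension {ext} in URL path")

    m = re.search(r'filename\*?="?([^";]+)"?', resp.content_disposition, re.I)
    if m:
        ext = _extension(m.group(1))
        if ext in BLOCKED_EXTENSIONS:
            return ("block", f"extension {ext} in Content-Disposition")

    ct = resp.content_type.split(";", 1)[0].strip().lower()
    if ct in EXECUTABLE_CONTENT_TYPES:
        return ("block", f"Content-Type {ct}")

    if resp.body_prefix[:2] == b"MZ":
        return ("block", "body starts with the MZ header of a Windows executable")

    return ("allow", "no executable indicators")


if __name__ == "__main__":
    # Constructed sample: an executable disguised as an image.
    r = HttpResponse("http://example.test/image.png", "image/png", "", b"MZ\x90\x00\x03")
    print(classify_download(r))
```

The ordering matters for the thread's argument: an extension rule alone is what Leythos describes, the allowlist is what the reply needs to keep vendor updates flowing, and the magic-byte check is the one that does not depend on the sender naming the file honestly.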

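The "auto block sites that attempt to connect to this service" rule for ports 135, 139 and 445, together with the reply's roughly 3-day ban, amounts to a small state machine: a drop on one of the watched ports puts the source address in a ban table with an expiry, and the entry is removed once the expiry passes. The example below is added here and is not code from either poster or from any firewall product; it parses constructed drop-log lines (the format and the addresses are made up for the example) and keeps the ban table in memory, where a real deployment would push the entries into the firewall's rule set.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed firewall drop log (not the output of any real product).
SAMPLE_LOG = """\
2004-06-19 00:01:02 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=135
2004-06-19 00:01:03 DROP src=203.0.113.7 dst=192.0.2.11 proto=TCP dport=445
2004-06-19 00:02:10 DROP src=198.51.100.9 dst=192.0.2.10 proto=TCP dport=80
2004-06-19 00:05:00 DROP src=203.0.113.8 dst=192.0.2.12 proto=TCP dport=139
2004-06-22 00:01:01 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=445
"""

# The services named in the thread, and the reply's "roughly 3 days".
AUTOBLOCK_PORTS = {135, 139, 445}
BAN_DURATION = timedelta(days=3)

LINE_RE = re.compile(r"^(\S+ \S+) DROP src=(\S+) dst=\S+ proto=(\S+) dport=(\d+)$")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, TS_FMT)


class AutoBlocker:
    """Ban table keyed by source IP; each value is the ban's expiry time."""

    def __init__(self, ports=AUTOBLOCK_PORTS, duration=BAN_DURATION):
        self.ports = set(ports)
        self.duration = duration
        self.bans: Dict[str, datetime] = {}

    def is_banned(self, ip: str, now: datetime) -> bool:
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]  # expired: the firewall rule would be removed here
            return False
        return True

    def observe(self, line: str) -> Optional[Tuple[str, datetime]]:
        """Feed one log line; return (ip, expiry) if it triggered or extended a ban."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ts = parse_ts(m.group(1))
        ip, proto, dport = m.group(2), m.group(3), int(m.group(4))
        if proto.upper() != "TCP" or dport not in self.ports:
            return None
        # A fresh probe restarts the clock, so a scanner that keeps coming
        # back stays blocked for the full duration after its last attempt.
        self.bans[ip] = ts + self.duration
        return ip, self.bans[ip]

    def active_bans(self, now: datetime) -> List[str]:
        return sorted(ip for ip in list(self.bans) if self.is_banned(ip, now))


def process_log(text: str) -> Tuple[AutoBlocker, List[Tuple[str, datetime]]]:
    blocker = AutoBlocker()
    events = [e for e in (blocker.observe(l) for l in text.splitlines()) if e]
    return blocker, events


if __name__ == "__main__":
    blocker, events = process_log(SAMPLE_LOG)
    for ip, expiry in events:
        print(f"ban {ip} until {expiry:{TS_FMT}}")
    print("active at 2004-06-22 00:06:00:", blocker.active_bans(parse_ts("2004-06-22 00:06:00")))
```

Two details are worth noticing. The port-80 drop from 198.51.100.9 never enters the table, because the rule is specific to the three SMB/RPC ports rather than to any dropped packet. And because expiry is measured from the latest hit, 203.0.113.7 is still banned on 22 June even though its first ban would have lapsed a second earlier.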