Re: Firewall for laptops, corporation with 1,000 laptops
From: Karl Levinson [x y] mvp (jamescagney90210@excite.com)
Date: 11/01/02
- Next message: Tom: "Windows Update & Security Settings"
- Previous message: Karl Levinson [x y] mvp: "Re: Port usage and associated process"
- In reply to: Lanwench [MVP - Exchange]: "Re: Firewall for laptops, corporation with 1,000 laptops"
- Next in thread: Marlon Brown: "Re: Firewall for laptops, corporation with 1,000 laptops"
- Reply: Marlon Brown: "Re: Firewall for laptops, corporation with 1,000 laptops"
- Reply: Lanwench [MVP - Exchange]: "Re: Firewall for laptops, corporation with 1,000 laptops"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Karl Levinson [x y] mvp" <jamescagney90210@excite.com>
Date: Fri, 1 Nov 2002 11:12:03 -0500
I disagree completely that all you need is a PIX to protect your network,
laptops and remote users. That's exactly how Microsoft was hacked last year
and source code stolen. First, PIX does nothing to protect you from VPN
users using RAS. [Yes, I know you could use RAS filters on a Windows 2000
RAS server, but it's not a full featured firewall, and I think logging and
alerting, which are essential to a firewall solution, are lacking.]
Second, the PIX firewall does nothing to protect a roaming laptop from
becoming infected and leaking documents, passwords, or otherwise being
abused or getting DoS-ed while on a business trip to Japan.
Third, the PIX firewall doesn't protect you when your trojaned / compromised
laptop comes back from Japan and compromises your web server and other
internal hosts. This is the lesson we learned from Nimda and Code Red. I
happen to know that a scenario like this happened to one of the top 10
largest banks in the US and caused huge loss of money and man-hours. The
firewall doesn't protect internal hosts from other internal hosts.
Fourth, if the trojan software on the laptop uses a permitted port to
communicate, such as TCP 80 or ICMP, the PIX firewall won't even tell you
that the laptop is compromised, let alone block it. A thousand hackers
monitoring a certain IRC group suddenly have remote control of a computer on
your internal network. I bet most PIX firewalls out there are set up so
that they aren't going to alarm when trojan software on an internal laptop
tries to communicate out.
I also bet that most of the VPNs out there aren't configured to do any port
blocking. In other words, a trojaned computer completely bypasses the
firewall and has full, unlogged access to the internal network over any
port.
Fifth, a PIX has no idea what executable is using a certain port. Only a
personal firewall will know that. The PIX only knows port number and IP
address.
Last, you want defense in depth. You want to avoid relying on just one
firewall from just one manufacturer.
A software firewall is a fine idea for laptops and also home users using
remote access, IMHO. We used them and I was happy with the way it worked
out. It does take some work and can introduce networking problems, but
that's always the cost of increased security.
Then again, if you're a small shop with a low budget and lax security needs,
running a software firewall might not be cost effective. However, such a
company would not be likely to be running a PIX firewall with thousands of
laptops.
Just my two cents.
> > "Lanwench [MVP - Exchange]"
> > <lanwench@heybuddy.donotsendme.unsolicitedmail.yahoo.com> wrote in message
> > news:uDmdJxOgCHA.1720@tkmsftngp11...
> > > The point is, PIX is a firewall, not just a mechanism for getting VPN.
> > >
> > > I would not put a local firewall app on any networked computer. Tell users
> > > that if they want to use VPN from home, they need to invest in a small
> > > firewall device. These are cheap, and broadband users should have them
> > > anyway.
> > >
> > > "Marlon Brown" <marlon_brownj@hotmail.com> wrote in message
> > > news:ONmafWJgCHA.2284@tkmsftngp11...
> > > > What do I need to read on PIX ?
> > > > If users take laptops from work and bring home, without any type of VPN
> > > > connection, what the PIX at work has to do with that ?
> > > >
> > > > "msnews" <ef_hutton@hotmail.com> wrote in message
> > > > news:#5#0IQJgCHA.1736@tkmsftngp11...
> > > > > Sounds like you need to read up on PIX
> > > > >
> > > > > "Marlon Brown" <marlon_brownj@hotmail.com> wrote in message
> > > > > news:eZWMnuIgCHA.2392@tkmsftngp08...
> > > > > > Firewalls for laptops.
> > > > > > I do have PIX already for desktops.
> > > > > >
> > > > > > "Lanwench [MVP - Exchange]"
> > > > > > <lanwench@heybuddy.donotsendme.unsolicitedmail.yahoo.com> wrote in message
> > > > > > news:#5aWOnHgCHA.2256@tkmsftngp12...
> > > > > > > Cisco PIX to protect your network. Why would you want local software
> > > > > > > firewalls?
> > > > > > >
> > > > > > > "Marlon Brown" <marlon_brown@hotmail.com> wrote in message
> > > > > > > news:uakG3PGgCHA.2400@tkmsftngp11...
> > > > > > > > Do you recommend any firewall that I can deploy on the network ? About
> > > > > > > > 1,000 Win2K/WinXP machines.
> > > > > > > >
> > > > > > > > How is Mcafee firewall ?
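Karl's fourth and fifth points (a perimeter firewall sees only IP address and port, while only the host itself knows which executable owns a connection) can be checked directly on a Windows laptop. The script below is an added example for this thread, not code from any poster; it assumes a modern Windows host with the NetTCPIP module (Windows 8 / Server 2012 or later, so not the Win2K/XP machines discussed) and an elevated prompt. The permitted port list and the "expected" install roots are assumptions for illustration.

```powershell
# Added example: show which executable owns each established outbound TCP
# connection on ports a perimeter firewall typically permits (80 and 443),
# and flag binaries running from outside the usual install locations.
# This is the host-level view a personal firewall has and a PIX does not.
# Requires: Windows 8 / Server 2012 or later, run from an elevated prompt.

$permittedPorts = @(80, 443)                       # assumption: ports the perimeter allows out
$expectedRoots  = @(                               # assumption: where legitimate binaries live
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}",
    "$env:SystemRoot"
)

function Test-ExpectedPath {
    param([string]$Path)
    # System processes (PID 4, csrss, etc.) expose no Path; treat as expected.
    if ([string]::IsNullOrEmpty($Path)) { return $true }
    foreach ($root in $expectedRoots) {
        if (-not [string]::IsNullOrEmpty($root) -and
            $Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$report = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemotePort -in $permittedPorts } |
    ForEach-Object {
        # Resolve the owning process; it may have exited between the two calls.
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            LocalAddress   = $_.LocalAddress
            RemoteAddress  = $_.RemoteAddress
            RemotePort     = $_.RemotePort
            ProcessId      = $_.OwningProcess
            ProcessName    = if ($proc) { $proc.ProcessName } else { '<exited>' }
            ExecutablePath = if ($proc) { $proc.Path } else { $null }
            Unexpected     = if ($proc) { -not (Test-ExpectedPath $proc.Path) } else { $false }
        }
    }

# Unexpected binaries first, so anything talking out over port 80/443 from a
# temp or profile directory is at the top of the list.
$report | Sort-Object -Property @{Expression='Unexpected'; Descending=$true}, ProcessName |
    Format-Table -AutoSize
```

A connection from a binary under a user profile or temp directory to an outside host on port 80 is exactly the case Karl describes: the PIX sees an allowed outbound web session and logs nothing, while the host can name the executable and the local firewall could have prompted or blocked. Scheduling this as a periodic collection and forwarding the "Unexpected" rows is a cheap way to get the alerting he says the perimeter alone does not give you.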