Re: Firewall for laptops, corporation with 1,000 laptops

From: Lanwench [MVP - Exchange] (lanwench@heybuddy.donotsendme.unsolicitedmail.yahoo.com)
Date: 11/01/02


From: "Lanwench [MVP - Exchange]" <lanwench@heybuddy.donotsendme.unsolicitedmail.yahoo.com>
Date: Fri, 1 Nov 2002 13:49:12 -0500


Excellent points. Thanks.

"Karl Levinson [x y] mvp" <jamescagney90210@excite.com> wrote in message
news:eFg9ZDcgCHA.392@tkmsftngp09...
> I disagree completely that all you need is a PIX to protect your network,
> laptops and remote users. That's exactly how Microsoft was hacked last year
> and source code stolen. First, PIX does nothing to protect you from VPN
> users using RAS. [Yes, I know you could use RAS filters on a Windows 2000
> RAS server, but it's not a full-featured firewall, and I think logging and
> alerting, which are essential to a firewall solution, are lacking.]
>
> Second, the PIX firewall does nothing to protect a roaming laptop from
> becoming infected and leaking documents, passwords, or otherwise being
> abused or getting DoS-ed while on a business trip to Japan.
>
> Third, the PIX firewall doesn't protect you when your trojaned / compromised
> laptop comes back from Japan and compromises your web server and other
> internal hosts. This is the lesson we learned from Nimda and Code Red. I
> happen to know that a scenario like this happened to one of the top 10
> largest banks in the US and caused huge loss of money and man-hours. The
> firewall doesn't protect internal hosts from other internal hosts.
>
> Fourth, if the trojan software on the laptop uses a permitted port to
> communicate, such as TCP 80 or ICMP, the PIX firewall won't even tell you
> that the laptop is compromised, let alone block it. A thousand hackers
> monitoring a certain IRC group suddenly have remote control of a computer on
> your internal network. I bet most PIX firewalls out there are set up so
> that they aren't going to alarm when trojan software on an internal laptop
> tries to communicate out.
>
> I also bet that most of the VPNs out there aren't configured to do any port
> blocking. In other words, a trojaned computer completely bypasses the
> firewall and has full, unlogged access to the internal network over any
> port.
>
> Fifth, a PIX has no idea what executable is using a certain port. Only a
> personal firewall will know that. The PIX only knows port number and IP
> address.
>
> Last, you want defense in depth. You want to avoid relying on just one
> firewall from just one manufacturer.
>
> A software firewall is a fine idea for laptops and also home users using
> remote access, IMHO. We used them and I was happy with the way it worked
> out. It does take some work and can introduce networking problems, but
> that's always the cost of increased security.
>
> Then again, if you're a small shop with a low budget and lax security needs,
> running a software firewall might not be cost effective. However, such a
> company would not be likely to be running a PIX firewall with thousands of
> laptops.
>
> Just my two cents.
>
>
> > > "Lanwench [MVP - Exchange]"
> > > <lanwench@heybuddy.donotsendme.unsolicitedmail.yahoo.com> wrote in message
> > > news:uDmdJxOgCHA.1720@tkmsftngp11...
> > > > The point is, PIX is a firewall, not just a mechanism for getting VPN.
> > > >
> > > > I would not put a local firewall app on any networked computer. Tell users
> > > > that if they want to use VPN from home, they need to invest in a small
> > > > firewall device. These are cheap, and broadband users should have them
> > > > anyway.
> > > >
> > > >
> > > > "Marlon Brown" <marlon_brownj@hotmail.com> wrote in message
> > > > news:ONmafWJgCHA.2284@tkmsftngp11...
> > > > > What do I need to read on PIX ?
> > > > > If users take laptops from work and bring them home, without any type of VPN
> > > > > connection, what does the PIX at work have to do with that?
> > > > >
> > > > >
> > > > >
> > > > > "msnews" <ef_hutton@hotmail.com> wrote in message
> > > > > news:#5#0IQJgCHA.1736@tkmsftngp11...
> > > > > > Sounds like you need to read up on PIX
> > > > > >
> > > > > >
> > > > > > "Marlon Brown" <marlon_brownj@hotmail.com> wrote in message
> > > > > > news:eZWMnuIgCHA.2392@tkmsftngp08...
> > > > > > > Firewalls for laptops.
> > > > > > > I do have PIX already for desktops.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > "Lanwench [MVP - Exchange]"
> > > > > > > <lanwench@heybuddy.donotsendme.unsolicitedmail.yahoo.com> wrote in message
> > > > > > > news:#5aWOnHgCHA.2256@tkmsftngp12...
> > > > > > > > Cisco PIX to protect your network. Why would you want local software
> > > > > > > > firewalls?
> > > > > > > >
> > > > > > > > "Marlon Brown" <marlon_brown@hotmail.com> wrote in message
> > > > > > > > news:uakG3PGgCHA.2400@tkmsftngp11...
> > > > > > > > > Do you recommend any firewall that I can deploy on the network? About
> > > > > > > > > 1,000 Win2K/WinXP machines.
> > > > > > > > >
> > > > > > > > > How is the McAfee firewall?
> > > > > > > > >
>
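Karl's fourth and fifth points (a trojan talking out over a permitted port such as TCP 80, and a port/IP firewall having no idea which executable owns the connection) can be illustrated with a small comparison of the two vantage points. This is an added example, not code from the thread or from any product mentioned in it; the connection records, the look-alike process name and the per-executable policy are all constructed for illustration.

```python
# Added example: what a perimeter (port/IP) firewall can decide about an
# outbound connection versus what a host firewall that knows the owning
# executable can decide. All data below is constructed, not captured.

# Constructed outbound connections observed on one laptop:
# (process image path, remote ip, remote port, protocol)
HOST_CONNECTIONS = [
    (r"C:\Program Files\Internet Explorer\iexplore.exe", "203.0.113.10", 80, "tcp"),
    # hypothetical look-alike trojan process name, constructed for the example
    (r"C:\WINNT\system32\svch0st.exe", "198.51.100.7", 80, "tcp"),
    (r"C:\WINNT\system32\svch0st.exe", "198.51.100.7", 6667, "tcp"),
    (r"C:\Program Files\Outlook\outlook.exe", "10.1.2.3", 25, "tcp"),
]

# A PIX-style outbound policy can only speak in terms of ports and addresses.
PERIMETER_ALLOWED_PORTS = {80, 443, 25}

# A personal firewall can bind permitted ports to a specific executable.
# Hypothetical policy, keyed by lower-cased image path.
HOST_POLICY = {
    r"c:\program files\internet explorer\iexplore.exe": {80, 443},
    r"c:\program files\outlook\outlook.exe": {25, 110},
}


def perimeter_view(conn):
    """Decision a port/IP firewall can make: it never sees the process."""
    _exe, ip, port, proto = conn
    action = "permit" if port in PERIMETER_ALLOWED_PORTS else "deny"
    return {"dst": ip, "port": port, "proto": proto, "action": action}


def host_view(conn):
    """Decision a host firewall can make using the owning executable."""
    exe, ip, port, _proto = conn
    allowed_ports = HOST_POLICY.get(exe.lower())
    if allowed_ports is None:
        action = "deny: unknown executable"
    elif port not in allowed_ports:
        action = "deny: port not permitted for this executable"
    else:
        action = "permit"
    return {"exe": exe, "dst": ip, "port": port, "action": action}


def audit(conns):
    """Return the connections the perimeter lets through but the host
    policy would have blocked: exactly the 'trojan on TCP 80' case."""
    missed = []
    for conn in conns:
        if perimeter_view(conn)["action"] == "permit" and host_view(conn)["action"] != "permit":
            missed.append(host_view(conn))
    return missed


if __name__ == "__main__":
    for conn in HOST_CONNECTIONS:
        print("perimeter:", perimeter_view(conn))
        print("host:     ", host_view(conn))
    print("missed by perimeter only:", audit(HOST_CONNECTIONS))
```

Run as-is, the IRC-style connection on port 6667 is caught by both views, but the same process talking to port 80 is permitted at the perimeter and only refused on the host, because only the host view knows the executable is not the browser.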


