From: gufus on 11 Apr 2010 20:02

Hello, Ansgar!

You wrote on 11 Apr 2010 20:52:39 GMT:

| Personal firewalls do not increase the security of a server. They
| increase the attack surface (larger codebase, thus most likely more

So.. a firewall belongs in between what you protect, and what you protect it from.

--
With best regards, gufus. E-mail: stop.nospam.gbbsg(a)shaw.ca
From: Grant Taylor on 11 Apr 2010 21:37

Ansgar -59cobalt- Wiechers wrote:
> Oh *please*, spare me that "layers" bullshit.

*chuckle*

I want my opinion to stand, so I have to allow yours to stand. Even if I disagree with it. Thus, we will agree to disagree. Does that work for you?

> Personal firewalls do not increase the security of a server. They
> increase the attack surface (larger codebase, thus most likely more
> vulnerabilities) and the overall complexity of the system, and thus
> actually *lower* your security.

That is a different point. One that no one has brought up before. Do you have any examples to show?

> That's what you already filter at the network boundary. No need to
> filter yet again on the server.

I'm not so much filtering the same thing that the edge firewall is filtering. Rather, I'm filtering other things that other servers behind the edge firewall could attack.

I'm sure that the edge firewall is filtering NetBIOS ports, but what happens if another system in the network gets infected with something / web site gets breached and starts attacking your other servers? This is the type of thing that I think the host based firewall is meant for.

> And managing firewalls centrally instead of managing services centrally
> is more appropriate, how?

I'm not saying that centrally managing services is not appropriate. I know of multiple smaller shops that can't afford centrally managed services, yet they are running a network based AV scanner with firewall that they can centrally manage. Thus, they can centrally manage the firewall but not the services.

> They don't. Period.

That's your opinion.

Grant. . . .
From: Ansgar -59cobalt- Wiechers on 12 Apr 2010 06:32

Grant Taylor <gtaylor(a)riverviewtech.net> wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> Oh *please*, spare me that "layers" bullshit.
>
> *chuckle*
>
> I want my opinion to stand, so I have to allow yours to stand. Even
> if I disagree with it. Thus, we will agree to disagree. Does that
> work for you?

I guess it'll have to.

>> Personal firewalls do not increase the security of a server. They
>> increase the attack surface (larger codebase, thus most likely more
>> vulnerabilities) and the overall complexity of the system, and thus
>> actually *lower* your security.
>
> That is a different point. One that no one has brought up before. Do
> you have any examples to show?

http://en.wikipedia.org/wiki/Witty_(computer_worm)

>> That's what you already filter at the network boundary. No need to
>> filter yet again on the server.
>
> I'm not so much filtering the same thing that the edge firewall is
> filtering. Rather, I'm filtering other things that other servers
> behind the edge firewall could attack.

If you have to do that, you have a server placement issue. Boxes that shouldn't be able to access what the server is providing should not be located in the same network segment.

> I'm sure that the edge firewall is filtering NetBIOS ports, but what
> happens if another system in the network gets infected with something
> / web site gets breached and starts attacking your other servers? This
> is the type of thing that I think the host based firewall is meant
> for.

This is the exact type of thing that a firewall can't protect you from (unless you're using a sanitizing reverse proxy or something). Again: any service that should be accessible cannot be protected by a packet filter. Any service that shouldn't be accessible should not be running (or at least not be listening on the external interface) in the first place. It really is as simple as that.

>> And managing firewalls centrally instead of managing services centrally
>> is more appropriate, how?
>
> I'm not saying that centrally managing services is not appropriate. I
> know of multiple smaller shops that can't afford centrally managed
> services, yet they are running a network based AV scanner with firewall
> that they can centrally manage.

They can't afford to use the tools that come with the operating system, but can afford to buy a centrally manageable host-based firewall solution? You have to be kidding me.

> Thus, they can centrally manage the firewall but not the services.

"sc /?" tells you why you're wrong.

>> They don't. Period.
>
> That's your opinion.

A quite substantiated opinion, no less.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
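The audit that the argument above implies, as an added example that is not part of the thread or anyone's posted code: list which services are actually listening on all interfaces, so a service that must not be reachable can be stopped or bound to localhost instead of being wrapped in a host firewall. Assumes Windows Server 2012 or later (Get-NetTCPConnection), an elevated session, and a constructed allowlist ($AllowedPorts) for a hypothetical file server.

```powershell
# Constructed allowlist for a hypothetical file server role: SMB and RDP are
# expected to be reachable; anything else bound to all interfaces is reported.
$AllowedPorts = @(445, 3389)

# Map each service PID to its service name(s); several services share one svchost.
$svcByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    $svcByPid[[int]$_.ProcessId] += @($_.Name)
}

# Collect every TCP listener bound to the wildcard address (IPv4 or IPv6).
$findings = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port     = $_.LocalPort
            Address  = $_.LocalAddress
            Pid      = $_.OwningProcess
            Process  = if ($proc) { $proc.ProcessName } else { '?' }
            Services = ($svcByPid[[int]$_.OwningProcess] -join ',')
            Expected = ($_.LocalPort -in $AllowedPorts)
        }
    } | Sort-Object Port, Address

$findings | Format-Table -AutoSize

# Report unexpected listeners with their owning service so an admin can decide
# whether to disable the service (Set-Service -StartupType Disabled, or remotely
# with the built-in "sc.exe \\SERVER config <name> start= disabled") or rebind it
# to the loopback interface. Nothing is changed here; this only reports.
$findings | Where-Object { -not $_.Expected } | ForEach-Object {
    Write-Warning ("Port {0} ({1}) is exposed by {2} (services: {3})" -f `
        $_.Port, $_.Address, $_.Process, $_.Services)
}
```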
From: gufus on 12 Apr 2010 09:44

Hi Grant,

Sunday April 11 2010, Grant Taylor writes to All:

> I'm not so much filtering the same thing that the edge
> firewall is filtering. Rather, I'm filtering other things
> that other servers behind the edge firewall could attack.

With only /basic/ networking experience, I can't /see/ anything wrong with this theory. It can only increase security; what if an employee infects via a CD.

.... IMHO (In my humble opinion)

AKA: gufus
--
K Klement
Enhance your marketing at http://www.gypsy-designs.com
mailto:info(a)gypsy-designs.com
Gypsy Designs Fax: (403) 242-3221

.... Get off my back, I can't swim either!
From: Ansgar -59cobalt- Wiechers on 12 Apr 2010 16:01

gufus <stop.nospam.gbbsg(a)shaw.ca> wrote:
> Sunday April 11 2010, Grant Taylor writes to All:
>> I'm not so much filtering the same thing that the edge firewall is
>> filtering. Rather, I'm filtering other things that other servers
>> behind the edge firewall could attack.
>
> With only /basic/ networking experience, I can't /see/ anything wrong
> with this theory, It can only increase security,

Wrong. Running an additional firewall means running additional code that can contain additional exploitable vulnerabilities. This already has happened ITW. Additional software also means additional complexity, which may lead to misconfiguration, which in turn may inadvertently open attack vectors.

> what if an employee infects via a CD.

What if? That employee's computer still needs to be able to access the server, meaning the server's ports still need to be open, meaning that the personal firewall won't help anything at all.

Besides, how is the employee's box going to get infected in the first place? Disabling autoplay is one of the most basic countermeasures available in the toolbox. Not granting your employees administrative privileges is another one.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich