Avira's firewall
in [Firewalls]
|
From: gufus on 12 Apr 2010 20:17 Hello, schtebo! You wrote on Thu, 8 Apr 2010 04:50:02 -0700 (PDT): s> I think default Firewall from Microsoft should do it for us all. After setting up a few off-the-shelf firewalls, and getting frustrated with everything, I'm back to using Win NT stock firewall, everything is back working again. Good advice. :) -- With best regards, gufus. E-mail: stop.nospam.gbbsg(a)shaw.ca
From: Grant Taylor on 12 Apr 2010 20:33 Ansgar -59cobalt- Wiechers wrote: > I guess it'll have to. Fair enough. ;-) > http://en.wikipedia.org/wiki/Witty_(computer_worm) Interesting. I will have to do some follow up reading on that. > If you have to do that, you have a server placement issue. Boxes that > shouldn't be able to access what the server is providing, should not > be located in the same network segment. I think we mis-understand each other. Let me give an example. Suppose that a hosting company has multiple IIS web servers behind an edge ingress filtering firewall that only allows traffic to TCP ports 80 and 443 through. With in the network the servers also allow SNMP and / or RPC for remote computer management. What prevents a web site on one of these hosts from becoming compromised and running a local program that starts attacking the other systems in the local subnet. This local program would have unfettered access to SNMP and / or RPC to the other servers that are behind the edge ingress filtering firewall. Conversely if the web servers were running a software based firewall, they could easily filter SNMP and / or RPC traffic so that only the management station(s) could access them. There by protecting them from the program running locally on the compromised server. These types of side attacks (if you will) are what I'm saying that a software based firewall will help prevent. > This is the exact type of thing, that firewall can't protect you from > (unless you're using a sanitizing reverse proxy or something). I'm not sure that I understand what you are trying to say. The closest that I can come up with is that the edge firewall is doing egress filtering. > Again: any service that should be accessible, cannot be protected by > a packet filter. Any service that shouldn't be accessible, should not > be running (or at least not be listening on the external interface) > in the first place. It really is as simple as that. What if you modify my above example of the server farm where one interface is public and another interface is private (think DMZ / management network) and the local program starts attacking the internal network. Again, I believe that the software based firewall would help protect other servers from the attack. A perfect example of a service would be to not run SSH on the external interface, yet run it on the internal interface for remote management. > They can't afford using the tools that come with the operating > system, but can afford to buy a centrally manageable host-based > firewall solution? You have to be kidding me. I believe you mis-understand what I'm getting at. I'm not aware of any utility included in either 2k3 or 2k8 that allows changes to multiple IIS web servers at one time. I.e. do not process requests from the w.x.y/24 network. > "sc /?" tells you why you're wrong. You are correct that there are ways to administer the operational state of a service in such as is it started / stopped / etc. That does little to prevent a service from talking to a given subnet. > A quite substantiated opinion, no less. I'm sure it is. ;-) Grant. . . .
From: Ansgar -59cobalt- Wiechers on 13 Apr 2010 02:49 gufus <stop.nospam.gbbsg(a)shaw.ca> wrote: > 12 Apr 10, Ansgar -59cobalt- Wiechers writes to Gypsy BBS: >> You missed the point again. Even the best employees are > > I beg to differ. Sir. > > Employees /need/ to understand the system, True, but besides the point. Repeating myself: even the best employees are still human and *will* make mistakes here and there. Unnecessarily raising the complexity of a system will only increase the chances of this happening. cu 59cobalt -- "If a software developer ever believes a rootkit is a necessary part of their architecture they should go back and re-architect their solution." --Mark Russinovich
From: gufus on 13 Apr 2010 09:36 Hi Ansgar, 13 Apr 10, Ansgar -59cobalt- Wiechers writes to Gypsy BBS: > From: usenet-2010(a)planetcobalt.net >> Employees /need/ to understand the system, > True, but besides the point. Repeating myself: even the best > employees are still human and *will* make mistakes here and Agreed... and you don't have to repeat your self, there will always be human error in life. Thats life. gufus -- K Klement Enhance your marketing at http://www.gypsy-designs.com mailto:info(a)gypsy-designs.com Gypsy Designs Fax: (403) 242-3221 .... Dr. Scott!" " Janet!" " Brad!" "Rocky!" "Uhhh!
From: gufus on 13 Apr 2010 09:31
Hi Grant, 12 Apr 10, Grant Taylor writes to All: > Conversely if the web servers were running a software based > firewall, they could easily filter SNMP and / or RPC traffic > so that only the management station(s) could access them. > There by protecting them from the program running locally on > the compromised server. > These types of side attacks (if you will) are what I'm > saying that a software based firewall will help prevent. I still think your way is more secure. IMHO. gufus -- K Klement Enhance your marketing at http://www.gypsy-designs.com mailto:info(a)gypsy-designs.com Gypsy Designs Fax: (403) 242-3221 .... Up your accumulator. |