Ethernet Switch With a PC at Core
J. Clarke
Guest

Posted: Thu Apr 21, 2005 4:20 pm    Post subject: Re: Ethernet Switch With a PC at Core

Will wrote:

Quote:
"J. Clarke" <jclarke.usenet@snet.net.invalid> wrote in message
news:d479eh02tfr@news1.newsguy.com...
Uh, you should be able to detect this using any network analyzer
including the one that comes with Windows Server.

If you are using a switch, your sniffer won't see all of the traffic.

If it's broadcasts then all machines will see it. If it's going to the
Internet then the bastion host will see it. If it's not detectable by
either of those means then it's not producing the vast amount of traffic
that you claim.

Quote:
If you configure your switch to duplicate all traffic to the sniffer port,
now you create collisions that affect performance.

No, you do not. You may create contention but if you create collisions then
you misconfigured something.

Quote:
The whole point of using a
switch was to optimize traffic flow and avoid collisions.

Do you want to leave your sniffer running 24 hours a day?

Yes. Why not? You might want to look at snort by the way.

Quote:
And what if the machine in question is spoofing its IP? Now you need to go
look at MAC addresses and look at your internal documentation about what
host that might be.

And this is a problem how?

Quote:
And what happens if it is an unknown MAC address? Now you have to
go tear apart your facility looking for the device, which could be almost
anywhere.

What happens if it's an unknown IP address? Same problem. In point of
fact, your switch should tell you what port is talking to that MAC address
and from there you should be able to trace out the cable to the offending
machine.

Quote:
If you have each host on its own dedicated firewall port, now any rogue
device can be immediately located to a specific geography by virtue of the
interface on which it enters the firewall.

All that tells you is what port it's on, which any managed switch will tell
you.

Quote:
You don't need individual firewall ports to do this. All that you have
to do is block packets which come from machines that do not have a
specific matching of MAC and IP addresses. Has this been a problem on your
system?

So now you want me to in effect configure firewall-like rules on every
target host? Why is it better to configure 40 hosts instead of
configuring one firewall? You sound like you just like the status quo a
whole lot more than you like saving your time.

No, I want you to configure firewall like rules on your firewall. As for
configuring firewall-like rules on every target host, configuring 40
firewalls is configuring 40 firewalls--it doesn't matter if they are all in
one box or are on 40 separate machines.

Quote:
I understand fully well that I can invest every hour of my life making
every computer on my network a fortress.

If every computer on your network needs to be a fortress then you've got a
personnel problem, not a network security problem. In any case, if you'd
rather invest every hour of your life trying to use a frankenfirewall to
close security holes that should be closed at the OS level, you're not
really making wise use of your time.

Quote:
That to me sounds a lot like
configuring 40 firewalls instead of investing time into configuring one.

(a) The method that Microsoft uses they copied from Novell and Novell
copied it from Banyan and Banyan pretty much copied it from mainframes. It's
time tested and properly administered works fine for most situations.

I guess time tested explains why on the last four corporate networks of
really large corporations, when we plugged our notebooks into their internal
networks to give presentations we were immediately attacked by dozens of
viruses on many different machines.

Were you able to identify which "viruses" were "attacking you"? What was
the nature of the attack? Could you identify the machines? How did you
know that they were "attacking" you? Did you inform the IT manager of this
and provide copies of your logs?

Quote:
No one inside the companies noticed
and no one cared.

Perhaps there's a reason for that.

Quote:
It's easy to compromise a default-configured Windows
box.

So what? It's easy to compromise a default-configured Cisco firewall as
well. For that matter read Feynman's tale of the safes at Los Alamos. If
the person responsible for security doesn't do his job and change the
configuration to one appropriate to his needs, then any system, including
your frankenfirewall is easily compromised.

Quote:
That's why 60% of all home machines are virus infested by some
estimates.

I thought we were talking about machines in your business, not "typical home
machines".

Quote:
You can use all of the Microsoft tricks like security
profiles, but when you turn up security all the way, now all of the
default Microsoft services stop working and you end up having to debug
which resources they need access to.

Yes, you do. So what? You do this once, you deploy network-wide, you're
done until the next problem comes along.

Quote:
Why is this time-tested formula better than simply securing access by a
firewall, which offers a much more robust methodology, which is guaranteed
to offer many levels of protection even when the machine in question is in
an insecure configuration.

Because managing 100 firewall ports each with a separate configuration is
not any easier than getting the security on the machines right, if you
don't do it right then it breaks a bunch of services, and since most
malware gets into the system via the diskette drives of machines with lax
security, which your proposal does _nothing_ to address, it's really
tackling the wrong end of the problem.

Quote:
(b) If a key password is compromised your security is down the toilet
regardless. What happens in your proposed system when the password for
your frankenfirewall is compromised?

No, you have missed the point completely. If you design access to secure
machines to only come from certain physically secured hosts, then anyone
who steals a userid and password won't be able to login to secured hosts
from non-secured workstations because those non-secured workstations are
blocked through a firewall.

You don't need a frankenfirewall to do that. Windows security on the host
is quite capable of allowing a userid to be used only on specific machines
or classes of machine.

Quote:
Having a stolen account when you don't have
physical access to a machine that can login to the resources you want
doesn't do you
any good. Firewalls provide an additional layer of security above and
beyond what Microsoft's security layer provides. Each has its place, and
each complements the other if designed well.

You are correct on this point. But putting a separate firewall on each
machine is overkill for almost all situations.

Quote:
Obviously if your firewall is compromised you are hosed. That's why you
physically secure a firewall, and if you are careful you only use separate
local accounts on the firewall to authenticate to it. Ideally you use
crypto devices to provide a physical token together with a known password,
so that a stolen account still cannot compromise that box.

So it sounds like you're willing to put a lot of effort into securing your
frankenfirewall. Why not put that effort into your security policies
instead?

Quote:
Why, do you have specific problems? It sounds to me like you haven't
really mastered Windows security and you're looking for some kind of shortcut.

I've read every 200 page security manifesto that Microsoft has written.

Reading "200 page security manifestos" doesn't teach you how to use the
system. The O'Reilly book on Active Directory is 752 pages and it's just
getting you started. Have you gone through it yourself and experimented
with it finding how the pieces interact? Have you tried to figure out how
to make it deal with the situations you fear?

Quote:
It takes me more time to secure a single Windows box and then debug
permissions that applications need to work than it does to set up a
firewall for an entire network.

Well, you've done that. If you kept notes you should be able to set
policies systemwide that implement that same configuration on all your
Windows boxen.

Quote:
I just want to save time and get results. If
you think you can get better results by working with Microsoft's software,
it is a free world after all and I won't try to stop you.

If you are going to work as a security administrator in a Microsoft shop,
you are going to get the best results by mastering the Microsoft security
system before you go off trying to invent a frankenfirewall. Once you've
mastered Microsoft's security, if you _then_ find it inadequate, it's time
to add additional protection. But the things you're complaining about just
aren't that hard to do using Microsoft's security.

Start thinking "system". Ask yourself "if I want to set the security on
this workstation to do this, what security policies do I have to set in
Active Directory". Once you've gotten your mind around doing things using
security policies instead of sitting down at the individual workstation and
twiddling I think your life will get a lot easier. But the security
policies are a complex topic which can't be covered in a few USENET posts.

--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net)
Will
Guest

Posted: Thu Apr 21, 2005 10:30 pm    Post subject: Re: Ethernet Switch With a PC at Core

Without digressing into point by point responses, let me give a
few examples of why I am more comfortable with firewalls than
using Microsoft security policies to secure an internal network.

One user had a virus that immediately started sending out
thousands of pieces of SMTP mail. A virus can penetrate the
machine and change its security policies. It can sit there in
the background for months testing slowly to see where weaknesses
are. I don't get any visibility on that, and if my security
policies are hacked the way I find out about this problem is when
other sites shut off receiving e-mail from our entire company
because of spam. Now sure you can use policies to secure ports
on machines and local firewall applications to set complex
traffic flow policies on machines, and intrusion detection
software to see abnormal traffic patterns, etc etc. That's all
a lot of work, and for every protection you put up a new virus
finds a loophole and you just end up doing more work.

With a firewall within 30 seconds of the first piece of spam
originating from the infected host, I have a piece of e-mail.
Two minutes later I am in a firewall log that clearly identifies
a cubicle where the traffic originates. Three minutes later I
have that machine locked down and the breach isolated. I don't
need to worry about infection spreading at that point because the
machine is physically isolated from every other machine. For
the rest of the company it is business as usual and I haven't
broken a sweat.

I've done things the other way, using group policies, and careful
design of traffic flows, and intrusion detection. The same
scenario would cost me hours or days of time without the
firewall. Other machines would likely be infected. Been
there and done that, and I feel like that is the road to hell.
Even when you are very careful with your design, and implement it
well, it is quite difficult to contain such outbreaks. What is
very frustrating to me about posts like yours is that you
apparently don't get outside to other companies very often.
Because I am here to tell you that most of corporate America is
filled with Microsoft administrators who brag about how great
their networks are, and whose networks are a complete and total
insecure mess. It's not worth arguing about why that is. It
is sufficient to say that it is very very very difficult to keep
an open network where every machine can contact every other
machine on any port secure.

I just want to save time and be effective. I think a firewall
helps me to do that.

--
Will
Internet: westes at earthbroadcast.com


"J. Clarke" <jclarke.usenet@snet.net.invalid> wrote in message
news:d489390o6f@news4.newsguy.com...
Quote:
Why is this time-tested formula better than simply securing access by a
firewall, which offers a much more robust methodology, which is guaranteed
to offer many levels of protection even when the machine in question is in
an insecure configuration.

Because managing 100 firewall ports each with a separate configuration is
not any easier than getting the security on the machines right, if you
don't do it right then it breaks a bunch of services, and since most
malware gets into the system via the diskette drives of machines with lax
security, which your proposal does _nothing_ to address, it's really
tackling the wrong end of the problem.

(b) If a key password is compromised your security is down the toilet
regardless. What happens in your proposed system when the password for
your frankenfirewall is compromised?

No, you have missed the point completely. If you design access to secure
machines to only come from certain physically secured hosts, then anyone
who steals a userid and password won't be able to login to secured hosts
from non-secured workstations because those non-secured workstations are
blocked through a firewall.

You don't need a frankenfirewall to do that. Windows security on the host
is quite capable of allowing a userid to be used only on specific machines
or classes of machine.
J. Clarke
Guest

Posted: Fri Apr 22, 2005 6:48 am    Post subject: Re: Ethernet Switch With a PC at Core

Will wrote:

Quote:
Without digressing into point by point responses, let me give a
few examples of why I am more comfortable with firewalls than
using Microsoft security policies to secure an internal network.

One user had a virus that immediately started sending out
thousands of pieces of SMTP mail. A virus can penetrate the
machine and change its security policies. It can sit there in
the background for months testing slowly to see where weaknesses
are. I don't get any visibility on that, and if my security
policies are hacked the way I find out about this problem is when
other sites shut off receiving e-mail from our entire company
because of spam.

(a) was it _immediately_ sending the mail or did it sit there in the
background for months? You can't have it both ways.

(b) To whom was it sending this mail?

(c) Why were your users sending mail directly from their machines at all?

(d) What virus was this?

(e) A virus can pick away at your frankenfirewall just as easily, or do you
labor under the misconception that because you're calling it a "firewall"
it somehow becomes invulnerable.

(f) How did the virus get on the machine to begin with? Why does the user
account have the authority to write to executable files?

Quote:
Now sure you can use policies to secure ports
on machines and local firewall applications to set complex
traffic flow policies on machines, and intrusion detection
software to see abnormal traffic patterns, etc etc. That's all
a lot of work, and for every protection you put up a new virus
finds a loophole and you just end up doing more work.

If you have viruses getting on your system with regularity you have a
problem that is not addressable by firewalls.

Quote:
With a firewall within 30 seconds of the first piece of spam
originating from the infected host, I have a piece of e-mail.

So? Why does the firewall have to be attached to a specific machine? How
does it distinguish spam from valid mail? Why can't the firewall on your
Internet connection make this same detection? Sorry, you're not making a
case for firewalling every machine in your facility.

Quote:
Two minutes later I am in a firewall log that clearly identifies
a cubicle where the traffic originates. Three minutes later I
have that machine locked down and the breach isolated. I don't
need to worry about infection spreading at that point because the
machine is physically isolated from every other machine. For
the rest of the company it is business as usual and I haven't
broken a sweat.

If the machine is physically isolated to that extent then how does the user
communicate with other users on your system? Computers exist to do work,
not to be secure.

Quote:
I've done things the other way, using group policies, and careful
design of traffic flows, and intrusion detection. The same
scenario would cost me hours or days of time without the
firewall.

You still have not explained how having each individual machine connected to
its own firewall will be more effective at this than having a single
firewall.

Quote:
Other machines would likely be infected.

How? Why do they have mail clients that peers can send to? What is the
mechanism by which the virus is spread?

Quote:
Been there and done that, and I feel like that is the road to hell.
Even when you are very careful with your design, and implement it
well, it is quite difficult to contain such outbreaks.

Difficult for _you_ maybe.

Quote:
What is
very frustrating to me about posts like yours is that you
apparently don't get outside to other companies very often.
Because I am here to tell you that most of corporate America is
filled with Microsoft administrators who brag about how great
their networks are, and whose networks are a complete and total
insecure mess.

Are they working well enough to meet the company's objectives? If so then
their security is adequate for their purpose. They may not meet your
standards, but I doubt that a DOE Secure Site would meet your standards.

Quote:
It's not worth arguing about why that is. It
is sufficient to say that it is very very very difficult to keep
an open network where every machine can contact every other
machine on any port secure.

So why do you leave a bunch of ports open on every machine?

Quote:
I just want to save time and be effective. I think a firewall
helps me to do that.

A firewall does. A separate firewall for each machine just costs lots of
money for little gain.

--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net)
Will
Guest

Posted: Fri Apr 22, 2005 8:20 am    Post subject: Re: Ethernet Switch With a PC at Core

Quote:
(a) was it _immediately_ sending the mail or did it sit there in the
background for months? You can't have it both ways.

It doesn't matter, because on the first day it would attempt to do anything
that security policy prohibited, I would know about it immediately and take
action.


Quote:
(b) To whom was it sending this mail?

Not that I counted, but I'm told by the Internet sites that track and
measure these things that it sent in excess of 10,000 pieces of mail to
users all over the Internet.


Quote:
(c) Why were your users sending mail directly from their machines at all?

They aren't any more.


Quote:
(d) What virus was this?

That detail was handled by one of my admins, and I couldn't find
documentation right now. It was a while ago.


Quote:
(e) A virus can pick away at your frankenfirewall just as easily, or do
you labor under the misconception that because you're calling it a "firewall"
it somehow becomes invulnerable.

That depends on what the firewall notifies you about. A virus is going
to probe, and if you have the host behind a dedicated firewall port with
appropriate rules, you are going to get notified as soon as the first
probing begins.


Quote:
(f) How did the virus get on the machine to begin with? Why does the user
account have the authority to write to executable files?

We are still struggling with how that particular machine got infected, and
we don't have good forensics for it. Your point on write privileges is
very well taken, and mea culpa. I am slowly learning what a good
Windows user installation needs to look like, and undoing the legacy of
older machines that have inappropriate installations is hard. People build
up configurations they depend on and don't want to start from scratch. So
I migrate them as time allows.


Quote:
With a firewall within 30 seconds of the first piece of spam
originating from the infected host, I have a piece of e-mail.

So? Why does the firewall have to be attached to a specific machine? How
does it distinguish spam from valid mail? Why can't the firewall on your
Internet connection make this same detection? Sorry, you're not making a
case for firewalling every machine in your facility.

Without giving away specifics in a public forum, a user's machine would send
outgoing mail by a very specific path that 99.9% of all viruses would not
follow. So with a firewall we can trap all SMTP connection attempts that
don't follow that path.

The firewall on the Internet cannot see into the internal network which is
behind a separate proxy.

The best case I can make for an intranet firewall that isolates each internal
machine is that

1) It lets you impose a security policy on an unsecured box, or one that was
secured incorrectly.

2) It gives you instant visibility when some user or program does anything
that violates the security policy.

--
Will


"J. Clarke" <jclarke.usenet@snet.net.invalid> wrote in message
news:d49qab02fmb@news1.newsguy.com...
Quote:

It's not worth arguing about why that is. It
is sufficient to say that it is very very very difficult to keep
an open network where every machine can contact every other
machine on any port secure.

So why do you leave a bunch of ports open on every machine?

I just want to save time and be effective. I think a firewall
helps me to do that.

A firewall does. A separate firewall for each machine just costs lots of
money for little gain.

--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net)
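Two detection ideas come up in this thread: Will's point that a firewall can trap SMTP connection attempts that do not follow the approved outbound mail path, and John's earlier points that packets whose MAC and IP pairing does not match inventory can be blocked, and that a managed switch's MAC table tells you which port (and so which cubicle) a rogue device sits on. The Python below is an added example, not code from either poster or from any product in the thread, showing that logic run over a handful of constructed firewall log lines. The key=value log format, the inventory table, the `10.0.1.0/24` addresses, the relay at `10.0.1.25`, the MACs and the switch port names are all made up for the example; the rule "only the relay may speak SMTP outward, every other host may only submit to the relay" is one reading of the "very specific path" Will declines to detail.

```python
"""Added example (not from the thread): flag SMTP that leaves the approved
mail path, flag MAC/IP pairings that disagree with inventory, and resolve
the offending MAC to a switch port and location. All data is constructed."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed inventory: IP -> (expected MAC, switch port, location).
# Hypothetical values; a real deployment would pull these from DHCP
# reservations / the switch's MAC table.
INVENTORY: Dict[str, Tuple[str, str, str]] = {
    "10.0.1.10": ("00:11:22:aa:bb:01", "gi1/0/1", "cubicle A1"),
    "10.0.1.11": ("00:11:22:aa:bb:02", "gi1/0/2", "cubicle A2"),
    "10.0.1.12": ("00:11:22:aa:bb:03", "gi1/0/3", "cubicle A3"),
    "10.0.1.25": ("00:11:22:aa:bb:25", "gi1/0/24", "server room"),
}

RELAY_IP = "10.0.1.25"      # the one internal host allowed to send mail out
SMTP_PORTS = {25, 587}      # submission and relay ports

# Constructed firewall log lines (hypothetical key=value format).
SAMPLE_LOG = """\
ts=1114100000 src=10.0.1.25 smac=00:11:22:aa:bb:25 dst=203.0.113.5 dport=25 action=allow
ts=1114100005 src=10.0.1.11 smac=00:11:22:aa:bb:02 dst=198.51.100.7 dport=25 action=deny
ts=1114100006 src=10.0.1.11 smac=00:11:22:aa:bb:02 dst=198.51.100.8 dport=25 action=deny
ts=1114100010 src=10.0.1.10 smac=00:11:22:aa:bb:01 dst=10.0.1.25 dport=25 action=allow
ts=1114100011 src=10.0.1.12 smac=00:11:22:ff:ff:ff dst=10.0.1.25 dport=445 action=allow
ts=1114100012 src=10.0.1.10 smac=00:11:22:aa:bb:01 dst=10.0.1.25 dport=80 action=allow
ts=1114100013 src=10.0.1.99 smac=00:11:22:aa:bb:03 dst=198.51.100.9 dport=25 action=deny
"""


@dataclass(frozen=True)
class Event:
    ts: int
    src: str
    smac: str
    dst: str
    dport: int
    action: str


def parse_line(line: str) -> Event:
    """Parse one key=value log line into an Event (MACs normalised to lower case)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Event(int(fields["ts"]), fields["src"], fields["smac"].lower(),
                 fields["dst"], int(fields["dport"]), fields["action"])


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_approved_mail_path(ev: Event) -> bool:
    """Only the relay may originate SMTP to anywhere; other hosts may only submit to the relay."""
    return ev.src == RELAY_IP or ev.dst == RELAY_IP


def mac_matches_inventory(ev: Event) -> bool:
    """True when the source IP is known and arrives from the MAC we expect for it."""
    entry = INVENTORY.get(ev.src)
    return entry is not None and entry[0] == ev.smac


def locate(mac: str) -> Tuple[str, str]:
    """Resolve a MAC to (switch port, location), as a managed switch's MAC table would."""
    for _ip, (known_mac, port, where) in INVENTORY.items():
        if known_mac == mac:
            return port, where
    return "unknown", "unknown"


def find_violations(events: List[Event]) -> List[Tuple[str, str, str, str, str]]:
    """Return (kind, src ip, src mac, switch port, location) for each violating event."""
    findings = []
    for ev in events:
        if ev.dport in SMTP_PORTS and not is_approved_mail_path(ev):
            findings.append(("smtp-off-path", ev.src, ev.smac) + locate(ev.smac))
        if not mac_matches_inventory(ev):
            findings.append(("mac-ip-mismatch", ev.src, ev.smac) + locate(ev.smac))
    return findings


def summarize(findings) -> Dict[Tuple[str, str], int]:
    """Collapse per-event findings into one count per (kind, source IP) so one
    infected host spewing thousands of connections yields one alert line."""
    counts: Dict[Tuple[str, str], int] = {}
    for kind, src, _mac, _port, _where in findings:
        counts[(kind, src)] = counts.get((kind, src), 0) + 1
    return counts


if __name__ == "__main__":
    found = find_violations(parse_log(SAMPLE_LOG))
    for kind, src, mac, port, where in found:
        print(f"{kind}: {src} ({mac}) on {port} / {where}")
    print(summarize(found))
```

The last sample line is the spoofed-IP case from the thread: the IP is not in inventory, but the MAC is, so the alert still names a port and a cubicle. The `ff:ff:ff` line is the other way round, a known IP arriving from an unknown MAC, and is what the MAC/IP binding rule catches even though the traffic itself (port 445 to the relay) looks ordinary.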
 
All times are GMT