NT 4 server firewall?
DComTalk.com Forum Index DComTalk.com
Discussion of VoIP, VPN, Video Conferencen, DSL and other data commucations.
 
Leythos
Guest
Posted: Sat Jan 15, 2005 9:19 am    Post subject: Re: NT 4 server firewall?

In article <41e8896f$0$6222$e4fe514c@news.xs4all.nl>, bas.keur@dmrt.net
says...
Quote:
Software firewalls do not give security.

Oh really ?
Ever seen a CP-FW1 running on Trusted solaris ?

Sure I have, but have you ever seen FW-1 running on a production server
running NT 4 with all the production apps on it?

Not if it was set up according to CP specifications - the firewall is
supposed to be a stand-alone server with limited access.

Short of getting a bridging firewall (same IP on both sides) there is
little the OP is going to do to protect the system (if the OP has
already followed the MS recommendations.)

--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Michael J. Pelletier
Guest
Posted: Sat Jan 15, 2005 9:45 am    Post subject: Re: NT 4 server firewall?

zn wrote:

Quote:
Lars M. Hansen <badnews@hansenonline.net> wrote in
news:i80hu0dl8iekorufpjvei44sd1ncepm13d@4ax.com:

On Fri, 14 Jan 2005 19:28:23 -0600, zn spoketh


This isn't a home network that we're talking about. There is an
institution with a hardware firewall, routers, and switches between
the Internet and this server. I'm looking for a software firewall as
just another way to protect the server and protect against network
security misconfigurations and internal threats.

Yes, and Wolfgang's answer still applies.

* Disable the services that are not necessary to the operation of the
server to reduce avenues of attack.
* Restrict access to the server on existing routers/firewalls.

You cannot attack what isn't there.
You cannot hide what needs to be visible.
Don't try to fix what isn't broken.

And what happens when another Microsoft worm breaks out and starts
exploiting some bug in the OS. How many times has that happened during
the last several years? There is always a window where the virus is
breaking out but new definitions either haven't been prepared or haven't
made it to the clients yet. A software firewall would help protect
against this.


There is no software you can put on a SQL server that will protect
it more than it already should be by employing the "best practices"
available for securing said server.

There's nothing worse than upper management second-guessing the
security measures put in place by competent administrators. If you
really don't trust the administrator, then have someone come in to
audit the server and the firewall/routers.

You guys have an inferiority complex. Just because you are competent sure
doesn't mean that every network administrator is.

Have you ever dealt with large campus, multiprotocol networking hardware?
Problems happen -- ports get left open accidentally, firmware may not get
updated quickly, leaving potential exploits.

Just because your senior management read an interesting article in
some magazine about "software firewalls" in some know-it-all business
magazine doesn't mean that it'll do anything for you...

That's just a silly comment. There is no problem running packet filtering
software on Unix and it's very commonplace. All that I asked about was
software for doing the same on Windows. Software firewalls are just
another level of security.

Nicely said...

Wolfgang Kueter
Guest
Posted: Sat Jan 15, 2005 3:07 pm    Post subject: Re: NT 4 server firewall?

zn wrote:

Quote:
Lars M. Hansen <badnews@hansenonline.net> wrote in
news:i80hu0dl8iekorufpjvei44sd1ncepm13d@4ax.com:

On Fri, 14 Jan 2005 19:28:23 -0600, zn spoketh


This isn't a home network that we're talking about. There is an
institution with a hardware firewall, routers, and switches between
the Internet and this server. I'm looking for a software firewall as
just another way to protect the server and protect against network
security misconfigurations and internal threats.

Yes, and Wolfgang's answer still applies.

* Disable the services that are not necessary to the operation of the
server to reduce avenues of attack.
* Restrict access to the server on existing routers/firewalls.

You cannot attack what isn't there. [...]
You cannot hide what needs to be visible.
Don't try to fix what isn't broken.

And what happens when another Microsoft worm breaks out and starts
exploiting some bug in the OS.

If you can't trust the OS (any longer) change it.

Quote:
How many times has that happened during
the last several years? There is always a window where the virus is
breaking out but new definitions either haven't been prepared or haven't
made it to the clients yet. A software firewall would help protect
against this.

No, software firewalls add code to the whole system resulting in more
complexity and more attack possibilities and other problems. So:

- Lock down the box, delete software on it instead of installing more.
- get an up-to-date OS version


Wolfgang
--
news.shlink.de

Greg Hennessy
Guest
Posted: Sat Jan 15, 2005 5:03 pm    Post subject: Re: NT 4 server firewall?

On Fri, 14 Jan 2005 20:58:22 -0600, zn <zn@zn122.edu.invalid> wrote:


Quote:

That's just a silly comment. There is no problem running packet filtering
software on Unix and it's very commonplace. All that I asked about was
software for doing the same on Windows. Software firewalls are just
another level of security.

I would tend to agree, especially after watching BID gracefully handle both
code red and nimda in a day zero manner on <insert large UK online banking
joint venture> IIS farm.

BID's heuristics figured out something wasn't quite kosher with the
requested traffic patterns despite *not* having explicit signatures for
either.

Defence in depth is a key part of any meaningful design.

Host based IDS/IPS are a critical ingredient in that mix.



greg


--
Yeah - straight from the top of my dome
As I rock, rock, rock, rock, rock the microphone

Lars M. Hansen
Guest
Posted: Sat Jan 15, 2005 5:54 pm    Post subject: Re: NT 4 server firewall?

On Sat, 15 Jan 2005 04:09:50 +0100, Bas Keur spoketh

Quote:
Software firewalls do not give security.

Oh really ?
Ever seen a CP-FW1 running on Trusted solaris ?

A "software firewall" is often defined as a piece of software sitting on
a computer, protecting only that computer.

Checkpoint FW is a network firewall not a host firewall.

Quote:

But i guess you are talking about appliances here ?
(Little secret, these things run software as well)

So do elevators, what's your point?


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)

Lars M. Hansen
Guest
Posted: Sat Jan 15, 2005 5:54 pm    Post subject: Re: NT 4 server firewall?

On Fri, 14 Jan 2005 20:58:22 -0600, zn spoketh


Quote:

And what happens when another Microsoft worm breaks out and starts
exploiting some bug in the OS. How many times has that happened during
the last several years? There is always a window where the virus is
breaking out but new definitions either haven't been prepared or haven't
made it to the clients yet. A software firewall would help protect
against this.


But the firewall doesn't protect you from this. Since you need to keep
the ports for "normal" windows operation open anyways due to domain
traffic, the firewall cannot block these ports, so if the worm hits
(from the inside, because your network firewall protects you from
outside attacks), then you are out of luck anyways.

Quote:


There is no software you can put on a SQL server that will protect
it more than it already should be by employing the "best practices"
available for securing said server.

There's nothing worse than upper management second-guessing the
security measures put in place by competent administrators. If you
really don't trust the administrator, then have someone come in to
audit the server and the firewall/routers.

You guys have an inferiority complex. Just because you are competent sure
doesn't mean that every network administrator is.

Have you ever dealt with large campus, multiprotocol networking hardware?
Problems happen -- ports get left open accidentally, firmware may not get
updated quickly, leaving potential exploits.

Then do as I suggested: Hire in a Computer/Network security firm to
audit your setup. If you really think that your network admin is
incompetent, then have someone audit his work as well, then fire him if
he's truly clueless.


Quote:

Just because your senior management read an interesting article in
some magazine about "software firewalls" in some know-it-all business
magazine doesn't mean that it'll do anything for you...

That's just a silly comment. There is no problem running packet filtering
software on Unix and it's very commonplace. All that I asked about was
software for doing the same on Windows. Software firewalls are just
another level of security.

No, it is not. Software firewalls are mostly a waste of system
resources. They cannot protect you from the things you think you need
protection from. A software firewall on a SQL server would NOT in any
way, shape or form have protected it from the SQLSlammer worm because
the firewall would have to leave ports 1433 and 1434 open so that people can
actually use the SQL server.

Windows NT server comes with built-in packet filtering, but that's not
going to do you much good anyways. See, out of the 130000+ ports (UDP
and TCP combined), only a few are open. On a Windows NT server, that
would normally be 135, 137, 138 and 139, plus whatever ports the Oracle
database leaves open (sorry, too lazy to look it up). The rest are all
closed. Adding a packet filter on the machine itself to further "close"
that which is already closed does not add another level of security, it
just adds more complexity. And, you can't close the ports that are
listening, because that would kill your database server...

As for packet filter software on Unix/Linux, it's just as useless as
well, unless you are actually using it as a firewall. There's no point
in having IPtables block port 4567 if there's nothing there in the first
place...

I don't know your setup, but it sounds like you have some good stuff
between the internet and the server, and if you are really in the need
for a packet filter on the server in question, that can just as easily
be implemented on the switch the computer is connected to, or on a
router that separates your valuable servers from the rest of your LAN.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)

Al Dykes
Guest
Posted: Sat Jan 15, 2005 6:10 pm    Post subject: Re: NT 4 server firewall?

In article <MPG.1c5264bcc46d9390989f24@news-server.columbus.rr.com>,
Leythos <void@nowhere.lan> wrote:
Quote:
In article <41e8896f$0$6222$e4fe514c@news.xs4all.nl>, bas.keur@dmrt.net
says...
Software firewalls do not give security.

Oh really ?
Ever seen a CP-FW1 running on Trusted solaris ?

Sure I have, but have you ever seen FW-1 running on a production server
running NT 4 with all the production apps on it?

Not if it was set up according to CP specifications - the firewall is
supposed to be a stand-alone server with limited access.

Short of getting a bridging firewall (same IP on both sides) there is
little the OP is going to do to protect the system (if the OP has
already followed the MS recommendations.)


Sysadmin magazine, a month or so ago, had a good article on building a
bridged firewall on a free Unix box.

http://sysadminmag.com/

--

a d y k e s @ p a n i x . c o m

Don't blame me. I voted for Gore.

Leythos
Guest
Posted: Sat Jan 15, 2005 6:42 pm    Post subject: Re: NT 4 server firewall?

In article <csb4oj$ifo$1@panix5.panix.com>, adykes@panix.com says...
Quote:
In article <MPG.1c5264bcc46d9390989f24@news-server.columbus.rr.com>,
Leythos <void@nowhere.lan> wrote:
In article <41e8896f$0$6222$e4fe514c@news.xs4all.nl>, bas.keur@dmrt.net
says...
Software firewalls do not give security.

Oh really ?
Ever seen a CP-FW1 running on Trusted solaris ?

Sure I have, but have you ever seen FW-1 running on a production server
running NT 4 with all the production apps on it?

Not if it was set up according to CP specifications - the firewall is
supposed to be a stand-alone server with limited access.

Short of getting a bridging firewall (same IP on both sides) there is
little the OP is going to do to protect the system (if the OP has
already followed the MS recommendations.)


Sysadmin magazine, a month or so ago, had a good article on building a
bridged firewall on a free Unix box.

http://sysadminmag.com/

Yea, but if he doesn't trust the administrator to manage the server and
its security, what makes you think he'll trust him to manage a Linux
box either. Most admins want access/control over any PC installed. A
firewall appliance might be a little easier to handle.

--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Al Dykes
Guest
Posted: Sat Jan 15, 2005 6:51 pm    Post subject: Re: NT 4 server firewall?

In article <md1Gd.201$Nu.4@fed1read04>,
Michael J. Pelletier <mjpelletier@mjpelletier.com> wrote:
Quote:
zn wrote:

Lars M. Hansen <badnews@hansenonline.net> wrote in
news:i80hu0dl8iekorufpjvei44sd1ncepm13d@4ax.com:

On Fri, 14 Jan 2005 19:28:23 -0600, zn spoketh


This isn't a home network that we're talking about. There is an
institution with a hardware firewall, routers, and switches between
the Internet and this server. I'm looking for a software firewall as
just another way to protect the server and protect against network
security misconfigurations and internal threats.

Yes, and Wolfgang's answer still applies.

* Disable the services that are not necessary to the operation of the
server to reduce avenues of attack.
* Restrict access to the server on existing routers/firewalls.

You cannot attack what isn't there.
You cannot hide what needs to be visible.
Don't try to fix what isn't broken.

And what happens when another Microsoft worm breaks out and starts
exploiting some bug in the OS. How many times has that happened during
the last several years? There is always a window where the virus is
breaking out but new definitions either haven't been prepared or haven't
made it to the clients yet. A software firewall would help protect
against this.


There is no software you can put on a SQL server that will protect
it more than it already should be by employing the "best practices"
available for securing said server.

There's nothing worse than upper management second-guessing the
security measures put in place by competent administrators. If you
really don't trust the administrator, then have someone come in to
audit the server and the firewall/routers.

You guys have an inferiority complex. Just because you are competent sure
doesn't mean that every network administrator is.

Have you ever dealt with large campus, multiprotocol networking hardware?
Problems happen -- ports get left open accidentally, firmware may not get
updated quickly, leaving potential exploits.

Just because your senior management read an interesting article in
some magazine about "software firewalls" in some know-it-all business
magazine doesn't mean that it'll do anything for you...

That's just a silly comment. There is no problem running packet filtering
software on Unix and it's very commonplace. All that I asked about was
software for doing the same on Windows. Software firewalls are just
another level of security.

Nicely said...


The problem is that the software firewall on an application machine
has to be tightly tied to the version of the OS it's protecting, and
nobody's making a software firewall for NT. That's one of the downsides
of running old apps.

There are lots of small hardware appliance firewalls around.

--

a d y k e s @ p a n i x . c o m

Don't blame me. I voted for Gore.

zn
Guest
Posted: Sat Jan 15, 2005 7:42 pm    Post subject: Re: NT 4 server firewall?

Wolfgang Kueter <wolfgang@shconnect.de> wrote in news:csapvl$qf8$1
@news.shlink.de:

Quote:
zn wrote:

How many times has that happened during
the last several years? There is always a window where the virus is
breaking out but new definitions either haven't been prepared or haven't
made it to the clients yet. A software firewall would help protect
against this.

No, software firewalls add code to the whole system resulting in more
complexity and more attack possibilities and other problems. So:

A firewall makes a computer less secure????? That's news to me and everyone
else out there.

Wolfgang Kueter
Guest
Posted: Sat Jan 15, 2005 7:49 pm    Post subject: Re: NT 4 server firewall?

zn wrote:

Quote:
A firewall makes a computer less secure?????

That refers to the firewall placebo.

Quote:
That's news to me

OK.

Quote:
and everyone else out there.

No.

Wolfgang

zn
Guest
Posted: Sat Jan 15, 2005 8:04 pm    Post subject: Re: NT 4 server firewall?

Greg Hennessy <me@privacy.net> wrote in
news:41vhu0dgojqua1e5l9epv7ng1ivh47ofvg@4ax.com:

Quote:
On Fri, 14 Jan 2005 20:58:22 -0600, zn <zn@zn122.edu.invalid> wrote:



That's just a silly comment. There is no problem running packet
filtering software on Unix and it's very commonplace. All that I asked
about was software for doing the same on Windows. Software firewalls
are just another level of security.

I would tend to agree, especially after watching BID gracefully handle
both code red and nimda in a day zero manner on <insert large UK
online banking joint venture> IIS farm.

BID's heuristics figured out something wasn't quite kosher with the
requested traffic patterns despite *not* having explicit signatures
for either.


ISS BlackIce Defender server firewall
http://www.digitalriver.com/dr/v2/ec_MAIN.Entry10?V1=313036&PN=1&SP=10023&xid=26412&CID=0&DSP=&CUR=840&PGRP=0&CACHE_ID=0

Greg Hennessy
Guest
Posted: Sat Jan 15, 2005 8:54 pm    Post subject: Re: NT 4 server firewall?

On Sat, 15 Jan 2005 09:04:50 -0600, zn <zn@zn122.edu.invalid> wrote:


Quote:

ISS BlackIce Defender server firewall
http://www.digitalriver.com/dr/v2/ec_MAIN.Entry10?V1=313036&PN=1&SP=10023&xid=26412&CID=0&DSP=&CUR=840&PGRP=0&CACHE_ID=0

That's the one.


Greg
--
Yeah - straight from the top of my dome
As I rock, rock, rock, rock, rock the microphone

Bas Keur
Guest
Posted: Sun Jan 16, 2005 12:09 am    Post subject: Re: NT 4 server firewall?

Quote:
Software firewalls do not give security.

Oh really ?
Ever seen a CP-FW1 running on Trusted solaris ?

Sure I have, but have you ever seen FW-1 running on a production server
running NT 4 with all the production apps on it?

No (thank god), BUT... that's another story since I merely replied to
"Software firewalls do not give security."
:)

Quote:
Not if it was set up according to CP specifications - the firewall is
supposed to be a stand-alone server with limited access.

I agree.

] Bas Keur
] `Energizer Bunny arrested, charged with battery`

Bas Keur
Guest
Posted: Sun Jan 16, 2005 12:28 am    Post subject: Re: NT 4 server firewall?

Quote:
Yea, but if he doesn't trust the administrator to manage the server and
its security, what makes you think he'll trust him to manage a Linux
box either. Most admins want access/control over any PC installed. A
firewall appliance might be a little easier to handle.

Well, the sweat breaks on my back when I'm sent out to `investigate`
a problem on those `appliance` boxes in most cases :)
(Note: Symantec SGS5400/Raptor, Nokia & FW1 boxes)

While people seem to be scared of *BSD in general, it's `REALLY`
simple when you need a firewall. Take my fav. OpenBSD's PF
http://www.openbsd.org/faq/pf/
http://www.google.com/bsd?q=pf.conf

What I like most in PF is its flexibility to add variables for anything you
would want to `group`. What would have been a ruleset of 12
pages suddenly takes 1 page. Ahh the harmony.

But again, this is prob. just a case of personal flavor :)


--
] Bas Keur
] `Energizer Bunny arrested, charged with battery`
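Bas's remark about PF variables shrinking a ruleset, and the point Lars and Leythos make earlier in the thread that the filtering belongs on a separate box (a router, a switch, or a bridging firewall) rather than on the NT server itself, can be shown together in one ruleset. The pf.conf below is an added example written for this page, not a ruleset posted by any participant. It assumes an OpenBSD box with two interfaces (em0 toward the campus LAN, em1 toward the server segment), uses documentation addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) as placeholders, and takes the NT ports 135, 137, 138 and 139 from Lars's post; the database ports 1433/1434 are an assumption standing in for whatever the server's database actually listens on, and the DNS/NTP hosts are likewise assumed.

```pf
# Added example (not from the thread): pf.conf for a dedicated OpenBSD filter
# sitting between the campus LAN and one server, showing how PF macros and
# tables group hosts and ports so the ruleset stays short.
# Interface names, addresses and the database ports are assumed/constructed.

ext_if = "em0"            # faces the campus LAN (clients, admins)
srv_if = "em1"            # faces the protected server segment
db_srv = "192.0.2.10"     # the NT 4 database server (documentation address)

# Listeners that must stay reachable for the server to do its job.
# 135/139 TCP and 137/138 UDP are the NT ports named in the thread;
# 1433/1434 are a placeholder for whatever the database really listens on.
nt_tcp = "{ 135, 139 }"
nt_udp = "{ 137, 138 }"
db_tcp = "{ 1433, 1434 }"

# Tables hold the groups: one rule per table instead of one rule per host.
table <admin_hosts> { 198.51.100.5, 198.51.100.6 }
table <db_clients>  { 203.0.113.0/24, 198.51.100.0/24 }
table <infra>       { 198.51.100.53, 198.51.100.123 }   # DNS and NTP (assumed)

set skip on lo

# Default deny in both directions; log drops so mistakes show up in pflog.
block log all

# Client side: only the named admin hosts reach the NT RPC/NetBIOS ports ...
pass in on $ext_if proto tcp from <admin_hosts> to $db_srv port $nt_tcp keep state
pass in on $ext_if proto udp from <admin_hosts> to $db_srv port $nt_udp keep state

# ... and only database clients reach the database listener.
pass in on $ext_if proto tcp from <db_clients> to $db_srv port $db_tcp keep state

# Server side: the server itself may originate nothing but DNS and NTP.
pass in on $srv_if proto { tcp, udp } from $db_srv to <infra> port { 53, 123 } keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; a new client network is added with `pfctl -t db_clients -T add 203.0.113.64/26` without editing the rules. Because PF states are floating by default, the `pass in` rules on one interface are enough for the matching packets to leave on the other, so no separate `pass out` rules are needed. This ruleset does exactly what Lars says a filter can do: it does not "close" 1433 to the clients that need it, it only narrows who can reach each listener and what the server may talk to on its own, which is also what limits a worm that does get onto the box. On OpenBSD the same rules can be applied to the member interfaces of a bridge(4), which gives the "same IP on both sides" bridging firewall Leythos mentions.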