NT 4 server firewall?
Alinator
Guest
Posted: Thu Jan 20, 2005 8:31 am    Post subject: Re: NT 4 server firewall?

"Lars M. Hansen" <badnews@hansenonline.net> wrote in message
news:mnstu0tuup7bj4ht15krv6c6c2hvi6q0te@4ax.com...
Quote:
On Wed, 19 Jan 2005 21:49:09 GMT, Alinator spoketh
snip
But does it actually protect something?

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)

Yes, No, Maybe. But completely irrelevant to the original question.

Although, I don't disagree with any of the observations on BOPs for setting
up production servers either. I look at SWF like locks on your house or car
(or BOPs for that matter). They're there to keep your friends and the
curious out (as well as offer a little defense against "pilot error").

Alinator
Lars M. Hansen
Guest
Posted: Thu Jan 20, 2005 4:47 pm    Post subject: Re: NT 4 server firewall?

On Wed, 19 Jan 2005 20:52:49 -0600, zn spoketh

Quote:
Lars M. Hansen <badnews@hansenonline.net> wrote in
news:mnstu0tuup7bj4ht15krv6c6c2hvi6q0te@4ax.com:

On Wed, 19 Jan 2005 21:49:09 GMT, Alinator spoketh


on. Don't seem to have much trouble with it.


But does it actually protect something?


Are you people dense? How can having an installed software firewall not
provide another layer of protection beyond network hardware-based
security???????

Because software firewalls "protect" computers by closing ports. Since
the thing you seek to protect needs to have the vulnerable ports open,
the firewall adds no protection to these ports at all, thus leaving the
system as vulnerable as it was before the firewall was added.

Let's see. A Windows NT4 server running Oracle will most likely have the
following ports in a listening state:

135/TCP (RPC)
137/UDP (NetBIOS NameService)
138/UDP (NetBIOS Datagram Service)
139/TCP (NetBIOS Session Service)
139/UDP (NetBIOS Session Service)
1521/TCP (Oracle Database server)

Now, these are the ports that need to be open (listening) in order for
the server to be a part of a domain and also serve as an Oracle database
server. All the other ports are by default in a closed (non-listening)
state. There might be more ports for the Oracle server as well,
depending on product and version. For illustration, this should be
enough.

Now, let's install the software firewall and see what happens.

We still need those same ports in a listening state, so we'll configure
the software firewall to allow that.

Tell me, which ports are the software firewall now protecting? It is
protecting ALL THE OTHER PORTS THAT WERE ALREADY CLOSED! There's no door
analogy here. It's not the same as putting another lock on a door. A
closed port is a closed port, and it cannot be connected to or
exploited, with or without a firewall.

So, instead of actually adding security to your server, you have only
accomplished to add complexity and potentially insecurity. You have
added another program that may either a) have new exploitable
vulnerabilities or b) instability, which may cause additional downtime
(best scenario) or fatal data loss (worst case scenario).



Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
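
The argument in the post above can be checked on a real host by comparing what is listening with what the host firewall allows inbound. This is an added example, not part of the original thread; the `netstat -an` sample is constructed, and the `(protocol, port)` rule representation and function names are assumptions made for illustration.

```python
import re

# Constructed `netstat -an` output for a server like the one in the post.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1521           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1521          10.0.0.23:1047         ESTABLISHED
  UDP    10.0.0.5:137           *:*
  UDP    10.0.0.5:138           *:*
"""

# proto, local port, optional state column (UDP rows have none)
ROW = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def listening(netstat_text):
    """Return the set of (proto, port) pairs that accept inbound traffic."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or unrelated line
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        # TCP counts only when LISTENING; a bound UDP socket shows no state.
        if (proto == "TCP" and state == "LISTENING") or (proto == "UDP" and state is None):
            found.add((proto, port))
    return found


def firewall_effect(listeners, allowed):
    """Compare listeners with inbound allow rules (hypothetical rule model).

    Returns (still_reachable, closed_by_firewall, rules_without_listener).
    Ports with no listener are closed with or without the firewall, so only
    closed_by_firewall measures what the firewall changed for inbound traffic.
    """
    return listeners & allowed, listeners - allowed, allowed - listeners


if __name__ == "__main__":
    ports = listening(NETSTAT_SAMPLE)
    # The configuration the post describes: every listening port is allowed.
    reachable, closed, unused = firewall_effect(ports, set(ports))
    print("reachable:", sorted(reachable))
    print("closed by firewall:", sorted(closed))
```

An empty "closed by firewall" set means the inbound exposure is identical before and after the firewall was installed.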
Lars M. Hansen
Guest
Posted: Thu Jan 20, 2005 4:52 pm    Post subject: Re: NT 4 server firewall?

On Thu, 20 Jan 2005 04:27:01 GMT, Alinator spoketh

Quote:

Yes, No, Maybe. But completely irrelevant to the original question.

Although, I don't disagree with any of the observations on BOPs for setting
up production servers either. I look at SWF like locks on your house or car
(or BOPs for that matter). They're there to keep your friends and the
curious out (as well as offer a little defense against "pilot error").

Alinator


Let's start with your last statement. Yes, software firewalls may help
against "pilot error". Since many of these solutions offer outbound
protection both on a port and application level, it may indeed prevent
malware that has either intentionally or unintentionally been installed
from getting to the Internet.

But, that is irrelevant in a server setting. The server should not be
used to browse the internet, and when it is done, only very specific
sites need to be visited to get patches and updates.

As for "locks on your house", I'll refer to the other post I made just a
couple of minutes ago.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
Greg R
Guest
Posted: Thu Jan 20, 2005 6:31 pm    Post subject: Re: NT 4 server firewall?

On Thu, 20 Jan 2005 06:52:18 -0500, Lars M. Hansen
<badnews@hansenonline.net> wrote:

Quote:
But, that is irrelevant in a server setting. The server should not be
used to browse the internet, and when it is done, only very specific
sites need to be visited to get patches and updates.

I may not understand how servers work. Yes, they do need internet
access. I know my insurance agent uses a server to hook up four
computers and uses it for internet access and to access the insurance
headquarters customer files.




Greg R
Alinator
Guest
Posted: Thu Jan 20, 2005 9:07 pm    Post subject: Re: NT 4 server firewall?

"Lars M. Hansen" <badnews@hansenonline.net> wrote in message
news:ui6vu0d61pgc6gdvl6iclic155pa69oivg@4ax.com...
Quote:
On Thu, 20 Jan 2005 04:27:01 GMT, Alinator spoketh

snip

Let's start with your last statement. Yes, software firewalls may help
against "pilot error". Since many of these solutions offer outbound
protection both on a port and application level, it may indeed prevent
malware that has either intentionally or unintentionally been installed
from getting to the Internet.

But, that is irrelevant in a server setting. The server should not be
used to browse the internet, and when it is done, only very specific
sites need to be visited to get patches and updates.

As for "locks on your house", I'll refer to the other post I made just a
couple of minutes ago.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)

Absolutely, as I said I don't disagree with any of the BOPs that have been
suggested here, and agree a SWF adds little extra security to a
professionally managed server over them. However, in this day and age where
the marketing hype implies you don't need a pro to manage your sensitive
assets, and bean counters take that to mean you can cut loose your
"expensive" IT pros (how a hardware weenie such as myself ended up a "quasi"
NetAdm) SWFs make an easy low impact AEW I need to take a closer look at
something.

Your comment about browsing from a server is right on the mark. I would
hazard to guess that might be one of the single biggest reasons for
"mysterious" server meltdowns going. ;-)

Alinator
Lars M. Hansen
Guest
Posted: Fri Jan 21, 2005 6:46 am    Post subject: Re: NT 4 server firewall?

On Thu, 20 Jan 2005 08:31:05 -0500, Greg R spoketh

Quote:
On Thu, 20 Jan 2005 06:52:18 -0500, Lars M. Hansen
<badnews@hansenonline.net> wrote:

But, that is irrelevant in a server setting. The server should not be
used to browse the internet, and when it is done, only very specific
sites need to be visited to get patches and updates.

I may not understand how servers work. Yes, they do need internet
access. I know my insurance agent uses a server to hook up four
computers and uses it for internet access and to access the insurance
headquarters customer files.

Greg R

I would dare to assume that your insurance agent uses Windows SBS with
ISA server installed. He's not technically using the server to browse,
only passing traffic through it. That is a significant difference, as
traffic passing through a proxy server doesn't get the opportunity to
execute itself like it can on the host computer (ie ActiveX components,
javascripts etc. etc.).


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
Don Kelloway
Guest
Posted: Fri Jan 21, 2005 8:18 am    Post subject: Re: NT 4 server firewall?

"Lars M. Hansen" <badnews@hansenonline.net> wrote in message
news:ih5vu0171al4g41dl36m3fskja0vuu81as@4ax.com...
Quote:
On Wed, 19 Jan 2005 20:52:49 -0600, zn spoketh

Lars M. Hansen <badnews@hansenonline.net> wrote in
news:mnstu0tuup7bj4ht15krv6c6c2hvi6q0te@4ax.com:

On Wed, 19 Jan 2005 21:49:09 GMT, Alinator spoketh


on. Don't seem to have much trouble with it.


But does it actually protect something?


Are you people dense? How can having an installed software firewall not
provide another layer of protection beyond network hardware-based
security???????

Because software firewalls "protect" computers by closing ports. Since
the thing you seek to protect needs to have the vulnerable ports open,
the firewall adds no protection to these ports at all, thus leaving the
system as vulnerable as it was before the firewall was added.


Here's something to ponder...

Take the existing NT4 system which has a single NIC, add an MS Loopback
Adapter and assign it an IP address within the same subnet as the existing
NIC, install/configure the installed application(s) to bind/use the IP
address associated with the Loopback Adapter, install a software based SMLI
firewall solution, configure the firewall to allow only the protocols/ports
for what is required inbound to the Loopback Adapter (AKA the firewall's
protected side) and voila! You've now got yourself an extremely secure NT4
system with protection from external threats.

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security
on the Internet".