Security Basics mailing list archives
RE: Securing a Local Network
From: Meidinger Chris <chris.meidinger () badenit de>
Date: Mon, 19 Apr 2004 20:14:34 +0200
On re-reading, I would like to clarify what I mean by 'allow a lot of different ports on the local network.' I mean that, particularly if these are Windows hosts, you will probably have to open at least 135, 137 and 139 to source IPs from your local net. That will make it relatively easy for an attacker that has broken into one host to hop among the other hosts. If you have a central firewall acting as a choke point, you can at least limit the possibilities an attacker has. You can make it impossible for computers to go out over non-essential ports, as well as prevent internet hosts from opening any connections inside.

When you said that your machines are behind NAT, I was thinking 'classic' NAT in that each machine has an Internet IP assigned to it on the other side of the NATting device. If you mean that your router is doing masquerading or port overloading, so that each outbound connection is statefully tracked, then the considerations I brought up are less meaningful. I assume, however, from your post that you are not.

Cheers,
Chris Meidinger
-----Original Message-----
From: Meidinger Chris [mailto:chris.meidinger () badenit de]
Sent: Monday, April 19, 2004 8:27 AM
To: webmaster; roberts () tridecap com; security-basics () securityfocus com
Subject: RE: Securing a Local Network

Hello Andreas,

there are definitely advantages to using a proper firewall, beyond simple defense in depth. The primary one is that you will have to allow a lot of different ports on the local network. That means that the compromise of a single misconfigured host will result in the compromise of the entire network. What about, for example, a virus or trojan? A desktop firewall will not likely protect from call-home malware that opens a connection itself to an internet host waiting for a shell. For this and other reasons, conventional wisdom dictates that a central chokepoint be created, where you can make a strong divide between the internal and external network.

If you use a dedicated firewall, there is absolutely no reason not to use desktop firewalls. Simple defense in depth is an advantage, but if you can correlate logs, desktop firewalls can also turn into a sort of IDS to alert you if an internal host is scanning or exploiting machines.

If you want to talk at more length or in German, feel free to mail.

Cheers,
Chris

-----Original Message-----
From: webmaster [mailto:webmaster () play-by-mail de]
Sent: Thursday, April 15, 2004 11:21 AM
To: roberts () tridecap com; security-basics () securityfocus com
Subject: Re: Securing a Local Network

Hi John,

even if you have virus protection at the gateway, you still need it on the clients. People use USB sticks, notebooks and things like that. Another problem is the fact that gateway protection can't protect you against password-protected email attachments. So the best way is a combination of both. If you want to save money, give up fileserver protection.

I have got 2 other questions regarding your issue, which might be interesting for you, too.
If I do not host my own services, is there an advantage to protecting my network through a packet filter or even a stateful inspection firewall appliance? Or is it enough to use NAT in combination with personal firewalls on every desktop?

If I use a firewall appliance, do I still need personal firewalls on the desktops? I guess I do. One benefit is against internal attacks using tools like superscan. Am I right? Other benefits?

Regards
Andreas

John Roberts wrote:

I started working as a sys admin at a small company (about 15 people) and they are starting to think it's time to upgrade their network. Right now it's just 20 computers, running a mix of XP and 2000 on a local network, sharing files, with almost no anti-virus, and the only protection from the outside world is the NAT that the routers perform. I've tried to get them to upgrade to a domain, add a fileserver for backup, get some office-wide virus protection and maybe even take our email in house, but they've balked at the price to set up a legit Windows domain.

The main goals are access control on the local network and virus / worm protection. I'm suggesting a Windows domain controller to enforce access control and then a centralized anti-virus product. Is this enough, and are there other (easier, cheaper, more effective) ways to make sure that only the people who need to can access the financial records, the computer people can access all the computers when they need to, and that some user who decides to download a cute little program won't destroy the whole network with a virus?

Is a Linux domain controller a solution, considering everything else in house is Windows? Is an anti-virus solution at the gateway better than an anti-virus solution on each desktop? Basically, what's a good way to set up a solid base of network security, which can then be expanded on?

John Roberts

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course!
All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization.
Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
---------------------------------------------------------------------------
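Chris's point that correlated desktop-firewall logs can act as a crude IDS for an internal host sweeping the NetBIOS/RPC ports (135, 137, 139) the LAN has to leave open, as an added example that is not part of the thread. The log line format, the host names and addresses, and the inclusion of port 445 are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Ports the thread says must stay open between Windows hosts (135/137/139).
# 445 is added as an assumption: later Windows versions carry SMB on it.
NETBIOS_PORTS = {135, 137, 139, 445}
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed local net

# Constructed sample lines in an assumed per-host export format:
# "<reporting_host> DROP <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOGS = """\
ws01 DROP 192.168.1.50 -> 192.168.1.11:139
ws02 DROP 192.168.1.50 -> 192.168.1.12:139
ws03 DROP 192.168.1.50 -> 192.168.1.13:135
ws04 DROP 192.168.1.50 -> 192.168.1.14:445
ws05 DROP 192.168.1.50 -> 192.168.1.15:139
ws02 DROP 192.168.1.20 -> 192.168.1.12:139
ws07 DROP 203.0.113.9 -> 192.168.1.17:139
"""

LINE_RE = re.compile(r"^(\S+) DROP (\S+) -> (\S+):(\d+)$")


def parse_line(line):
    """Return (reporter, src, dst, port) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, src, dst, port = m.groups()
    return host, src, dst, int(port)


def correlate(log_text, threshold=3):
    """Map each internal source to the sorted distinct peers it probed on
    NetBIOS/SMB ports, keeping only sources seen by more than one reporting
    host and hitting at least `threshold` peers. A single desktop firewall
    sees one drop; only the correlated view reveals the sweep."""
    targets, reporters = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, src, dst, port = rec
        if ipaddress.ip_address(src) not in LAN or port not in NETBIOS_PORTS:
            continue  # external sources and other ports are out of scope here
        targets[src].add(dst)
        reporters[src].add(host)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold and len(reporters[src]) > 1}


if __name__ == "__main__":
    for src, dsts in correlate(SAMPLE_LOGS).items():
        print(f"ALERT: internal host {src} probed {len(dsts)} peers: {', '.join(dsts)}")
```

In the constructed sample only 192.168.1.50 is reported, since 192.168.1.20 touched a single peer and 203.0.113.9 is not on the local net.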