Security Basics mailing list archives
Re: Client End Firewalls
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Sun, 17 Oct 2004 20:12:37 +0200
On 2004-10-08 GuidoZ wrote:
While I certainly agree with your points about admin rights/access only, that's more difficult to do on Win98 boxes. =) (They have a handful of them plus some XP Pro and Home.)
With Windows 98 you're doomed since you have to rely on the users not making mistakes :( Even XP Home is better than Windows 98 although it has drawbacks of its own, e.g. the missing security settings in the files' and folders' properties. Removing that tab was really a brilliant idea of Microsoft. Not. Which home user is going to use (x)cacls or subinacl? However, there are means to work around them to a point [1,2]. What's really annoying with XP Home is that you don't have policies and can't integrate it into a domain. I'm not aware of ways to work around that besides replacing it with XP Pro.
You're adding more code and more complexity to the system. This approach has already been proved wrong by the Witty worm.Thsi I agree with to a point, however I disagree with the idea you raised. Yes, it certainly would add more code and complexity to the system - but since when does adding ANY layer of security not do that?
Removing the services you don't need does.
=) Security and ease of use have never gone hand in hand and I doubt they ever will.
Of course. But that was not my point. I was referring to the technical complexity of the system, not complexity regarding ease of use. The less code runs on the system, the less configuration needs to be done, the less configuration issues and (exploitable) bugs are to be expected.
The Witty worm is a poor example in this case, IMHO. It was a very advanced worm and designed to attack a specific vulnerability on a specific product.
It attacked a vulnerability that wouldn't even have existed, if the systems hadn't been "protected" by additional software. That's the very point of this.
(Again I point to my "padlock and the prepared attacker" scenario.) If someone is out to get past minor deterrents, OR, is after attacking a specific, known vulnerability, then beyond stopping that exact exploit you're going to be out of luck. It doesn't apply in this case.
Services that don't run can't be exploited and thus don't need to be protected by a PFW. Services that need to be available can't be protected by a PFW. [...]
Maybe, but I consider it a lot easier to keep AV definitions up to date than getting the client firewall properly configured. YMMV.Aye, me too. Again, it's just another layer that I prefer to add. As you said ealier, it depends on the POV and situation. Just because AV defs are up to date, if they disable their AV, what good does it do you? I like having the added layer.
They should not be able to disable the AV, otherwise you have to rely on their well-behaving which is simply not acceptable from a security point of view. Plus AV software and PFWs address different issues.
Since blocking outbound traffic can't work reliably, I consider PFWs to be more like a host-based IDS on this behalf. However, I think a real NIDS (or IPS) will be much more reliable because the malware cannot tamper with it.Totally agree. However, try explaining to a small business that has enough problems purchasing a few Windows XP licenses that they should go shell out a few grand for a nice firewall. ;)
Well, you don't always have to have a Checkpoint or Cisco. A small packet-filtering router (or a Linux|*BSD box) may very well suffice and are a lot cheaper.
The licenses may be cheaper, but are they still cheaper after adding the additional costs for configuration and configuration-changes?To them, yes. In the long run, most likely not. Unfortunately some people don't look to see what the traffic is doing ahead so they can prepare - they just watch the brake lights in front of them and adjust accordingly.
*sigh* True. Which is why they eventually crash. [1] http://www.luckie-online.de/programme/UserManager/index.shtml [2] http://www.fajo.de/portal/index.php?option=content&task=view&id=6 Regards Ansgar Wiechers -- "Those who would give up liberty for a little temporary safety deserve neither liberty nor safety, and will lose both." --Benjamin Franklin
Current thread:
- RE: Client End Firewalls David Gillett (Sep 30)
- <Possible follow-ups>
- Re: Client End Firewalls Ansgar -59cobalt- Wiechers (Oct 01)
- Re: Client End Firewalls GuidoZ (Oct 04)
- Re: Client End Firewalls Ansgar -59cobalt- Wiechers (Oct 08)
- Re: Client End Firewalls GuidoZ (Oct 12)
- Re: Client End Firewalls Ansgar -59cobalt- Wiechers (Oct 18)
- Re: Client End Firewalls GuidoZ (Oct 19)
- Re: Client End Firewalls Ansgar -59cobalt- Wiechers (Oct 20)
- Re: Client End Firewalls GuidoZ (Oct 28)
- RE: Client End Firewalls Jef Feltman (Oct 30)
- Re: Client End Firewalls GuidoZ (Oct 04)
- Re: Client End Firewalls GuidoZ (Oct 05)
- Re: Client End Firewalls xyberpix (Oct 07)
- Re: Client End Firewalls Ken S (Oct 07)
- Re: Client End Firewalls GuidoZ (Oct 08)