Educause Security Discussion mailing list archives
Re: When is a firewall not a firewall?
From: Matthew Keller <kellermg () POTSDAM EDU>
Date: Fri, 5 Sep 2003 16:30:51 -0400
There is still a nasty gap during which a hammering attack can exploit system vulnerabilities. There is no solution for Microsoft Windows to close that gap because the OS loads networking components before it allows other services to come on-line.

On Fri, 2003-09-05 at 15:57, Hahn, Jacob wrote:
> IP Security policies that are built in to the local and group policies may provide what you are looking for. The real beauty of the group policy based IP Security policies is that they can be centrally managed via Active Directory.
>
> Jacob Hahn
> MCSE Windows 2000, MCP, CCA
> Information Technology Center
> Montana State University - Bozeman
> Web: http://www.montana.edu/wwwitc/
>
> -----Original Message-----
> From: Gary Dobbins [mailto:dobbins () ND EDU]
> Sent: Friday, September 05, 2003 12:28 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] When is a firewall not a firewall?
>
> Wondering if anyone out there has seen this characteristic of XP's built-in 'firewall', and/or if it's widely known:
>
> Some folks have asked recently how it's seemed possible for someone's XP machine to have contracted one of the recent RPC/DCOM worms even though they had the XP firewall enabled. Maybe they hadn't had a chance to install the patch yet, but knew the firewall would hold off the probes by worms seeking victims. They were right, except... Just don't reboot.
>
> During the period of time during Windows startup, between the IP stack coming up and the firewall service starting, Windows is fully exposed to the net. On one test I just ran, XP dutifully responded to probes for at least 10 seconds, while it was busy preparing the "welcome screen" for login. Same syndrome seen using Kerio v2 and McAfee v8.
>
> The XP firewall operates as a "service", which means it can start running even after other parts of the system have become ready (like the DCOM server processes). Messing with inter-service dependencies is tempting, but may bear no fruit as the XPFW may not hook network drivers low enough to hold them off during startup, and/or it may depend on other services, creating a Catch-22 sort of problem.
> Needless to say, we'll be looking at other firewall products to see if any are constructed in a way that lets them "fail closed" where they intercept the network at a low enough layer to deny everything until they're ready to permit, versus the other way 'round.
>
> --
> Gary Dobbins, CISSP -- dobbins () nd edu
> Director, Information Security
> University of Notre Dame, Office of Information Technologies
> Voice: 574.631.5554
>
> ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
--
Matthew Keller
Enterprise Systems Analyst
Computing & Technology Services
State University of New York @ Potsdam
Potsdam, NY USA
http://mattwork.potsdam.edu/
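To put a number on the startup gap Gary describes, here is an added Python example (not code from any poster): it probes a host you administer during a reboot and reports how long it kept answering before the firewall service came up. The host, port and timings are assumptions you supply, and the embedded trace is constructed.

```python
# Added example (not from any poster): measure how long a host answers TCP probes
# during a reboot, i.e. the gap between the IP stack coming up and the firewall
# service starting. The host, port and timings are assumed values you supply.
import socket
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    t: float         # seconds since the run started
    reachable: bool  # True if a TCP handshake completed

def probe_once(host, port, timeout=0.5):
    """One TCP connect; refused, filtered or host-down all count as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_loop(host, port, duration_s, interval_s=0.5):
    """Probe every interval_s for duration_s seconds; reboot the host after starting."""
    samples, start = [], time.monotonic()
    while (now := time.monotonic() - start) < duration_s:
        samples.append(Sample(now, probe_once(host, port)))
        time.sleep(interval_s)
    return samples

def exposure_windows(samples):
    """Return (start, end) spans during which consecutive probes were answered."""
    windows, open_at = [], None
    for s in samples:
        if s.reachable and open_at is None:
            open_at = s.t
        elif not s.reachable and open_at is not None:
            windows.append((open_at, s.t))
            open_at = None
    if open_at is not None:  # still answering when the run ended
        windows.append((open_at, samples[-1].t))
    return windows

def longest_exposure(samples):
    return max((e - s for s, e in exposure_windows(samples)), default=0.0)

def run_from_pattern(pattern, interval_s=0.5):
    """Constructed run: '-' = no answer, '+' = answered, one sample per interval."""
    return [Sample(i * interval_s, c == "+") for i, c in enumerate(pattern)]

# Constructed reboot trace: down, then ~10 s answering before the firewall starts.
CONSTRUCTED_RUN = run_from_pattern("--------" + "+" * 20 + "------")
```

For a live run against your own machine, replace CONSTRUCTED_RUN with probe_loop(host, port, 120) started just before you reboot it, then feed the result to exposure_windows.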