Re: Patching a Firewall

[Jimi Thompson <jimit () myrealbox com>]

Robert,

Item 1 - I would never run Windows as a firewall simply because of 
the extreme difficulty in hardening the OS to prevent it from being 
exploited.  I have heard of this being done, but I've never observed 
it in a reputable shop.  Most places either use a device that is 
specifically a firewall or a hardened *nix OS (i.e. Solaris, Trusted 
Solaris, Trusted FreeBSD, NSA Secure Linux, Bastille, etc.).  The 
reason for using a nix OS is so that services which are not needed 
can be removed from the box without causing a major disruption to the 
OS.  Think of what would happen if you tried to un-install NetBIOS 
from Windows.

Item 2 - If your OS on your firewall has a vulnerability, your 
firewall itself is vulnerable.  If I can get your OS to cooperate and 
give me "root" or "Administrator", I can change your firewall rules, 
logging, user accounts, etc. to suit myself.

Item 3 - Your firewall, for management purposes, probably accepts 
connections to itself.  The question then becomes where does it 
accept connections from and, if you are a hacker, how can I spoof 
that.  ANYTHING that's not physical layer can be spoofed and even 
that's not a guarantee that someone sneaky hasn't installed a device 
somewhere to trip you up.

I notice from your email address that you are with an investment 
banker.  That means you deal with money.  Any time cash is involved, 
especially transferring cash electronically, your level of paranoia 
should be very very high (like almost ready to cart you off in the "i 
love me jacket").  Never mind the SEC regulations.....

2 Cents,

Jimi




At 8:15 AM -0400 9/12/03, Robert Mezzone wrote:
> I want to start off by saying my Firewall is fully patched. That being said
> my question is...
>
> Is it a big security risk if the OS (say Windows) running the firewall box,
> is not fully patched? My reasoning that it isn't is because the firewall
> should be configured to drop any connections to itself. Or being the
> firewall has to at least initially accept the packet in order to inspect it,
> enough to exploit a vulnerability.
>
> Robert
>
> ---------------------------------------------------------------------------
> Captus Networks
> Are you prepared for the next Sobig & Blaster?
>  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
>  - Precisely Define and Implement Network Security
>  - Automatically Control P2P, IM and Spam Traffic
> FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
> http://www.captusnetworks.com/ads/42.htm
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
- Precisely Define and Implement Network Security 
- Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------