Re: Client End Firewalls

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2004-10-08 GuidoZ wrote:
> While I certainly agree with your points about admin rights/access
> only, that's more difficult to do on Win98 boxes. =) (They have a
> handful of them plus some XP Pro and Home.)

With Windows 98 you're doomed since you have to rely on the users not
making mistakes :(

Even XP Home is better than Windows 98 although it has drawbacks of its
own, e.g. the missing security settings in the files' and folders'
properties. Removing that tab was really a brilliant idea of Microsoft.
Not. Which home user is going to use (x)cacls or subinacl? However,
there are means to work around them to a point [1,2]. What's really
annoying with XP Home is that you don't have policies and can't
integrate it into a domain. I'm not aware of ways to work around that
besides replacing it with XP Pro.

> > You're adding more code and more complexity to the system. This
> > approach has already been proved wrong by the Witty worm.
>
> Thsi I agree with to a point, however I disagree with the idea you
> raised. Yes, it certainly would add more code and complexity to the
> system - but since when does adding ANY layer of security not do that?

Removing the services you don't need does.

> =) Security and ease of use have never gone hand in hand and I doubt
> they ever will.

Of course. But that was not my point. I was referring to the technical
complexity of the system, not complexity regarding ease of use. The less
code runs on the system, the less configuration needs to be done, the
less configuration issues and (exploitable) bugs are to be expected.

> The Witty worm is a poor example in this case, IMHO. It was a very
> advanced worm and designed to attack a specific vulnerability on a
> specific product.

It attacked a vulnerability that wouldn't even have existed, if the
systems hadn't been "protected" by additional software. That's the very
point of this.

> (Again I point to my "padlock and the prepared attacker" scenario.) If
> someone is out to get past minor deterrents, OR, is after attacking a
> specific, known vulnerability, then beyond stopping that exact exploit
> you're going to be out of luck. It doesn't apply in this case.

Services that don't run can't be exploited and thus don't need to be
protected by a PFW. Services that need to be available can't be
protected by a PFW.

[...]
> > Maybe, but I consider it a lot easier to keep AV definitions up to
> > date than getting the client firewall properly configured. YMMV.
>
> Aye, me too. Again, it's just another layer that I prefer to add. As
> you said ealier, it depends on the POV and situation. Just because AV
> defs are up to date, if they disable their AV, what good does it do
> you? I like having the added layer.

They should not be able to disable the AV, otherwise you have to rely on
their well-behaving which is simply not acceptable from a security point
of view. Plus AV software and PFWs address different issues.

> > Since blocking outbound traffic can't work reliably, I consider PFWs to
> > be more like a host-based IDS on this behalf. However, I think a real
> > NIDS (or IPS) will be much more reliable because the malware cannot
> > tamper with it.
>
> Totally agree. However, try explaining to a small business that has
> enough problems purchasing a few Windows XP licenses that they should
> go shell out a few grand for a nice firewall. ;)

Well, you don't always have to have a Checkpoint or Cisco. A small
packet-filtering router (or a Linux|*BSD box) may very well suffice and
are a lot cheaper.

> > The licenses may be cheaper, but are they still cheaper after adding
> > the additional costs for configuration and configuration-changes?
>
> To them, yes. In the long run, most likely not. Unfortunately some
> people don't look to see what the traffic is doing ahead so they can
> prepare - they just watch the brake lights in front of them and adjust
> accordingly.

*sigh*

True. Which is why they eventually crash.

[1] http://www.luckie-online.de/programme/UserManager/index.shtml
[2] http://www.fajo.de/portal/index.php?option=content&task=view&id=6

Regards
Ansgar Wiechers
-- 
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin