Security Basics mailing list archives
Re: Client End Firewalls
From: GuidoZ <uberguidoz () gmail com>
Date: Fri, 1 Oct 2004 19:56:09 -0700
Forgive the length of this email. I had a number of points to make. ;)
> Maybe it would, maybe it wouldn't. It will never be able to do this reliably, since Windows provides far too many ways to work around it. Once the box gets compromised it's simply not yours anymore and malware may very well fool or disable the client-side firewall (more or less easy, depending on the firewall's configuration).
A very good point. I guess I was going along the lines of "it's better than nothing". Even if a client side firewall was to block just one piece of malware from causing a problem, but get duped by the 2nd, it was worth it. (Maybe depending on what that malware was, like say Gator compared to a trojan. Then I could see the argument of "more trouble than it was worth".) In my experience however, client side firewalls have been a positive thing, saving the day more than once. Still, a very good point about malware being able to disable/fool the firewall or Windows. The configuration is a big key. I won't discuss centralized management right now, however I have a point to make about individuals holding their own. Using a firewall with password protection is a must. Otherwise, you are leaving it open for anything to modify configuration settings or shut it down. Granted, that isn't a "solve all" solution, however it's a step in the right direction. When possible (smaller networks), a team or a single person can still be responsible for the settings. See my example a bit below.
> I don't see much sense in client-side firewalling, especially in an enterprise environment. You can't control outbound connections in a reliable manner, and you don't need it to control inbound connections.
You shouldn't need to control inbound connections, no. However, once again, in most cases it doesn't hurt to have an extra layer of protection. Configuration is the key. Again, more on this in a second.
> Shut down the services you don't need, set up an IDS/IPS, and you're fine.
Definitely something to do, though I would argue that you're fine just because you have locked down the box a bit. After all, email viruses/malware don't depend on forgotten services. However, even if your AV definitions aren't up to date, a properly configured client side firewall will stop the attack dead in its tracks.
> Client-side firewalling doesn't qualify as defense-in-depth, since there are more reliable ways to achieve the same goal. IMHO.
No, it certainly isn't defense-in-depth, but it's not pocket change either. =) Even Microsoft finally recognized the need for a client side firewall and included one in SP2. (Of course how much of a firewall it is should be topic for debate; but not now.) Please share what other reliable ways to achieve the same goal you know of. I'm not saying there isn't, although I'm curious what you're referring to. A client-side firewall's main point is to protect that client alone, aside from other defenses. When combined with a proper antivirus solution and an enterprise level firewall (if necessary in the situation), it becomes another useful piece of the security puzzle.
> If you really must have client-side firewalling (for whatever reason), you want at least central configuration of the rules. You definitely do *not* want your users to be able to allow or disallow connections.
This is certainly preferred, though not always possible. Frequently applications like this can be rather costly. Individual licenses for the different systems are usually cheaper, depending on the size of the organization. Allow me to give an example... I do consulting work for a somewhat small medical supply company. I'm basically their network admin and IT staff all in one. They only have maybe 15 Windows boxes and a few WYSE terms, logged into a unix database. I certainly wouldn't consider them enterprise size, although I still value enterprise level security. The data they hold behind their perimeter firewall is quite important (customer records, pricing, vendors, etc) and has been the target of a number of attacks. They do not have a large budget for IT spending, so I had to make do with what I could. This included a client side firewall, NOD32 antivirus, and a SOHO hardware firewall with VPN support. It worked pretty well for them. While I was away on other business, an ethernet cable failed (was accidentally cut inside the wall by a falling pallet). All they knew was that they were offline. The one who knew the most about networking (who just barely knows enough to get into trouble) ran a new cable directly to their sDSL router from the 16 port switch. This allowed them to get back online of course, although it completely bypassed the firewall and VPN I had set up. Luckily they all had Sygate Professional firewall installed and running. (I also had the log files turned on for my own benefit, allowing me to see what applications were trying to get out and what was blocked.) I had set up the configurations individually (and passworded them) so that they would be correct AND be tamper resistant. During the 3 days that they were wide open to the world (besides the protection Sygate provided), I logged a combined 26 intrusion attempts to the Windows boxes (not including the script-kiddie port scans, usual ICMP requests, etc).
The UNIX system with the dumb terminals wasn't connected to the same network, so it was safe. Had the client-side firewalls not been in place, I would have had a royal mess on my hands when I returned. (Not to mention sensitive data may have been exposed, causing a royal problem to their business.)

In another case (unrelated to the above example, but makes a good point), Sygate has blocked numerous spyware from releasing possible sensitive information from one user in particular who has a fetish with screensavers. Someone else had disabled their automated AV scanning "because it was slowing down copying files" and let Dumaru (mass-mailing worm with a trojan dropper) get through. Sygate was able to block network access to the trojan, possibly saving sensitive information from getting out. I could give more examples, but this email is getting long winded. =)

The moral of the story: The actual required level of protection, the means of protection, and the use of protection depends on the situation. Client side firewalls will not be the answer for everyone, without a doubt. However, in cases where there could be a breach of the perimeter, it's by far better than leaving them sitting there alone (or just with the Windows firewall).

I welcome comments or discussion! Thanks.

--
Peace. ~G

On Fri, 1 Oct 2004 01:12:11 +0200, Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net> wrote:
> On 2004-09-29 GuidoZ wrote:
>> Personally, I believe a client side solution is a MUST. That includes a personal firewall and an antivirus suite of some kind. There are ways past perimeter security, without a doubt. I was just discussing this very thing with someone concerning the GDI/JPEG exploit. There are ways around content filtering and such. You should have an all-encompassing solution.
>
> I agree on the AV part, but have to disagree on the client-side firewall part.
>
>> After all, say something gets through your perimeter AV solution and firewall (maybe through an SSL session, for example). If a trojan executes or is downloaded to the client system, wouldn't you want an AV solution (centrally managed for ease of use and updates) to be there to double check it? Giving the same scenario, wouldn't you want a personal firewall to be there to stop any connect back attempts? The GDI/JPEG exploit is a perfect example. It's possible you COULD have been exploited before your AV knew a thing about it. A client side firewall would stop the outgoing connection request.
>
> Maybe it would, maybe it wouldn't. It will never be able to do this reliably, since Windows provides far too many ways to work around it. Once the box gets compromised it's simply not yours anymore and malware may very well fool or disable the client-side firewall (more or less easy, depending on the firewall's configuration).
>
> I don't see much sense in client-side firewalling, especially in an enterprise environment. You can't control outbound connections in a reliable manner, and you don't need it to control inbound connections. Shut down the services you don't need, set up an IDS/IPS, and you're fine. Client-side firewalling doesn't qualify as defense-in-depth, since there are more reliable ways to achieve the same goal. IMHO.
>
>> All this completely depends, of course, on client side education. =) If they just allow all to pass through the firewall because they don't know any better, then you shouldn't waste your time in allowing it.
>
> If you really must have client-side firewalling (for whatever reason), you want at least central configuration of the rules. You definitely do *not* want your users to be able to allow or disallow connections.
>
> Regards
> Ansgar Wiechers
> --
> "Those who would give up liberty for a little temporary safety deserve neither liberty nor safety, and will lose both." --Benjamin Franklin
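The post above leans on one concrete defensive practice: keep the client-side firewall's log turned on, then read it to see which local programs tried to call out and were denied, and which remote hosts probed the box while the perimeter was bypassed (counting targeted attempts separately from port scans and ICMP noise). The script below is an added example, not code from the post or from Sygate; its tab-separated log format, the sample lines, the file names and the IP addresses are all constructed for illustration and do not reproduce any real product's log layout.

```python
"""Triage a host-firewall block log (added example, constructed format).

Answers the two questions a reviewer of such a log asks after a perimeter
bypass: which local programs tried to reach out and were denied, and which
remote hosts knocked on the door, separating single-port attempts from
multi-port scans and ICMP noise.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample log. Fields (tab-separated): timestamp, direction,
# action, protocol, local ip:port, remote ip:port, local program ("-" for
# inbound). Program names and addresses are made up for the example.
SAMPLE_LOG = """\
2004-09-28 09:12:01\tOUT\tBLOCKED\tTCP\t192.168.1.23:1057\t203.0.113.9:80\tC:\\WINDOWS\\System32\\scrsvr_bonus.scr
2004-09-28 09:12:07\tOUT\tBLOCKED\tTCP\t192.168.1.23:1058\t203.0.113.9:80\tC:\\WINDOWS\\System32\\scrsvr_bonus.scr
2004-09-28 09:13:40\tOUT\tALLOWED\tTCP\t192.168.1.23:1060\t198.51.100.5:443\tC:\\Program Files\\Outlook\\outlook.exe
2004-09-28 11:02:13\tIN\tBLOCKED\tTCP\t192.168.1.23:445\t198.51.100.77:3312\t-
2004-09-28 11:02:14\tIN\tBLOCKED\tTCP\t192.168.1.23:139\t198.51.100.77:3313\t-
2004-09-28 11:02:15\tIN\tBLOCKED\tTCP\t192.168.1.23:135\t198.51.100.77:3314\t-
2004-09-28 13:45:00\tIN\tBLOCKED\tICMP\t192.168.1.23:0\t203.0.113.200:0\t-
2004-09-29 02:10:33\tOUT\tBLOCKED\tTCP\t192.168.1.23:1099\t192.0.2.15:25\tC:\\WINDOWS\\dllreg.exe
2004-09-29 02:10:35\tOUT\tBLOCKED\tTCP\t192.168.1.23:1100\t192.0.2.16:25\tC:\\WINDOWS\\dllreg.exe
2004-09-29 02:10:36\tOUT\tBLOCKED\tTCP\t192.168.1.23:1101\t192.0.2.17:25\tC:\\WINDOWS\\dllreg.exe
2004-09-29 04:20:00\tIN\tBLOCKED\tTCP\t192.168.1.23:445\t203.0.113.41:4411\t-
"""


@dataclass(frozen=True)
class Event:
    ts: str
    direction: str  # "IN" or "OUT"
    action: str     # "BLOCKED" or "ALLOWED"
    proto: str      # "TCP", "UDP", "ICMP"
    local: str      # ip:port
    remote: str     # ip:port
    program: str    # local executable for OUT events, "-" for IN


def parse_log(text):
    """Parse the constructed format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue
        events.append(Event(*parts))
    return events


def blocked_outbound_by_program(events):
    """Programs denied an outbound connection, with attempt counts.

    An unknown executable repeatedly trying to reach port 25 or a web host is
    the spyware/mass-mailer signal the post describes; allowed traffic from
    known applications is excluded.
    """
    return dict(Counter(e.program for e in events
                        if e.direction == "OUT" and e.action == "BLOCKED"))


def blocked_inbound_by_source(events, scan_threshold=3):
    """Group inbound blocks by remote IP and classify them.

    A source that hits >= scan_threshold distinct local ports is labelled a
    port scan; ICMP is tallied separately; anything else is a targeted
    attempt. This mirrors counting "intrusion attempts" apart from the
    script-kiddie scans and ICMP noise.
    """
    ports = defaultdict(set)
    icmp = 0
    for e in events:
        if e.direction != "IN" or e.action != "BLOCKED":
            continue
        if e.proto == "ICMP":
            icmp += 1
            continue
        src = e.remote.rsplit(":", 1)[0]
        ports[src].add(e.local.rsplit(":", 1)[1])
    scans = {s: sorted(p) for s, p in ports.items() if len(p) >= scan_threshold}
    attempts = {s: sorted(p) for s, p in ports.items() if len(p) < scan_threshold}
    return {"scans": scans, "attempts": attempts, "icmp": icmp}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Blocked outbound by program:")
    for prog, n in blocked_outbound_by_program(evs).items():
        print(f"  {n:3d}  {prog}")
    summary = blocked_inbound_by_source(evs)
    print("Targeted inbound attempts:", summary["attempts"])
    print("Port scans:", summary["scans"])
    print("ICMP probes:", summary["icmp"])
```

Run it as a script to see the summary; in practice you would feed it the exported log rather than `SAMPLE_LOG`. The scan threshold is a judgement call: three distinct ports from one source in a short window is a reasonable starting point for "scan, not attempt", but tune it to what your own logs show.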
Current thread:
- RE: Client End Firewalls David Gillett (Sep 30)
- <Possible follow-ups>
- Re: Client End Firewalls Ansgar -59cobalt- Wiechers (Oct 01)
- Re: Client End Firewalls GuidoZ (Oct 04)
- Re: Client End Firewalls Ansgar -59cobalt- Wiechers (Oct 08)
- Re: Client End Firewalls GuidoZ (Oct 12)
- Re: Client End Firewalls Ansgar -59cobalt- Wiechers (Oct 18)
- Re: Client End Firewalls GuidoZ (Oct 19)
- Re: Client End Firewalls Ansgar -59cobalt- Wiechers (Oct 20)
- Re: Client End Firewalls GuidoZ (Oct 28)
- RE: Client End Firewalls Jef Feltman (Oct 30)
- Re: Client End Firewalls GuidoZ (Oct 04)
- Re: Client End Firewalls GuidoZ (Oct 05)
- Re: Client End Firewalls xyberpix (Oct 07)