Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Host-Base Firewall

From: Adriel Desautels <adriel () netragard com>
Date: Fri, 30 May 2008 13:18:11 -0400
Why not? ;)
I'd actually suggest using something like OSSEC (Host ID/PS) to control the security of host based systems in combination with the standard windows based firewall. OSSEC is a cheaper alternative to Cisco's Security Agent and can be pretty restrictive if you configure it properly.
I do not think that using a windows firewall, or any firewall alone will provide you with the solution that you are looking for. Especially if your end user gets hit with a browser based exploit, or some other client-side exploit.
The security boundary isn't just creating a shell around the yolk these days, its also about hardening the yolk as much as you reasonably can without crippling yourself. 

How's that?

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


Shawn A. Corrello wrote:
So...why not suggest a suitable host based firewall for the thread creator so he can utilize a component of security; instead of continuing to take this further and further off topic. 

-SC

On Fri, 30 May 2008, Adriel Desautels wrote:
Incorrect, but firewalls do not equal security. They equal a component of security that provides you with a reasonable demarcation point between one network and another. Good and strong security is a process that includes well written policies, procedures, training, technology, etc. Technology is near useless if the people that are using it are not trained properly and are unaware of what threat they are trying to defend against.
Fancy door licks, card/biometric authentication, and mantraps can all be circumvented, especially if well trained people are not present.
I remember once we were testing a facility that had a mantrap with biometric hand scanners. I watched one of the employees let me into the server area and took note of his pin code as he typed it into the hand scanner. Later on during the test I managed to take his card from his desk, stick my hand in the scanner, and type in the code and the door opened! As it turns out the so called biometric scanner only measured the size of my hand which was nearly the same size as his (pretty weak).
So, not all scanners, door locks, etc are effective. IMHO, most biometric scanners, not all, are good for show and thats about it. There are other more obvious ways to bypass such technologies, but I won't go into those unless people want to hear it.
Had the security guard been well trained and not let me see his pin, not left his card on his desk in his open office, then I would have had to use a different technique to get in. Had the policies and procedures that were written been followed, I would not have been able to get in.
Technology is far from useless, but it can become ineffective when the people supporting it don't know how to do their jobs, or just become lazy. 

Regards,
    Adriel T. Desautels
    Chief Technology Officer
    Netragard, LLC.
    Office : 617-934-0269
    Mobile : 617-633-3821
    http://www.linkedin.com/pub/1/118/a45

    Join the Netragard, LLC. Linked In Group:
    http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


krymson () gmail com wrote:
So, are you saying that because a firewall can't make every perfect decision, they do not equal security? I wonder, do they add any value to you at all? What if they do DPI and make smarter decisions?
So if security cannot be found in hardware, does that mean a fancy door lock, card/biometric authentication, and mantrap have no value?
Personally, I find value in firewalls. Sure, the security they offer is not perfect, but that doesn't discount them as being a part of a solid security regimen. In fact, while there are journalists and other part-time ITers who regularly call out about the widening or diminishing perimeters, there is still a definite need to separate networks of different trust levels to some degree or other.
I know there will be some here that can smell the straw for the hay in the above, but such a tactic can be useful to find the boundaries. 


<- snip ->
All,
Firewalls are packet control devices. They do little more than control the flow of traffic into and out of your network. Some of them contain "defensive" capabilities such as IPS. Those defenses make decisions based on the nature of the traffic. Those decisions aren't as accurate as they should be because the very medium from which they are forming "opinions" is flawed. Traffic can be spoofed/forged/manipulated, so how can one trust it.
Security is more of a process than anything else. It is enforced by policies, procedures, and the people using technology. Security can not be found via hardware. This is a bit philosophical, but I can back this up if anyone doesn't understand my perspective. 

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Previous By Date Next
Previous By Thread Next

Current thread: