Educause Security Discussion mailing list archives

Re: When is a firewall not a firewall?


From: Matthew Keller <kellermg () POTSDAM EDU>
Date: Fri, 5 Sep 2003 16:30:51 -0400

There is still a nasty gap during which a hammering attack can exploit
system vulnerabilities.

There is no solution for Microsoft Windows to close that gap because the
OS loads networking components before it allows other services to come
on-line.

On Fri, 2003-09-05 at 15:57, Hahn, Jacob wrote:
IP Security policies that are built in to the local and group policies may
provide what you are looking for.
The real beauty of the group policy based IP Security policies is that they can
be centrally managed via active directory.



Jacob Hahn
MCSE Windows 2000, MCP, CCA
Information Technology Center
Montana State University - Bozeman

Web: http://www.montana.edu/wwwitc/

-----Original Message-----
From: Gary Dobbins [mailto:dobbins () ND EDU]
Sent: Friday, September 05, 2003 12:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] When is a firewall not a firewall?

Wondering if anyone out there has seen this characteristic of XP's
built-in 'firewall', and/or if it's widely known:

Some folks have asked recently how it's seemed possible for someone's
XP machine to have contracted one of the recent RPC/DCOM worms even
though they had the XP firewall enabled.  Maybe they hadn't had a
chance to install the patch yet, but knew the firewall would hold off
the probes by worms seeking victims.  They were right, except...

Just don't reboot.

During the period of time during Windows startup, between the IP stack
coming up and the firewall service starting, Windows is fully exposed
to the net.  On one test I just ran, XP dutifully responded to probes
for at least 10 seconds, while it was busy preparing the "welcome
screen" for login.

Same syndrome seen using Kerio v2 and McAfee v8.

The XP firewall operates as a "service", which means it can start
running even after other parts of the system have become ready (like
the DCOM server processes).  Messing with inter-service dependencies
is tempting, but may bear no fruit as the XPFW may not hook network
drivers low enough to hold them off during startup, and/or it may
depend on other services, creating a Catch-22 sort of problem.

Needless to say, we'll be looking at other firewall products to see if
any are constructed in a way that lets them "fail closed" where they
intercept the network at a low enough layer to deny everything until
they're ready to permit, versus the other way 'round.

--

   ------------------------------------------------------------
   Gary Dobbins, CISSP -- dobbins () nd edu
   Director, Information Security
   University of Notre Dame, Office of Information Technologies
   Voice: 574.631.5554
   ------------------------------------------------------------

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

--
Matthew Keller
Enterprise Systems Analyst
Computing & Technology Services
State University of New York @ Potsdam
Potsdam, NY USA
http://mattwork.potsdam.edu/

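The reboot test Gary describes (probing the host between the IP stack coming up and the firewall service starting, then reporting how long it answered) as an added example, not code from the thread or from any of its authors: it polls a single TCP port from a second machine and collapses the timestamped results into the intervals during which the port was reachable. Port 135 (the RPC endpoint mapper the RPC/DCOM worms targeted) and the one-second poll interval are assumptions; the sample data is constructed.

```python
"""Measure the boot-time exposure window of a host whose firewall starts as a service.

Run from a second machine while your own test host reboots, then read the
intervals during which the probed port answered before the firewall came up.
"""
import socket
import time
from typing import List, Optional, Tuple

Sample = Tuple[float, bool]          # (seconds since start of test, reachable?)


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP connect to host:port completes, i.e. the stack is up and nothing filters the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                  # refused, unreachable or timed out
        return False


def exposure_windows(samples: List[Sample]) -> List[Tuple[float, float]]:
    """Collapse probe samples into (first_ok, last_ok) intervals of consecutive successes."""
    windows: List[Tuple[float, float]] = []
    start: Optional[float] = None
    last_ok: Optional[float] = None
    for ts, ok in samples:
        if ok:
            if start is None:
                start = ts
            last_ok = ts
        elif start is not None:      # a failure closes the open window
            windows.append((start, last_ok))
            start = None
    if start is not None:            # window still open when sampling ended
        windows.append((start, last_ok))
    return windows


def longest_exposure(samples: List[Sample]) -> float:
    """Length in seconds of the longest interval during which the port answered."""
    return max((end - start for start, end in exposure_windows(samples)), default=0.0)


def watch(host: str, port: int = 135, duration: float = 120.0, interval: float = 1.0) -> List[Sample]:
    """Poll host:port once per `interval` seconds for `duration` seconds and return the samples."""
    samples: List[Sample] = []
    t0 = time.monotonic()
    while time.monotonic() - t0 < duration:
        samples.append((round(time.monotonic() - t0, 1), probe(host, port)))
        time.sleep(interval)
    return samples


# Constructed sample: the firewall filters port 135 before and after the reboot,
# but the IP stack answers from t=40 s to t=51 s before the firewall service starts.
SAMPLE: List[Sample] = [(float(t), 40 <= t <= 51) for t in range(80)]

if __name__ == "__main__":
    for start, end in exposure_windows(SAMPLE):
        print(f"port reachable from t={start}s to t={end}s ({end - start:.0f}s exposed)")
```

Replace `SAMPLE` with `watch("your-test-host")` started just before issuing the reboot; a product that fails closed should yield no window at all.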
