Firewall Wizards mailing list archives

RE: Personal/Host-based Firewalls


From: "Ames, Neil" <NAmes () anteon com>
Date: Thu, 26 Sep 2002 09:37:55 -0400

Juergen,
        I have, in addition to Rich's excellent point, two reasons for
running a host-based firewall:
1)  I am running Windows 2000 Server and IIS:  When I get patches I can end
up with things that were removed, disabled, or off being reinstalled,
enabled and/or turned on.  (I have started using FCheck for integrity checks
and am stunned at the numbers of files that are changed with patches--too
much for any configuration manager to understand.)  I have limited access to
the systems so I can't re-harden or re-evaluate the systems every time there
is a new patch.  Running a separate layer of protection mitigates those
vulnerabilities.
2)  Defense in Depth:  The security layer I introduce between my
applications and the network is an additional protection against
mis-configuration and unknown vulnerabilities.

        The stuff is relatively cheap to buy--though the political and
administrative costs can be high.  The finger of the troubleshooter always
points to "that damned security product" as the reason that the Quake server
doesn't work ;).  When someone finds that disabling the firewall, rather
than changing a setting, makes a real problem go away then you lose
credibility and you have a rash of sudden firewall death syndrome (SFDS).
(They're willing to go into the registry to kill it.)  It is a significant
hidden cost, in my environment, to be able to manage remote firewall
configurations.  It is not, however, as significant as being shut down
permanently for losing control of the systems by other means--if you know
what I mean.


Thank you,

Fritz
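The integrity check Neil describes above (baseline a hardened tree, then see what a patch put back) can be reproduced with a few lines of Python. This is an added example, not Neil's setup or FCheck's own code; the directory layout, file names such as w3svc.dll and samples.dll, and the "patch" that rewrites, re-adds and deletes files are all constructed here to show the three kinds of change a baseline comparison surfaces.

```python
"""FCheck-style integrity check: hash a tree, apply a change, diff the hashes.
Added example; the file tree and the simulated patch are constructed, not real."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Compare two snapshots; list files that were added, removed, or changed."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "changed": sorted(p for p in base_keys & cur_keys
                          if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: a small 'server root' is hardened and baselined,
    then a simulated patch overwrites a binary, reinstalls a component that had
    been removed, and deletes a hardening note. Returns the resulting diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inetsrv").mkdir()
        (root / "inetsrv" / "w3svc.dll").write_bytes(b"original build")
        (root / "inetsrv" / "urlscan.ini").write_text("[options]\nAllowDotInPath=0\n")
        (root / "hardening.txt").write_text("sample sites removed\n")
        baseline = snapshot(root)

        # The simulated patch: same effects Neil complains about.
        (root / "inetsrv" / "w3svc.dll").write_bytes(b"patched build")
        (root / "inetsrv" / "samples.dll").write_bytes(b"reinstalled sample")
        (root / "hardening.txt").unlink()
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is written to a file on read-only media or a separate host after hardening, and the comparison is re-run after every patch; the "added" list is where reinstalled samples and re-enabled components show up, which is exactly the class of change a host firewall in front of the server is there to cover until someone can re-harden.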

-----Original Message-----
From: Gautier . Rich [mailto:RGautier () drc com]
Sent: Thursday, September 26, 2002 8:57 AM
To: 'Nieveler, Juergen'; 'Ames, Neil'; Firewall-Wizards (E-mail)
Subject: RE: [fw-wiz] Personal/Host-based Firewalls


There could be numerous reasons - for example - we have a single machine
that is fairly sensitive on our internal network.  It has a personal
firewall that lets group X do NETBIOS sessions and group Y do SQL
connections, but X is not permitted to do what Y does.  In this case, I
don't want everyone to be able to connect/attack the SQL server due to
the sensitivity of the data.  However, creating a network segment for
just one machine makes no sense when a single-host firewall will do the
trick.

Rich Gautier
Dynamics Research Corp
Personal Website - http://rgautier.tripod.com
Attachment is Public Key for the sender: rgautier () drc com
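The per-group policy Rich describes (group X may open NetBIOS sessions, group Y may connect to SQL, neither may do the other's thing, everyone else is refused) boils down to a short first-match, default-deny rule table. The following is an added example and not Rich's ruleset or any product's configuration format; representing the two groups as source subnets 10.1.0.0/24 and 10.2.0.0/24 is an assumption made here, as are the sample connection attempts. TCP 139/445 for NetBIOS session/SMB and TCP 1433 for SQL Server are the standard defaults.

```python
"""Host-based firewall policy: first match wins, unmatched traffic is denied.
Added example; group subnets and connection attempts are constructed."""
import ipaddress
from dataclasses import dataclass

NETBIOS_SESSION = frozenset({139, 445})   # TCP NetBIOS session / SMB direct
MSSQL = frozenset({1433})                 # TCP SQL Server default port


@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple       # CIDR strings for the group allowed by this rule
    ports: frozenset     # destination TCP ports the rule covers
    action: str          # "allow" or "deny"

    def matches(self, src_ip, dst_port):
        ip = ipaddress.ip_address(src_ip)
        return dst_port in self.ports and any(
            ip in ipaddress.ip_network(cidr) for cidr in self.sources)


GROUP_X = ("10.1.0.0/24",)   # assumption: file-share users live here
GROUP_Y = ("10.2.0.0/24",)   # assumption: SQL users live here

# Only two allow rules are needed; everything else falls to DEFAULT_ACTION.
POLICY = (
    Rule("x-netbios", GROUP_X, NETBIOS_SESSION, "allow"),
    Rule("y-sql",     GROUP_Y, MSSQL,           "allow"),
)
DEFAULT_ACTION = "deny"


def evaluate(policy, src_ip, dst_port):
    """Return (action, rule_name) for one inbound TCP connection attempt."""
    for rule in policy:
        if rule.matches(src_ip, dst_port):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"


def check_policy(policy):
    """Constructed attempts covering the cases in the thread: X gets NetBIOS
    but not SQL, Y gets SQL but not NetBIOS, an unknown subnet gets nothing."""
    attempts = [
        ("10.1.0.7", 139),    # X -> NetBIOS session
        ("10.1.0.7", 1433),   # X -> SQL (must be refused)
        ("10.2.0.9", 1433),   # Y -> SQL
        ("10.2.0.9", 445),    # Y -> SMB (must be refused)
        ("10.9.9.9", 1433),   # neither group -> SQL (default deny)
    ]
    return {(ip, port): evaluate(policy, ip, port) for ip, port in attempts}


if __name__ == "__main__":
    for (ip, port), (action, rule) in check_policy(POLICY).items():
        print(f"{ip}:{port} -> {action} ({rule})")
```

The point of the table is the absence of a broad "allow the internal network" entry: the SQL port is reachable only from group Y's addresses, so a host elsewhere on the same segment cannot even complete a connection to it, which is what a separate network segment would otherwise be bought to achieve.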


-----Original Message-----
From: Nieveler, Juergen [mailto:Juergen.Nieveler () akzonobeldeco de]
Sent: Thursday, September 26, 2002 3:28 AM
To: 'Ames, Neil'; Firewall-Wizards (E-mail)
Subject: RE: [fw-wiz] Personal/Host-based Firewalls


      I have begun investigating personal/host-based firewalls for Windows
      2K *Server*, with the hope of finding a solid, reliable, fast product
      that I can easily manage in an environment of distributed remote
      offices (in which I have limited access to the systems, or
      administration through someone else's eyes and ears).

What do you want to achieve with such a "firewall"? If people are supposed
to use the server, you have to open those ports that they need to use.

As for ports that they DON'T need to use - why install something on a
server that isn't used anyway?

-- 
Mit freundlichen Grüßen / Yours sincerely

Juergen Nieveler
eMail: Juergen.Nieveler () AkzoNobelDeco de

Disclaimer: Views are mine, not my employers' 
 
--
-------------> IMPORTANT <---------------- 
This message, including attachments, is confidential and may be privileged.
If you are not an intended recipient, please notify the sender then delete
and destroy the original message and all copies. You should not copy,
forward and/or disclose this message, in whole or in part, without
permission of the sender.

[German version:] This message, including attached files, is personal and
may be confidential. If you have received this message in error, please
notify the sender and delete the original message and all copies. You
should not copy, forward or otherwise distribute the message, in whole or
in part, without the consent of the sender.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


