Firewall Wizards mailing list archives
RE: Windows host-based firewalling feasibility (was terminal services)
From: "Carroll, Shawn" <SCarroll () chittenden com>
Date: Mon, 3 Feb 2003 09:44:45 -0500
# It's an ephemeral port- just blocking it may make random stuff not work in
# some situations (like say DNS...)
#
# It takes someone who's thought it out to do the filtering correctly.
#
# Unfortunately, in my experience that's not going to happen in response to
# a worm.
#
# > someone in one of those discussions mentioned, often the information made
# > available on a threat, often gets read and interpreted in far too strict
# > and narrow a sense to deal with a potential threat in a decisive manner
# > the first time out.
#
# The worst part is that this is blockable at the host on Win2k- if we had
# host-based default deny, we'd be looking at a better landscape for sure.

You bring up a good point, similar to the patch thing, but this time about Win2k host-based firewalling: feasibility.

You know, I think this is more difficult than for border routers. The sheer number of ports and apps/subsystems trying to use a given port on a Win2k box (say, for example, an Exchange Server) is really hard for me to keep track of. I invested a moderate amount of time researching to figure out what the various ports were for, etc. and came nowhere close to getting to the bottom of it, or feeling like I had it under control. Lot of work. I've done it, and it seems like regularly some component pops out of the woodwork and wants to talk to something on a port I don't recognize. And then, as Steve mentions, you have a self-DoS for as long as it takes for you to amend the (growing) ruleset. For me, implementing this on anything but a few internet-facing machines ONLY is infeasible.

Does anyone do Windows host-based firewalling on the internal LAN or on a larger scale?

# I can say that for every firewall I've set up, this wouldn't have gotten
# in or out that way. I can also assure you that folks who're doing a good
# job of default deny at their border routers didn't get it from the
# Internet at large.
#
# Steve's right on that score- firewalls work fine for ensuring that primary
# infection vectors are killed. Wes is right too, that leaves secondaries
# like VPNs. You're still better off with a properly configured perimeter
# though, no matter what else you've got.
#
# Paul

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
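One way to tame the port inventory problem the reply describes, as an added example that is not from the original post or the list: parse `netstat -ano` and `tasklist` output into a listener-to-process map and diff it against an approved baseline, so a newly appearing listener is flagged for review instead of being silently dropped by a default-deny ruleset (the self-DoS the post mentions). The netstat and tasklist samples, PIDs, image names and the APPROVED baseline below are constructed for illustration.

```python
import re
# Constructed `netstat -ano` output (Windows layout); ports and PIDs are illustrative.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       412
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:1029          0.0.0.0:0              LISTENING       1234
  TCP    10.0.0.5:3389          10.0.0.9:51012         ESTABLISHED     900
  UDP    0.0.0.0:161            *:*                                    2048
"""
# Constructed `tasklist /fo csv /nh` output: image name, PID, session, ...
TASKLIST_SAMPLE = """\
"store.exe","1234","Console","0","40,000 K"
"svchost.exe","412","Console","0","5,000 K"
"System","4","Console","0","200 K"
"termsrv.exe","900","Console","0","8,000 K"
"snmp.exe","2048","Console","0","3,000 K"
"""
# Listeners already reviewed and allowed (constructed baseline): (proto, port) -> owning image.
APPROVED = {("TCP", 25): "store.exe", ("TCP", 135): "svchost.exe", ("TCP", 445): "System"}
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV rows."""
    rows = (l.strip('"').split('","') for l in text.strip().splitlines())
    return {int(r[1]): r[0] for r in rows}

def listeners(netstat_text, pid_map):
    """Return {(proto, port): image} for LISTENING TCP sockets and every bound UDP socket."""
    found = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header or unparseable line
        proto, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # ESTABLISHED etc. are not inbound services
        found[(proto, int(port))] = pid_map.get(int(pid), f"pid-{pid}")
    return found

def review(found, approved):
    """Split listeners into new (no rule yet) and changed (different owner than the baseline)."""
    new = {k: v for k, v in found.items() if k not in approved}
    changed = {k: (approved[k], v) for k, v in found.items() if k in approved and approved[k] != v}
    return new, changed

if __name__ == "__main__":
    new, changed = review(listeners(NETSTAT_SAMPLE, parse_tasklist(TASKLIST_SAMPLE)), APPROVED)
    print("new listeners needing a rule decision:", new, "\nchanged owners:", changed)
```

Run against real `netstat -ano` and `tasklist /fo csv /nh` captures, each new listener becomes an explicit allow-or-deny decision before the host goes default deny, rather than a surprise outage afterwards.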