Firewall Wizards mailing list archives

RE: Windows host-based firewalling feasibility (was terminal services)


From: "Carroll, Shawn" <SCarroll () chittenden com>
Date: Mon, 3 Feb 2003 09:44:45 -0500

# It's an ephemeral port- just blocking it may make random stuff not work in
# some situations (like say DNS...)
# 
# It takes someone who's thought it out to do the filtering correctly.
# 
# Unfortunately, in my experience that's not going to happen in response to
# a worm.
# 
# > someone in one of those discussions mentioned, often the information made
# > available on a threat, often gets read and interpreted in far too strict
# > and narrow a sense to deal with a potential threat in a decisive manner
# > the first time out.
# 
# The worst part is that this is blockable at the host on Win2k- if we had
# host-based default deny, we'd be looking at a better landscape for sure.

You bring up a good point, similar to the patch thing, but this time about
Win2k host-based firewalling:  feasibility.

You know, I think this is more difficult than for border routers.  The sheer
number of ports and apps/subsystems trying to use a given port on a Win2k box
(say, for example, an Exchange Server) is really hard for me to keep track
of.  I invested a moderate amount of time researching to figure out what the
various ports were for, etc. and came nowhere close to getting to the bottom
of it, or feeling like I had it under control.

A lot of work.  I've done it, and it seems like regularly some component pops
out of the woodwork and wants to talk to something on a port I don't
recognize.  And then, as Steve mentions, you have a self-DoS for as long as
it takes for you to amend the (growing) ruleset.

For me, implementing this on anything but a few internet-facing machines
ONLY is infeasible.  Does anyone do Windows host-based firewalling on the
internal LAN or on a larger scale?

# I can say that for every firewall I've set up, this wouldn't have gotten
# in or out that way.  I can also assure you that folks who're doing a good
# job of default deny at their border routers didn't get it from the
# Internet at large.  Steve's right on that score- firewalls work fine for
# ensuring that primary infection vectors are killed.  Wes is right too,
# that leaves secondaries like VPNs.  You're still better off with a
# properly configured perimeter though, no matter what else you've got.
# 
# Paul
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
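The workflow Shawn describes above (inventory what is listening, account for each port, then flip to default deny without self-DoSing the box) is what the following PowerShell does on a current Windows host. It is an added example, not code from the thread or from any of the posters, and it assumes the NetTCPIP and NetSecurity modules (Get-NetTCPConnection, New-NetFirewallRule, Set-NetFirewallProfile), none of which existed on Win2k; the $known table is a constructed placeholder that you would fill in from your own research on the server in question.

```powershell
# Added example, not from the mailing-list thread. Assumes Windows 8/2012 or
# later (NetTCPIP + NetSecurity modules) and an elevated prompt. Every
# rule-changing cmdlet below runs with -WhatIf so the script is a dry run
# until you remove it.

# 1. Inventory: every listening TCP socket and the process that owns it.
#    Only inbound listeners are inventoried; outbound ephemeral ports (the
#    DNS-breaking case raised in the thread) are left alone by this ruleset.
$listeners = Get-NetTCPConnection -State Listen |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            OwningPid    = $_.OwningProcess
            Process      = if ($p) { $p.ProcessName } else { '?' }
            Path         = if ($p) { $p.Path } else { $null }
        }
    } | Sort-Object LocalPort -Unique

$listeners | Format-Table -AutoSize

# 2. Ports you have actually accounted for (constructed placeholder; replace
#    with the result of your own research on the host). Anything listening
#    that is not in this table is the "component out of the woodwork" to
#    explain before default deny goes on, not after.
$known = @{
    25  = 'SMTP'
    80  = 'HTTP'
    135 = 'RPC endpoint mapper'
    443 = 'HTTPS'
    445 = 'SMB'
}

$unexplained = $listeners | Where-Object { -not $known.ContainsKey([int]$_.LocalPort) }
if ($unexplained) {
    Write-Warning 'Listening ports not in the inventory; investigate before enabling default deny:'
    $unexplained | Format-Table -AutoSize
}

# 3. One allow rule per accounted-for port, scoped to the owning program as
#    well as the port, so an allow for SMTP does not silently become an
#    allow for whatever later squats on tcp/25.
foreach ($l in ($listeners | Where-Object { $known.ContainsKey([int]$_.LocalPort) })) {
    $params = @{
        DisplayName = "Allow $($known[[int]$l.LocalPort]) tcp/$($l.LocalPort) ($($l.Process))"
        Direction   = 'Inbound'
        Action      = 'Allow'
        Protocol    = 'TCP'
        LocalPort   = $l.LocalPort
        Profile     = 'Domain'
    }
    if ($l.Path) { $params.Program = $l.Path }
    New-NetFirewallRule @params -WhatIf
}

# 4. Only when nothing is left unexplained: default deny inbound on the
#    domain profile. Throwing this switch earlier is the self-DoS Shawn and
#    Steve describe.
if (-not $unexplained) {
    Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block -WhatIf
}
```

Re-running step 1 against the current rule set on a schedule is the cheap way to catch the next component that pops up listening on an unrecognised port before it matters; the point of the program-scoped rules is that the growing ruleset stays readable as a list of "this binary, this port" facts rather than bare port numbers nobody remembers the reason for.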

