Network Security Firewalls

RE: [SPAM] - Software vs hardware firewalls ... - Email found in subject

Subject: RE: [SPAM] - Software vs hardware firewalls ... - Email found in subject
Date: Mon, 11 Jul 2005 10:24:52 -0700
We're missing an important distinction here:  the difference between a
firewall and an Intrusion Prevention System (IPS).  A firewall will not
protect an MS system from an LSASS (for example) exploit.  An Intrusion
Prevention System will protect an MS system from an LSASS exploit.

Firewalls are gatekeepers.  They enforce traffic policy:  allow port 80
and 443 out from all systems; allow port 25 out from the mail server;
allow port 25 in from any system.  But I can hack on port 25 from the
Internet all I want.  The firewall doesn't care that my traffic is
benign or mean.  They just care that it's on the right port, originating
in the right place, yadda.

IPS systems are not gatekeepers.  They typically don't care what port
things come through on.  They watch all traffic and if the traffic is
mean they kill it.

Most host based IPS systems combine firewall and IPS functions.

Host based IPS' combined with network based IPS' and effective, well
configured firewalls, create a nice crunchy outer shell that can make a
company difficult to attack from the Internet and mitigate the risk of
internal compromise.  They can make an attacker from the Internet look
for a softer target.

Host based IPS' do have their failings.  For one, they run with full
privileges in the same memory space as the OSes and applications they
endeavor to defend.  Therefore, any breach of the host based IPS - such
as the Witty Worm exploit against ISS Blackice - results in full root of
the system.  This sort of problem makes having a network based IPS
sitting in-line on the wire a nice addition to host based IPS'.

Some would say throw everything into the network based IPS and forget
the host based systems.  But network based IPS' - without things like
stand-alone SSL accelerators for inbound SSL traffic and stand-alone
proxy servers terminating outbound client SSL sessions - only see
traffic in the clear.  No network based IPS can see inside an encrypted
tunnel, like an SSL or VPN tunnel.  However most host based systems shim
the IP stack and actually see all the traffic, encrypted and clear.
This allows one - without deploying SSL termination boxes - to defend
against attacks occurring through encrypted tunnels ... ones a network
based IPS wouldn't catch.

OK host based IPS systems:

  > ISS
  > EEye Blink
  > Sygate Personal Firewall
  > Symantec Personal Firewall

All of these can be centrally managed.  Symantec and ISS have the most
comprehensive solutions, allowing you to manage host - both server and
desktop - and network IPS from a single box.
__________________________________________________________
Robert Synak, CISSP, CCNA, SCSA, MCSE, JNCIA-FW
Security Engineer
ANITIAN  ENTERPRISE  SECURITY

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-807-4429 Mobile
www.anitian.com
__________________________________________________________
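The three layers Robert contrasts (a port-policy firewall, an in-line network IPS that only sees cleartext, and a host IPS shimmed above the encryption layer) can be modelled in a few dozen lines. The following is an added illustration, not code from the thread or from any of the products it names; the addresses, the firewall rule set, the sample packets and the "oversized SMTP command line" signature are all constructed for the example.

```python
"""Added example (not from the original thread): a port-policy firewall
versus content-inspecting IPS sensors on the same constructed packets."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    direction: str          # "in" (from the Internet) or "out" (to the Internet)
    payload: bytes          # what the application layer actually exchanges
    encrypted: bool = False # True models a TLS/VPN tunnel the wire sensor cannot open


# The policy from the post: 80/443 out from anywhere, 25 out from the mail
# server only, 25 in from anywhere.  MAIL_SERVER is a constructed address.
MAIL_SERVER = "10.0.0.25"
FW_RULES = [
    # (direction, destination port, allowed source or "*")
    ("out", 80, "*"),
    ("out", 443, "*"),
    ("out", 25, MAIL_SERVER),
    ("in", 25, "*"),
]


def firewall_verdict(pkt):
    """Gatekeeper: decides purely on direction, port and source, never on content."""
    for direction, dport, src in FW_RULES:
        if pkt.direction == direction and pkt.dport == dport and src in ("*", pkt.src):
            return "allow"
    return "drop"


# Constructed content rule: no legitimate SMTP client sends a command line
# anywhere near this long, so an oversized line is treated as hostile input.
MAX_SMTP_LINE = 512


def inspect_payload(payload):
    """Shared content check used by both IPS flavours."""
    for line in payload.split(b"\r\n"):
        if len(line) > MAX_SMTP_LINE:
            return "block"
    return "pass"


def network_ips_verdict(pkt):
    """In-line sensor on the wire: ignores the port, but only sees cleartext."""
    if pkt.encrypted:
        return "blind"      # ciphertext only; nothing to match against
    return inspect_payload(pkt.payload)


def host_ips_verdict(pkt):
    """Host agent shimmed into the IP stack above TLS: sees what the application sees."""
    return inspect_payload(pkt.payload)


OVERSIZED_EHLO = b"EHLO " + b"A" * 2000 + b"\r\n"

# Constructed sample traffic.
SAMPLE_PACKETS = [
    # benign inbound mail session
    Packet("198.51.100.7", MAIL_SERVER, 25, "in",
           b"EHLO example.org\r\nMAIL FROM:<a@example.org>\r\n"),
    # hostile inbound on the allowed port, in the clear
    Packet("198.51.100.7", MAIL_SERVER, 25, "in", OVERSIZED_EHLO),
    # the same hostile input after STARTTLS: the wire sensor sees only ciphertext
    Packet("198.51.100.7", MAIL_SERVER, 25, "in", OVERSIZED_EHLO, encrypted=True),
    # a workstation trying to talk SMTP outbound: policy says only the mail server may
    Packet("10.0.0.50", "203.0.113.9", 25, "out", b"EHLO laptop\r\n"),
]


def evaluate(packets):
    """Return (firewall, network IPS, host IPS) verdicts for each packet."""
    return [(firewall_verdict(p), network_ips_verdict(p), host_ips_verdict(p))
            for p in packets]


if __name__ == "__main__":
    for pkt, verdicts in zip(SAMPLE_PACKETS, evaluate(SAMPLE_PACKETS)):
        print(f"{pkt.direction:>3} :{pkt.dport} from {pkt.src:<14} "
              f"encrypted={pkt.encrypted!s:<5} -> fw={verdicts[0]}, "
              f"net_ips={verdicts[1]}, host_ips={verdicts[2]}")
```

The second and third packets are the point of the post: the firewall allows both because port 25 inbound is policy, the network sensor catches the cleartext one and is blind to the encrypted one, and only the host agent, which inspects after decryption, blocks both.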
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@tacteam.net] 
Sent: Sunday, May 08, 2005 7:06 AM
To: firewalls@securityfocus.com
Subject: RE: [SPAM] - Software vs hardware firewalls ... - Email found in subject

Hi Netnut,

These issues are clouded by the media, as they've misstated the meaning
of so-called "software" and "hardware" firewalls. All computing devices
depend on software, so the division between software and hardware is a
bit misleading. 

What you're talking about is a host-based firewall versus a network
firewall. Host-based firewalls protect a single machine, while network
firewalls like the Microsoft ISA firewall or Check Point's Firewall-1
(both of which are so-called "software" firewalls) are designed to
protect hundreds or thousands of computers on a corporate network.

Host-based firewalls allow you to limit access to service listeners
(tip: if someone says "open a port" you know they're not very jiggy on
firewalls or TCP/IP networking), but if you explicitly open a listener,
then any vulnerability in that service is exposed.

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
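Tom's point is that a host firewall is really about which service listeners are reachable, and every reachable listener exposes that service's bugs. One defensive way to act on that is to audit what is actually listening against what is meant to be reachable. The following is an added example, not code from the thread; the `ss -tlnp`-style output and the allowlist are constructed for illustration (real output has the same columns, but the processes and ports here are invented).

```python
"""Added example (not from the thread): audit a host's listening sockets
against an allowlist of services that are meant to be network-reachable."""
import re

# Constructed sample in the layout of `ss -tlnp` on Linux; not captured
# from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=1044,fd=21))
LISTEN  0       4096    0.0.0.0:445         0.0.0.0:*          users:(("smbd",pid=1310,fd=30))
LISTEN  0       511     [::]:80             [::]:*             users:(("nginx",pid=1500,fd=6))
"""

# Matches one LISTEN row: local address, port and the first process name.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)

# Addresses that accept connections from other hosts (wildcard binds).
WILDCARD_BINDS = {"0.0.0.0", "[::]", "*"}


def parse_listeners(text):
    """Turn ss-style output into a list of listener records."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or a row without process info
        addr, port, proc = m.groups()
        listeners.append({
            "addr": addr,
            "port": int(port),
            "proc": proc,
            # loopback-only listeners are not reachable from the network
            "exposed": addr in WILDCARD_BINDS,
        })
    return listeners


# Constructed policy: the only services this host should expose.
ALLOWED_EXPOSED = {22: "sshd", 80: "nginx"}


def audit(listeners, allowed=ALLOWED_EXPOSED):
    """Return exposed listeners that are not on the allowlist.

    A listener is flagged when it binds a wildcard address and either its
    port is not allowed at all or a different process than expected holds it.
    """
    return [l for l in listeners
            if l["exposed"] and allowed.get(l["port"]) != l["proc"]]


if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"unexpected exposed listener: {finding['proc']} on "
              f"{finding['addr']}:{finding['port']}")
```

In the constructed sample the MySQL listener is bound to loopback and is therefore not a network-exposed service, while the SMB listener on 445 is reachable from anywhere and not on the allowlist; that is the listener a host firewall rule (or simply stopping the service) should close off.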


-----Original Message-----
From: netnut6@comcast.net [mailto:netnut6@comcast.net] 
Sent: Saturday, May 07, 2005 2:31 PM
To: firewalls@securityfocus.com
Subject: [SPAM] - Software vs hardware firewalls ... - Email found in subject

Hello,

I was wondering how a software based firewall (McAfee, Norton etc.) can
help protect your machine if the operating system (Windows XP) is
vulnerable?
Also how is a software based firewall any better than hardware.  The way
I see it if you have a software based firewall and the operating system
has security issues I doubt very much a software firewall will protect
that machine, whereas if it's a hardware based firewall and the operating
system has vulnerabilities the chances of it being attacked are slim
since they would have to first find some vulnerability with the hardware
firewall then go after the operating system (firewall default settings
with all ports closed).  Obviously if a port is open and that
application has a vulnerability then it would get attacked.  Please let
me know if I'm on the right track here.

Thank you.
