
| Subject: | Re: [SPAM] - Software vs hardware firewalls ... - Email found in subject |
|---|---|
| Date: | Tue, 12 Jul 2005 20:56:36 -0400 |
We are starting to see firewalls with both IDS and IPS; Fortinet does, and I believe Juniper's NetScreens do as well.

Bruce Martins
Systems Administrator
EXTEND>>MEDIA
190 Liberty Street
Toronto, Ontario Canada M6K 3L5
e: bmartins@extend.com
t: (416) 535-4222 ext. 2307
f: (416) 535-1201
http://www.extend.com

Sent from my BlackBerry Wireless Handheld

-----Original Message-----
From: Wozny, Scott (US - New York) <swozny@deloitte.com>
To: Robert Synak <robert.synak@anitian.com>; firewalls@securityfocus.com <firewalls@securityfocus.com>
Sent: Tue Jul 12 11:58:26 2005
Subject: RE: [SPAM] - Software vs hardware firewalls ... - Email found in subject

I agree that a simple packet filtering firewall that makes decisions on an L2 - L4 basis will not stop an exploit on an allowed port as you describe. However, I disagree that "a firewall" (a very wide range of products call themselves that) "will not" (a universal absolute one ought to be careful of using) protect an MS system from an LSASS exploit. ALGs integrated into firewalls are getting very good, very quickly, as the firewall vendors work to protect their market from the incursion of the IPS vendors.

I've said it before and I'll say it again (and I'm sure I'll be flamed for it again): I think the industry will EITHER see IPS disappear as the firewall vendors start to do the same L7 inspection things and more on top of their regular packet filtering duties, OR IPS vendors will learn how to do fast packet filtering on top of their L7 stuff and firewalls will go the way of the dinosaur for not keeping up. I see no good reason for both technologies to exist when they are similar enough that one can be taught to do what the other does.
Regarding IDS, it is a well understood and peer-reviewed tenet of information security that the most effective security systems have both detective and preventative controls, so I think IDS will continue to have a place in the security structure (despite what some high profile folk are paid to say), but they will need to get progressively smarter, more intuitive and easier to use to stay competitive.

As far as HIPS is concerned, I'm definitely on board. Until context sensitive IDS / IPS / L7 firewalls get much better at being able to CONCLUSIVELY determine the effect of a packet stream on an end system, we'll always need 'bodyguards' for the high profile targets that are much more tightly integrated than any off-system protective measure can be.

My 2 cents,

Scott

-----Original Message-----
From: firewalls-return-4288-swozny=deloitte.com@securityfocus.com [mailto:firewalls-return-4288-swozny=deloitte.com@securityfocus.com] On Behalf Of Robert Synak
Sent: Monday, July 11, 2005 1:25 PM
To: firewalls@securityfocus.com
Subject: RE: [SPAM] - Software vs hardware firewalls ... - Email found in subject

We're missing an important distinction here: the difference between a firewall and an Intrusion Prevention System (IPS). A firewall will not protect an MS system from an LSASS (for example) exploit. An Intrusion Prevention System will protect an MS system from an LSASS exploit.

Firewalls are gatekeepers. They enforce traffic policy: allow port 80 and 443 out from all systems; allow port 25 out from the mail server; allow port 25 in from any system. But I can hack on port 25 from the Internet all I want. The firewall doesn't care whether my traffic is benign or mean. They just care that it's on the right port, originating in the right place, yadda.

IPS systems are not gatekeepers. They typically don't care what port things come through on. They watch all traffic and if the traffic is mean they kill it. Most host-based IPS systems combine firewall and IPS functions.
Host-based IPSes combined with network-based IPSes and effective, well configured firewalls create a nice crunchy outer shell that can make a company difficult to attack from the Internet and mitigate the risk of internal compromise. They can make an attacker from the Internet look for a softer target.

Host-based IPSes do have their failings. For one, they run with full privileges in the same memory space as the OSes and applications they endeavor to defend. Therefore, any breach of the host-based IPS - such as the Witty Worm exploit against ISS BlackICE - results in full root of the system. This sort of problem makes having a network-based IPS sitting in-line on the wire a nice addition to host-based IPSes.

Some would say throw everything into the network-based IPS and forget the host-based systems. But network-based IPSes - without things like stand-alone SSL accelerators for inbound SSL traffic and stand-alone proxy servers terminating outbound client SSL sessions - only see traffic in the clear. No network-based IPS can see inside an encrypted tunnel, like an SSL or VPN tunnel. However, most host-based systems shim the IP stack and actually see all the traffic, encrypted and clear. This allows one - without deploying SSL termination boxes - to defend against attacks occurring through encrypted tunnels ... ones a network-based IPS wouldn't catch.

OK host-based IPS systems:

- ISS
- eEye Blink
- Sygate Personal Firewall
- Symantec Personal Firewall

All of these can be centrally managed. Symantec and ISS have the most comprehensive solutions, allowing you to manage host - both server and desktop - and network IPS from a single box.
Robert Synak, CISSP, CCNA, SCSA, MCSE, JNCIA-FW
Security Engineer
ANITIAN ENTERPRISE SECURITY
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-807-4429 Mobile
www.anitian.com

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@tacteam.net]
Sent: Sunday, May 08, 2005 7:06 AM
To: firewalls@securityfocus.com
Subject: RE: [SPAM] - Software vs hardware firewalls ... - Email found in subject

Hi Netnut,

These issues are clouded by the media, as they've misstated the meaning of so-called "software" and "hardware" firewalls. All computing devices depend on software, so the division between software and hardware is a bit misleading. What you're talking about is a host-based firewall versus a network firewall. Host-based firewalls protect a single machine, while network firewalls like the Microsoft ISA firewall or Check Point's Firewall-1 (both of which are so-called "software" firewalls) are designed to protect hundreds or thousands of computers on a corporate network.

Host-based firewalls allow you to limit access to service listeners (tip: if someone says "open a port" you know they're not very jiggy on firewalls or TCP/IP networking), but if you explicitly open a listener, then any vulnerability in that service is exposed.

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: netnut6@comcast.net [mailto:netnut6@comcast.net]
Sent: Saturday, May 07, 2005 2:31 PM
To: firewalls@securityfocus.com
Subject: [SPAM] - Software vs hardware firewalls ... - Email found in subject

Hello,

I was wondering how a software based firewall (McAfee, Norton etc.) can help protect your machine if the operating system (Windows XP) is vulnerable? Also, how is a software based firewall any better than hardware?
The way I see it, if you have a software based firewall and the operating system has security issues, I doubt very much a software firewall will protect that machine, whereas if it's a hardware based firewall and the operating system has vulnerabilities, the chances of it being attacked are slim, since they would have to first find some vulnerability with the hardware firewall and then go after the operating system (firewall default settings with all ports closed). Obviously if a port is open and that application has a vulnerability then it would get attacked. Please let me know if I'm on the right track here.

Thank you..
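The firewall-versus-IPS distinction Robert Synak draws above, together with his caveat that a network IPS cannot see inside an encrypted tunnel while a host-based shim above the stack still can, as an added worked example that is not part of the thread. The allow rules, the two SMTP signatures, the sample payloads and the XOR keystream standing in for TLS are all constructed for illustration; they model no real product, rule set or vulnerability.

```python
"""Added example (not from the mailing-list thread): a toy L3/L4 packet
filter beside a toy L7 payload inspector.  It shows (1) that a firewall
allowing 25/tcp in passes any bytes on that port, (2) that a signature
inspector catches a hostile payload on the same allowed port, and (3) that
a network-side inspector sees nothing once the same bytes are encrypted,
while a host-side shim above the decryption still does.  Rules, signatures,
payloads and the XOR "cipher" are all constructed for illustration."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str        # source IPv4 address as text
    dst_port: int   # destination TCP port
    payload: bytes  # application data carried by the segment


# Hypothetical policy in the spirit of the post: 25/tcp allowed in from
# anywhere ("*"), web ports allowed only from the internal 10/8 range.
ALLOW_RULES = [("*", 25), ("10.0.0.0/8", 80), ("10.0.0.0/8", 443)]

# Hypothetical payload signatures (not real vendor or CVE signatures):
# an SMTP RCPT argument far longer than any legitimate address, and a
# shell path that has no business inside mail traffic.
SIGNATURES = {
    "smtp-long-rcpt": re.compile(rb"^RCPT TO:<[^>]{200,}", re.M),
    "smtp-shell-literal": re.compile(rb"/bin/sh"),
}


def firewall_allows(pkt: Packet) -> bool:
    """L3/L4 decision only: source and destination port. Payload is never read."""
    src = ipaddress.ip_address(pkt.src)
    for rule_src, rule_port in ALLOW_RULES:
        if pkt.dst_port != rule_port:
            continue
        if rule_src == "*" or src in ipaddress.ip_network(rule_src):
            return True
    return False


def ips_verdict(payload: bytes) -> Optional[str]:
    """L7 decision: name of the first matching signature, or None if clean."""
    for name, sig in SIGNATURES.items():
        if sig.search(payload):
            return name
    return None


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for a TLS record layer: XOR with a SHA-256-derived keystream.
    Symmetric, so the same call decrypts.  Not a real cipher; it only makes
    the bytes opaque to anything that does not hold the session key."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def evaluate(pkt: Packet, session_key: Optional[bytes] = None) -> dict:
    """Pass one packet through the firewall, then a network IPS that sees the
    bytes on the wire, then a host IPS shimmed above the decrypting stack."""
    on_wire = pkt.payload if session_key is None else xor_stream(session_key, pkt.payload)
    allowed = firewall_allows(pkt)
    return {
        "firewall": "allow" if allowed else "drop",
        # Network IPS inspects only what is visible on the wire.
        "network_ips": ips_verdict(on_wire) if allowed else None,
        # Host IPS sees what the application sees: plaintext after decryption.
        "host_ips": ips_verdict(pkt.payload) if allowed else None,
    }


# Constructed sample traffic from an Internet host (TEST-NET-3 address).
BENIGN = Packet("203.0.113.7", 25, b"EHLO mail.example.test\r\nMAIL FROM:<a@example.test>\r\n")
ATTACK = Packet("203.0.113.7", 25, b"RCPT TO:<" + b"A" * 300 + b"/bin/sh>\r\n")
RDP_FROM_OUTSIDE = Packet("203.0.113.7", 3389, b"\x03\x00\x00\x13")

if __name__ == "__main__":
    print("benign            :", evaluate(BENIGN))
    print("attack            :", evaluate(ATTACK))
    print("attack over 'TLS' :", evaluate(ATTACK, b"session-key"))
    print("rdp from outside  :", evaluate(RDP_FROM_OUTSIDE))
```

Run it directly to see the four verdicts. The firewall answers "allow" for every packet on port 25 regardless of content, which is the gatekeeper point; the signature inspector flags the hostile RCPT line on that same allowed port; and on the third line the network IPS goes quiet because it is looking at keystream output, while the host IPS, fed the plaintext the application receives, still fires. The RDP packet shows the one case where the firewall alone is enough: the listener is simply not reachable from outside.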