RE: Items within XP SP2 and Win2003

I believe Vlans and segmentation would be the best approach to allowing
only certain internal machines to access to the server. If the hacker is
able to magically bypass your border router/firewall then I doubt he/she
will have any trouble bypassing any host based firewalls you have in
place. 

The need to shut down additional services that are not used on a server
is to limit possible attack vectors, from inside or outside attackers
and to prevent performance degradation from unused services. Assuming
root cannot be achieved by exploiting one service, but local access is
granted, an open yet unpatched additional service can be used for
priviledge escalation. This is a proven practice and not my place to
question or debate over. 

My contention is this, since I will assume you have a border firewall
that is performing some sort of NAT for you, you have specified which
machines/services are available externally, should the firewall fail, no
more Nat device, no access. 

Assuming I shut down all my services except for the ones I need and have
properly segmented and implemented Vlan's and Access Control Lists on my
network devices, I have no need for a host based firewall on my server
because I have already specified network limitations on my local (device
ACL's) and external (Router/Firewall ACL's) networks.

A host based firewall may be used as a band-aid for a poor
infrastructure but realistically this is not the way I would choose to
go. 

Eric McCarty

-----Original Message-----
From: Depp, Dennis M. [mailto:deppdm@ornl.gov] 
Sent: Tuesday, September 28, 2004 7:54 AM
To: Eric McCarty; larobins@bellatlantic.net; Joe Doyle;
focus-ms@securityfocus.com
Subject: RE: Items within XP SP2 and Win2003

What if I only want part of my internal network to be able to access
this machine?
What if a hacker is able to by pass my border router?  How do I protect
my server?
If a hacker has to take over another machine to attack my server, I will
at least slow down the attack, and at best be able to intercept the
attack before he is able to continue.  
Using your argument, it is unnecessary to shutdown unneeded services on
my machine.  After all they are already blocked at the border firewall,
so why bother?  A border firewall is important to a good security plan.
To expect firewall to never fail is unrealistic.  All software has
vulnerabilities.  All firewalls involve software hence all firewalls
have vulnerabilities.  This needs to be factored into you security plan.
Using a host based firewall is one method of planning for these
vulnerabilities. 

I do not need to add a site to my trusted sites list to be able to
browse that site.  It just stops the annoying popup.

Dennis 

> -----Original Message-----
> From: Eric McCarty [mailto:eric@lawmpd.com]
> Sent: Tuesday, September 28, 2004 10:44 AM
> To: Depp, Dennis M.; larobins@bellatlantic.net; Joe Doyle; 
> focus-ms@securityfocus.com
> Subject: RE: Items within XP SP2 and Win2003
>
> Who doesn't have a border firewall? commonly its router - firewall - 
> switch. So you propose to do address filtering on your host based 
> firewall ?. I suggest rethinking this strategy as IP Address range 
> blocking should be done at the border router or firewall long before 
> any Network Translations are done or any traffic traverses the local 
> network. I can imagine a plethora of ways to get around host based IP 
> restrictions, can't get to server1, take over another machine on 
> internal network, then get to server1 and likewise.
>
> Running a host based firewall will not allow an extra layer of 
> security if its doing the same thing the border router/firewall is 
> doing.
>
> In order to browse the internet from the server you will have to add a

> lot of sites to the trusted sites list, and once a site is considered 
> trusted it's all over anyway.
>
> -----Original Message-----
> From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
> Sent: Tuesday, September 28, 2004 4:18 AM
> To: Eric McCarty; larobins@bellatlantic.net; Joe Doyle; 
> focus-ms@securityfocus.com
> Subject: RE: Items within XP SP2 and Win2003
>
> Eric,
>
> A firewall will not only block services, but it will also selectively 
> allow services.  For example, I might need to run a web server, but I 
> only want users from a buisness partner to access this site.
> I can use
> the firewall to limit access to a specific IP address or subnet.  In 
> this case, a host based firewall can add another layer of security to 
> a system.  I do agree that you should not be browsing the internet 
> from a server.  However, some people will continue to browse the 
> internet from servers.  The enhancements to IE6 with W2K3 will not 
> affect you or I, but they will affect many others.
>
> Dennis
>
> > -----Original Message-----
> > From: Eric McCarty [mailto:eric@lawmpd.com]
> > Sent: Monday, September 27, 2004 5:26 PM
> > To: Depp, Dennis M.; larobins@bellatlantic.net; Joe Doyle; 
> > focus-ms@securityfocus.com
> > Subject: RE: Items within XP SP2 and Win2003
> >
> > I think this is a contradiction. On a server, you should
> turn off all
> > services you have no intention of having clients connect
> to, not setup
>
> > a firewall to block them. Next you should not be browsing
> the internet
>
> > using your server, and if you noticed, the enhanced browser
> security
> > prevents this for the most part anyway.
> >
> > Eric
> >
> >
> >
> > -----Original Message-----
> > From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
> > Sent: Monday, September 27, 2004 9:27 AM
> > To: larobins@bellatlantic.net; Joe Doyle; focus-ms@securityfocus.com
> > Subject: RE: Items within XP SP2 and Win2003
> >
> > WRT Windows firewall and IE updates.
> >
> > Dennis
> >
> > > -----Original Message-----
> > > From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
> > > Sent: Sunday, September 26, 2004 2:38 AM
> > > To: 'Joe Doyle'; focus-ms@securityfocus.com
> > > Subject: RE: Items within XP SP2 and Win2003
> > >
> > > In what respects?
> > >
> > > Laura
> > >
> > > > -----Original Message-----
> > > > From: Joe Doyle [mailto:joe.doyle@promega.com]
> > > > Sent: Wednesday, September 22, 2004 5:38 PM
> > > > To: focus-ms@securityfocus.com
> > > > Subject: RE: Items within XP SP2 and Win2003
> > > >
> > > >
> > > > Not yet.  Windows 2003 Service Pack 1 is supposed to
> > bring it up to
> > > > speed with Windows XP SP2.
> > > >
> > > > Joe
> > > >
> > > > -----Original Message-----
> > > > From: James Bowman [mailto:jim@drexel.edu]
> > > > Sent: Sunday, September 19, 2004 9:11 PM
> > > > To: focus-ms@securityfocus.com
> > > > Subject: Items within XP SP2 and Win2003
> > > >
> > > >
> > > >
> > > > Is their a set of hotfixes needed for 2003 that make it
> > comprable in
> >
> > > > features / overall security posture to XP SP2?
> > > >
> > > >
> > > >
> > > > Although there's probably a bevy of XP SP2 items embedded
> > in 2003, I
> >
> > > > would imagine there's a bunch that's not...
> > > >
> > > >
> > > >
> > > > Thanks
> > > >
> > > > --------------------------------------------------------------
> > > > ----------
> > > > ---
> > > > --------------------------------------------------------------
> > > > ----------
> > > > ---
> > > >
> > > >
> > > >
> > > >
> > > > --------------------------------------------------------------
> > > > -------------
> > > > --------------------------------------------------------------
> > > > -------------
> > >
> > >
> > > --------------------------------------------------------------
> > > -------------
> > > --------------------------------------------------------------
> > > -------------
> >
> > --------------------------------------------------------------
> > ----------
> > ---
> > --------------------------------------------------------------
> > ----------
> > ---

---------------------------------------------------------------------------
---------------------------------------------------------------------------