
| Subject: | RE: Items within XP SP2 and Win2003 |
|---|---|
| Date: | Tue, 28 Sep 2004 11:37:41 -0400 |
You make two assumptions that may not be valid:

1) My firewall is doing NAT
2) A firewall failure will also eliminate the ability to do NAT.

Let's look at 2 more in depth. There are many ways a firewall can fail. One is a catastrophic failure that will take down the entire firewall. As you mention, this will probably take down NAT with it. What other types of firewall failures are there? One failure would be a configuration error. I think I am blocking a particular type of traffic but in reality I am not. This type of firewall failure is probably the most common. Second, there may be a vulnerability in the firewall that can be exploited to allow unwanted traffic into my interior network. Third, a firewall vulnerability could allow a user admin access to my firewall. With this access they could change the configuration to allow unwanted access.

As you mention, the principle in shutting down unneeded services is to limit additional attack vectors. The use of VLANs and segmentation also serves to limit attack vectors. A host based firewall is another method of reducing attack vectors. A host based firewall can be used effectively as an additional means of defense. If you get a system with a central configuration point, it can also serve as a rapid response effort in the event of an attack. For example, if I am under attack through file shares, I can quickly block file sharing while still allowing my web server on the same machine to function.

As far as it being a band-aid for a poor infrastructure, how many small/medium businesses do you think have the best laid out infrastructure?

Dennis
-----Original Message-----
From: Eric McCarty [mailto:eric@lawmpd.com]
Sent: Tuesday, September 28, 2004 11:10 AM
To: Depp, Dennis M.; larobins@bellatlantic.net; Joe Doyle; focus-ms@securityfocus.com
Subject: RE: Items within XP SP2 and Win2003

I believe VLANs and segmentation would be the best approach to allowing only certain internal machines access to the server. If the hacker is able to magically bypass your border router/firewall then I doubt he/she will have any trouble bypassing any host based firewalls you have in place. The need to shut down additional services that are not used on a server is to limit possible attack vectors, from inside or outside attackers, and to prevent performance degradation from unused services. Assuming root cannot be achieved by exploiting one service, but local access is granted, an open yet unpatched additional service can be used for privilege escalation. This is a proven practice and not my place to question or debate over.

My contention is this: since I will assume you have a border firewall that is performing some sort of NAT for you, you have specified which machines/services are available externally; should the firewall fail, no more NAT device, no access. Assuming I shut down all my services except for the ones I need and have properly segmented and implemented VLANs and Access Control Lists on my network devices, I have no need for a host based firewall on my server because I have already specified network limitations on my local (device ACLs) and external (Router/Firewall ACLs) networks. A host based firewall may be used as a band-aid for a poor infrastructure but realistically this is not the way I would choose to go.

Eric McCarty

-----Original Message-----
From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
Sent: Tuesday, September 28, 2004 7:54 AM
To: Eric McCarty; larobins@bellatlantic.net; Joe Doyle; focus-ms@securityfocus.com
Subject: RE: Items within XP SP2 and Win2003

What if I only want part of my internal network to be able to access this machine? What if a hacker is able to bypass my border router? How do I protect my server? If a hacker has to take over another machine to attack my server, I will at least slow down the attack, and at best be able to intercept the attack before he is able to continue.

Using your argument, it is unnecessary to shut down unneeded services on my machine. After all, they are already blocked at the border firewall, so why bother?

A border firewall is important to a good security plan. To expect a firewall to never fail is unrealistic. All software has vulnerabilities. All firewalls involve software, hence all firewalls have vulnerabilities. This needs to be factored into your security plan. Using a host based firewall is one method of planning for these vulnerabilities.

I do not need to add a site to my trusted sites list to be able to browse that site. It just stops the annoying popup.

Dennis

-----Original Message-----
From: Eric McCarty [mailto:eric@lawmpd.com]
Sent: Tuesday, September 28, 2004 10:44 AM
To: Depp, Dennis M.; larobins@bellatlantic.net; Joe Doyle; focus-ms@securityfocus.com
Subject: RE: Items within XP SP2 and Win2003

Who doesn't have a border firewall? Commonly it's router - firewall - switch. So you propose to do address filtering on your host based firewall? I suggest rethinking this strategy, as IP address range blocking should be done at the border router or firewall long before any network translations are done or any traffic traverses the local network. I can imagine a plethora of ways to get around host based IP restrictions: can't get to server1, take over another machine on the internal network, then get to server1, and likewise. Running a host based firewall will not allow an extra layer of security if it's doing the same thing the border router/firewall is doing.

In order to browse the internet from the server you will have to add a lot of sites to the trusted sites list, and once a site is considered trusted it's all over anyway.

-----Original Message-----
From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
Sent: Tuesday, September 28, 2004 4:18 AM
To: Eric McCarty; larobins@bellatlantic.net; Joe Doyle; focus-ms@securityfocus.com
Subject: RE: Items within XP SP2 and Win2003

Eric,

A firewall will not only block services, but it will also selectively allow services. For example, I might need to run a web server, but I only want users from a business partner to access this site. I can use the firewall to limit access to a specific IP address or subnet. In this case, a host based firewall can add another layer of security to a system.

I do agree that you should not be browsing the internet from a server. However, some people will continue to browse the internet from servers. The enhancements to IE6 with W2K3 will not affect you or me, but they will affect many others.

Dennis

-----Original Message-----
From: Eric McCarty [mailto:eric@lawmpd.com]
Sent: Monday, September 27, 2004 5:26 PM
To: Depp, Dennis M.; larobins@bellatlantic.net; Joe Doyle; focus-ms@securityfocus.com
Subject: RE: Items within XP SP2 and Win2003

I think this is a contradiction. On a server, you should turn off all services you have no intention of having clients connect to, not set up a firewall to block them. Next, you should not be browsing the internet using your server, and if you noticed, the enhanced browser security prevents this for the most part anyway.

Eric

-----Original Message-----
From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
Sent: Monday, September 27, 2004 9:27 AM
To: larobins@bellatlantic.net; Joe Doyle; focus-ms@securityfocus.com
Subject: RE: Items within XP SP2 and Win2003

WRT Windows firewall and IE updates.

Dennis

-----Original Message-----
From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
Sent: Sunday, September 26, 2004 2:38 AM
To: 'Joe Doyle'; focus-ms@securityfocus.com
Subject: RE: Items within XP SP2 and Win2003

In what respects?

Laura

-----Original Message-----
From: Joe Doyle [mailto:joe.doyle@promega.com]
Sent: Wednesday, September 22, 2004 5:38 PM
To: focus-ms@securityfocus.com
Subject: RE: Items within XP SP2 and Win2003

Not yet. Windows 2003 Service Pack 1 is supposed to bring it up to speed with Windows XP SP2.

Joe

-----Original Message-----
From: James Bowman [mailto:jim@drexel.edu]
Sent: Sunday, September 19, 2004 9:11 PM
To: focus-ms@securityfocus.com
Subject: Items within XP SP2 and Win2003

Is there a set of hotfixes needed for 2003 that make it comparable in features / overall security posture to XP SP2? Although there's probably a bevy of XP SP2 items embedded in 2003, I would imagine there's a bunch that's not...

Thanks
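The host-based policy Dennis argues for in the thread above (a web server reachable only from a business partner's subnet, file sharing shut off on the same host, dropped packets logged so an attempt from an unexpected internal address can be seen) written out as commands for the netsh firewall context that XP SP2 introduced. This is an added example and not part of the thread or any participant's message; the partner subnet 192.0.2.0/24 (a documentation range), the exception name PartnerWeb and the log path are assumed.

```powershell
# Added example, not from the thread: host-based Windows Firewall policy for the
# scenario discussed, using the XP SP2 "netsh firewall" context.
# Assumptions: partner subnet 192.0.2.0/24 (RFC 5737 documentation range),
# exception name PartnerWeb, log file under %SystemRoot%. Run as an administrator.

# Firewall on with exceptions enabled: only the listed exceptions are allowed in,
# every other unsolicited inbound packet is dropped, on domain and standard profiles.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

# Weak setting (left commented out): port 80 open to any source address. This only
# repeats what the border firewall already permits and adds no layer, which is
# Eric's objection to host-based filtering.
# netsh firewall set portopening protocol=TCP port=80 name=PartnerWeb mode=ENABLE scope=ALL profile=ALL

# Corrected setting: port 80 reachable only from the partner subnet. A machine on
# the internal LAN that has been taken over is outside this scope and is refused
# even if the border router's ACL has been bypassed or misconfigured.
netsh firewall set portopening protocol=TCP port=80 name=PartnerWeb mode=ENABLE scope=CUSTOM addresses=192.0.2.0/24 profile=ALL

# Rapid response: close the File and Printer Sharing exception (TCP 139/445,
# UDP 137/138) while the web exception above keeps working on the same machine.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL

# Log dropped packets and accepted connections (max file size in KB) so refused
# attempts from an unexpected address show up and the attack can be intercepted.
netsh firewall set logging "filelocation=$env:SystemRoot\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

# Verify the resulting policy and current state.
netsh firewall show config
netsh firewall show state
```

The CUSTOM scope takes a comma-separated list of addresses, subnets and the keyword LocalSubnet, so several partner ranges can be listed in the one command. The exception is an allow rule, not a block rule: with exceptions enabled, anything not listed is dropped, so the host policy and the border ACL combine as an AND, which is exactly the extra layer the thread is debating.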