Security Basics mailing list archives
RE: Patching a Firewall
From: Jimi Thompson <jimit () myrealbox com>
Date: Mon, 15 Sep 2003 23:14:27 -0500
There's way more to hardening a Windows OS than just turning off NetBIOS and stopping the services you aren't using. For starters, you need to hack the registry to turn off the administrative shares. There are very large books written on this subject, so I'm not even going to try to cover it in an email. I will give you the short version by saying that my experience has been that if you aren't hand hacking the registry, you probably aren't doing it right.
It is difficult and intricate to harden a Windows box sufficiently to use as a firewall, especially in the case of the poster's position (i.e. dealing with electronic funds transfers). Personally, I wouldn't even consider it. In that kind of a position, you go for the very best thing you can buy, since it is literally the keys to the vault. For my money that's CheckPoint running on Trusted Solaris. You use 3 factor authentication for any log in. You should preferably be using one-time pad passwords along with PKI key authentication and encryption. Any changes made to the firewall should be made by 2 or more people whose job responsibilities rotate. That's just for starters on the firewall.
Again, because of what you are trying to secure, you must be extremely paranoid about everything.
Jimi

At 7:03 PM -0400 9/15/03, dave kleiman wrote:

> Define "extreme difficulty" for hardening the Windows OS. You mentioned "NSA Secure Linux" which is actually Security-Enhanced Linux (notice the NSA does not want to claim it "Secure", just enhanced).
>
> There are NSA Security Guidelines for W2K at http://www.nsa.gov/snac/index.html
> Level2 W2K Security at http://www.cisecurity.org/
> All of which are free.
>
> And if you want to go beyond that: http://www.securit-e-doc.com/products/securitelok.asp
> At under $150.00 per server, and it takes about 30 minutes to set up.
>
> You can completely disable NetBIOS on W2K as well as every other service not needed. The above mentioned Guidelines and products do that. And I can think of many "reputable" shops running IAS. And I have several servers running IIS and E-mail that only have 7 services running (excluding AV and Spam Control), that have software Firewalls running on them.
>
> Dave
> _____________________
> Dave Kleiman
> dave () netmedic net
> www.netmedic.net
> "High achievement always takes place in the framework of high expectation." Jack Kinder
>
> -----Original Message-----
> From: Jimi Thompson [mailto:jimit () myrealbox com]
> Sent: Sunday, September 14, 2003 14:05
> To: Robert Mezzone; 'security-basics () securityfocus com'
> Subject: Re: Patching a Firewall
>
>> Robert,
>>
>> Item 1 - I would never run Windows as a firewall simply because of the extreme difficulty in hardening the OS to prevent it from being exploited. I have heard of this being done, but I've never observed it in a reputable shop. Most places either use a device that is specifically a firewall or a hardened *nix OS (i.e. Solaris, Trusted Solaris, Trusted FreeBSD, NSA Secure Linux, Bastille, etc.). The reason for using a *nix OS is so that services which are not needed can be removed from the box without causing a major disruption to the OS. Think of what would happen if you tried to un-install NetBIOS from Windows.
>>
>> Item 2 - If your OS on your firewall has a vulnerability, your firewall itself is vulnerable. If I can get your OS to cooperate and give me "root" or "Administrator", I can change your firewall rules, logging, user accounts, etc. to suit myself.
>>
>> Item 3 - Your firewall, for management purposes, probably accepts connections to itself. The question then becomes where does it accept connections from and, if you are a hacker, how can I spoof that. ANYTHING that's not physical layer can be spoofed, and even that's not a guarantee that someone sneaky hasn't installed a device somewhere to trip you up.
>>
>> I notice from your email address that you are with an investment banker. That means you deal with money. Any time cash is involved, especially transferring cash electronically, your level of paranoia should be very very high (like almost ready to cart you off in the "i love me jacket"). Never mind the SEC regulations.....
>>
>> 2 Cents,
>> Jimi
>>
>> At 8:15 AM -0400 9/12/03, Robert Mezzone wrote:
>>
>>> I want to start off by saying my Firewall is fully patched. That being said, my question is... Is it a big security risk if the OS (say Windows) running the firewall box is not fully patched? My reasoning that it isn't is because the firewall should be configured to drop any connections to itself. Or, being the firewall has to at least initially accept the packet in order to inspect it, is that enough to exploit a vulnerability?
>>>
>>> Robert
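An added example (not code from the thread or from any of its posters): the administrative-share registry change Jimi refers to, followed by a share and running-service audit of the kind Dave describes. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later; the service allow-list is a constructed placeholder.

```powershell
# Added example, not from the thread. Disables the automatic administrative
# shares (C$, D$, ADMIN$) through the LanmanServer registry values, then
# audits what is still shared and which services are running.
# Assumes: elevated PowerShell 3+, SmbShare module present (Win8/2012+).

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# AutoShareServer governs server SKUs, AutoShareWks workstation SKUs; setting
# both is harmless. 0 = do not recreate the admin shares when the Server
# service starts. IPC$ is not controlled by these values. Caveat: remote
# management tools that depend on ADMIN$ will stop working on this host.
foreach ($value in 'AutoShareServer', 'AutoShareWks') {
    New-ItemProperty -Path $lanman -Name $value -PropertyType DWord -Value 0 -Force | Out-Null
}

# The change takes effect on the next start of the Server (LanmanServer)
# service. Restarting it drops every open SMB session, so do it in a window.
Restart-Service -Name LanmanServer -Force

# Report any hidden ($-suffixed) share still present other than IPC$.
$hidden = Get-SmbShare | Where-Object { $_.Name -like '*$' -and $_.Name -ne 'IPC$' }
if ($hidden) {
    Write-Warning 'Hidden shares still present:'
    $hidden | Select-Object Name, Path | Format-Table -AutoSize
} else {
    Write-Host 'No administrative shares present.'
}

# Service allow-list: constructed placeholder; replace with the services this
# particular host actually needs and treat anything else as a finding.
$allowed = @('EventLog', 'LanmanServer', 'RpcSs', 'Dnscache', 'W32Time', 'WinDefend')
$extra = @(Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.Name -notin $allowed })
Write-Host ("{0} running service(s) outside the allow-list:" -f $extra.Count)
$extra | Select-Object Name, DisplayName | Format-Table -AutoSize
```

Re-run the audit after a reboot as well, since group policy or installers can recreate shares and re-enable services that were stopped by hand.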
Current thread:
- Patching a Firewall Robert Mezzone (Sep 12)
- Re: Patching a Firewall Jimi Thompson (Sep 15)
- RE: Patching a Firewall dave kleiman (Sep 16)
- RE: Patching a Firewall Jimi Thompson (Sep 16)
- Re: Patching a Firewall James Fields (Sep 19)
- RE: Patching a Firewall dave kleiman (Sep 16)
- Re: Patching a Firewall Birl (Sep 15)
- <Possible follow-ups>
- RE: Patching a Firewall Thomas F. Szabo (Sep 15)
- Re: Patching a Firewall Robert Mezzone (Sep 15)
- Re: Patching a Firewall Ansgar Wiechers (Sep 16)
- RE: Patching a Firewall Gino Genari (Sep 16)
- RE: Patching a Firewall brossini (Sep 17)
- Re: Patching a Firewall Jimi Thompson (Sep 15)