Security Basics mailing list archives

RE: Client End Firewalls


From: "Jef Feltman" <feltman () pacbell net>
Date: Thu, 28 Oct 2004 19:31:51 -0700

Get integrity www.zonelabs.com, it will do it. 

-----Original Message-----
From: GuidoZ [mailto:uberguidoz () gmail com] 
Sent: Wednesday, October 27, 2004 4:45 PM
To: security-basics () securityfocus com
Cc: bugtraq () planetcobalt net
Subject: Re: Client End Firewalls

Hello again Ansgar. Sorry for my delayed response - was out of town for a
week. =)

That may or may not help, depending on the user's skills. The problem 
with policies in Win9x is that you can't enforce them. Any user who 
knows the way around it will be able to bypass your measures.

Yeah, had that problem before too. Like I mentioned - it only worked for the
curious users. Not the smart ones. ;) It's very limiting to be stuck on
Win9x knowing I could do my job effectively on a WinNT system. You do what
you can though.

Point already taken, though with respect to spyware I would rather set 
up other measures like using other browsers and restricting IE to 
localhost and some pages that expressly need IE to work (see other 
sub-thread).

I agree, though in this case it just isn't really possible. Due to the
proprietary ActiveX they use, they need to access multiple machines
(everything from a data warehouse across the country to desktop PCs around
the corner). I'm looking forward to the implementation of a java based
solution instead. One has been promised within 6 months, but personally I
don't buy it. Time will tell.

When it comes to Spyware, I'm personally surprised by how much really gets
by. I educate. I use all the popular programs (SpyBot, AdAware, BHODemon,
etc). I lock down the system as best as I can. If it wasn't for the need of
ONE 3rd party browser extension, I'd turn off those too. (A wonderful way to
stop a number of nasty lil malware.) Yet, it still gets through. Usually
it's due to the ID 10 T error... users disable/exit scanners to speed up the
system (being some are stuck on PIIs). Being it's not many systems, I handle
the updates manually.
That is, I make sure they get done personally. I'm still baffled how I can
perform an update one week, then go back the next and have to do it again. I
think someone is messing with me. (O_o)

I've seen this one coming ;)

I figured you knew better. =)

It is true that the packet filter of a PFW allows you to control 
connections on a per-IP-basis. However, you should ask yourself why 
users need to share folders on their desktop-PCs anyway. IMHO a 
central file server would be a much more reasonable approach (think 
about backups, too).

I've said the same things a number of times. However, once again this
scenario makes it difficult to do anything else. The only "server"
system they have is a Win98 box running Jana Server to allow printing from
the data warehouse. I cringe knowing that if that system were to go down,
they would go belly up. I've done what I can to protect it (mirrored the
drive with software RAID) and have set up security precautions. Hardly a
place I'd want to have everyone have access to - in any form.

Even so, it was only an example. I've also used the filters to limit access
to other aspects of the systems (like they can receive email but not send
from a certain server). More to come.

Don't get me wrong, I'm not totally against host-based packet filtering.
In some cases (like notebooks that get connected to various networks 
inside and outside your company) they are indeed very useful. I just 
don't see their use for computers that will always be connected to 
your internal network. I prefer a reasonable network setup over 
software based solutions.

See above (scenario warrants it). Beyond that, you make a very good point. A
reasonable network setup should be preferred, though sometimes we're forced
to do what we can with the resources at our disposal. However, even with a
"proper" network architecture in place, sometimes those added safeguards
don't hurt. I was actually just speaking to someone off list about added
layers of security. They described it something like this: "Look at the
added layers as more hoops to jump through. It's a deterrent to keep hackers
from continuing if they continue to have to jump through more and more
hoops."

Many times, the security that is put in place in organizations like this one
is similar to a padlock on a storage locker. If someone (script
kiddie) is going around jiggling the doors and locks to see which is open,
it will deter them. However, if someone (true hacker) is after what's
inside, they will find a way around it. They will learn what they need to
learn in order to circumvent the protections in place.
(Bolt cutters for example.) Smaller organizations that don't have the funds
or desire to have stronger security are just like that padlocked storage
locker. The security they have certainly helps deter the average passer-by,
though it won't do squat if someone really wants inside.

As a side-note: passwords should never be noted on post-its (or their
like) and users should be educated about this. But you already know 
that, right? ;)

=P Education and following policy are two very different things. I've also
educated the users NOT to disable the AV or Spyware scanners.
However, it still gets done (and causes problems). As for the post-it note
example, luckily I haven't had to deal with it (that I know of).
It's unbelievable how much of a true problem it actually is however.

A few weeks ago I was talking with the Postmaster General of a local city
(which I will withhold for their protection) about Priority Mail shipping
for my wife's business. I was invited into their office and we talked for
about 15 minutes. Eventually, we moved online so they could show me the
steps to take for printing postage and scheduling a pickup. While I was
standing there talking to them, I noticed a post-it on the door next to the
monitor. (It was on the inside, though they had left the cabinet open.) On
it was an obvious security breach... a login user/pass for the USPS
Intranet. It also had a recent date, most likely meaning they had just
changed them. I handed her one of my cards (Computer Security Consultant)
and explained what I had seen and why it was very bad. She turned almost red
and said they had been told not to do such a thing, but they were having a
problem remembering the password...

Feel free to do so, but don't expect too much from me. Though I have 
some experience with iptables I'm far from being a professional.

Appreciate the offer. When I go back to trying Smoothwall in that office,
I'm sure I'll run into the problems again. I'll let you know.
;)

[1] http://www.luckie-online.de/programme/UserManager/index.shtml
[2] http://www.fajo.de/portal/index.php?option=content&task=view&id=6

I've seen #2 before, though I haven't really given it a test run.
Thanks for the reminder. As for #1, is there an English version?

AFAIK not. I mailed that question to the author and will keep you 
posted on any reply I get.

Once again, appreciate it. Always a pleasure!

--
Peace. ~G


On Tue, 19 Oct 2004 14:31:56 +0200, Ansgar -59cobalt- Wiechers
<bugtraq () planetcobalt net> wrote:
On 2004-10-18 GuidoZ wrote:
With Windows 98 you're doomed since you have to rely on the users 
not making mistakes :(

Yeah, I've kinda had the same problem. There are ways to apply 
policies and such (poledit), which is helpful though. I've used this 
successfully to thwart some curious users.

That may or may not help, depending on the user's skills. The problem 
with policies in Win9x is that you can't enforce them. Any user who 
knows the way around it will be able to bypass your measures.

(A useful write-up can be found here: http://www.zisman.ca/poledit/) 
Although, in the long run it's still Windows 98. As my father always 
said, "You can't polish a turd."

Heh.

[...]
Services that don't run can't be exploited and thus don't need to 
be protected by a PFW. Services that need to be available can't be 
protected by a PFW.

While this is true, that only applies to the services that I 
expressly defined as necessary, or shut down. Again I'll remind you 
that I still have to depend on users in certain circumstances. I've 
been in there removing Spyware on a weekly basis. Having the 
Firewall set to allow access to ONLY what I have defined and 
password protected adds a layer that, again, I prefer to keep in place.

Point already taken, though with respect to spyware I would rather set 
up other measures like using other browsers and restricting IE to 
localhost and some pages that expressly need IE to work (see other 
sub-thread).

I'll also comment on your second statement - you certainly CAN 
control necessary services with a PFW. You can setup advanced rules 
and filters to, for example (but not limited to), only allow access 
to a machine from or to a certain IP#. That way Tom (who found the 
password on a post-it note) can't be jumping into Jane's network 
share even though it's open to Bill (who had the post-it note).

I've seen this one coming ;)

It is true that the packet filter of a PFW allows you to control 
connections on a per-IP-basis. However, you should ask yourself why 
users need to share folders on their desktop-PCs anyway. IMHO a 
central file server would be a much more reasonable approach (think 
about backups, too).

Don't get me wrong, I'm not totally against host-based packet filtering.
In some cases (like notebooks that get connected to various networks 
inside and outside your company) they are indeed very useful. I just 
don't see their use for computers that will always be connected to 
your internal network. I prefer a reasonable network setup over 
software based solutions.

As a side-note: passwords should never be noted on post-its (or their
like) and users should be educated about this. But you already know 
that, right? ;)

[...]
Well, you don't always have to have a Checkpoint or Cisco. A small 
packet-filtering router (or a Linux|*BSD box) may very well 
suffice and are a lot cheaper.

This is true. I've run Smoothwall a few times as a test and it's 
worked quite well. There are still some minor kinks that I've yet to 
solve through forums, lists, and Google. Maybe I'll run them by you 
off-list. =)

Feel free to do so, but don't expect too much from me. Though I have 
some experience with iptables I'm far from being a professional.

[1] http://www.luckie-online.de/programme/UserManager/index.shtml
[2] http://www.fajo.de/portal/index.php?option=content&task=view&id=6

I've seen #2 before, though I haven't really given it a test run.
Thanks for the reminder. As for #1, is there an English version?

AFAIK not. I mailed that question to the author and will keep you 
posted on any reply I get.

Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety deserve 
neither liberty nor safety, and will lose both."
--Benjamin Franklin
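The thread argues about what a host-based packet filter (PFW) can do: GuidoZ's point that a share can be opened to Bill's PC but not Tom's by matching on the source IP, his remark that the same filters let a box receive mail but not send to a certain server, and Ansgar's observation that a service which isn't running needs no rule at all because it falls through to the default. The following is an added example, not code from either poster and not any PFW product's rule syntax; it is a small first-match rule evaluator in Python with constructed addresses from the RFC 5737 documentation range (Jane's PC, Bill's PC, a mail server and an intruder's PC are all invented), run over constructed packets to show the decisions such a rule set would make.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, FrozenSet, Dict


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving at the protected PC, "out" = leaving it
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                          # "allow" or "deny"
    proto: Optional[str] = None          # None matches any protocol
    src_net: Optional[str] = None        # CIDR; None matches any source
    dst_net: Optional[str] = None        # CIDR; None matches any destination
    dports: Optional[FrozenSet[int]] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src_net is not None and \
                ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net is not None and \
                ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True


# Default policy: nothing gets in unless a rule says so; outbound is open
# unless a rule closes it. Anything not explicitly listed (a service that
# isn't running, say) simply falls through to this.
DEFAULT_POLICY = {"in": "deny", "out": "allow"}


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; otherwise the direction's default applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return DEFAULT_POLICY[pkt.direction]


# Constructed hosts (hypothetical, RFC 5737 documentation addresses).
JANE_PC = "192.0.2.11"       # the PC whose share we are protecting
BILL_PC = "192.0.2.10"       # the one PC allowed to reach Jane's share
TOM_PC = "192.0.2.12"        # anyone else on the LAN
MAIL_SERVER = "192.0.2.20"
SMB_PORTS = frozenset({139, 445})

# Rule set for Jane's PC. Order matters: the specific allow for Bill must
# precede the blanket deny for the SMB ports.
JANE_RULES = [
    Rule("in", "allow", proto="tcp", src_net=BILL_PC + "/32", dports=SMB_PORTS),
    Rule("in", "deny", proto="tcp", dports=SMB_PORTS),
    # Receive mail (POP3) from the mail server, but never send (SMTP) to it.
    Rule("out", "deny", proto="tcp", dst_net=MAIL_SERVER + "/32", dports=frozenset({25})),
    Rule("out", "allow", proto="tcp", dst_net=MAIL_SERVER + "/32", dports=frozenset({110})),
]


def walkthrough() -> Dict[str, str]:
    """Constructed packets covering each case the thread talks about."""
    cases = {
        "bill_to_share": Packet("in", "tcp", BILL_PC, JANE_PC, 445),
        "tom_to_share": Packet("in", "tcp", TOM_PC, JANE_PC, 445),
        "smtp_to_mailserver": Packet("out", "tcp", JANE_PC, MAIL_SERVER, 25),
        "pop3_from_mailserver": Packet("out", "tcp", JANE_PC, MAIL_SERVER, 110),
        "unlisted_service": Packet("in", "tcp", TOM_PC, JANE_PC, 8080),
        "ordinary_web": Packet("out", "tcp", JANE_PC, "198.51.100.5", 80),
    }
    return {name: evaluate(JANE_RULES, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, decision in walkthrough().items():
        print(f"{name:22s} -> {decision}")
```

The two SMB rules are the per-IP control GuidoZ describes; swapping their order would silently shut Bill out too, which is the usual way such rule sets go wrong. The port 8080 packet shows Ansgar's point from the other side: with a deny-by-default inbound policy there is nothing to write for a service that isn't listening.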


