Re: Host-Base Firewall

[Jon Kibler <Jon.Kibler () aset com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mohamed Farid wrote:
> Dear All ,,,
>
> Any recommendation for a cost effective Host-Base Firewall to be installed
> on my remote users' Laptops - and to be managed and be administrated
> centralized by my security team ?
>  

Hi All,

Okay, I want to start from the top because I believe that all the posts
to date have missed one major point: Any firewall is only as good as its
configuration (and change control), and the configuration is only worth
anything if it has been adequately tested.

Most firewalls I see, host or network based, are grossly misconfigured.
Host base firewalls tend to have the worst problems, because of the
issues associated with how users work and what their access requirements
are.

I generally see one of three approaches taken to host firewall
(mis)configurations:
   1) Only attempt to filter traffic destined to somewhere off the LAN
or WAN.
   2) Filter all traffic, but the LAN / WAN traffic filter is the same
for everyone in the organization.
   3) Filter all traffic based upon the generic role(s) that the user
performs.

All of these approaches tend to open up holes that a tank can drive through.

Regardless of how the firewalls are configured, they MUST be pen tested!
Otherwise, how do you know that the configuration is correct? (Clue: You
don't!)

Which brings up the final issue: Do you log events (esp. on host-based
firewalls), do you centralize logs, and do real time central event
alerts and response?

In the majority of organizations were they have deployed host based
ANYTHING (AV, firewalls, IDS, NAC, etc.), the events are sent to the
user as a popup window and the user simply automatically clicks 'ALLOW'
without even reading the message. (And that presumes they could even
comprehend the alert to begin with!)

With no central logging, or no logging at all, then no one up the food
chain has even a half a clue that an exception occurred -- except the
clueless user, and they probably could not even remember the receiving
the alert 30 minutes (seconds?) after it occurred.

TEST! TEST! TEST! That is the ONLY way to ensure a firewall is doing
anything of use! Also, someone other than the user should be getting a
clue that the testing is occurring!

Well, at least that is my $0.02 worth.

Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkhAW5AACgkQUVxQRc85QlM8wQCfenUctYZ46gJGXnq4uBFt0qWC
RuAAn31aGE7NwqypVJ7VGnIykVgKS1lF
=0urj
-----END PGP SIGNATURE-----




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.