Security Basics mailing list archives
Re: Host-Base Firewall
From: Jon Kibler <Jon.Kibler () aset com>
Date: Fri, 30 May 2008 15:54:56 -0400
Mohamed Farid wrote:
> Dear All,
> Any recommendation for a cost-effective Host-Base Firewall to be installed on my remote users' laptops, and to be managed and administered centrally by my security team?

Hi All,

Okay, I want to start from the top because I believe that all the posts to date have missed one major point: Any firewall is only as good as its configuration (and change control), and the configuration is only worth anything if it has been adequately tested.

Most firewalls I see, host or network based, are grossly misconfigured. Host-based firewalls tend to have the worst problems, because of the issues associated with how users work and what their access requirements are. I generally see one of three approaches taken to host firewall (mis)configurations:

1) Only attempt to filter traffic destined to somewhere off the LAN or WAN.
2) Filter all traffic, but the LAN / WAN traffic filter is the same for everyone in the organization.
3) Filter all traffic based upon the generic role(s) that the user performs.

All of these approaches tend to open up holes that a tank can drive through.

Regardless of how the firewalls are configured, they MUST be pen tested! Otherwise, how do you know that the configuration is correct? (Clue: You don't!)

Which brings up the final issue: Do you log events (esp. on host-based firewalls), do you centralize logs, and do real time central event alerts and response? In the majority of organizations where they have deployed host based ANYTHING (AV, firewalls, IDS, NAC, etc.), the events are sent to the user as a popup window and the user simply automatically clicks 'ALLOW' without even reading the message. (And that presumes they could even comprehend the alert to begin with!) With no central logging, or no logging at all, then no one up the food chain has even half a clue that an exception occurred -- except the clueless user, and they probably could not even remember receiving the alert 30 minutes (seconds?) after it occurred.

TEST! TEST! TEST! That is the ONLY way to ensure a firewall is doing anything of use! Also, someone other than the user should be getting a clue that the testing is occurring!

Well, at least that is my $0.02 worth.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
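
Added example (not part of the original message): one way to check both points raised above, that a tested host firewall behaves as the policy intends and that the central log collector actually recorded each test event. The host names, ports, probe results and the log line format are constructed assumptions for illustration.

```python
"""Reconcile host-firewall test results against centrally collected logs."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Probe:
    host: str      # laptop under test
    port: int      # destination port tested
    expect: str    # "block" or "allow" according to the intended policy
    observed: str  # "block" or "allow" as recorded by the tester

# Constructed test results (hypothetical hosts and ports).
PROBES = [
    Probe("laptop-01", 445, "block", "block"),
    Probe("laptop-01", 3389, "block", "allow"),  # policy hole
    Probe("laptop-02", 445, "block", "block"),   # blocked, but never logged centrally
    Probe("laptop-02", 22, "allow", "allow"),
]

# Constructed central log; the "time host ACTION dport=N" format is an assumption.
CENTRAL_LOG = """\
2008-05-30T15:01:02 laptop-01 BLOCK dport=445
2008-05-30T15:01:05 laptop-01 ALLOW dport=3389
2008-05-30T15:02:10 laptop-02 ALLOW dport=22
"""

def parse_central_log(text):
    """Return the set of (host, port, action) events the collector received."""
    events = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].startswith("dport="):
            continue  # skip malformed lines rather than guessing
        try:
            port = int(parts[3][len("dport="):])
        except ValueError:
            continue
        events.add((parts[1], port, parts[2].lower()))
    return events

def reconcile(probes, events):
    """Flag probes that contradict policy or left no trace in the central log."""
    findings = []
    for p in probes:
        if p.observed != p.expect:
            findings.append((p.host, p.port, "policy-mismatch"))
        if (p.host, p.port, p.observed) not in events:
            findings.append((p.host, p.port, "not-logged-centrally"))
    return findings

if __name__ == "__main__":
    for finding in reconcile(PROBES, parse_central_log(CENTRAL_LOG)):
        print(*finding)
```
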