Firewall Wizards mailing list archives
RE: Personal/Host-based Firewalls
From: "Ames, Neil" <NAmes () anteon com>
Date: Thu, 26 Sep 2002 09:37:55 -0400
Juergen,

I have, in addition to Rich's excellent point, two reasons for running a host-based firewall:

1) I am running Windows 2000 Server and IIS: When I get patches I can end up with things that were removed, disabled, or off being reinstalled, enabled and/or turned on. (I have started using FCheck for integrity checks and am stunned at the numbers of files that are changed with patches--too much for any configuration manager to understand.) I have limited access to the systems so I can't re-harden or re-evaluate the systems every time there is a new patch. Running a separate layer of protection mitigates those vulnerabilities.

2) Defense in Depth: The security layer I introduce between my applications and the network is an additional protection against mis-configuration and unknown vulnerabilities.

The stuff is relatively cheap to buy--though the political and administrative costs can be high. The finger of the troubleshooter always points to "that damned security product" as the reason that the Quake server doesn't work ;). When someone finds that disabling the firewall, rather than changing a setting, makes a real problem go away then you lose credibility and you have a rash of sudden firewall death syndrome (SFDS). (They're willing to go into the registry to kill it.)

It is a significant hidden cost, in my environment, to be able to manage remote firewall configurations. It is not, however, as significant as being shut down permanently for losing control of the systems by other means--if you know what I mean.

Thank you,
Fritz

-----Original Message-----
From: Gautier . Rich [mailto:RGautier () drc com]
Sent: Thursday, September 26, 2002 8:57 AM
To: 'Nieveler, Juergen'; 'Ames, Neil'; Firewall-Wizards (E-mail)
Subject: RE: [fw-wiz] Personal/Host-based Firewalls

There could be numerous reasons - for example - we have a single machine that is fairly sensitive on our internal network. It has a personal firewall that lets group X do NETBIOS sessions and group Y do SQL connections, but X is not permitted to do what Y does. In this case, I don't want everyone to be able to connect/attack the SQL server due to the sensitivity of the data. However, creating a network segment for just one machine makes no sense when a single-host firewall will do the trick.

Rich Gautier
Dynamics Research Corp
Personal Website - http://rgautier.tripod.com
Attachment is Public Key for the sender: rgautier () drc com

-----Original Message-----
From: Nieveler, Juergen [mailto:Juergen.Nieveler () akzonobeldeco de]
Sent: Thursday, September 26, 2002 3:28 AM
To: 'Ames, Neil'; Firewall-Wizards (E-mail)
Subject: RE: [fw-wiz] Personal/Host-based Firewalls
I have begun investigating personal/host-based firewalls for Windows 2K *Server*, with the hope of finding a solid, reliable, fast product that I can easily manage in an environment of distributed remote offices (in which I have limited access to the systems, or administration through someone else's eyes and ears).

What do you want to achieve with such a "firewall"? If people are supposed to use the server, you have to open those ports that they need to use. As for ports that they DON'T need to use - why install something on a server that isn't used anyway?

--
Mit freundlichen Grüßen / Yours sincerely
Juergen Nieveler
eMail: Juergen.Nieveler () AkzoNobelDeco de
Disclaimer: Views are mine, not my employers'

--
-------------> IMPORTANT <----------------
This message, including attachments, is confidential and may be privileged. If you are not an intended recipient, please notify the sender then delete and destroy the original message and all copies. You should not copy, forward and/or disclose this message, in whole or in part, without permission of the sender.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards