From: gufus on
Hello, schtebo!

You wrote on Thu, 8 Apr 2010 04:50:02 -0700 (PDT):


s> I think default Firewall from Microsoft should do it for us all.

After setting up a few off-the-shelf firewalls, and getting frustrated with
everything, I'm back to using the Win NT stock firewall, and everything is
working again.

Good advice. :)


--
With best regards, gufus. E-mail: stop.nospam.gbbsg(a)shaw.ca


From: Grant Taylor on
Ansgar -59cobalt- Wiechers wrote:
> I guess it'll have to.

Fair enough. ;-)

> http://en.wikipedia.org/wiki/Witty_(computer_worm)

Interesting. I will have to do some follow up reading on that.

> If you have to do that, you have a server placement issue. Boxes that
> shouldn't be able to access what the server is providing should not
> be located in the same network segment.

I think we misunderstand each other. Let me give an example.

Suppose that a hosting company has multiple IIS web servers behind an
edge ingress filtering firewall that only allows traffic to TCP ports 80
and 443 through. Within the network the servers also allow SNMP and /
or RPC for remote computer management.

What prevents a web site on one of these hosts from becoming compromised
and running a local program that starts attacking the other systems in
the local subnet? This local program would have unfettered access to
SNMP and / or RPC on the other servers that are behind the edge ingress
filtering firewall.

Conversely, if the web servers were running a software based firewall,
they could easily filter SNMP and / or RPC traffic so that only the
management station(s) could access them, thereby protecting them from
the program running locally on the compromised server.

These types of side attacks (if you will) are what I'm saying that a
software based firewall will help prevent.

> This is the exact type of thing, that firewall can't protect you from
> (unless you're using a sanitizing reverse proxy or something).

I'm not sure that I understand what you are trying to say.

The closest that I can come up with is that the edge firewall is doing
egress filtering.

> Again: any service that should be accessible, cannot be protected by
> a packet filter. Any service that shouldn't be accessible, should not
> be running (or at least not be listening on the external interface)
> in the first place. It really is as simple as that.

What if you modify my above example of the server farm where one
interface is public and another interface is private (think DMZ /
management network) and the local program starts attacking the internal
network. Again, I believe that the software based firewall would help
protect other servers from the attack.

A perfect example of a service would be to not run SSH on the external
interface, yet run it on the internal interface for remote management.

> They can't afford using the tools that come with the operating
> system, but can afford to buy a centrally manageable host-based
> firewall solution? You have to be kidding me.

I believe you misunderstand what I'm getting at.

I'm not aware of any utility included in either 2k3 or 2k8 that allows
changes to multiple IIS web servers at one time, i.e. "do not process
requests from the w.x.y/24 network".

> "sc /?" tells you why you're wrong.

You are correct that there are ways to administer the operational state
of a service, such as whether it is started / stopped / etc. That does
little to prevent a service from talking to a given subnet.

> A quite substantiated opinion, no less.

I'm sure it is. ;-)



Grant. . . .
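The host-based filtering Grant describes above (management protocols reachable only from the management station, on the private interface, with the peer subnet unable to reach them) can be pushed to a farm of Windows Server 2008 IIS hosts with the firewall that ships with the OS. The script below is an added example, not code from anyone in this thread. It uses the "netsh advfirewall" context (Windows Firewall with Advanced Security, present on Vista / 2008 and later; Windows Server 2003 only has the older "netsh firewall" context, whose syntax differs). The hostnames, addresses and subnet are constructed for illustration, and it assumes netsh's "-r" remote option works against each target (Remote Registry service reachable, administrative rights on the box).

```powershell
# Added example (not from the thread). Restrict SNMP, RPC and RDP on a farm of
# Windows Server 2008 IIS hosts to a single management station, using the
# built-in "netsh advfirewall" context and netsh's -r option to reach each box.
# All names, addresses and subnets below are constructed for illustration.

# Hostname -> address on the private (management) interface of each web server.
$Servers = @{
    'web01' = '192.168.50.11'
    'web02' = '192.168.50.12'
    'web03' = '192.168.50.13'
}
$MgmtStation = '192.168.50.5'     # assumed: the only box allowed to manage the farm
$PeerSubnet  = '192.168.50.0/24'  # assumed: the web servers' own segment

foreach ($srv in $Servers.Keys) {
    $privIp = $Servers[$srv]
    Write-Host "Configuring $srv (private interface $privIp)"

    # Default posture on all profiles: drop unsolicited inbound, allow outbound.
    netsh -r $srv advfirewall set allprofiles state on
    netsh -r $srv advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

    # The services this host exists to provide stay open to everyone.
    netsh -r $srv advfirewall firewall add rule name=Allow-HTTP  dir=in action=allow protocol=TCP localport=80
    netsh -r $srv advfirewall firewall add rule name=Allow-HTTPS dir=in action=allow protocol=TCP localport=443

    # Management protocols: SNMP (UDP 161), RPC endpoint mapper (TCP 135) and
    # RDP (TCP 3389) are accepted only from the management station and only on
    # the private-interface address. A compromised sibling server on the same
    # subnet is caught by the default inbound block.
    # (Dynamic RPC ports beyond the endpoint mapper need their own rule.)
    netsh -r $srv advfirewall firewall add rule name=Allow-SNMP-Mgmt dir=in action=allow protocol=UDP localport=161  "localip=$privIp" "remoteip=$MgmtStation"
    netsh -r $srv advfirewall firewall add rule name=Allow-RPC-Mgmt  dir=in action=allow protocol=TCP localport=135  "localip=$privIp" "remoteip=$MgmtStation"
    netsh -r $srv advfirewall firewall add rule name=Allow-RDP-Mgmt  dir=in action=allow protocol=TCP localport=3389 "localip=$privIp" "remoteip=$MgmtStation"

    # "Do not process requests from the w.x.y/24 network": an explicit block for
    # web traffic arriving from sibling servers. In WFAS a block rule takes
    # precedence over an allow rule, so this overrides Allow-HTTP/HTTPS for
    # that source range only.
    netsh -r $srv advfirewall firewall add rule name=Block-Peer-Web dir=in action=block protocol=TCP "localport=80,443" "remoteip=$PeerSubnet"

    # Check what actually landed on the box.
    netsh -r $srv advfirewall firewall show rule name=Allow-SNMP-Mgmt
    netsh -r $srv advfirewall firewall show rule name=Block-Peer-Web
}
```

Run this from the management station as a domain administrator. The arguments containing commas or variables are double-quoted because PowerShell would otherwise split a bare `80,443` into two arguments before netsh sees it. Tying the management rules to `localip` is what enforces "run it on the internal interface but not the external one" when the service itself cannot be bound to one address.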
From: Ansgar -59cobalt- Wiechers on
gufus <stop.nospam.gbbsg(a)shaw.ca> wrote:
> 12 Apr 10, Ansgar -59cobalt- Wiechers writes to Gypsy BBS:
>> You missed the point again. Even the best employees are
>
> I beg to differ. Sir.
>
> Employees /need/ to understand the system,

True, but besides the point. Repeating myself: even the best employees
are still human and *will* make mistakes here and there. Unnecessarily
raising the complexity of a system will only increase the chances of
this happening.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
From: gufus on
Hi Ansgar,

13 Apr 10, Ansgar -59cobalt- Wiechers writes to Gypsy BBS:

> From: usenet-2010(a)planetcobalt.net
>> Employees /need/ to understand the system,

> True, but besides the point. Repeating myself: even the best
> employees are still human and *will* make mistakes here and

Agreed... and you don't have to repeat yourself, there will always be human
error in life. That's life.

gufus
--
K Klement

Enhance your marketing at http://www.gypsy-designs.com
mailto:info(a)gypsy-designs.com
Gypsy Designs Fax: (403) 242-3221

.... Dr. Scott!" " Janet!" " Brad!" "Rocky!" "Uhhh!
From: gufus on
Hi Grant,

12 Apr 10, Grant Taylor writes to All:

> Conversely if the web servers were running a software based
> firewall, they could easily filter SNMP and / or RPC traffic
> so that only the management station(s) could access them.
> There by protecting them from the program running locally on
> the compromised server.

> These types of side attacks (if you will) are what I'm
> saying that a software based firewall will help prevent.

I still think your way is more secure. IMHO.

gufus
--
K Klement

Enhance your marketing at http://www.gypsy-designs.com
mailto:info(a)gypsy-designs.com
Gypsy Designs Fax: (403) 242-3221

.... Up your accumulator.