[LUNI] Somewhat OT Security Question?
mjinks at sysvi.com
Mon Dec 31 16:05:01 CST 2001
On Mon, Dec 31, 2001 at 03:25:14PM -0600, Jack Beglinger wrote:
> > Oh yeah, and in response to the post about a firewall: Beware! Firewalls
> > don't solve everything and they create problems in addition to the ones
> > they solve. Unless you know why you need a firewall and what to do with
> > it, you don't need it.
> This is bunk. Oh RBM - please post your checking numbers since of course
> no one will be able to take any money out...
> Everyone needs a firewall, period.
This is bunk. If you have one machine, decently secured, firewalls add
needless complication and may degrade functionality.
If you are clueless, firewalls do the above and also contribute to a
false sense of security.
Note that for the present discussion I'm assuming "firewall" to mean a
separate device; firewalling rules on a host are a different matter, and
particularly if the code to run them is free (gratis, at least) it's hard
to find fault with such things. But (note: recurring theme) you have to
know how to use them.
> If you do not have one - that is one more
> way you can lose the control of your system.
If you don't have one, it's true that goofy things you do on the "target"
system may make you more vulnerable, and some of those goofy things are
done by default in Windows.
If you do have one, you might be better off or you might not; how do we
know, having never seen any of the machines in question, nor the putative
firewall which might protect it/them? Or you might suddenly find that
your Net access is shot. Firewall's fault? Dunno, better read up on some
documentation, which was what I meant my thesis to be in the first place.
I happen to run a firewall at home; I happen _not_ to run one at work. In
each case I have good reasons. Beware of overgeneralization. I use my
network to do certain things; do you know what they are? And since you
don't know what they are, can you tell me how best to protect the machines
that I'm using?
> Firewalls - help protect from external attacks.
...by using certain mechanisms, most of which will be terra incognita to
the casual Windows network user, each of which is helpful in preventing
only certain classes of exploits. A given firewall on a given network
might stop a given attack; but we're talking about networks in general
(because we don't know this guy's setup), firewalls in general (there are
many and they are various), attacks in general (only some of which have
anything to do with hammering away on an unguarded network port).
> Mostly because of
> misconfigured systems, services will not be broadcast or allowed to be attached
> to by an outside system - i.e.: Windows and Sharing Drives.
If you're purchasing (or recommending the purchase of) firewalls in order
to shut off Windows drive sharing, particularly for a one-host network,
you're wasting money. So much easier to just shut off the stupid drive
shares in the first place.
Once they have a real network, such that drive sharing might actually be
useful, then we can revisit the issue; but even then a host dedicated to
guarding the border is still an open question.
> Systems from
> the outside will not be able to connect to your systems since that type of
> traffic is normally blocked - both in- and out- bound.
One of the reasons I shied away from specifics in my initial post is that
we know nothing, not a thing, about this person's friend's network. Now
you'd have us assume qualities of a device that this person's friend has
not yet shopped for let alone bought?
> Another example is IIS
> and Code Red. I have internally an IIS server but no problems with Code Red
> since its services are available to in-bound requests.
I don't look at consumer-grade firewalls all that much, but I have yet to
see one that would do anything at all about Code Red or Nimda. Most of
them just filter by protocol and possibly also by state; so, open the
web port, in comes Code Red (or whatever), firewall be damned. This is
precisely the sort of message I did my best NOT to send in the first place
and the sort of idea that firewall-as-panacea can give rise to.
You recommend a few (very good) open-source software projects; but even
in those cases there's no substitute for knowledge, and once you're
knowledgeable you don't need the product recommendations all that much.
> Safety for you and your information is in using all available tools to help
> protect. Do not let someone tell you it is hard to do - or scare you with
> "problems" - as with everything there is good and bad - you need to use your
> head, do research and choose what is best for you.
--Rev. Bad Mikey
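An added illustration of two points made in the message above (it is example code written for this page, not anything posted by either list member): a port-and-state filter will happily drop inbound NetBIOS/SMB connections, which is the "shut off the drive shares" case, but it will also pass a Code Red or Nimda probe untouched once tcp/80 is open, because it never looks at the HTTP request. The rule table, the sample packets, the 203.0.113.x / 198.51.100.x addresses and the two request patterns are all constructed for the demonstration; the patterns only resemble the shape of the historical Code Red (`/default.ida?NNN...`) and Nimda (`cmd.exe` / `root.exe`) probes and are not a complete signature set.

```python
"""Toy model: stateful port filter vs. application-layer inspection.

Added example for this page, not code from the original post. Everything
below (rules, addresses, payloads, patterns) is constructed for illustration.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    proto: str
    payload: bytes = b""
    established: bool = False  # reply to a connection this host opened


# Constructed rule table in the style of a consumer-grade stateful filter:
# (proto, dst_port) -> verdict for *new* inbound connections.
INBOUND_RULES = {
    ("tcp", 80): "ACCEPT",   # the web server the owner wants reachable
    ("tcp", 139): "DROP",    # NetBIOS session service (Windows file sharing)
    ("tcp", 445): "DROP",    # SMB directly over TCP
    ("udp", 137): "DROP",    # NetBIOS name service
    ("udp", 138): "DROP",    # NetBIOS datagram service
}
DEFAULT_POLICY = "DROP"


def port_filter(pkt: Packet) -> str:
    """Decide the way a port/state filter does: established traffic passes,
    new inbound connections are judged by protocol and port only."""
    if pkt.established:
        return "ACCEPT"
    return INBOUND_RULES.get((pkt.proto, pkt.dst_port), DEFAULT_POLICY)


# Application-layer checks a plain port filter never performs.  The patterns
# are constructed to match the *shape* of the Code Red and Nimda probes.
CODE_RED_RE = re.compile(rb"^GET /default\.ida\?N{20,}")
NIMDA_RE = re.compile(rb"^GET /[^ ]*(?:cmd\.exe|root\.exe)\?/c\+", re.I)


def http_inspect(payload: bytes) -> str:
    """Classify an HTTP request line; 'clean' means no known probe shape."""
    if CODE_RED_RE.match(payload):
        return "code-red-like"
    if NIMDA_RE.search(payload):
        return "nimda-like"
    return "clean"


def evaluate(pkt: Packet):
    """Return (port_filter_verdict, app_layer_verdict).

    The app-layer verdict is only produced for traffic the port filter has
    already accepted on tcp/80 -- which is exactly the point: by then the
    filter has done all it is going to do."""
    verdict = port_filter(pkt)
    if verdict != "ACCEPT" or pkt.proto != "tcp" or pkt.dst_port != 80:
        return verdict, None
    return verdict, http_inspect(pkt.payload)


# Constructed sample traffic (addresses are documentation ranges).
SAMPLES = {
    "smb_probe": Packet("203.0.113.9", 139, "tcp"),
    "normal_get": Packet("203.0.113.10", 80, "tcp",
                         b"GET /index.html HTTP/1.0\r\n"),
    "code_red": Packet("203.0.113.11", 80, "tcp",
                       b"GET /default.ida?" + b"N" * 224
                       + b"%u9090%u6858%ucbd3 HTTP/1.0\r\n"),
    "nimda": Packet("203.0.113.12", 80, "tcp",
                    b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n"),
    "reply_to_us": Packet("198.51.100.5", 40000, "tcp", established=True),
}


def run_all() -> dict:
    """Evaluate every sample; returns {name: (port_verdict, app_verdict)}."""
    return {name: evaluate(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (pf, app) in run_all().items():
        print(f"{name:12} port-filter={pf:6} app-layer={app}")
```

Running it shows the SMB probe dropped by the port rule alone, while both worm-style requests get `ACCEPT` from the port filter and are only called out by the HTTP-aware check; the same outcome you get from simply unbinding file sharing on the host, versus buying a box to do it for you.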