[SASAG] Windows Servers firewall question

Dennis Opacki dopacki at adotout.com
Fri Apr 10 08:44:05 PDT 2009


Mike,

There's also been a push in recent years for  
"deperimeterization" (sp?). This implies collapsing your network's  
trust boundary and protecting just critical data and systems. Think  
about how you would design your corporate apps so that they could be  
safely used if the network looked more like free coffee shop wireless  
than a fortress. From that vantage, it becomes easy to support  
enhancements like teleworking, SaaS, and other generally "cloudy" junk.

-Dennis

On Apr 10, 2009, at 12:58 AM, macker wrote:

> Not an easy answer to this one. I am a full time infosec guy,  
> having come from Watchguard where I started security full-time, and  
> part time throughout my entire college years which seems eons ago.
>
> I work with both host-based and perimeter, among many other things.  
> Many places (not just universities) are moving towards a more open  
> approach. The UW is one from what I understand. Bruce Schneier  
> also has some interesting answers on the topic.
>
> Granted, what is right for one organization, cannot just be  
> 'placed' into another. I would recommend googling "open network  
> security vs. closed network insecurity".
>
> 'Defense in depth', afaik, has never been debatable, but perimeter  
> and host based is. I use both in *certain situations* or  
> infrastructure. In other situations, rely on mitigating controls.
>
> You be the judge: http://staff.washington.edu/gray/talks/2002/netinsec4.ppt .
> Not sure there is a 'right' or 'wrong'. Your people are always the
> weakest link.
>
> -macker
>
>
>
> On Thu, Apr 9, 2009 at 11:23 PM, James Affeld  
> <jamesaffeld at yahoo.com> wrote:
>
> Yep - the "hard crust" perimeter defense approach is old school -  
> like medicine before germ theory.  One compromise through the  
> hardware firewall, to an unpatched web server, say, and all the  
> exposed services running on an interior machine are at risk.
>
>
> --- On Thu, 4/9/09, Lee Damon <nomad at castle.org> wrote:
>
> > From: Lee Damon <nomad at castle.org>
> > Subject: Re: [SASAG] Windows Servers firewall question
> > To: "Lap Huynh" <laphuy01 at yahoo.com>, "Seattle Area System  
> Administrators Guild" <members at lists.sasag.org>
> > Date: Thursday, April 9, 2009, 7:18 PM
> > Just because a firewall is protecting the exterior access
> > doesn't mean
> > your hosts are individually protected.  What happens when
> > someone brings
> > in an infected laptop?  You're completely exposed if
> > they're inside your
> > firewall.
> >
> > You need host-based protection in addition to network
> > protection.
> >
> > nomad
> >
> > Lap Huynh wrote:
> > > At my previous company we disabled Windows firewall on
> > our servers.
> > > However, at my current company we turn on windows
> > firewall. My opinion
> > > is that we don't need to turn on Windows Firewall
> > if we already have
> > > hardware firewall. Of course, reading on Microsoft
> > technet it says we
> > > should turn on Windows firewall even with hardware
> > firewall. Does Cisco
> > > or any other vendor suggest turning off that feature?
> > >
> > > Thanks,
> > >
> > >
> > >
> > > ------------------------------------------------------------------------
> > >
> > > _______________________________________________
> > > Members mailing list
> > > Members at lists.sasag.org
> > > http://lists.sasag.org/mailman/listinfo/members
