[SASAG] Windows Servers firewall question

Richard Haynal Richard.Haynal at wsha.org
Fri Apr 10 09:52:50 PDT 2009

I have been involved with security for about 10 years now. I am SANS trained and certified (not that it should matter). The basic principles of security have been established for quite some time. When I hear terms like "old school", "new school", "deperimeterization", etc., I think someone is just trying to sell something to organizations that don't have trained security staff.
First off, good security practice needs to define a perimeter. If you don't know what's yours, you can't defend it. Also, defining a perimeter allows you to funnel all traffic through certain choke points (firewall) where you can attempt to monitor and mitigate certain attacks. It's an old practice that one breaks up what you are defending into zones. Each zone will have its own security requirements. Possibly what Mike is referring to as "deperimeterization". After setting up zones, "defense in depth" can offer added protection in areas that are determined to be critical. That means in addition to network protection (firewalls, intrusion detection, etc.) you apply host-based protection (firewall, Tripwire, host-based intrusion detection) as well.
Personally, I don't like a firewall on hosts as it can create certain "user" problems. Also, host firewalls can block authorized scanning of workstations. I would much rather use a product like Tripwire. But if I were to stick a firewall on a host I would use something other than the one that comes with Windows. Most exploits target MS protocols and ports. But MS needs some of these to be open to function properly. So they have a stake in letting some potential problems go through.
Anyhow ... all security boils down to risk management. After doing a risk assessment, how many resources are you willing or able to commit to mitigate some or all of the risk, and what level of risk are you willing to live with?

>>> On 4/10/2009 at 8:44 AM, in message <73EFAA75-D384-4F0D-9595-B5D21D228A84 at adotout.com>, Dennis Opacki <dopacki at adotout.com> wrote:

There's also been a push in recent years for "deperimeterization" (sp?). This implies collapsing your network's trust boundary and protecting just critical data and systems. Think about how you would design your corporate apps so that they could be safely used if the network looked more like free coffee shop wireless than a fortress. From that vantage, it becomes easy to support enhancements like teleworking, SaaS, and other generally "cloudy" junk.


On Apr 10, 2009, at 12:58 AM, macker wrote:

Not an easy answer to this one. I am a full-time infosec guy, having come from Watchguard where I started security full-time, and part-time throughout my entire college years, which seems eons ago.

I work with both host-based and perimeter, among many other things. Many places (not just universities) are moving towards a more open approach. The UW is one from what I understand. Bruce Schneier also has some interesting answers on the topic.

Granted, what is right for one organization cannot just be 'placed' into another. I would recommend googling "open network security vs. closed network insecurity".

'Defense in depth', afaik, has never been debatable, but perimeter vs. host-based is. I use both in *certain situations* or infrastructure. In other situations, I rely on mitigating controls.

You be the judge: http://staff.washington.edu/gray/talks/2002/netinsec4.ppt . Not sure there is a 'right' or 'wrong'. Your people are always the weakest link.


On Thu, Apr 9, 2009 at 11:23 PM, James Affeld <jamesaffeld at yahoo.com> wrote:

Yep - the "hard crust" perimeter defense approach is old school - like medicine before germ theory.  One compromise through the hardware firewall, to an unpatched web server, say, and all the exposed services running on an interior machine are at risk.

--- On Thu, 4/9/09, Lee Damon <nomad at castle.org> wrote:

> From: Lee Damon <nomad at castle.org>
> Subject: Re: [SASAG] Windows Servers firewall question
> To: "Lap Huynh" <laphuy01 at yahoo.com>, "Seattle Area System Administrators Guild" <members at lists.sasag.org>
> Date: Thursday, April 9, 2009, 7:18 PM
> Just because a firewall is protecting the exterior access doesn't mean
> your hosts are individually protected.  What happens when someone brings
> in an infected laptop?  You're completely exposed if they're inside your
> firewall.
> You need host-based protection in addition to network protection.
> nomad
> Lap Huynh wrote:
> > At my previous company we disabled Windows Firewall on our servers.
> > However, at my current company we turn on Windows Firewall. My opinion
> > is that we don't need to turn on Windows Firewall if we already have a
> > hardware firewall. Of course, reading on Microsoft TechNet it says we
> > should turn on Windows Firewall even with a hardware firewall. Does Cisco
> > or any other vendor suggest turning off that feature?
> >
> > Thanks,
> >
> >
> >
> ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Members mailing list
> > Members at lists.sasag.org 
> > http://lists.sasag.org/mailman/listinfo/members 
> _______________________________________________
> Members mailing list
> Members at lists.sasag.org 
> http://lists.sasag.org/mailman/listinfo/members 

