Purpose of personal firewalls?

[xierox]

catch,

Why not run personal firewalls on top of locking down each of the machines like you described and running a high quality firewall?

If the system you described equals X, wouldn't doing this be like X+1?

- X

[Juridian]

While keeping every box locked down from the start sounds good and all you never know what new vulnerability people and or malware will take advantage of. If you have the ability to run firewalls on the client systems that can act as another layer of security filtering out the traffic from those who are misbehaving and giving you time to get/build/test a patch. It can also act as an early warning system if you are actually paying attention or have reporting done on the logs.

Also, while having an external filter is a good start...It may or may not stop all unwanted traffic. Firewalls have holes too (most likely so does your network implementation if it has existed for a while).

Internally it may or may not be politically acceptable to stop installation of software, there is also the possibility someone will bring in their own hardware and place it on your network or use a bootable CD.

You really just need to evaluate your situation and judge whether a personal firewall internally will help you or not.

[catch]

Because by doing so you:

Increase costs
Slow the system security management process
Add no new security functionality

If the firewall actually added security relevant functionality... then you'd have to weigh those gains against the added costs, reduced mobility and reduces assurance.

Compare two approaches to securing a Linux based web server:

1. Add every security tool under the sun
2. Strip the system down to do NOTHING but serve web pages

Which system is more secure?
Which system is higher assurance?
Which system offers greater mobility?
Which system is cheaper to maintain?

cheers,

catch

Internally it may or may not be politically acceptable to stop installation of software, there is also the possibility someone will bring in their own hardware and place it on your network or use a bootable CD.

A personal firewall solves none of these problems.

[Juridian]

The personal firewall doesn't solve the problem that those things can happen. It can however stop or report on the traffic coming from the person in question.

As far as slowing things up, it's my understanding that more vendors are making solutions that can be centrally managed.

You'll most likely see the most personal firewall usage as part of your endpoint security. Many vpn packages include them now for the end clients to further bolster their security and make them less likely to be used as a go between for traffic into your network.

They can also be a good idea to stick on machines that take advantage of wireless connections to filter unwanted traffic. This can also be accomplished by taking advantage of ipsec and it's packet filtering capabilities.

[xierox]

Thank you, both Jurdian and catch.

- Xierox

[catch]

The personal firewall doesn't solve the problem that those things can happen. It can however stop or report on the traffic coming from the person in question.

The personal firewall will be bypassable by custom tools if users can install what they like.

The personal firewall won't be on at all if the system is alternatively booted.

Points of high assurance will do a wonderful job at dealing with such attacks... and users should never, ever, ever, ever I repeat ever be allowed to install software at will.

Without a change control process... no point in securing anything... since you don't even know what you are securing.

cheers,

catch

[catch]

You'll most likely see the most personal firewall usage as part of your endpoint security. Many vpn packages include them now for the end clients to further bolster their security and make them less likely to be used as a go between for traffic into your network.

They can also be a good idea to stick on machines that take advantage of wireless connections to filter unwanted traffic. This can also be accomplished by taking advantage of ipsec and it's packet filtering capabilities.

No.
Personal firewalls are garbage... in a networked environment no system can ever be trusted to manage its own security.

Systems that are mobile must be on their own network segment from the internal trusted LAN.

IPSEC is different in that it is centrally managed and not "personal". It still shouldn't be on local systems though.

cheers,

catch

[Juridian]

Never ever allowed to install software eh?

That really makes software development and quality assurance a bitch.

The pf i mentioned wasn't intended to stop the users from installing whatever they like, although some have HID functionality and the ability to stop unknown processes from accessing the network adapter. It is intended to stop those people from doing things to other people's machines.

Really instead of going with a personal firewall solution I'd use IPSec to do the filtering, traffic validation, etc. It's easy enough to manage with AD and GP on winders or to script something else up for the linux systems using racoon or Openswan.

[Juridian]

Actually the vpn packages I mentioned do centralized firewall administration. Generally they also enforce a few things via GP. They force you to use the rulesets defined by the admin and generally MUST be used in order for the vpn server to take your connection. They are there to further secure the endpoints you can't control. To neglect those systems and allow just any traffic to be routed through them and into your network would be stupid.

I agree that the wireless connections should be on their own network segment, but the personal firewall on those systems is intended to prevent other people from sending those machines unwanted traffic.

Ipsec doesn't have to be centrally managed (especially on linux systems). Again, this all depends on your network environment and business needs, federal regulations, etc.

[gore]

Originally posted here by catch
Would you run a personal firewall or AV system on Linux? Why not? Because people tend to use normal, non-administrative accounts.

Playing Bastard's advocate:

I run AV software and a firewall on my main workstation one, to make sure when I send mail to someone a virii that can't hurt me doesn't get to them and a Firewall... Well, the one in the Kernel... In case I need to put the box online. But the AV software doesn't look for Linux virii, it only looks for Windows stuff.

On another machine I have I don't run either a firewall or AV. It's not because of an account, it's because the 4 Linux worms / Virii don't get in because I don't download software from anywhere and only use trusted sources. And every Peice of software has an MD5 sum, which isn't fool proof but it's another step.

SSH is installed but not running... Sendmail is there but that's only on Local. I've never been rooted. And every night on my main workstation security scripts are ran to try and crack the root password, do an Nmap scan, show all crackable accounts, tell me what's running, take all of that, add the files that have been chaned, and then take the logs and mail it all to root, and to another email addy I told it to send to like a Yahoo account or something, and I don't have to log in as root ever.

Configuration is done via sudo. So root doesn't log in and if it does that gets mailed to me as well.

This is all from software the distro came with.

Why you got positives is beyond me... the community is just full of people who have no concept of basic math skills. Damned American public schools.

Should be sued for false advertising. They call it a "school" and those are supposed to be a place to learn.