
Thread: Purpose of personal firewalls?

  1. #31
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by zencoder
    catch I had a whole reply lined up, but I've deleted it.

    I, like others, am done discussing things with you. I won't ignore you, because I do value your input, but I recognize you have a strong opinion on how you think things should be done and do not respond to others' suggestions or opinions, except to point out how flawed they are in your view of the universe.

    I hope you are lucky enough to continue to work in the sorts of environments you've described. The rest of us will continue to 'get by' in the trenches as we have.

    Cheers.
    You pussy.

    Catch, Linux is better. Damn dude, have some balls; it's fun when he gets pissed and gets down to the details.

  2. #32
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    <off-topic>
    I'm too old and tired.

    http://tinyurl.com/bm3vz

    Link is safe for work, although will probably offend some people. Sorry...don't mean to be insensitive, but that's what humor is all about, isn't it?
    </off-topic>
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #33
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,886
    If you boil down this entire thread, you can find the truth somewhere in the middle.

    First, requirements drive everything you do. Once you have them in hand, you can quickly do a risk assessment and see where the biggest break points are. Models, standards and such will all hang off the framework of your requirements and in some cases, your requirements may change based on mandates that the project manager is not aware of.

    Second, you address these issues with the available resources and time provided. Rarely will you ever hear me say, "We've completely mitigated all risks." As someone mentioned, the real end point here is acceptable levels of risk in order to conduct business.

    Third, there are several elements that must make up a secure organization. If management doesn't buy into change control (which I see as a cornerstone to a secure environment), then the fight is over. There is no way you can successfully defend an organization when there are infinite vectors of attack.

    Fourth, personal firewalls like the one in XP SP2 are not good. They suck, to be quite frank. There are numerous reports out there which show that most of these solutions are useless because end users are not capable of making sound decisions when prompted by the app. Case in point, a malware seeder went to a gaming chat room and popped up links to free games. He then told them to click OK to whatever warnings came up on the screen. This of course allowed the seeding to begin. Now, the audience was 14-year-old kids and, contrary to what some may believe, daddy or mommy will allow jr to use corporate resources such as laptops when they are at home.

    Also, many vectors of attack don't require the end user at all. The point here is not to rely on a flawed model that has already had its time in the history of computing. I feel the same way about signature-based solutions (AV and such) but that's another fight altogether.

    Fifth, defense in depth is a wonderful posture and does work well. The catch here is in design and management. I can't go into great detail here but our system is damn near perfect. No zero days, ever, in our sensitive subnets. Note that physical security is also stitched in this stance. Least privilege is my religion. Allow only what is known to be safe and nothing else. Hmmmm, there's a tattoo idea. LOL.

    Sixth, standardized desktops and allowing users to only do what their job function calls for is an excellent stance. While it isn't foolproof, you'll weed out 95% of the nonsense and you'll notice that your bandwidth suddenly has risen to new speed levels.

    Side note: Gibson research really isn't about research. It's about sales. I once noted that the GR site is like McDonalds. If you want something really fast and terribly bad for you then it's the perfect place to visit.

    Anyway, just another 2 cents.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #34
    Senior Member
    Join Date
    Oct 2003
    Posts
    394
    "Look n Stop Lite" is good for blocking ports and it is free, but the free version cannot block programs.
    I think that it is a good alternative to "Kerio" personal firewall, because Kerio will not be free soon.

    You can download it and some more from http://www.snapfiles.com/freeware/se...wfirewall.html
    and test what you like more.
    // too far away outside of limit

  5. #35
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Excellent reply thehorse... and MrBabis... you should be ashamed following that post with what you did.

    cheers,

    catch

  6. #36
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252
    Hello all-

    Great thread - quite insightful - both in the technical and methodological senses. However, one question continues to plague me from zencoder's post; who are catch's Oompah-Loompahs? They're wily devils to begin with, and getting them to work on security must be one helluva trick. Heh.

    Ok - and it was mentioned throughout the thread, "Defense-in-Depth" - is there a proven methodology that most people agree to deploy? Is it something like ISO 17799? Is one model a pipe dream? I realize security is a continually moving and evolving topic, but is there a general framework people tend to use? I know this is opening me up, but I just found out I get easily confused when weeding through the mud looking for diamonds.

    catch, zencoder and TH13 - thanks for the great posts - a lot of good information and TH13's post helped to summarize.

    zencoder - you're not too old and tired - Eye of the Tiger! Eye of the Tiger!

    catch - you're not leaving AO are you?!?
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.

  7. #37
    I just wanted to add that the environment Catch frequently describes is not uncommon, it happens to be one I work in myself, and I would appreciate it if his input wasn't shot down so often as unfathomable.

    Thanks

  8. #38
    I think that, as in most things, the "appropriate" solution depends on your situation. For example, at work a host-based firewall would severely hamper various tools needed for day-to-day functioning; on the other hand, the network at my home has several computers, most of which are not mine, and therefore I don't entirely trust them to be secured and patched, thus I run a host-based firewall even though I also have a router with a firewall running. After all, how do I know that my friend's unpatched/unfirewalled machine won't get infected if something manages to get past the router's firewall, and thus establish itself within the "trusted" portion of the network?
    "The future stretches out before us, uncharted. Find the open road and look back with a sense of wonder. How pregnant this moment in time. How mysterious the path ahead. Now, step forward."
    Phillip Toshio Sudo, Zen Computer
    Have faith, but lock your door.

  9. #39
    Junior Member
    Join Date
    Nov 2005
    Posts
    22
    For example, at work a host-based firewall would severely hamper various tools needed for day-to-day functioning; on the other hand, the network at my home has several computers, most of which are not mine, and therefore I don't entirely trust them to be secured and patched, thus I run a host-based firewall even though I also have a router with a firewall running.
    That's one thing that I'm still wondering about. Would you really need a host/personal firewall? In my case I'm kind of paranoid and I like to know what dials out, but for most of your non-technical or even technical users, do you really need a firewall on a host system?

    After all, the majority of the user PCs don't run services. If someone really wants to crack into the system, what is there to crack? What services can he connect to since the user isn't running any?

    Even the systems that run services, i.e. web/FTP servers, their purpose is to allow others to connect to them. So would a firewall really be useful in this case? The admin/whoever would still have to open up the port to connect to that service. So what would be the purpose of the firewall in that case?

    I understand the situation in which, for example, an FTP server was in the DMZ and you would want to block specific IPs because they keep hammering the server, then a firewall would be used, but even then can't a router just be configured to drop packets from X.X.X.X? In certain special situations, the need for a firewall may be apparent but in most cases does one really need to have a firewall in place? I guess it's standard practice to have a firewall at the point of entry into the network from the net and one from the DMZ into the internal network but other than that, does anything else really need a firewall? If a system got cracked, it's usually because it was offering a service and the program that offered that service had some sort of flaw in it.

    I'm trying to justify running a firewall on a PC that isn't acting as a router/bridge/etc, a typical user's PC or even a server.

    I'm starting to think that getting a firewall is all a conspiracy cooked up by corporations to earn more money.


    how do I know that my friend's unpatched/unfirewalled machine won't get infected if something manages to get past the router's firewall, and thus establish itself within the "trusted" portion of the network?
    Wouldn't that, in this case, be an antivirus issue? What is there to worry about in that part of the network? Even if someone in that network were to do a port scan/etc., so what? What is there to crack in that case?

  10. #40
    Senior Member
    Join Date
    Nov 2005
    Posts
    115
    Originally posted here by Soda_Popinsky
    I just wanted to add that the environment Catch frequently describes is not uncommon, it happens to be one I work in myself, and I would appreciate it if his input wasn't shot down so often as unfathomable.
    I guess this discussion should be established as two-sided, because the few environments I've worked in HAVEN'T had these controls in place. It isn't really a trusted environment. In these cases we should be treating the network as untrusted as the internet.

    Originally posted here by g3neration
    That's one thing that I'm still wondering about. Would you really need a host/personal firewall? In my case I'm kind of paranoid and I like to know what dials out, but for most of your non-technical or even technical users, do you really need a firewall on a host system?
    If the system is Internet-facing (i.e. modem) as in many non-technical homes which only have the single computer, then a personal firewall is the first line of defence against external sources.

    Probably why someone asked you what kind of network you were planning... if any system is internet facing then you need some sort of firewall device between (software or hardware).

    Originally posted here by g3neration
    After all, the majority of the user PCs don't run services.
    What do you mean by services? If non-technical Mr Joe installs Windows XP/Linux and plugs in the modem, dials up, no firewall, he will have many services open to the internet...

    Whereas you sound like you would disable those services... so there would seem to be no _immediate_ need for a firewall... as d0pp originally said.

    The ignorance of Mr Joe means that he will be exposed... I would recommend to anyone like Mr Joe who wanted to get computer savvy to check out firewalls and install one. Not only should it block all services by default and enhance security, but Mr Joe starts to learn that his computer does a lot more than what he can click and type.

    I have simplified it down to Mr Joe because many computer users are like that. Even some smaller business networks have the attitude "every man for himself". I think that is the culture zencoder is referring to.

    Catch's recommendations are sound in a well controlled environment. Unfortunately not all environments are controlled... and the admins must do what they can to enforce policy [best practice] in the hostile environment [ad hoc wireless, poor password management, lack of skillset, all compounded by management who say IT is already too expensive].

    That's my 2c...

    Al
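
Posts #39 and #40 turn on which services a host actually has listening and who can reach them. The following is an added example, not code from any poster in this thread: it parses a constructed sample in the layout of Windows `netstat -an` output and reports every non-loopback listener that is not on an explicit allow list, which is the set an inbound default-deny host firewall would cover. The sample lines, addresses and the allow list are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the layout of Windows `netstat -an` output
# (not captured from a real host; addresses are documentation ranges).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1040        198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:1900           *:*
"""

def parse_listeners(text):
    """Return (proto, ip, port) for each listening TCP / bound UDP socket."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue  # header or unrelated line
        if f[0] == "TCP" and (len(f) < 4 or f[3] != "LISTENING"):
            continue  # established/closing connections are not listeners
        host, _, port = f[1].rpartition(":")
        found.append((f[0], ipaddress.ip_address(host.strip("[]")), int(port)))
    return found

def exposure(ip):
    """Classify who can reach a socket bound to this local address."""
    if ip.is_loopback:
        return "local-only"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "one-interface"

def audit(text, allowed=frozenset()):
    """Default-deny view: report every non-loopback listener not in `allowed`."""
    findings = set()
    for proto, ip, port in parse_listeners(text):
        kind = exposure(ip)
        if kind != "local-only" and (proto, port) not in allowed:
            findings.add((proto, port, kind))
    return sorted(findings)

if __name__ == "__main__":
    for proto, port, kind in audit(SAMPLE, allowed={("TCP", 445)}):
        print(f"{proto}/{port}: reachable on {kind}, not on the allow list")
```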
