Security Basics mailing list archives

Re: Host-Base Firewall
From: Adriel Desautels <adriel () netragard com>
Date: Fri, 30 May 2008 19:26:37 -0400

John,
I couldn't agree with you more and I'll take it a step farther. Firewalls do need to be configured properly and most of them aren't, as Jon mentioned. The fact of the matter is that firewalls are not the only points of misconfiguration. In most businesses, most security appliances and other technologies also have broken or poor configurations.

Jon's point regarding Penetration Testing is very good advice (not just because we/I offer those services and want your business [yes, that was horribly shameless]) but because it will help you to understand your real and actual security posture... But there's a serious catch. Not all services offered by security companies are created equal. In fact, most providers don't appear to be able to properly differentiate between different services, let alone deliver them properly.

There are significant differences between a Penetration Test, Vulnerability Assessment and a Web Application Assessment. A Penetration Test is intrusive. It is a test where a team will attempt to hack into your network and gain access to your computers by exploiting a vulnerable service or other technology.

A Vulnerability Assessment is similar in that it will identify potentially exploitable vulnerabilities in your infrastructure, but it will not actually exploit those vulnerabilities. As such, a vulnerability assessment is non-intrusive. If you think about it, the names really say it all: penetration denotes entry or penetrating into; assessment denotes examination.

A good penetration test will create a deliverable that is the product of human talent. A bad penetration test will rely on automated tools and scanners and won't really do anything creative. I say it's bad because malicious hackers aren't going to test you in an automated way; they are going to test you in a creative way if they really want to get in. In fact, the most important thing to remember is that you need to be tested at the same or greater level of threat that you face in the real world. Testing at anything less is pointless, sorta like testing a tank with a BB gun.

A Web Application Assessment is either a vulnerability assessment or a penetration test of a Web based application. Web based applications are any dynamic websites that may (or might not) take input from a user. Web Applications often have back end databases, or pull data from some sort of data pool. About 80-90% of all successful hacks today are done by exploiting poorly tested and insecure Web Applications.

Of course there is a lot more to testing than just those services. There are great materials on the web that people should read such as the OSSTMM and OWASP.

One last thing, aside from not relying on automated tools or scanners, try to avoid security companies who tell you that they use confidential testing methodologies. In most cases that means that they do not really have a solid methodology and they do rely on automated scanners.

When you get the final deliverable you will be able to tell if you've made the right choice. A deliverable that is automated looks automated and redundant. A deliverable that is created by human talent and expertise is usually non-redundant and looks like a well thought out, hand-typed document.

Anyway, I wrote this in a hurry, but I'd be happy to answer any questions that anyone has if I was unclear about something, or if I said something wrong/stupid. Have a great weekend all!

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


Jon Kibler wrote:
Mohamed Farid wrote:
Dear All,

Any recommendation for a cost effective Host-Based Firewall to be installed
on my remote users' laptops, and to be managed and administered
centrally by my security team?


Hi All,

Okay, I want to start from the top because I believe that all the posts
to date have missed one major point: Any firewall is only as good as its
configuration (and change control), and the configuration is only worth
anything if it has been adequately tested.

Most firewalls I see, host or network based, are grossly misconfigured.
Host-based firewalls tend to have the worst problems, because of the
issues associated with how users work and what their access requirements
are.

I generally see one of three approaches taken to host firewall
(mis)configurations:
   1) Only attempt to filter traffic destined to somewhere off the LAN
or WAN.
   2) Filter all traffic, but the LAN / WAN traffic filter is the same
for everyone in the organization.
   3) Filter all traffic based upon the generic role(s) that the user
performs.

All of these approaches tend to open up holes that a tank can drive through.

Regardless of how the firewalls are configured, they MUST be pen tested!
Otherwise, how do you know that the configuration is correct? (Clue: You
don't!)

Which brings up the final issue: Do you log events (esp. on host-based
firewalls), do you centralize logs, and do you do real-time central event
alerting and response?

In the majority of organizations where they have deployed host-based
ANYTHING (AV, firewalls, IDS, NAC, etc.), the events are sent to the
user as a popup window and the user simply automatically clicks 'ALLOW'
without even reading the message. (And that presumes they could even
comprehend the alert to begin with!)

With no central logging, or no logging at all, no one up the food
chain has even half a clue that an exception occurred -- except the
clueless user, and they probably could not even remember receiving
the alert 30 minutes (seconds?) after it occurred.

TEST! TEST! TEST! That is the ONLY way to ensure a firewall is doing
anything of use! Also, someone other than the user should be getting a
clue that the testing is occurring!

Well, at least that is my $0.02 worth.

Jon Kibler

==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.
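As an added example (not code from either poster), the central check Jon is asking for: host-firewall logs shipped from the laptops are audited against a per-role inbound policy, flagging inbound ALLOW events outside the host's role (the user-clicked-ALLOW problem) and hosts whose logs never arrived. Hostnames, roles, policy and log lines are constructed; the field layout assumed here follows the W3C-style Windows Firewall pfirewall.log format.

```python
# Central audit of host-based firewall logs. Example code, not from the thread.
# Assumed log layout (pfirewall.log style, 17 fields):
#   date time action protocol src-ip dst-ip src-port dst-port size tcpflags
#   tcpsyn tcpack tcpwin icmptype icmpcode info path

# Constructed per-role inbound allow policy: role -> {(protocol, dst-port)}
ROLE_POLICY = {
    "sales": {("TCP", 3389)},             # remote assistance only
    "dev": {("TCP", 22), ("TCP", 8080)},  # ssh and a local test server
}
# Constructed inventory of managed laptops; "finance" has no inbound policy.
HOST_ROLE = {"lt-sales-01": "sales", "lt-dev-07": "dev", "lt-fin-02": "finance"}

# Constructed sample log lines, each tagged with the laptop that shipped it.
SAMPLE_LOGS = [
    ("lt-sales-01", "2008-05-30 19:01:12 ALLOW TCP 10.0.0.5 10.0.0.23 51002 3389 0 - 0 0 0 - - - RECEIVE"),
    ("lt-sales-01", "2008-05-30 19:02:40 ALLOW TCP 10.0.0.5 10.0.0.23 51010 445 0 - 0 0 0 - - - RECEIVE"),
    ("lt-dev-07", "2008-05-30 19:03:01 DROP UDP 10.0.0.9 10.0.0.31 5353 5353 0 - - - - - - - RECEIVE"),
    ("lt-dev-07", "2008-05-30 19:03:05 ALLOW TCP 10.0.0.31 93.184.216.34 50500 443 0 - 0 0 0 - - - SEND"),
]


def parse_line(line):
    """Return a record dict for one log line, or None for comments/short lines."""
    if line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 17:
        return None
    return {"action": f[2], "proto": f[3], "src": f[4], "dst": f[5],
            "dport": int(f[7]) if f[7].isdigit() else None, "path": f[16]}


def audit(records, hosts=HOST_ROLE, policy=ROLE_POLICY):
    """records: iterable of (host, log line).
    Returns (violations, silent_hosts): inbound ALLOWs outside the host's role
    policy, and managed hosts that sent no log lines at all."""
    violations, seen = [], set()
    for host, line in records:
        rec = parse_line(line)
        if rec is None:
            continue
        seen.add(host)
        if rec["action"] != "ALLOW" or rec["path"] != "RECEIVE":
            continue  # only inbound connections that got through matter here
        allowed = policy.get(hosts.get(host, ""), set())
        if (rec["proto"], rec["dport"]) not in allowed:
            violations.append((host, rec["proto"], rec["dport"], rec["src"]))
    silent = sorted(set(hosts) - seen)
    return violations, silent
```

A host that appears in `silent` is the "no logging at all" case; a host that keeps producing violations is the user clicking ALLOW.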

