Re: Host-Base Firewall
From: Adriel Desautels <adriel () netragard com>
Date: Fri, 30 May 2008 19:26:37 -0400
I couldn't agree with you more and I'll take it a step farther.
Firewalls do need to be configured properly and most of them aren't, as
Jon mentioned. The fact of the matter is that firewalls are not the only
points of misconfiguration. In most businesses, most security appliances
and other technologies also have broken or poor configurations.
Jon's point regarding Penetration Testing is very good advice (not just
because we/I offer those services and want your business [yes that was
horribly shameless]) but because it will help you to understand your
real and actual security posture... But there's a serious catch. Not all
services offered by security companies are created equal. In fact, most
providers don't appear to be able to properly differentiate between
different services, let alone deliver them properly.
There are significant differences between a Penetration Test,
Vulnerability Assessment and a Web Application Assessment. A Penetration
Test is intrusive. It is a test where a team will attempt to hack into
your network and gain access to your computers by exploiting a
vulnerable service or other technology.
A Vulnerability Assessment is similar in that it will identify
potentially exploitable vulnerabilities in your infrastructure, but it
will not actually exploit those vulnerabilities. As such, a vulnerability
assessment is non-intrusive. If you think about it, the names really say
it all. Penetration denotes entry or penetrating into, assessment
A good penetration test will create a deliverable that is the product
of human talent. A bad penetration test will rely on automated tools and
scanners and won't really do anything creative. I say it's bad because
malicious hackers aren't going to test you in an automated way, they are
going to test you in a creative way if they really want to get in. In
fact, the most important thing to remember is that you need to be tested
at the same or greater level of threat that you face in the real
world. Testing at anything less is pointless, sorta like testing a tank
with a BB gun.
A Web Application Assessment is either a vulnerability assessment or a
penetration test of a Web-based application. Web-based applications are
any dynamic websites that may (or might not) take input from a user. Web
Applications often have back end databases, or pull data from some sort
of data pool. About 80-90% of all successful hacks today are done by
exploiting poorly tested and insecure Web Applications.
Of course there is a lot more to testing than just those services.
There are great materials on the web that people should read such as the
OSSTMM and OWASP.
One last thing, aside from not relying on automated tools or scanners,
try to avoid security companies who tell you that they use confidential
testing methodologies. In most cases that means that they do not really
have a solid methodology and they do rely on automated scanners.
When you get the final deliverable you will be able to tell if you've
made the right choice. A deliverable that is automated looks automated
and redundant. A deliverable that is created by human talent and
expertise is usually non-redundant and looks like a well thought out
hand typed document.
Anyway, I wrote this in a hurry, but I'd be happy to answer any
questions that anyone has if I was unclear about something, or if I said
something wrong/stupid. Have a great weekend all!
Adriel T. Desautels
Chief Technology Officer
Office : 617-934-0269
Mobile : 617-633-3821
Join the Netragard, LLC. Linked In Group:
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security
Netragard Whitepaper Downloads:
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn
Jon Kibler wrote:
Mohamed Farid wrote:
Dear All,
Any recommendation for a cost-effective Host-Based Firewall to be installed
on my remote users' laptops, and to be managed and administered
centrally by my security team?
Okay, I want to start from the top because I believe that all the posts
to date have missed one major point: Any firewall is only as good as its
configuration (and change control), and the configuration is only worth
anything if it has been adequately tested.
Most firewalls I see, host or network based, are grossly misconfigured.
Host-based firewalls tend to have the worst problems, because of the
issues associated with how users work and what their access requirements
I generally see one of three approaches taken to host firewall
1) Only attempt to filter traffic destined to somewhere off the LAN
2) Filter all traffic, but the LAN / WAN traffic filter is the same
for everyone in the organization.
3) Filter all traffic based upon the generic role(s) that the user
All of these approaches tend to open up holes that a tank can drive through.
Regardless of how the firewalls are configured, they MUST be pen tested!
Otherwise, how do you know that the configuration is correct? (Clue: You
Which brings up the final issue: Do you log events (esp. on host-based
firewalls), do you centralize logs, and do real time central event
alerts and response?
In the majority of organizations where they have deployed host based
ANYTHING (AV, firewalls, IDS, NAC, etc.), the events are sent to the
user as a popup window and the user simply automatically clicks 'ALLOW'
without even reading the message. (And that presumes they could even
comprehend the alert to begin with!)
With no central logging, or no logging at all, then no one up the food
chain has even a half a clue that an exception occurred -- except the
clueless user, and they probably could not even remember receiving
the alert 30 minutes (seconds?) after it occurred.
TEST! TEST! TEST! That is the ONLY way to ensure a firewall is doing
anything of use! Also, someone other than the user should be getting a
clue that the testing is occurring!
Well, at least that is my $0.02 worth.
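A worked example of the central logging and alerting Jon argues for above, added here and not code from the original thread or from either poster. It takes host-firewall log records in the W3C-style format Windows Firewall writes to pfirewall.log (date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, ...), as forwarded from several laptops to a collector, and raises two kinds of central alert: inbound connections the host ALLOWed that a corporate policy does not permit, which is what a user's reflexive "Allow" click or a drifted rule set looks like from the collector, and a single source whose dropped packets touched many ports on one host. The policy table, the corporate address ranges, the host names and the log lines are all constructed for illustration.

```python
"""Central triage of forwarded host-firewall logs (example added to this
thread; the policy, host names and log lines below are constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional

# Hypothetical corporate policy for roaming laptops: inbound ports a host may
# accept and from where. Anything else the host ALLOWs inbound means its rule
# set no longer matches what the security team pushed (user clicked "Allow",
# local admin added a rule, wrong profile applied ...).
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
INBOUND_ALLOWED = {3389: "corp",   # RDP only from corporate space (over VPN)
                   5985: "corp"}   # WinRM for central management
SCAN_PORT_THRESHOLD = 5            # distinct dst ports from one source

# Field order of the Windows Firewall log (its "#Fields:" header line).
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()


@dataclass
class Event:
    host: str
    action: str      # ALLOW / DROP (also OPEN, CLOSE, INFO-EVENTS-LOST)
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int]
    dst_port: Optional[int]
    path: str        # RECEIVE (inbound) or SEND (outbound)


def parse_line(host: str, line: str) -> Optional[Event]:
    """Parse one log record; None for headers, blanks and malformed lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))

    def port(value: str) -> Optional[int]:
        return int(value) if value.isdigit() else None   # "-" for ICMP etc.

    return Event(host, rec["action"], rec["protocol"], rec["src-ip"],
                 rec["dst-ip"], port(rec["src-port"]), port(rec["dst-port"]),
                 rec["path"])


def is_corp(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def policy_violations(events: Iterable[Event]) -> List[str]:
    """Inbound ALLOW records that the central policy does not permit."""
    alerts = []
    for e in events:
        if e.action != "ALLOW" or e.path != "RECEIVE" or e.dst_port is None:
            continue
        scope = INBOUND_ALLOWED.get(e.dst_port)
        if scope is None or (scope == "corp" and not is_corp(e.src_ip)):
            alerts.append(f"{e.host}: inbound {e.protocol}/{e.dst_port} "
                          f"ALLOWED from {e.src_ip}")
    return alerts


def probing_sources(events: Iterable[Event],
                    threshold: int = SCAN_PORT_THRESHOLD) -> Dict[str, int]:
    """Sources whose dropped inbound packets hit many distinct ports."""
    ports = defaultdict(set)
    for e in events:
        if e.action == "DROP" and e.path == "RECEIVE" and e.dst_port is not None:
            ports[e.src_ip].add(e.dst_port)
    return {src: len(p) for src, p in ports.items() if len(p) >= threshold}


def triage(logs_by_host: Dict[str, str]) -> dict:
    """What the collector raises, instead of a popup the user clicks away."""
    events = []
    for host, text in logs_by_host.items():
        for line in text.splitlines():
            ev = parse_line(host, line)
            if ev:
                events.append(ev)
    return {"events": len(events),
            "violations": policy_violations(events),
            "probes": probing_sources(events)}


# Constructed sample: two laptops on hotel networks forwarding pfirewall.log.
SAMPLE_LOGS = {
    "LAPTOP-A": """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-05-30 19:01:02 DROP TCP 203.0.113.9 172.16.4.20 51000 22 52 S 100 0 8192 - - - RECEIVE
2008-05-30 19:01:03 DROP TCP 203.0.113.9 172.16.4.20 51001 23 52 S 101 0 8192 - - - RECEIVE
2008-05-30 19:01:04 DROP TCP 203.0.113.9 172.16.4.20 51002 80 52 S 102 0 8192 - - - RECEIVE
2008-05-30 19:01:05 DROP TCP 203.0.113.9 172.16.4.20 51003 443 52 S 103 0 8192 - - - RECEIVE
2008-05-30 19:01:06 DROP TCP 203.0.113.9 172.16.4.20 51004 445 52 S 104 0 8192 - - - RECEIVE
2008-05-30 19:02:10 ALLOW TCP 172.16.4.20 10.1.1.5 49152 443 - - - - - - - - SEND
""",
    "LAPTOP-B": """\
2008-05-30 19:05:00 ALLOW TCP 198.51.100.7 172.16.9.31 40000 3389 52 S 5 0 8192 - - - RECEIVE
2008-05-30 19:05:30 ALLOW TCP 10.20.0.4 172.16.9.31 40001 5985 52 S 6 0 8192 - - - RECEIVE
2008-05-30 19:06:00 ALLOW UDP 172.16.9.1 172.16.9.31 137 137 78 - - - - - - - RECEIVE
""",
}

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOGS).items():
        print(kind, items)
```

On the sample, LAPTOP-B's ALLOW of RDP from a non-corporate address and of NetBIOS name service from the hotel LAN both surface as policy violations, while its WinRM ALLOW from corporate space does not; LAPTOP-A's five dropped probes from one source become a single scan alert rather than five popups. The log only records what the firewall actually did, so this complements rather than replaces Jon's point about testing the configuration: a rule that silently allows traffic nobody has sent yet produces no record to alert on. Feeding iptables or pf log lines into the same two checks needs only a different parse_line.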