Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Security Basics: Re: Host-Base Firewall

Re: Host-Base Firewall

From: Adriel Desautels <adriel_at_netragard.com>
Date: Fri, 30 May 2008 12:19:37 -0400

Incorrect, but firewalls do not equal security. They equal a component
of security that provides you with a reasonable demarcation point
between one network and another. Good and strong security is a process
that includes well written policies, procedures, training, technology,
etc. Technology is near useless if the people that are using it are not
trained properly and are unaware of what threat they are trying to
defend against.

Fancy door licks, card/biometric authentication, and mantraps can all be
circumvented, especially if well trained people are not present.

I remember once we were testing a facility that had a mantrap with
biometric hand scanners. I watched one of the employees let me into the
server area and took note of his pin code as he typed it into the hand
scanner. Later on during the test I managed to take his card from his
desk, stick my hand in the scanner, and type in the code and the door
opened! As it turns out the so called biometric scanner only measured
the size of my hand which was nearly the same size as his (pretty weak).

So, not all scanners, door locks, etc are effective. IMHO, most
biometric scanners, not all, are good for show and thats about it. There
are other more obvious ways to bypass such technologies, but I won't go
into those unless people want to hear it.

Had the security guard been well trained and not let me see his pin, not
left his card on his desk in his open office, then I would have had to
use a different technique to get in. Had the policies and procedures
that were written been followed, I would not have been able to get in.

Technology is far from useless, but it can become ineffective when the
people supporting it don't know how to do their jobs, or just become lazy.

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn

krymson_at_gmail.com wrote:
> So, are you saying that because a firewall can't make every perfect decision, they do not equal security? I wonder, do they add any value to you at all? What if they do DPI and make smarter decisions?
>
> So if security cannot be found in hardware, does that mean a fancy door lock, card/biometric authentication, and mantrap have no value?
>
> Personally, I find value in firewalls. Sure, the security they offer is not perfect, but that doesn't discount them as being a part of a solid security regimen. In fact, while there are journalists and other part-time ITers who regularly call out about the widening or diminishing perimeters, there is still a definite need to separate networks of different trust levels to some degree or other.
>
>
>
> I know there will be some here that can smell the straw for the hay in the above, but such a tactic can be useful to find the boundaries.
>
>
> <- snip ->
> All,
> Firewalls are packet control devices. They do little more than control
> the flow of traffic into and out of your network. Some of them contain
> "defensive" capabilities such as IPS. Those defenses make decisions
> based on the nature of the traffic. Those decisions aren't as accurate
> as they should be because the very medium from which they are forming
> "opinions" is flawed. Traffic can be spoofed/forged/manipulated, so how
> can one trust it.
>
> Security is more of a process than anything else. It is enforced by
> policies, procedures, and the people using technology. Security can not
> be found via hardware. This is a bit philosophical, but I can back this
> up if anyone doesn't understand my perspective.
>
> Regards,
> Adriel T. Desautels
> Chief Technology Officer
> Netragard, LLC.
Received on May 30 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]