Why not? ;)
I'd actually suggest using something like OSSEC (host IDS/IPS) to control
the security of host-based systems in combination with the standard
Windows firewall. OSSEC is a cheaper alternative to Cisco's
Security Agent and can be pretty restrictive if you configure it properly.
I do not think that using a Windows firewall, or any firewall alone, will
provide you with the solution that you are looking for, especially if
your end user gets hit with a browser-based exploit or some other
client-side exploit.
The security boundary isn't just creating a shell around the yolk these
days; it's also about hardening the yolk as much as you reasonably can
without crippling yourself.
How's that?
Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45
Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142
---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security
Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn
Shawn A. Corrello wrote:
> So...why not suggest a suitable host based firewall for the thread
> creator so he can utilize a component of security; instead of continuing
> to take this further and further off topic.
>
> -SC
>
> On Fri, 30 May 2008, Adriel Desautels wrote:
>
>> Incorrect, but firewalls do not equal security. They equal a component
>> of security that provides you with a reasonable demarcation point
>> between one network and another. Good and strong security is a process
>> that includes well written policies, procedures, training, technology,
>> etc. Technology is near useless if the people that are using it are
>> not trained properly and are unaware of what threat they are trying to
>> defend against.
>>
>> Fancy door locks, card/biometric authentication, and mantraps can all
>> be circumvented, especially if well-trained people are not present.
>>
>> I remember once we were testing a facility that had a mantrap with
>> biometric hand scanners. I watched one of the employees let me into
>> the server area and took note of his PIN code as he typed it into the
>> hand scanner. Later on during the test I managed to take his card from
>> his desk, stick my hand in the scanner, and type in the code, and the
>> door opened! As it turns out, the so-called biometric scanner only
>> measured the size of my hand, which was nearly the same size as his
>> (pretty weak).
>>
>> So, not all scanners, door locks, etc. are effective. IMHO, most
>> biometric scanners, not all, are good for show and that's about it.
>> There are other more obvious ways to bypass such technologies, but I
>> won't go into those unless people want to hear it.
>>
>> Had the security guard been well trained and not let me see his PIN,
>> and not left his card on his desk in his open office, then I would have
>> had to use a different technique to get in. Had the policies and
>> procedures that were written been followed, I would not have been able
>> to get in.
>>
>> Technology is far from useless, but it can become ineffective when the
>> people supporting it don't know how to do their jobs, or just become
>> lazy.
>>
>>
>> krymson_at_gmail.com wrote:
>>> So, are you saying that because a firewall can't make every perfect
>>> decision, they do not equal security? I wonder, do they add any value
>>> to you at all? What if they do DPI and make smarter decisions?
>>>
>>> So if security cannot be found in hardware, does that mean a fancy
>>> door lock, card/biometric authentication, and mantrap have no value?
>>>
>>> Personally, I find value in firewalls. Sure, the security they offer
>>> is not perfect, but that doesn't discount them as being a part of a
>>> solid security regimen. In fact, while there are journalists and
>>> other part-time ITers who regularly call out about the widening or
>>> diminishing perimeters, there is still a definite need to separate
>>> networks of different trust levels to some degree or other.
>>>
>>>
>>>
>>> I know there will be some here that can smell the straw for the hay
>>> in the above, but such a tactic can be useful to find the boundaries.
>>>
>>>
>>> <- snip ->
>>> All,
>>> Firewalls are packet control devices. They do little more than
>>> control the flow of traffic into and out of your network. Some of
>>> them contain "defensive" capabilities such as IPS. Those defenses
>>> make decisions based on the nature of the traffic. Those decisions
>>> aren't as accurate as they should be because the very medium from
>>> which they are forming "opinions" is flawed. Traffic can be
>>> spoofed/forged/manipulated, so how can one trust it?
>>>
>>> Security is more of a process than anything else. It is enforced by
>>> policies, procedures, and the people using technology. Security cannot
>>> be found via hardware. This is a bit philosophical, but I can
>>> back this up if anyone doesn't understand my perspective.
>>
Received on May 30 2008