Security Basics mailing list archives

RE: win2k firewall


From: "Daniel R. Miessler" <danielrm26 () hotmail com>
Date: Tue, 7 Jan 2003 17:12:36 -0500


Perhaps you're not familiar with what Code Red does.
First off, it doesn't attack the operating system, it
attacks the web server.  Second, all that is required
to protect yourself against CR is to disable the
ida/idq script mapping.  In fact, disabling unused
script mappings (i.e., unnecessary or unused
services/functionality) is not only common sense, but
it's also all over every site that talks about
information security.

Dude, my intention is not to debate with you about this or that
little issue.  Most don't run Apache on W2K - they run IIS.  He asked
what a good firewall was to put on a W2K server, and I said that he
should use a solution that will monitor ALLOWED traffic.  I can't
possibly see what is wrong with this.  He is asking what firewall he
should use on a server, I said BlackIce.  Do you know of another
FIREWALL (Snort is an IDS) that he can put on a W2K server that will
afford any protection over turning off services, i.e. one that will
look for and block dangerous payloads in allowed traffic?

The major issue, as you know, with firewalling a server is that you
have to let things in.  And since the vast majority of firewalls do
nothing for inbound traffic, it is often said that putting a software
firewall on a server is close to pointless.  This is why I mentioned
BlackIce - it is one of the few software firewalls that does offer
additional protection for machines offering services.  Granted, it
does it by using a rulebase, but it does have some heuristic
capabilities, and it is at least another layer to add to the weak
link presented by allowed services.  

In short, I can't see what your beef is.  The recommendation of a
software firewall that runs on W2K Server and offers a unique
protection feature is more than appropriate for this discussion,
especially since that was the very question asked by the original
poster.  Please show me where I have gone astray.

-Daniel R. Miessler
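The two controls argued over above, disabling the unused ida/idq script mappings and inspecting allowed inbound traffic for dangerous payloads, as an added example that is not part of the original thread: a small Python checker over constructed IIS W3C extended log lines that flags requests to the disabled mappings and unusually long query strings. The MAX_QUERY_LEN threshold and the sample log lines are assumptions, not values from the post.

```python
import os
from typing import Dict, List, Tuple

# ISAPI script mappings the post says to disable on IIS when unused.
UNUSED_MAPPINGS = {".ida", ".idq"}
# Threshold for an unusually long query string; an assumed value, not from the post.
MAX_QUERY_LEN = 240

FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# Constructed IIS W3C extended log sample (not a real capture).
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: " + " ".join(FIELDS),
    "2003-01-07 17:10:01 192.0.2.10 GET /index.htm - 200",
    "2003-01-07 17:10:05 192.0.2.20 GET /default.ida " + "X" * 300 + " 200",
    "2003-01-07 17:10:09 192.0.2.30 GET /search.idq CiRestriction=firewall 200",
    "2003-01-07 17:10:12 192.0.2.40 GET /images/logo.gif - 304",
    "2003-01-07 17:10:15 192.0.2.50 GET /cgi/form.asp a=" + "b" * 300 + " 200",
])


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines, taking the column layout from the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than guess at their layout
        records.append(dict(zip(fields, parts)))
    return records


def flag_requests(records: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (client ip, uri stem, reasons) for requests that hit a disabled mapping or carry an oversized query."""
    flagged = []
    for rec in records:
        reasons = []
        ext = os.path.splitext(rec["cs-uri-stem"])[1].lower()
        if ext in UNUSED_MAPPINGS:
            reasons.append(f"request to disabled script mapping {ext}")
        query = rec["cs-uri-query"]
        if query != "-" and len(query) > MAX_QUERY_LEN:
            reasons.append(f"query string of {len(query)} bytes exceeds {MAX_QUERY_LEN}")
        if reasons:
            flagged.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return flagged
```

Run against a real IIS log, the same function shows whether requests are still reaching script mappings that were supposed to be disabled, which is the cheapest check that the first control actually took effect.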
