
Security Basics mailing list archives
Re: Host-Base Firewall
From: Adriel Desautels <adriel () netragard com>
Date: Fri, 30 May 2008 19:26:37 -0400
John, I couldn't agree with you more and I'll take it a step farther. Firewalls do need to be configured properly and most of them aren't, as Jon mentioned. The fact of the matter is that firewalls are not the only points of misconfiguration. In most businesses, most security appliances and other technologies also have broken or poor configurations.
Jon's point regarding Penetration Testing is very good advice (not just because we/I offer those services and want your business [yes, that was horribly shameless]) but because it will help you to understand your real and actual security posture... But there's a serious catch. Not all services offered by security companies are created equal. In fact, most providers don't appear to be able to properly differentiate between different services, let alone deliver them properly.
There are significant differences between a Penetration Test, a Vulnerability Assessment and a Web Application Assessment. A Penetration Test is intrusive. It is a test where a team will attempt to hack into your network and gain access to your computers by exploiting a vulnerable service or other technology.
A Vulnerability Assessment is similar in that it will identify potentially exploitable vulnerabilities in your infrastructure, but it will not actually exploit those vulnerabilities. As such, a vulnerability assessment is non-intrusive. If you think about it, the names really say it all. Penetration denotes entry or penetrating into; assessment denotes examination.
A good penetration test will create a deliverable that is the product of human talent. A bad penetration test will rely on automated tools and scanners and won't really do anything creative. I say it's bad because malicious hackers aren't going to test you in an automated way; they are going to test you in a creative way if they really want to get in. In fact, the most important thing to remember is that you need to be tested at the same or greater level of threat that you face in the real world. Testing at anything less is pointless, sorta like testing a tank with a BB gun.
A Web Application Assessment is either a vulnerability assessment or a penetration test of a Web based application. Web based applications are any dynamic website that may (or might not) take input from a user. Web Applications often have back end databases, or pull data from some sort of data pool. About 80-90% of all successful hacks today are done by exploiting poorly tested and insecure Web Applications.
Of course there is a lot more to testing than just those services. There are great materials on the web that people should read such as the OSSTMM and OWASP.
One last thing, aside from not relying on automated tools or scanners, try to avoid security companies who tell you that they use confidential testing methodologies. In most cases that means that they do not really have a solid methodology and they do rely on automated scanners.
When you get the final deliverable you will be able to tell if you've made the right choice. A deliverable that is automated looks automated and redundant. A deliverable that is created by human talent and expertise is usually non-redundant and looks like a well thought out hand typed document.
Anyway, I wrote this in a hurry, but I'd be happy to answer any questions that anyone has if I was unclear about something, or if I said something wrong/stupid. Have a great weekend all!
Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45
Join the Netragard, LLC. Linked In Group: http://www.linkedin.com/e/gis/48683/0B98E1705142
---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security
Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn

Jon Kibler wrote:
Mohamed Farid wrote:
Dear All,
Any recommendation for a cost effective Host-Base Firewall to be installed on my remote users' Laptops - and to be managed and be administrated centralized by my security team?

Hi All,

Okay, I want to start from the top because I believe that all the posts to date have missed one major point: Any firewall is only as good as its configuration (and change control), and the configuration is only worth anything if it has been adequately tested.

Most firewalls I see, host or network based, are grossly misconfigured. Host-based firewalls tend to have the worst problems, because of the issues associated with how users work and what their access requirements are. I generally see one of three approaches taken to host firewall (mis)configurations:

1) Only attempt to filter traffic destined to somewhere off the LAN or WAN.
2) Filter all traffic, but the LAN / WAN traffic filter is the same for everyone in the organization.
3) Filter all traffic based upon the generic role(s) that the user performs.

All of these approaches tend to open up holes that a tank can drive through. Regardless of how the firewalls are configured, they MUST be pen tested! Otherwise, how do you know that the configuration is correct? (Clue: You don't!)

Which brings up the final issue: Do you log events (esp. on host-based firewalls), do you centralize logs, and do you do real time central event alerts and response? In the majority of organizations where they have deployed host based ANYTHING (AV, firewalls, IDS, NAC, etc.), the events are sent to the user as a popup window and the user simply automatically clicks 'ALLOW' without even reading the message. (And that presumes they could even comprehend the alert to begin with!) With no central logging, or no logging at all, then no one up the food chain has even half a clue that an exception occurred -- except the clueless user, and they probably could not even remember receiving the alert 30 minutes (seconds?) after it occurred.

TEST! TEST! TEST! That is the ONLY way to ensure a firewall is doing anything of use! Also, someone other than the user should be getting a clue that the testing is occurring!

Well, at least that is my $0.02 worth.

Jon Kibler