
SANS ISC InfoSec Handlers Diary Blog



Cyber Security Awareness Tip #7: Host-Based Firewalls and Filtering

Published: 2007-10-07
Last Updated: 2007-10-07 23:00:03 UTC
by Joel Esler (Version: 1)

Host-Based Firewalls and Filtering

Increasingly I have seen host-based firewalls being brought up on the corporate radar in those arenas that have to deal with such things as VPNs, other remote computing solutions, and thus trojans, worms and other auto-spreading malware.

Host-based firewalls are basically exactly what they sound like (excuse me for taking a step back for everyone's benefit): a firewall that resides on the host itself. Your computer. The machine you are using right now. Whether it is Windows, OS X, *nix or a *BSD variant, there is a firewall available for every OS, and every OS has one built in. Some are better than others (in the interest of full disclosure, I am typing this on a PowerMac, which has a built-in firewall, and one that needs a bit more tweaking). Whichever one you use, the policy should be (IMHO) "Deny All, Permit by Exception": nothing gets through unless a rule explicitly allows it, so an unexpected service or a worm's propagation attempt is blocked by default rather than by luck.

When my parents or a friend ask me what kind of "free firewall" to install on their Windows machine, I usually go with "at least turn on the built-in one!" (which is on by default as of XP SP2), and then if more assistance is needed I usually go with ZoneAlarm. I'm not partial to any one firewall in particular; whichever gets the job done quickly and efficiently. Basically I say all that to make this point: host-based firewalls (especially for home users) are a great idea, they come in a lot of variants, and they should be deployed.

Several years ago I was asked (along with several of my co-workers at the time) to test various host-based firewall solutions on my work desktop. I was stuck with Symantec's offering at the time (this was about 2001), and was not impressed. I have not touched it since then, and have had no desire to. The firewall was not centrally managed, as it was only a test, and the ability to block things like "port 445 to 10.0.1.5" was available. I played "user", and what did I click? "Accept"! (You know the user I am talking about in your network, the one who says "Oh, Gator Wallet! Of course I'll accept".) Guess what 10.0.1.5 was? The Domain Controller. It let me block my Domain Controller! Guess what happened the next time I wanted to log onto my machine? You guessed it: nada. (In all fairness, how was the firewall to know that that IP was our Domain Controller? Yes, I am being sarcastic.)

So, obviously, with any security solution (like anti-virus) you need central management to keep "users" from doing things like what I did in my test: the policy has to come from the administrator, not from whatever the user clicks on in a pop-up. Is it necessary for you to deploy host-based firewalls in your corporate environment? That's something you need to assess by looking at your corporate landscape. Do you have problems with worms? Viruses? Do you have perimeter security on your network? Can you mitigate the threat? How do you mitigate the threat?
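As an added illustration (not code from the original diary, and not any vendor's product), here is a small Python model of the two points above: a host firewall that evaluates rules first-match and denies anything no rule permits ("Deny All, Permit by Exception"), and a central-management layer that refuses a locally added rule when it would cut the host off from infrastructure it must reach, which is exactly the domain-controller mistake in the anecdote. The address 10.0.1.5, the required ports and the user's "Accept" click are constructed for the example.

```python
"""Added example: a tiny model of host-firewall policy, written for this page.

It shows "deny all, permit by exception" (unmatched traffic is denied) and a
central-management guardrail that stops a locally added rule from blocking
required infrastructure. Addresses, ports and rules are constructed for the
example; this is not any vendor's product or the diary author's code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    direction: str              # "out" (host-initiated) or "in"
    proto: str                  # "tcp", "udp" or "any"
    remote: str                 # CIDR the remote address must fall inside
    port: Optional[int] = None  # remote port; None matches any port
    source: str = "central"     # "central" (pushed by admins) or "local" (user-added)

    def matches(self, direction: str, proto: str, remote_ip: str, port: int) -> bool:
        return (self.direction == direction
                and self.proto in ("any", proto)
                and ip_address(remote_ip) in ip_network(self.remote)
                and (self.port is None or self.port == port))


class HostFirewall:
    """First-match evaluation; anything no rule matches is denied."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def decide(self, direction: str, proto: str, remote_ip: str, port: int) -> str:
        for rule in self.rules:
            if rule.matches(direction, proto, remote_ip, port):
                return rule.action
        return "deny"  # default deny: no explicit exception, no traffic


# Flows the host must always be able to initiate (constructed: a domain
# controller at 10.0.1.5 serving SMB, Kerberos, LDAP and DNS).
Flow = Tuple[str, str, str, int]
REQUIRED: List[Flow] = [
    ("out", "tcp", "10.0.1.5", 445),   # SMB, the port blocked in the anecdote
    ("out", "tcp", "10.0.1.5", 88),    # Kerberos
    ("out", "udp", "10.0.1.5", 88),
    ("out", "tcp", "10.0.1.5", 389),   # LDAP
    ("out", "udp", "10.0.1.5", 53),    # DNS
]


def managed_policy(local_rules: List[Rule]) -> Tuple[HostFirewall, List[Rule]]:
    """Central management builds the effective rule set.

    Baseline permits for REQUIRED flows go first, so nothing local can shadow
    them, and any local deny that would match a required flow is rejected
    rather than installed, so the user gets a visible error instead of silent
    breakage at the next logon.
    """
    baseline = [Rule("permit", d, p, f"{ip}/32", port) for d, p, ip, port in REQUIRED]
    accepted, rejected = [], []
    for rule in local_rules:
        if rule.action == "deny" and any(rule.matches(*flow) for flow in REQUIRED):
            rejected.append(rule)
        else:
            accepted.append(rule)
    return HostFirewall(baseline + accepted), rejected


def demo() -> dict:
    """Replays the anecdote: the user clicks 'Accept' on a deny for 10.0.1.5:445."""
    user_click = Rule("deny", "out", "tcp", "10.0.1.5/32", 445, source="local")
    https_out = Rule("permit", "out", "tcp", "0.0.0.0/0", 443, source="local")

    # Unmanaged host: whatever the user accepted is installed at the top.
    unmanaged = HostFirewall([user_click, Rule("permit", "out", "any", "10.0.0.0/8")])

    # Managed host: central policy decides what the local rules may do.
    managed, rejected = managed_policy([user_click, https_out])

    return {
        "unmanaged_dc_smb": unmanaged.decide("out", "tcp", "10.0.1.5", 445),
        "managed_dc_smb": managed.decide("out", "tcp", "10.0.1.5", 445),
        "managed_https": managed.decide("out", "tcp", "192.0.2.10", 443),
        "managed_telnet_to_dc": managed.decide("out", "tcp", "10.0.1.5", 23),
        "rejected_local_rules": [f"{r.remote}:{r.port}" for r in rejected],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

On the unmanaged host the user's "Accept" lands first in the rule list and SMB to the domain controller is denied, which is the lost logon from the anecdote. On the managed host the central baseline sits ahead of anything local and the conflicting deny is rejected with a message, while harmless local exceptions (outbound HTTPS here) still take effect and everything else, such as telnet to the domain controller, falls through to the default deny. The model is the policy logic an administrator would push out, not the packet filter itself; the firewall in the anecdote lacked exactly this knowledge of which addresses matter, and only a managed policy can supply it.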

I'm not making a case in either direction; I am simply saying that both avenues need to be explored and a decision made. Does this help me do my job in a more efficient manner and generally make my life easier?

Filtering solutions (e.g. Websense, etc.) have a special place in my heart as well. I had a bad experience in my previous job with a filtering solution, so I am biased to NOT being a fan. But the same assessments as before need to be made. Does this make my life easier? Does this make it easier to do my job as the security person? Are you defending your networks against bad websites? Or are you defending the corporation against your users? Are you keeping people from doing their jobs, or are you keeping them doing their jobs (by keeping them on task)?

Good Luck!

Joel Esler

http://handlers.sans.org/jesler
