local firewall necessity

Posted on 2014-03-24
Last Modified: 2014-03-25
Can anyone give a bit of a layman's, tech-free, management-friendly summary of the necessity of enabling the local Windows firewall on internal (private network) Windows servers? Realistically, if only necessary services are running, how much easier would it be for an attacker to gain access to the server if there is no local firewall enabled? And can you think of any reason why admins would not enable the firewall for internal servers; does it cause operational/support issues?
Question by:pma111
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39949884
In management terms, it is an effort/reward balance. Maintaining local firewall rules requires minimal effort and almost zero maintenance. Even if that stops one attack one time, the effort has paid for itself.
LVL 3

Author Comment

by:pma111
ID: 39949892
Realistically, if only necessary services are running, how much easier would it be for an attacker to gain access to the server if there is no local firewall enabled?
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 250 total points
ID: 39949912
That is an unknowable question. If the flaw were known, it'd be patched. A local firewall would have stopped Slammer. And for that matter, while the flaw Blaster had exploited had been patched a month earlier, many companies take longer than a month to approve patches. A properly configured local firewall would have prevented that as well.

Sometimes local services NEED to listen. Especially things like DCOM and RPC. But a local firewall can restrict the traffic that reaches those services to a list of approved sending IPs. So whereas a running network service alone is an all-or-nothing situation (it is either running and listening or it is stopped and isn't listening), a local firewall allows for more granular control (the service is listening but can only receive traffic from approved machines).

So how much easier is it? Who knows... until the next slammer/blaster. But when turning on the firewall and creating a few rules is so easy, and when that can prevent the next slammer, why not?

That is a little more technical than management usually wants or needs, but there ya go...
LVL 78

Expert Comment

by:arnold
ID: 39949945
The quandary, as your question points out, is what the exposure vector is and whether the performance/load from each system having to deal ......

Implementing an IDS/IPS proxy with content filtering anti-virus ........

IMHO, as the admin there is a way to manage the risk.

Does your question deal primarily with the local firewall on the servers, or is it general enough to include the workstations?
LVL 3

Author Comment

by:pma111
ID: 39949999
Only interested in servers in this case.

Are you saying:

>>Implementing an IDS/IPs proxy with content filtering anti-virus ........

Mitigates the need to enable the local firewall?
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39950027
In my opinion, a proxy-based IPS alone is not sufficient. A host-based one could be, but host-level IPS systems include a local firewall as part of their intrusion prevention.
LVL 78

Expert Comment

by:arnold
ID: 39950813
The proxy-based data analysis mitigates some of the virus/backdoor intrusions that often lead to these issues. The proxy also enables the implementation of restrictions on which sites/locales access is not authorized to.
Restricting plugin of storage devices is also a way to mitigate the introduction of a foreign app/virus into the environment.

The short of it: the complexity/importance of the underlying data will dictate the complexity and thoroughness of the approach.
i.e. highly valued data will have network segmentations, with each network segment having its own firewall/IPS/IDS and rules

Unfortunately, there is no yes/no answer to this question.
LVL 3

Author Comment

by:pma111
ID: 39951019
Can anyone elaborate on how much easier it is to compromise a server without a local firewall? That may help visualise how vital it is to enable the local firewall. Is it a simple process to hack a server without a local firewall, and how much harder is it when a firewall with appropriate rules in place is set?
LVL 78

Accepted Solution

by:arnold
arnold earned 250 total points
ID: 39951103
To compromise a server you have to consider the possible attack vectors:
1) Is the server exposed directly to the OUTSIDE?
    a) Check whether the service can be compromised (buffer overflow, brute force attack, etc.).
    b) If this is a web server, make sure your pages are not susceptible to SQL injection and the like.
    c) If this is a mail server, make sure you do not have processing rules that may trigger the loading of a virus on the server.
    d) Terminal Server: make sure to have complex passwords as well as a password policy that forces the change of the password in a reasonable amount of time. If possible, use two-factor authentication.
    e) The use of a local firewall for the exposed services often means they have an exemption.
2) If the compromise attack can only be achieved from the inside, only exposed services as you mentioned are susceptible; fileshares are also a way that an admin could load something up in error.
3) Internal users can also try buffer overflow/stack overflow through an attack on the network. If I am not mistaken, there were times where the local firewall was so saturated with packets/specific types of packets that it was the means through which the system was compromised: buffer/stack overflow in the firewall packet processing. I think it was a large and a specific type of packet.

IMHO, it is best to know what your system's exposure is, whether you use a local firewall or not.
Implementing a firewall, local or dedicated external, does not mitigate one's responsibility to make sure they are knowledgeable about what is running on the system and to plan/secure the system/services as though it is exposed to the outside.
You never know whether an error on an update can drop the firewall.
LVL 62

Expert Comment

by:gheist
ID: 39951548
Your boss browses nasty sites and catches a QuickTime exploit. That loads the code that uses some network vulnerability on omnipresent Windows workstation ports...
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39951755
I'm not sure what you are looking for here. I've told you it is easier. How MUCH easier is not an answerable question. Arnold has explained why and given much more conceptual answers on that front.

It almost seems like you WANT someone to just tell you it is fine to leave a local firewall disabled and that they are useless. I suppose if you ask enough people enough times, you'll find someone with that opinion. But it isn't my opinion, and trying to force the answer you want to hear isn't productive for anybody here.
LVL 54

Expert Comment

by:McKnife
ID: 39951882
Hi pma111.

If a firewall blocks anything, the server cannot be used for anything; that should be clear. If all is unblocked, there will be ports open. But is that bad? Those ports could be used for attacks, yes. But whether those succeed depends on many things, so in no way can you get answers on "how much easier".

Usually, you would use the firewall like this:
port range A (Ports xxx,yyy,...): accessible from machineX/group of machines Y
port range B: Accessible from machine Z/...

So you will use it to minimize the attack surface by limiting certain machines to certain ports. You won't make ports accessible to machines that don't need to use them.

I wonder if someone in charge of deciding about firewall and network settings or even setting those can hope to find an answer here if he does not even know the basics. And this question alone suggests that you don't. You should learn those elsewhere, not through a forum and then come back with questions about technical details that you don't understand.
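The pattern both Cliff Galiher ("restrict the traffic that reaches those services to a list of approved sending IPs") and McKnife ("port range A: accessible from machine X / group of machines Y") describe, as an added example that is not part of the thread: it turns the firewall on with a default inbound block, creates scoped allow rules from a small policy table, then audits which listening TCP ports are still reachable from any source. It assumes the built-in NetSecurity cmdlets (Windows Server 2012 / PowerShell 3.0 and later); all rule names, ports and addresses are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Rule names, ports and addresses are constructed
# placeholders; NetSecurity cmdlets assumed (Windows Server 2012 / PowerShell 3.0 and later).

# 1. Firewall on for every profile; inbound traffic without an explicit allow rule is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True

# 2. "Port range A: accessible from machine X / group of machines Y", written as data.
$policy = @(
    @{ Name = 'RDP from admin jump hosts'; Port = '3389';        Sources = @('10.0.5.10', '10.0.5.11') }
    @{ Name = 'SMB from app tier';         Port = '445';         Sources = @('10.0.20.0/24') }
    @{ Name = 'RPC endpoint mapper';       Port = '135';         Sources = @('10.0.20.0/24', '10.0.5.0/24') }
    @{ Name = 'RPC dynamic range';         Port = '49152-65535'; Sources = @('10.0.20.0/24', '10.0.5.0/24') }
)
foreach ($p in $policy) {
    # Idempotent: replace an earlier rule of the same name instead of stacking duplicates.
    Get-NetFirewallRule -DisplayName $p.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $p.Name -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $p.Port -RemoteAddress $p.Sources -Profile Domain,Private | Out-Null
}

# 3. Audit: which listening TCP ports are still reachable from ANY source address?
function Test-PortInFilter([string[]]$Filter, [int]$Port) {
    # $Filter is a rule's LocalPort: 'Any', a number, a range 'a-b', or a keyword such as 'RPC'.
    foreach ($f in $Filter) {
        if ($f -eq 'Any') { return $true }
        if ($f -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        if ($f -match '^\d+$' -and [int]$f -eq $Port) { return $true }
    }
    return $false
}
# Enabled inbound allow rules whose remote address scope is unrestricted ('Any').
$unscoped = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { 'Any' -in (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $_).RemoteAddress }

Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort -Unique | Sort-Object |
    ForEach-Object {
        $port = $_
        $hits = $unscoped | Where-Object {
            $pf = Get-NetFirewallPortFilter -AssociatedNetFirewallRule $_
            ($pf.Protocol -in @('TCP', 'Any')) -and (Test-PortInFilter $pf.LocalPort $port)
        }
        # OpenToAnySource = $true is the "all-or-nothing" exposure the thread warns about.
        [pscustomobject]@{ Port = $port; OpenToAnySource = [bool]$hits; Rules = ($hits.DisplayName -join '; ') }
    } | Format-Table -AutoSize
```

Run the audit step alone first on an existing server to see which listeners are unscoped before changing the default inbound action.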