• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 226

Local firewall necessity

Can anyone give a bit of a layman's, tech-free, management-friendly summary of the necessity of enabling the local Windows firewall on internal (private network) Windows servers? Realistically, if only necessary services are running, how much easier would it be for an attacker to gain access to the server if there is no local firewall enabled? And can you think of any reason why admins would not enable the firewall for internal servers? Does it cause operational/support issues?
Asked by: pma111

2 Solutions

Cliff Galiher commented:
In management terms, it is an effort/reward balance. Maintaining local firewall rules requires minimal effort and almost zero maintenance. Even if that stops one attack one time, the effort paid for itself.
 
pma111 (Author) commented:
Realistically, if only necessary services are running, how much easier would it be for an attacker to gain access to the server if there is no local firewall enabled?
 
Cliff Galiher commented:
That is an unknowable question. If the flaw were known, it'd be patched. A local firewall would have stopped Slammer. And for that matter, while the flaw Blaster had exploited had been patched a month earlier, many companies take longer than a month to approve patches. A properly configured local firewall would have prevented that as well.

Sometimes local services NEED to listen, especially things like DCOM and RPC. But a local firewall can restrict the traffic that reaches those services to a list of approved sending IPs. So whereas a running network service alone is an all-or-nothing situation (it is either running and listening or it is stopped and isn't listening), a local firewall allows for more granular control (the service is listening but can only receive traffic from approved machines).

So how much easier is it? Who knows... until the next slammer/blaster. But when turning on the firewall and creating a few rules is so easy, and when that can prevent the next slammer, why not?

That is a little more technical than management usually wants or needs, but there ya go...
 
arnold commented:
The quandary as your questions points out is what the exposure vector is and whether the performance/load from each system having to deal ......

Implementing an IDS/IPs proxy with content filtering anti-virus ........

IMHO, as the admin there is a way to manage the risk.

Does your question deal primarily with the local firewall on the servers, or is it general enough to include the workstations?
 
pma111 (Author) commented:
Only interested in servers in this case.

Are you saying:

>>Implementing an IDS/IPs proxy with content filtering anti-virus ........

Mitigates the need to enable the local firewall?
 
Cliff Galiher commented:
In my opinion, a proxy-based IPS alone is not sufficient. A host-based one could be, but host-level IPS systems include a local firewall as part of their intrusion prevention.
 
arnold commented:
The proxy-based data analysis mitigates some of the virus/backdoor intrusions that often lead to these issues. The proxy also enables the implementation of restrictions on which sites/locales access is not authorized.
Restricting plugin of storage devices is also a way to mitigate the introduction of a foreign app/virus into the environment.

The short of it: the complexity/importance of the underlying data will dictate the complexity and thoroughness of the approach.
i.e. highly valued data will have network segmentation, with each network segment having its own firewall/IPS/IDS and rules.

Unfortunately, there is no yes/no answer to this question.
 
pma111 (Author) commented:
Can anyone elaborate on how much easier it is to compromise a server without a local firewall? That may help visualise how vital it is to enable the local firewall. Is it a simple process to hack a server without a local firewall, and how much harder is it when a firewall with appropriate rules in place is set?
 
arnold commented:
To compromise a server you have to consider the possible attack vectors:
1) is the server exposed directly to the OUTSIDE
    a) check whether the service can be compromised (buffer overflow, etc. brute force attack)
    b) if this is a web server, make sure your pages are not susceptible to SQL injection, and the like
    c) if this is a mail server, make sure you do not have processing rules that may trigger the loading of the virus on the server
    d) Terminal Server: make sure to have complex passwords as well as a password policy that forces the change of the password in a reasonable amount of time. If possible, use two-factor authentication.
    e) the use of a local firewall for the exposed services often means they have an exemption.
2) If the compromise attack can only be achieved from the inside, only exposed services as you mentioned are susceptible: fileshares are also a way that an admin could load something up in error.
3) internal users can also try buffer overflow/stack overflow through an attack on the network.  If I am not mistaken, there were times where the local firewall was saturated with packets/specific types of packets, that it was the means through which the system was compromised. buffer/stack overflow in the firewall packet processing.  I think it was a large and a specific type of packet.

IMHO, it is best to know what your system's exposure whether you use a local firewall or not.
Implementing a firewall, local or dedicated external, does not mitigate one's responsibility to make sure they are knowledgeable about what is running on the system and plan/secure the system/services as though it is exposed to the outside.
You never know whether an error on an update can drop the firewall.
 
gheist commented:
Your boss browses nasty sites and catches a QuickTime exploit. That loads the code that uses some network vulnerability on omnipresent Windows workstation ports...
 
Cliff Galiher commented:
I'm not sure what you are looking for here. I've told you it is easier. How MUCH easier is not an answerable question. Arnold has explained why and given much more conceptual answers on that front.

It almost seems like you WANT someone to just tell you it is fine to leave a local firewall disabled and that they are useless. I suppose if you ask enough people enough times, you'll find someone with that opinion. But it isn't my opinion, and trying to force the answer you want to hear isn't productive for anybody here.
 
McKnife commented:
Hi pma111.

If a firewall blocks anything, the server cannot be used for anything, that should be clear. If all is unblocked, there will be ports open. But is that bad? Those ports could be used for attacks, yes. But if those succeed depends on many things, so in no way can you get answers on "how much easier".

Usually, you would use the firewall like this:
port range A (Ports xxx,yyy,...): accessible from machineX/group of machines Y
port range B: Accessible from machine Z/...

So you will use it to minimize the attack surface by limiting certain machines to certain ports. You won't make ports accessible to machines that don't need to use them.

I wonder if someone in charge of deciding about firewall and network settings or even setting those can hope to find an answer here if he does not even know the basics. And this question alone suggests that you don't. You should learn those elsewhere, not through a forum and then come back with questions about technical details that you don't understand.
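As an added illustration of the pattern both Cliff Galiher ("restrict the traffic that reaches those services to a list of approved sending IPs") and McKnife ("port range A: accessible from machine X / group of machines Y") describe, here is a PowerShell script for a Windows member server. It is example code written for this page, not code from any of the posters. The management subnet, jump host and application subnet addresses are assumed values; the cmdlets (`Set-NetFirewallProfile`, `New-NetFirewallRule`, `Get-NetFirewallAddressFilter`, `Get-NetFirewallPortFilter`) are the standard NetSecurity module shipped with Windows Server 2012 and later, and the script must run in an elevated session.

```powershell
# Added example: scope listening services to approved sources with the Windows Firewall.
# Assumed addresses (replace with your own):
$MgmtSubnet = '10.10.0.0/24'   # assumption: where admins' workstations live
$JumpHost   = '10.10.0.5'      # assumption: the only host allowed to RDP in
$AppSubnet  = '10.20.0.0/24'   # assumption: application servers that need this server's shares
$RuleGroup  = 'Example Server Lockdown'   # assumed group name, used to find/remove our own rules

# 1. Turn the firewall on for every profile. Inbound is denied unless a rule allows it;
#    dropped packets are logged so a missing rule shows up in the log rather than as a mystery.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# 2. Remove any earlier copy of this script's rules so re-running it does not stack duplicates.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 3. The "port range -> approved machines" pattern: each service keeps listening,
#    but the firewall only passes packets whose source is in -RemoteAddress.
$Rules = @(
    @{ Name = 'RDP from jump host only';        Port = 3389; Remote = $JumpHost   },
    @{ Name = 'SMB from app subnet only';       Port = 445;  Remote = $AppSubnet  },
    @{ Name = 'WinRM from management subnet';   Port = 5985; Remote = $MgmtSubnet }
)
foreach ($r in $Rules) {
    New-NetFirewallRule -DisplayName $r.Name -Group $RuleGroup `
        -Direction Inbound -Protocol TCP -LocalPort $r.Port `
        -RemoteAddress $r.Remote -Action Allow -Profile Domain,Private | Out-Null
}

# 4. Audit: an enabled inbound allow rule whose remote scope is "Any" is exactly the
#    all-or-nothing exposure the thread warns about. Built-in rules (File and Printer
#    Sharing, Remote Desktop, ...) are often enabled unscoped, so list them for review.
function Get-UnscopedInboundRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            $port = $_ | Get-NetFirewallPortFilter
            if ($addr.RemoteAddress -eq 'Any') {
                [pscustomobject]@{
                    Rule      = $_.DisplayName
                    Profile   = $_.Profile
                    Protocol  = $port.Protocol
                    LocalPort = ($port.LocalPort -join ',')
                }
            }
        }
}

Get-UnscopedInboundRule | Format-Table -AutoSize
```

The audit function at the end is the part worth keeping around: switching the default inbound action to Block does nothing for ports that a pre-existing, unscoped allow rule still opens, and on a freshly built server several of Windows' own rule groups are in that state. Tightening those rules to the same `-RemoteAddress` lists (or disabling the groups you do not need) is what turns "the firewall is enabled" into the granular control Cliff describes.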