Solved

local firewall necessity

Posted on 2014-03-24
Last Modified: 2014-03-25
Can anyone give a bit of a layman's, tech-free, management-friendly summary of the necessity of enabling the local Windows firewall on internal (private network) Windows servers? Realistically, if only necessary services are running, how much easier would it be for an attacker to gain access to the server if there is no local firewall enabled? And can you think of any reason why admins would not enable the firewall for internal servers? Does it cause operational/support issues?
Question by:pma111
12 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
In management terms, it is an effort/reward balance. Maintaining local firewall rules requires minimal effort and almost zero maintenance. Even if that stops one attack one time, the effort paid for itself.
0
 
LVL 3

Author Comment

by:pma111
Realistically, if only necessary services are running, how much easier would it be for an attacker to gain access to the server if there is no local firewall enabled?
0
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 250 total points
That is an unknowable question. If the flaw were known, it'd be patched. A local firewall would have stopped Slammer. And for that matter, while the flaw Blaster had exploited had been patched a month earlier, many companies take longer than a month to approve patches. A properly configured local firewall would have prevented that as well.

Sometimes local services NEED to listen, especially things like DCOM and RPC. But a local firewall can restrict the traffic that reaches those services to a list of approved sending IPs. So whereas a running network service alone is an all-or-nothing situation (it is either running and listening or it is stopped and isn't listening), a local firewall allows for more granular control (the service is listening but can only receive traffic from approved machines).

So how much easier is it? Who knows... until the next Slammer/Blaster. But when turning on the firewall and creating a few rules is so easy, and when that can prevent the next Slammer, why not?

That is a little more technical than management usually wants or needs, but there ya go...
0
 
LVL 76

Expert Comment

by:arnold
The quandary, as your question points out, is what the exposure vector is and whether the performance/load from each system having to deal ......

Implementing an IDS/IPs proxy with content filtering anti-virus ........

IMHO, as the admin there is a way to manage the risk.

Does your question deal primarily with the local firewall on the servers, or is it general enough to include the workstations?
0
 
LVL 3

Author Comment

by:pma111
Only interested in servers in this case.

Are you saying:

>>Implementing an IDS/IPs proxy with content filtering anti-virus ........

Mitigates the need to enable the local firewall?
0
 
LVL 56

Expert Comment

by:Cliff Galiher
In my opinion, a proxy-based IPS alone is not sufficient. A host-based one could be, but host-level IPS systems include a local firewall as part of their intrusion prevention.
0
 
LVL 76

Expert Comment

by:arnold
The proxy-based data analysis mitigates some of the virus/backdoor intrusions that often lead to these issues. The proxy also enables the implementation of restrictions on sites/locations to which access is not authorized.
Restricting the plugging in of storage devices is also a way to mitigate the introduction of a foreign app/virus into the environment.

The short of it: the complexity/importance of the underlying data will dictate the complexity and thoroughness of the approach.
i.e. highly valued data will have network segmentation, with each network segment having its own firewall/IPS/IDS and rules.

Unfortunately, there is no yes/no answer to this question.
0
 
LVL 3

Author Comment

by:pma111
Can anyone elaborate on how much easier it is to compromise a server without a local firewall? That may help visualise how vital it is to enable the local firewall. Is it a simple process to hack a server without a local firewall, and how much harder is it when a firewall with appropriate rules is in place?
0
 
LVL 76

Accepted Solution

by:arnold
arnold earned 250 total points
To compromise a server you have to consider the possible attack vectors:
1) is the server exposed directly to the OUTSIDE
    a) check whether the service can be compromised (buffer overflow, etc., brute force attack)
    b) if this is a web server, make sure your pages are not susceptible to SQL injection, and the like
    c) if this is a mail server, make sure you do not have processing rules that may trigger the loading of the virus on the server
    d) Terminal Server: make sure to have complex passwords as well as a password policy that forces the change of the password in a reasonable amount of time. If possible, use two-factor authentication.
    e) the use of a local firewall for the exposed services often means they have an exemption.
2) If the compromise attack can only be achieved from the inside, only exposed services as you mentioned are susceptible: file shares are also a way that an admin could load up in error.
3) internal users can also try buffer overflow/stack overflow through an attack on the network. If I am not mistaken, there were times where the local firewall was saturated with packets/specific types of packets, such that it was the means through which the system was compromised: buffer/stack overflow in the firewall packet processing. I think it was a large and a specific type of packet.

IMHO, it is best to know what your system's exposure is, whether you use a local firewall or not.
Implementing a firewall, local or dedicated external, does not mitigate one's responsibility to make sure they are knowledgeable about what is running on the system and plan/secure the system/services as though it is exposed to the outside.
You never know whether an error on an update can drop the firewall.
0
 
LVL 61

Expert Comment

by:gheist
Your boss browses nasty sites and catches a QuickTime exploit. That loads the code that uses some network vulnerability on omnipresent Windows workstation ports...
0
 
LVL 56

Expert Comment

by:Cliff Galiher
I'm not sure what you are looking for here. I've told you it is easier. How MUCH easier is not an answerable question. Arnold has explained why and given much more conceptual answers on that front.

It almost seems like you WANT someone to just tell you it is fine to leave a local firewall disabled and that they are useless. I suppose if you ask enough people enough times, you'll find someone with that opinion. But it isn't my opinion, and trying to force the answer you want to hear isn't productive for anybody here.
0
 
LVL 53

Expert Comment

by:McKnife
Hi pma111.

If a firewall blocks everything, the server cannot be used for anything; that should be clear. If all is unblocked, there will be ports open. But is that bad? Those ports could be used for attacks, yes. But whether those succeed depends on many things, so in no way can you get answers on "how much easier".

Usually, you would use the firewall like this:
port range A (Ports xxx,yyy,...): accessible from machineX/group of machines Y
port range B: Accessible from machine Z/...

So you will use it to minimize the attack surface by limiting certain machines to certain ports. You won't make ports accessible to machines that don't need to use them.

I wonder if someone in charge of deciding about firewall and network settings or even setting those can hope to find an answer here if he does not even know the basics. And this question alone suggests that you don't. You should learn those elsewhere, not through a forum and then come back with questions about technical details that you don't understand.
0
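The rule layout McKnife sketches (port range A reachable only from machine X or group Y, port range B only from machine Z) and Cliff's point that RPC/DCOM must keep listening but can be limited to a list of approved senders both map directly onto Windows Firewall rules with a remote-address scope. The script below is an added example, not something posted in the thread; the subnets, hosts and the choice of SMB, RDP and RPC are constructed placeholders for a Server 2012-era domain member.

```powershell
# Added example (not from the thread): scope inbound Windows Firewall rules so that
# services keep listening but only approved senders can reach them.
# Addresses and ports below are constructed placeholders; adjust to your environment.
# Requires the NetSecurity module (Windows Server 2012 / Windows 8 and later), run elevated.

# 1. Enable the firewall on every profile: default-deny inbound, allow outbound.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. "Port range A, accessible from machine X / group of machines Y":
#    file sharing (SMB, TCP 445) only from the admin workstation VLAN.
New-NetFirewallRule -DisplayName 'Allow SMB from admin VLAN' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress '10.10.20.0/24' -Action Allow -Profile Domain

# 3. "Port range B, accessible from machine Z":
#    RDP (TCP 3389) only from a single jump host.
New-NetFirewallRule -DisplayName 'Allow RDP from jump host' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress '10.10.20.5' -Action Allow -Profile Domain

# 4. Cliff's case: RPC/DCOM must listen, but only management servers may talk to it.
#    Endpoint mapper (TCP 135) plus the dynamic RPC range, scoped to two hosts.
New-NetFirewallRule -DisplayName 'Allow RPC from management servers' `
    -Direction Inbound -Protocol TCP -LocalPort 135,49152-65535 `
    -RemoteAddress '10.10.30.10','10.10.30.11' -Action Allow -Profile Domain

# 5. Review: list every enabled inbound allow rule with its port and remote scope,
#    so any rule still open to RemoteAddress "Any" stands out immediately.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    } | Sort-Object RemoteAddress | Format-Table -AutoSize
```

The final listing is the check worth repeating after every change: a listening service is fine, a listening service reachable from "Any" on an internal server is the exposure the thread is arguing about.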
