Solved

local firewall necessity

Posted on 2014-03-24
Last Modified: 2014-03-25
Can anyone give a bit of a layman's, tech-free, management-friendly summary of the necessity of enabling the local Windows firewall on internal (private network) Windows servers? Realistically, if only necessary services are running, how much easier would it be for an attacker to gain access to the server if there is no local firewall enabled? And can you think of any reason why admins would not enable the firewall for internal servers? Does it cause operational/support issues?
Question by:pma111
12 Comments
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 39949884
In management terms, it is an effort/reward balance. Maintaining local firewall rules requires minimal effort and almost zero maintenance. Even if that stops one attack one time, the effort has paid for itself.
0
 
LVL 3

Author Comment

by:pma111
ID: 39949892
Realistically, if only necessary services are running, how much easier would it be for an attacker to gain access to the server if there is no local firewall enabled?
0
 
LVL 57

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 250 total points
ID: 39949912
That is an unknowable question. If the flaw were known, it'd be patched. A local firewall would have stopped Slammer. And for that matter, while the flaw Blaster had exploited had been patched a month earlier, many companies take longer than a month to approve patches. A properly configured local firewall would have prevented that as well.

Sometimes local services NEED to listen, especially ones like DCOM and RPC. But a local firewall can restrict the traffic that reaches those services to a list of approved sending IPs. So whereas a running network service alone is an all-or-nothing situation (it is either running and listening or it is stopped and isn't listening), a local firewall allows for more granular control (the service is listening but can only receive traffic from approved machines).

So how much easier is it? Who knows... until the next Slammer/Blaster. But when turning on the firewall and creating a few rules is so easy, and when that can prevent the next Slammer, why not?

That is a little more technical than management usually wants or needs, but there ya go...
0
 
LVL 77

Expert Comment

by:arnold
ID: 39949945
The quandary, as your question points out, is what the exposure vector is and whether the performance/load from each system having to deal ......

Implementing an IDS/IPS proxy with content filtering anti-virus ........

IMHO, as the admin there is a way to manage the risk.

Does your question deal primarily with the local firewall on the servers, or is it general enough to include the workstations?
0
 
LVL 3

Author Comment

by:pma111
ID: 39949999
Only interested in servers in this case.

Are you saying:

>>Implementing an IDS/IPS proxy with content filtering anti-virus ........

Mitigates the need to enable the local firewall?
0
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 39950027
In my opinion, a proxy-based IPS alone is not sufficient. A host-based one could be, but host-level IPS systems include a local firewall as part of their intrusion prevention.
0
 
LVL 77

Expert Comment

by:arnold
ID: 39950813
The proxy-based data analysis mitigates some of the virus/backdoor intrusions that often lead to these issues. The proxy also enables the implementation of restrictions on which sites/locales are not authorized for access.
Restricting the plugging in of storage devices is also a way to mitigate the introduction of a foreign app/virus into the environment.

The short of it: the complexity/importance of the underlying data will dictate the complexity and thoroughness of the approach.
i.e. highly valued data will have network segmentation, with each network segment having its own firewall/IPS/IDS and rules.

Unfortunately, there is no yes/no answer to this question.
0
 
LVL 3

Author Comment

by:pma111
ID: 39951019
Can anyone elaborate on how much easier it is to compromise a server without a local firewall? That may help visualise how vital it is to enable the local firewall. Is it a simple process to hack a server without a local firewall, and how much harder is it when a firewall with appropriate rules in place is set?
0
 
LVL 77

Accepted Solution

by:arnold
arnold earned 250 total points
ID: 39951103
To compromise a server you have to consider the possible attack vectors:
1) Is the server exposed directly to the OUTSIDE?
    a) Check whether the service can be compromised (buffer overflow, etc., brute force attack).
    b) If this is a web server, make sure your pages are not susceptible to SQL injection and the like.
    c) If this is a mail server, make sure you do not have processing rules that may trigger the loading of a virus on the server.
    d) Terminal Server: make sure to have complex passwords as well as a password policy that forces the change of the password within a reasonable amount of time. If possible, use two-factor authentication.
    e) The use of a local firewall for the exposed services often means they have an exemption.
2) If the compromise attack can only be achieved from the inside, only exposed services, as you mentioned, are susceptible: file shares are also a way that an admin could load something up in error.
3) Internal users can also try buffer overflow/stack overflow through an attack on the network. If I am not mistaken, there were times where the local firewall was saturated with packets/specific types of packets, and that was the means through which the system was compromised: a buffer/stack overflow in the firewall packet processing. I think it was a large and specific type of packet.

IMHO, it is best to know what your system's exposure is, whether you use a local firewall or not.
Implementing a firewall, local or dedicated external, does not mitigate one's responsibility to make sure they are knowledgeable about what is running on the system and plan/secure the system/services as though it is exposed to the outside.
You never know whether an error in an update can drop the firewall.
0
 
LVL 62

Expert Comment

by:gheist
ID: 39951548
Your boss browses nasty sites and catches a QuickTime exploit. That loads code that uses some network vulnerability on omnipresent Windows workstation ports...
0
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 39951755
I'm not sure what you are looking for here. I've told you it is easier. How MUCH easier is not an answerable question. Arnold has explained why and given much more conceptual answers on that front.

It almost seems like you WANT someone to just tell you it is fine to leave a local firewall disabled and that they are useless. I suppose if you ask enough people enough times, you'll find someone with that opinion. But it isn't my opinion, and trying to force the answer you want to hear isn't productive for anybody here.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39951882
Hi pma111.

If a firewall blocks everything, the server cannot be used for anything; that should be clear. If all is unblocked, there will be ports open. But is that bad? Those ports could be used for attacks, yes. But whether those succeed depends on many things, so in no way can you get answers on "how much easier".

Usually, you would use the firewall like this:
port range A (Ports xxx,yyy,...): accessible from machineX/group of machines Y
port range B: Accessible from machine Z/...

So you will use it to minimize the attack surface by limiting certain machines to certain ports. You won't make ports accessible to machines that don't need to use them.

I wonder if someone in charge of deciding about firewall and network settings or even setting those can hope to find an answer here if he does not even know the basics. And this question alone suggests that you don't. You should learn those elsewhere, not through a forum and then come back with questions about technical details that you don't understand.
0
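Cliff's point that a service can keep listening while only approved senders reach it, and McKnife's port-range-per-machine layout, as an added PowerShell example that is not part of any post in this thread; the subnet, host addresses and rule-group name are assumed placeholders, and the NetSecurity cmdlets need Windows Server 2012 / Windows 8 or later and an elevated session:

```powershell
# Added example: a baseline for an internal Windows server that keeps SMB, RDP
# and RPC listening but reachable only from approved machines.
# The addresses and group name below are constructed placeholders.
$AdminSubnet = '10.0.10.0/24'              # assumed: admin workstation subnet
$JumpHost    = '10.0.10.5'                 # assumed: the only host allowed to RDP in
$BackupHost  = '10.0.20.7'                 # assumed: backup server that needs SMB
$Group       = 'Internal Server Baseline'  # constructed rule-group name

# 1. Firewall on for every profile; inbound is blocked unless a rule allows it.
#    Blocked packets are logged so unexpected callers are visible rather than
#    silently dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 16384 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Port range A: RDP, reachable only from the jump host.
New-NetFirewallRule -DisplayName 'RDP from jump host' -Group $Group `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $JumpHost -Action Allow -Profile Domain,Private

# 3. Port range B: SMB, reachable from the admin subnet and the backup server.
New-NetFirewallRule -DisplayName 'SMB from admin subnet and backup' -Group $Group `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $AdminSubnet,$BackupHost -Action Allow -Profile Domain,Private

# 4. RPC endpoint mapper and the dynamic RPC range (DCOM, WMI, remote
#    management), scoped to the admin subnet. 'RPC-EPMap' and 'RPC' are the
#    keywords Windows Firewall accepts for those port ranges.
New-NetFirewallRule -DisplayName 'RPC endpoint mapper from admin subnet' -Group $Group `
    -Direction Inbound -Protocol TCP -LocalPort RPC-EPMap `
    -RemoteAddress $AdminSubnet -Action Allow -Profile Domain,Private
New-NetFirewallRule -DisplayName 'RPC dynamic ports from admin subnet' -Group $Group `
    -Direction Inbound -Protocol TCP -LocalPort RPC `
    -RemoteAddress $AdminSubnet -Action Allow -Profile Domain,Private

# 5. Review: list each baseline rule with the ports it opens and the remote
#    addresses it trusts, i.e. the "which machines reach which ports" table.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        LocalPort     = (($_ | Get-NetFirewallPortFilter).LocalPort) -join ','
        RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
    }
} | Format-Table -AutoSize
```

From a machine outside the approved ranges, `Test-NetConnection -ComputerName <server> -Port 445` should now report the port as unreachable, and the attempt appears in the log file configured above.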
