Solved

local firewall necessity

Posted on 2014-03-24
Last Modified: 2014-03-25
Can anyone give a bit of a laymans tech free management friendly summary of the necessity of enabling the local windows firewall on internal (private network) windows servers. Realistically, if only necessary services are running, how much easier would it be for an attacker to gain access to the server if there is no local firewall enabled? And can you think of any reason why admins would not enable the firewall for internal servres, does it cause operational/support issues?
Question by:pma111
12 Comments
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 39949884
In management terms, it is an effort/reward balance. Maintaining local firewall rules requires minimal effort and almost zero maintenance. Even if that stops one attack one time, the effort paid for itself.
 
LVL 3

Author Comment

by:pma111
ID: 39949892
Realistically, if only necessary services are running, how much easier would it be for an attacker to gain access to the server if there is no local firewall enabled?
 
LVL 57

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 250 total points
ID: 39949912
That is an unknowable question. If the flaw were known, it'd be patched. A local firewall would have stopped Slammer. And for that matter, while the flaw Blaster had exploited had been patched a month earlier, many companies take longer than a month to approve patches. A properly configured local firewall would have prevented that as well.

Sometimes local services NEED to listen. Especially like DCOM and RPC. But a local firewall can restrict the traffic that reaches those services to a list of approved sending IPs. So whereas a running network service alone is an all-or-nothing situation (it is either running and listening or it is stopped and isn't listening), a local firewall allows for more granular control (the service is listening but can only receive traffic from approved machines.)

So how much easier is it? Who knows... until the next slammer/blaster. But when turning on the firewall and creating a few rules is so easy, and when that can prevent the next slammer, why not?

That is a little more technical than management usually wants or needs, but there ya go...
 
LVL 77

Expert Comment

by:arnold
ID: 39949945
The quandary as your questions points out is what the exposure vector is and whether the performance/load from each system having to deal ......

Implementing an IDS/IPs proxy with content filtering anti-virus ........

IMHO, as the admin there is a way to manage the risk.

Is your question deals primarily with the local firewall on the servers or general enough to include the workstations?
 
LVL 3

Author Comment

by:pma111
ID: 39949999
Only interested in servers in this case.

Are you saying:

>>Implementing an IDS/IPs proxy with content filtering anti-virus ........

Mitigates the need to enable the local firewall?
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 39950027
In my opinion, a proxy-based IPS alone is not sufficient. A host-based one could be, but host-level IPS systems include a local firewall as part of their intrusion prevention.
 
LVL 77

Expert Comment

by:arnold
ID: 39950813
The proxy-based data analysis mitigates some of the virus/backdoor intrusions that often lead to these issues.  The proxy also enables the implementation of restrictions to which sites/locals access is not authorized.
Restricting plugin of storage devices is also a way to mitigate the introduction of a foreign app/virus into the environment.

The short of it, the complexity/importance of the underlying data will dictate the complexity and thoroughness of the approach.
i.e. highly valued data will have network segmentations, with each network segment having its own firewall/IPS/IDS and rules

Unfortunately, there is no yes/no answer to this question.
 
LVL 3

Author Comment

by:pma111
ID: 39951019
Can anyone elaborate on how much easier it is to compromise a server without a local firewall? That may help visualise how vital it is to enable the local firewall. Is it a simple process to hack a server without a local firewall, and how much harder is it when a firewall with appropriate rules in place is set?
 
LVL 77

Accepted Solution

by:arnold
arnold earned 250 total points
ID: 39951103
To compromise a server you have to consider the possible attack vectors:
1) is the server exposed directly to the OUTSIDE
    a) check whether the service can be compromised (buffer overflow, etc. brute force attack)
    b) if this is a web server make sure your pages are not susceptible to SQL injection, and the like
    c) if this is a mail server, make sure you do not have processing rules that may trigger the loading of the virus on the server
    d) Terminal Server: make sure to have complex passwords as well as have a password policy that forces the change of the password in a reasonable amount of time.  If possible, use two factor authentication.
    e) the use of a local firewall for the exposed services often means they have an exemption.
2) If the compromise attack can only be achieved from the inside, only exposed services as you mentioned are susceptible: fileshares are also a way that an admin could load up in error.
3) internal users can also try buffer overflow/stack overflow through an attack on the network.  If I am not mistaken, there were times where the local firewall was saturated with packets/specific types of packets, that it was the means through which the system was compromised. buffer/stack overflow in the firewall packet processing.  I think it was a large and a specific type of packet.

IMHO, it is best to know what your system's exposure whether you use a local firewall or not.
Implementing a firewall local or dedicated external does not mitigate ones responsibility to make sure they are knowledgeable about what is running on the system and plan/secure system/services as though it is exposed to the outside.
You never know whether an error on an update can drop the firewall.
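The accepted answer's closing point, "know what your system's exposure is whether you use a local firewall or not", can be checked on the server itself. The script below is an added example, not part of the answer or of any Microsoft documentation: it lists every listening TCP port alongside the enabled inbound allow rules that reach it, flags ports that are allowed from any address, and notes whether an unlisted port is still reachable because a profile's default inbound action is not Block. It assumes the NetSecurity and NetTCPIP cmdlets (Windows Server 2012 / Windows 8 or later) and, for the RPC keyword, the default dynamic port range; both are assumptions, and the function names Test-PortSpec and Get-InboundExposure are mine.

```powershell
# Added example, not part of the accepted answer. Lists every listening TCP port
# on this server next to the enabled inbound allow rules that reach it, and
# flags ports reachable from any address. Needs the NetSecurity and NetTCPIP
# modules (Windows Server 2012 / Windows 8 or later); run from an elevated session.

function Test-PortSpec {
    # Does a rule's LocalPort entry cover $Port? Entries look like '135',
    # '49152-65535', 'Any', or the keywords 'RPC-EPMap' (port 135) and 'RPC'
    # (the dynamic range; assumed to be the default 49152-65535 here).
    param([string]$Spec, [int]$Port)
    switch -Regex ($Spec) {
        '^Any$'          { return $true }
        '^RPC-EPMap$'    { return ($Port -eq 135) }
        '^RPC$'          { return ($Port -ge 49152 -and $Port -le 65535) }
        '^(\d+)-(\d+)$'  { return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) }
        '^\d+$'          { return ([int]$Spec -eq $Port) }
        default          { return $false }
    }
}

function Get-InboundExposure {
    # Enabled inbound allow rules with their port and address filters attached.
    $allowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $portFilter = $_ | Get-NetFirewallPortFilter
            $addrFilter = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $_.DisplayName
                Protocol      = $portFilter.Protocol
                LocalPort     = @($portFilter.LocalPort)
                RemoteAddress = @($addrFilter.RemoteAddress)
            }
        }

    # True only if no enabled profile allows inbound traffic by default
    # ('NotConfigured' falls back to Windows' built-in default of Block).
    # If this is false, a listening port with no rule is reachable anyway.
    $defaultBlock = @(Get-NetFirewallProfile |
        Where-Object { $_.Enabled -and $_.DefaultInboundAction -eq 'Allow' }).Count -eq 0

    $listeners = Get-NetTCPConnection -State Listen
    foreach ($port in ($listeners.LocalPort | Sort-Object -Unique)) {
        $owner = ($listeners | Where-Object LocalPort -eq $port | Select-Object -First 1).OwningProcess
        # A rule covers the port if its protocol is TCP or Any and one of its
        # LocalPort entries matches.
        $matching = @($allowRules | Where-Object {
            $rule = $_
            ($rule.Protocol -in 'TCP', 'Any') -and
            @($rule.LocalPort | Where-Object { Test-PortSpec -Spec $_ -Port $port }).Count -gt 0
        })
        [pscustomobject]@{
            LocalPort  = $port
            Process    = (Get-Process -Id $owner -ErrorAction SilentlyContinue).ProcessName
            AllowRules = ($matching.Name -join '; ')
            OpenToAny  = [bool]($matching | Where-Object { $_.RemoteAddress -contains 'Any' })
            Reachable  = ($matching.Count -gt 0) -or (-not $defaultBlock)
        }
    }
}

# Ports reachable from anywhere sort to the top; review each one against the
# list of machines that actually need it.
Get-InboundExposure | Sort-Object OpenToAny, Reachable -Descending | Format-Table -AutoSize
```

A row with OpenToAny set to True is the all-or-nothing situation described earlier in the thread: the service listens and any machine on the network can talk to it. A row with Reachable set to True but an empty AllowRules column means the profile default, not a rule, is what exposes the port, which is the "an error on an update can drop the firewall" case from the answer above.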
 
LVL 62

Expert Comment

by:gheist
ID: 39951548
Your boss browses nasty sites and catches a QuickTime exploit. That loads the code that uses some network vulnerability on omnipresent Windows workstation ports...
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 39951755
I'm not sure what you are looking for here. I've told you it is easier. How MUCH easier is not an answerable question. Arnold has explained why and given much more conceptual answers on that front.

It almost seems like you WANT someone to just tell you it is fine to leave a local firewall disabled and that they are useless. I suppose if you ask enough people enough times, you'll find someone with that opinion. But it isn't my opinion, and trying to force the answer you want to hear isn't productive for anybody here.
 
LVL 54

Expert Comment

by:McKnife
ID: 39951882
Hi pma111.

If a firewall blocks anything, the server cannot be used for anything, that should be clear. If all is unblocked, there will be ports open. But is that bad? Those ports could be used for attacks, yes. But if those succeed depends on many things, so in no way can you get answers on "how much easier".

Usually, you would use the firewall like this:
port range A (Ports xxx,yyy,...): accessible from machineX/group of machines Y
port range B: Accessible from machine Z/...

So you will use it to minimize the attack surface by limiting certain machines to certain ports. You won't make ports accessible to machines that don't need to use them.

I wonder if someone in charge of deciding about firewall and network settings or even setting those can hope to find an answer here if he does not even know the basics. And this question alone suggests that you don't. You should learn those elsewhere, not through a forum and then come back with questions about technical details that you don't understand.
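The rule layout sketched above ("port range A accessible from machine X / group Y, port range B from machine Z") is the same granular control Cliff Galiher described for DCOM and RPC: the service keeps listening, but only approved senders reach it. The script below is an added example showing that layout as actual Windows Firewall rules; it is not from this thread or from Microsoft's documentation. It assumes the NetSecurity cmdlets (Windows Server 2012 / Windows 8 or later), and every rule name, port and address in it is a constructed placeholder to be replaced with your own inventory.

```powershell
# Added example, not from the thread. One inbound allow rule per port range,
# each scoped to the machines that need that range, with inbound traffic
# blocked by default so anything not listed is unreachable. All names, ports
# and addresses are placeholders. Run from an elevated session.

# Constructed inventory: port range -> approved remote addresses.
$rules = @(
    @{ Name = 'Scoped - RPC endpoint mapper from mgmt hosts'
       Protocol = 'TCP'; LocalPort = '135'
       RemoteAddress = @('10.0.10.5', '10.0.10.6') },       # placeholder management hosts
    @{ Name = 'Scoped - RPC dynamic range from mgmt hosts'
       Protocol = 'TCP'; LocalPort = '49152-65535'
       RemoteAddress = @('10.0.10.5', '10.0.10.6') },
    @{ Name = 'Scoped - SMB from application subnet'
       Protocol = 'TCP'; LocalPort = '445'
       RemoteAddress = @('10.0.20.0/24') }                  # placeholder subnet
)

# 1. Enable the firewall on the profiles a domain-joined server uses and make
#    Block the default for inbound traffic; log drops so a missing rule shows
#    up in the log instead of as a silent outage.
Set-NetFirewallProfile -Profile Domain,Private -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True

# 2. Create (or refresh) one inbound allow rule per entry, limited to the
#    approved senders. The group name lets the set be listed or removed together.
foreach ($r in $rules) {
    $existing = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
    if ($existing) { $existing | Remove-NetFirewallRule }
    New-NetFirewallRule -DisplayName $r.Name -Group 'Scoped service access' `
        -Direction Inbound -Action Allow -Profile Domain,Private `
        -Protocol $r.Protocol -LocalPort $r.LocalPort `
        -RemoteAddress $r.RemoteAddress | Out-Null
}

# 3. Show what was applied: the port filter and address scope of each rule.
Get-NetFirewallRule -Group 'Scoped service access' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize
```

On Windows Server 2008 R2, which lacks the NetSecurity module, the equivalent of step 2 is `netsh advfirewall firewall add rule name="..." dir=in action=allow protocol=TCP localport=135 remoteip=10.0.10.5,10.0.10.6`, with the same placeholder values. In either form the service stays running; what changes is that a machine outside the RemoteAddress list gets no response from that port, which is the difference between "listening" and "reachable" that the question is asking about.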