Poll: Is a software firewall necessary if you have a hardware firewall ??

Page 5 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

Oaf357

Senior member
Sep 2, 2001
956
0
0
Originally posted by: spidey07
Once again, a list of companies I have personally designed and implemented a desktop firewall on every PC:

American Standard
UPS
Netgain
My current employer

My ego is not bruised at all. You just aren't listening.

How is a roaming laptop that attaches to networks outside of your administrative control protected by good administration? This is really the worst case, with the second worst being internal hacking/surveillance.

As I understand your position you are saying that it is alright if I attach to your network, scan all your hosts and then run known exploits on them. Or simply get a topology map of your networks and all hosts attached?

I'm sorry. I can't leave this alone.

My first point, spidey07, is if this is your only point of every desktop having a software firewall then you're adding quite a bit of overhead to accomplish very little. If this were a very common thing in your network then I would be talking to the president of the company, because some people need to go.

My second point, administration and good physical management makes this quite difficult. Plus, if you have good sniffers in and around critical locations you should be warned of such events and catch them in the act, which in some ways is better than denying them because the problem is eliminated (and in some cases hauled off to jail). However, read my first point again.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
That's a good point oaf,

Unfortunately it happens in a lot of companies. One of the most annoying vulnerabilities is tunneling over HTTP or HTTPS because this effectively disables any edge firewalls. Consultant comes in for a few weeks of work, fires up a VPN tunnel to his work place to get some e-mail - the firewall has been effectively bypassed. The traffic is now encrypted in HTTPS meaning no amount of IDS can "see" the traffic. Consultant now has free rein of any application. Hopefully you can contain that activity in case he gets some kind of worm or backdoor. With all your personal firewalls in place, all with a central policy and all with central logging, you get incredible visibility into any suspicious activity that may occur. The overhead to run such a centrally managed policy really almost runs itself, similar to a good virus or software distribution package.

But our discussion leads down a critical path -

There are MANY ways to do security, one of which includes personal firewalls that supplement other best practices. They support each other and are not completely mutually exclusive.
 
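An added example, not code from the thread or any poster, of the central-logging visibility spidey07 describes: drops that each desktop's firewall forwards to one log host are correlated so that a source sweeping many peers (or many ports on one peer) stands out, which no single desktop and no edge firewall would notice. The log format, host names, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Hypothetical forwarded-log format:
# <timestamp> <reporting_desktop> FW_DROP src=<ip> dst=<ip> dport=<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<reporter>\S+) FW_DROP src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: each desktop saw only one or two drops; the pattern
# is visible only once the lines are collected on the central log host.
SAMPLE_LOGS = """\
2003-02-18T09:00:01 ws-101 FW_DROP src=10.1.4.23 dst=10.1.4.101 dport=445
2003-02-18T09:00:01 ws-102 FW_DROP src=10.1.4.23 dst=10.1.4.102 dport=445
2003-02-18T09:00:02 ws-103 FW_DROP src=10.1.4.23 dst=10.1.4.103 dport=445
2003-02-18T09:00:02 ws-104 FW_DROP src=10.1.4.23 dst=10.1.4.104 dport=445
2003-02-18T09:00:03 ws-105 FW_DROP src=10.1.4.23 dst=10.1.4.105 dport=445
2003-02-18T09:01:10 ws-120 FW_DROP src=10.1.4.77 dst=10.1.4.120 dport=22
2003-02-18T09:01:10 ws-120 FW_DROP src=10.1.4.77 dst=10.1.4.120 dport=23
2003-02-18T09:01:11 ws-120 FW_DROP src=10.1.4.77 dst=10.1.4.120 dport=80
2003-02-18T09:01:11 ws-120 FW_DROP src=10.1.4.77 dst=10.1.4.120 dport=135
2003-02-18T09:01:12 ws-120 FW_DROP src=10.1.4.77 dst=10.1.4.120 dport=139
2003-02-18T09:02:00 ws-130 FW_DROP src=10.1.4.9 dst=10.1.4.130 dport=445
"""


def parse(log_text):
    """Yield one dict per well-formed FW_DROP line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def flag_sweeps(log_text, host_threshold=5, port_threshold=5):
    """Return {src: reason} for sources whose drops, seen across many desktops'
    firewalls, look like a sweep of many hosts or of many ports on one host."""
    dsts = defaultdict(set)                         # src -> distinct destinations
    ports = defaultdict(lambda: defaultdict(set))   # src -> dst -> distinct ports
    for rec in parse(log_text):
        dsts[rec["src"]].add(rec["dst"])
        ports[rec["src"]][rec["dst"]].add(rec["dport"])
    flagged = {}
    for src, targets in dsts.items():
        if len(targets) >= host_threshold:
            flagged[src] = f"host sweep: {len(targets)} hosts"
            continue
        for dst, seen_ports in ports[src].items():
            if len(seen_ports) >= port_threshold:
                flagged[src] = f"port sweep of {dst}: {len(seen_ports)} ports"
                break
    return flagged
```

The single drop from 10.1.4.9 stays below both thresholds and is left as ordinary noise.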

chsh1ca

Golden Member
Feb 17, 2003
1,179
0
0
Originally posted by: spidey07


American Standard
UPS
Netgain
My current employer

My ego is not bruised at all. You just aren't listening.

Then why all the moaning about insulting you in a public forum and such? I invited you to continue the conversation privately, or in a new thread, you said no, and proceeded to continue in this thread, which is irrelevant to the discussion we are having...

How is a roaming laptop that attaches to networks outside of your administrative control protected by good administration? This is really the worst case, with the second worst being internal hacking/surveillance.

As I understand your position you are saying that it is alright if I attach to your network, scan all your hosts and then run known exploits on them. Or simply get a topology map of your networks and all hosts attached?

If you are going to claim the other person in a debate isn't listening, at least make sure you've given every effort to understand what they are saying.

I specifically said that if you have untrusted machines attaching to your network, then you put them on an UNTRUSTED network segment of their own. You treat them as no better than the internet in terms of security. This is in and of itself a Network Administration principle. You have to combine both good Network Administration with good Systems Administration. In situations where you can't control the laptop itself, it is considered 'untrusted', hence you don't put it on the same network as your 'trusted' boxes. This falls outside of the realm of everything I have been discussing, and I have made it explicitly clear in every post that it is specifically 'trusted' boxes I'm talking about.

Now, given what you are saying (that each desktop should protect itself from every other desktop on the network, because some of them may be untrusted), I'm saying that given a simple basic principle of network security (separating the untrusted boxes onto their own network) and with good systems administration (protected shares, etc.), you can dispel the need for installing desktop firewalls on every desktop, which would save a LOT of money on licensing.

Note that at no point during this debate have I said there would never be a need for it, merely that I didn't see one, and can't imagine one simply because you should be able to consider any box you maintain to be 'trusted', and should therefore only have to worry about 'untrusted' boxes, which you wouldn't maintain... In the case of a user bringing a laptop to work and home etc, it may be in their (and your) best interest to install a desktop firewall, but I reiterate that I wasn't discussing these types of machines.
 

chsh1ca

Golden Member
Feb 17, 2003
1,179
0
0
Originally posted by: spidey07
That's a good point oaf,

Unfortunately it happens in a lot of companies. One of the most annoying vulnerabilities is tunneling over HTTP or HTTPS because this effectively disables any edge firewalls. Consultant comes in for a few weeks of work, fires up a VPN tunnel to his work place to get some e-mail - the firewall has been effectively bypassed. The traffic is now encrypted in HTTPS meaning no amount of IDS can "see" the traffic. Consultant now has free rein of any application. Hopefully you can contain that activity in case he gets some kind of worm or backdoor. With all your personal firewalls in place, all with a central policy and all with central logging, you get incredible visibility into any suspicious activity that may occur. The overhead to run such a centrally managed policy really almost runs itself, similar to a good virus or software distribution package.

See, that's the kind of situation where the consultant should be put on an untrusted network. You have no guarantees what can be accessed. Also, you can neuter tunnelling by using an HTTP-only proxy, can you not?

But our discussion leads down a critical path -

There are MANY ways to do security, one of which includes personal firewalls that supplement other best practices. They support each other and are not completely mutually exclusive.

I agreed with this statement earlier, and I still do.

 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Another good point about putting consultants in a bastion network. But with 100s or thousands of LANs spread all over the world that quickly becomes impractical.
 

Oaf357

Senior member
Sep 2, 2001
956
0
0
Originally posted by: chsh1ca
Originally posted by: spidey07
That's a good point oaf,

Unfortunately it happens in a lot of companies. One of the most annoying vulnerabilities is tunneling over HTTP or HTTPS because this effectively disables any edge firewalls. Consultant comes in for a few weeks of work, fires up a VPN tunnel to his work place to get some e-mail - the firewall has been effectively bypassed. The traffic is now encrypted in HTTPS meaning no amount of IDS can "see" the traffic. Consultant now has free rein of any application. Hopefully you can contain that activity in case he gets some kind of worm or backdoor. With all your personal firewalls in place, all with a central policy and all with central logging, you get incredible visibility into any suspicious activity that may occur. The overhead to run such a centrally managed policy really almost runs itself, similar to a good virus or software distribution package.

See, that's the kind of situation where the consultant should be put on an untrusted network. You have no guarantees what can be accessed. Also, you can neuter tunnelling by using an HTTP-only proxy, can you not?

But our discussion leads down a critical path -

There are MANY ways to do security, one of which includes personal firewalls that supplement other best practices. They support each other and are not completely mutually exclusive.

I agreed with this statement earlier, and I still do.

He is right Spidey07.

If you have consultants in and out they should have a very limited ability to traverse your mission critical network infrastructure. They shouldn't even be able to get to your network at all from the network you put them on. I would even tell them to go pound sand unless they were very trusted consultants and tell them that their hotel is a good place to access the Internet.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Maybe if I give a little background it would help...

Over the last few years we have seen an explosion in the "mobile enterprise" and "anytime/anywhere access". VPNs and ready internet access have enabled it.

VPN technology is very mature nowadays and can be easily deployed to enable the mobile enterprise where users need only a hotel internet connection, airport or wireless net to access corporate resources and applications. I think we would all agree that most if not all good sized enterprises use VPNs to allow users to connect to internal resources.

So when I started tackling this trend 4 years ago there was always one nagging concern. "How can I protect all these 1000s of roaming laptops that are attaching to the internet/hostile networks and prevent them from disrupting service?"

And so the personal firewall was born and has been maturing at a good pace.

I still fail to see how a personal firewall is not needed (or at the very least not investigated) in today's environment. If I had complete and perfect control over every single PC and node on a network then possibly it could be avoided. But I've never seen such a network.

As an FYI - I'm starting to address the consultant and unauthorized user on our LANs with the use of 802.1x. Don't have a certificate or good user/pass? Then you don't get no IP and you no talky-talky. :)
 

Oaf357

Senior member
Sep 2, 2001
956
0
0
And no one is saying that with the roaming laptops they wouldn't use a software firewall. But, in turn, what permissions do those users with the roaming laptops have on those laptops when they're roaming? That is one problem I see.

The other problem I see is that they would never really be behind a hardware firewall, making your point even more valid. But making the point of you addressing this as your key reason for using software firewalls behind hardware firewalls rather pointless, unless their roaming laptop is their not-roaming desktop when that user isn't roaming. But, then they would be behind the well administered firewall on the well administered network.

Might be confusing to read but the idea is accurate, yes?
 

chsh1ca

Golden Member
Feb 17, 2003
1,179
0
0
Originally posted by: spidey07
Maybe if I give a little background it would help...

Over the last few years we have seen an explosion in the "mobile enterprise" and "anytime/anywhere access". VPNs and ready internet access have enabled it.

VPN technology is very mature nowadays and can be easily deployed to enable the mobile enterprise where users need only a hotel internet connection, airport or wireless net to access corporate resources and applications. I think we would all agree that most if not all good sized enterprises use VPNs to allow users to connect to internal resources.

So when I started tackling this trend 4 years ago there was always one nagging concern. "How can I protect all these 1000s of roaming laptops that are attaching to the internet/hostile networks and prevent them from disrupting service?"

And so the personal firewall was born and has been maturing at a good pace.

I still fail to see how a personal firewall is not needed (or at the very least not investigated) in today's environment. If I had complete and perfect control over every single PC and node on a network then possibly it could be avoided. But I've never seen such a network.

I didn't say it shouldn't be investigated, I simply said I don't see its use on the desktops you could consider 'trusted'. Laptops are another beast entirely. Luckily I have to deal with a minimum of these, and I don't let the roaming force have remote access. We have encrypted webmail for access to their emails, and anything that they need they get sent to them. Fortunately I'm in a situation where I can be as much of a dictator as I choose. Other places aren't as fortunate (like when I worked at the university).

As an FYI - I'm starting to address the consultant and unauthorized user on our LANs with the use of 802.1x. Don't have a certificate or good user/pass? Then you don't get no IP and you no talky-talky. :)

Good solution. :) I can see 802.1x becoming more and more popular.

The more and more we discuss this and hammer out exactly what the other person is trying to say, the more and more I think we were really arguing about two separate issues.