Slashdot Mirror
Are Desktop Firewalls Overkill?
Barence writes "Should you be running firewalls on your desktop and server machines? PC Pro's Jon Honeyball argues the case for switching off Windows firewalls and handing over responsibility for security to server-based solutions. 'I'd rather have security baked right into my network design than scattered willy-nilly around my desktops and servers,' Honeyball argues. 'It seems to me that there's much sense in concentrating your security into a small number of trusty gatekeepers rather than relying on a fog of barely managed faux security devices. Of course, it puts your eggs into fewer baskets, but it does mean these gatekeepers are easier to control and manage: monitoring them in real-time becomes routine.'"
why not both?
I'll give him the benefit of the doubt in that the use of the term "desktop" means just that and excludes mobile devices that might be connected up to uncontrolled and potentially insecure networks, but even so this is still dumb. There are plenty of security applications out there, on all OS platforms, that allow centrally managed security policies to be pushed out to clients, so why wouldn't you use one if you have the budget and know how? For instance, if you know the IPs of your IT/management workstations (you did put them all in the same subnet, right?), then why on earth wouldn't you lock down access to your client based remote admin tools to just that subnet? Equally, why would you want your desktops to be able to connect to any other key server (DNS, SMTP, Proxy...) other than the official ones?
Oh, right. You want to have a major clean up operation and all the business disruption that entails on your hands the next time some worm using a 0-day exploit manages to get inside your network and runs rampant. That's an approach that is (allegedly) working out real well for the techs at Iran's Bushehr nuclear plant right now...
UNIX? They're not even circumcised! Savages!
Not to mention network attacks that originate inside your NAT. For example: that dumb ass down the hall who keeps clicking on viagra links in his emails.
What are you going to do? Put a hardware firewall on every cord?
Kind of like Wolverine? Cool!
which is totally what she said
Server-based and gatekeeper solutions are useless when the compromise comes from other systems on the same network. Especially when the guy next to you clicks on a genuine-looking link in a forged email :-P
I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
Maybe there are cases where running host based Firewalls and/or IPS is overkill. But you _never_ pretend that you've got security 100% covered. It's great to think you have security locked down, but threats come from _all_ angles.
Case in point, I don't care how good your external firewall/IPS is if John in Sales decides to try and break into a server on the LAN. Hence, Defense in Depth. Multiple layers of security all the way down to the OS. Sure, that desktop over there might contain _no_ critical data whatsoever. That doesn't mean it won't end up becoming a SPAM bot or have a backdoor installed for easy LAN access.
"Here’s a contentious topic to chew on, but before I go any further let me make something crystal clear – I’m not advocating that you try this, I’m not saying it’s a good idea, and I’m not saying I would do it on my own networks."
Frankly, it sounds like he just wants to write an article with an absurd title to get clicks, nothing of value to see here
Putting the firewall on the machine its meant to protect is like wearing a bulletproof vest inside your body.
That's really not true. The firewall on the machine is an effective part of an overall strategy. It helps protect your systems from rogue nodes, for example. To have them non-firewalled is foolish. Why expose ports unnecessarily?
The desktop firewall is completely necessary. It is, however, also inadequate.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
It doesn't. And that's why enterprise computers are so good at spreading worms; as soon as one PC behind the firewall gets infected they all fall.
Seems like a rather silly article, as most medium-large business I've encountered already shut off desktop firewalls since the hassle of managing a firewall on every machine often outweighs the risks.
How can I believe you when you tell me what I don't want to hear?
A machine firewall does what...it protects the computer from the listening ports that the OS allowed ITSELF to open.
A simple correspondence list of listening port to application would have killed this issue dead at the beginning. Of course, then people would ask why so much crap needs to be open by default on Microsoft operating systems. For added hilarity, the OS now allows applications to insert their own machine firewall exceptions.
And before I hear about pf and iptables, you do not need to run those. A well managed system on those platforms needs a firewall like it needs trepanning.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
In order to get a terminal which does something as simple as read all websites, it has to support a ton of bloated technologies, which more or less forces you to run some expensive bloaty OS, with a bunch of other protections. Gigabytes of support libraries to display a page. Websites are supposed to be universally readable. Thankfully now mobile devices are popular and low-powered, perhaps now the universal-readable concept and argument will gain more strength over the most-visual-selling argument.
Build your own energy sources from scratch. http://otherpower.com/
The article has the kernel of an interesting point, namely the trade-off between the cost of managing firewalls on all the workstations in an enterprise, versus their inevitable half-assed-ness and tendency to get in the way, thereby consuming support hours.
But, where I work, we have a standard config that gets pushed out to all the systems, and I suspect that's pretty standard. Half-assedness arises when individual users open (or close) random ports on their own firewalls, but that case by definition doesn't necessarily consume support time if it's the users doing it, and not the support team.
Our operating theory is that of defense in depth. The boundary routers have fixed routing tables and firewalls. The servers have firewalls and white-lists of allowed clients. Clients have firewalls and intrusion-detection systems. Network traffic is monitored for suspicious patterns. And machines with special network needs are in a firewall DMZ and separately managed.
It's not perfect by any means, and I sometimes wish we could be more flexible, but I'm not ready to pre-emptively exclude any of these tools.
2*3*3*3*3*11*251
The most important "desktops" are the laptops that get hauled around airports by the powers that be. Relying exclusively on your servers/switches to isolate your "desktops" doesn't work in a Beijing hotel.
This really is too obvious to be worth mentioning. Anyone indulging this non-debate is a liability.
Lurking at the bottom of the gravity well, getting old
I was given that very advice recently while strapping on the seat-belt.
From a nurse, no less.
And I wish I had a dime every time someone told me "You don't need the seatbelt - there are no cops around here/I know the cops around here/it's just couple of minutes down the road."...
Mit der Dummheit kämpfen Götter selbst vergebens
Seriously? There's a reason we have this thing called defense in depth. Sure - you may have a reasonably secure network, hardware firewall, policies, etc... but that doesn't mean you start removing other bits to make up for it.
Quo usque tandem abutere, Nimbus, patientia nostra?
In your experiences with corporate IT, your corporate IT staff have thus been incompetent.
Windows firewall is configuration via group policy, with multiple profiles for both inside and outside of your network. Your perimeter firewall will NOT save your network from some arse-clown plugging in an infected box. It will NOT save your laptop from being infected whilst in use at a wifi hotspot.
It will also not protect your network from some idiot plugging in an unsecured Wifi access point, or for that matter hopping onto a machine left logged in and unlocked.
The perimeter firewall mitigates the bulk of the threats to your corporate network sure, but if you have nothing else to protect your internal hosts, you're leaving yourself open to getting screwed, big time.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
When the person who sits next to you gets infected, your desktop firewall still defends against his machine attempting to infect yours.
The Slashdot user name "BadAnalogyGuy" is already taken ... and at the risk of being modded down, might I suggest learning about computer security before pretending you understand it on Slashdot?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
.
As many others here have mentioned, computer security is multi-level. Per-computer firewalls have as much of a place in security plans as do network edge firewalls.
Maybe the next thing than Mr. Honeyball will be advocating is that PC programs and operating systems do not need to be secure because the network is protected by a firewall.
I know that ZoneAlarm is obnoxious but on a desktop the best "firewall" isn't a port & address based filter, but instead an application layer firewall that can say "Hey, the officially installed web browser can go out on port 80, but not some random malware you just downloaded" While this doesn't protect you from everything (like the browser itself being hijacked) it can make a big difference in stopping any old program that wants to go to a random website. One of my biggest issues with Linux is that this type of security isn't even possible short of using some of the more arcane features in SELinux that normal desktop users are never going to configure.
AntiFA: An abbreviation for Anti First Amendment.
The whole point of a firewall is blocking connections. I don't know about anyone else, but I make a point to not run services that I don't want people to connect to on my machine. How hard is that?
An outgoing firewall though is immensely valuable. I love seeing everything that every little shareware app or office suite tries to phone home with. When doing local web development, I've even been surprised to find a number of open source CMS/frameworks phoning home with more info than I care to share.
Many networks are exactly as the article describes, no firewalls on desktops or individual servers and instead relying entirely on the border firewall connecting the company lan to the internet...
What this means however, is that a single rogue employee, rogue wireless access point, mobile device or laptop, or an exploit which penetrates the border firewalls (browser based, email based etc) results in a catastrophic breach as it becomes trivial to compromise everything once you get behind the main firewalls.
Now don't get me wrong, desktop firewalls are a nasty crutch too - desktop machines should _NEVER_ be offering services to the network, especially by default, and therefore shouldn't need a firewall to block access to these services... The fact that windows comes with several services listening by default on a workstation configuration (msrpc, smb, etc) is just stupid, the fact these services are a pain to disable even more so, and the fact people would rather hide these services behind a firewall instead of turning them off is just laughable - if noone needs to access them they shouldn't be running at all, not hiding behind a firewall.
Ideally your network should have a secure and well monitored gateway to the internet, as well as a secure and well monitored gateway between servers and workstations (and if possible treat the workstations as totally untrusted and make them use a vpn)...
The workstations themselves should expose no services to the network, or at most expose a single admin service which can only be reached from a predefined management network.
The firewalls should be for logging rather than filtering, on the basis that if a service doesnt need to be accessed it shouldnt be listening, not relying on a firewall to block it.
Servers should only expose their intended services to the client lan, admin services should be separated from client services.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
As was stated earlier, those ports should just be closed to begin with. The only thing it really does is prevent outgoing traffic. As long as the ports are not open there is nothing on the outside that can open the ports. The way things would get infected would be by traveling through a port that is already open on all systems, thus a firewall is useless because that port already allows traffic and there would be a corresponding rule in the firewall to allow this traffic. Unless you are doing packet inspections for viral traffic it's not going to prevent it.
"All tyranny needs to gain a foothold is for people of good conscience to remain silent." [Thomas Jefferson]
... and that's precisely why it's dangerous.
You and I might know enough to find TFA's assertions ridiculous, possibly even amusing in how wrong they are. But you and I don't control corporate policy (assuming that the reader of this is not a PHB). Any media spouting non-news raises the risk that someone will take that non-news for reality and begin making decisions based on that view. Even obvious parody like the Onion has caused its share of kerfuffling among the confused and less-informed, and let's not forget War of the Worlds. The danger is even greater with media like PC Pro that has at least some semblance of being real news (including in this category the opinion statements of apparent experts, as Honeyball here is presented by PC Pro).
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
(Now, I didn't read TFA.) It's important that devices on a network have some form of resiliency. A firewall will certainly prevent DDOSes and can help prevent malicious behavior from entering a network, but there's so many ways to get around a firewall that it just can't be the only solution. For example, "anti-virus" on a firewall might block sites known to spread viruses, but it still won't prevent someone from downloading a random zip file with a virus.
No, I will not work for your startup
...The firewall on the machine is an effective part of an overall strategy...The desktop firewall is completely necessary. It is, however, also inadequate.
That was my entire point. That's why I said "inadequate" and not "useless".
It drives me nuts that Microsoft will put a goddamn HTML rendering engine in the kernel, but apparently decent packet filtering is better left to the likes of *hock-ptooey* ZoneAlarm et al.
My plan is to run downstairs, get a bucket and fill it with water. Then I'll balance it on my door. Then I go back downstairs and bake a pie. After it cools, I take it upstairs and find a good place to attack from. When the intruder comes in the bucket of water will soak him head to toe, and that's when I hit him in the face with the pie. My pies are AWESOME so when he stops to eat the pie, I sneak around him and run out the front door naked. Someone is bound to see me naked and call the cops on me. When they show up I can explain that I'm naked because I didn't have time to pull on some shorts and also bake a pie. I had to choose just one thing to save my life.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
Ahhh yes, the ol' Goldberging of home protection.
All the tasks you listed are generally complementary with the exception of the "regular psychological evaluation" for lucidness upon a sudden awakening. That's just unadulterated FUD. The pets thing is pretty rich too.
My guess is that your firearms experience is limited to watching "24" reruns.
For the record, I do not consider rolling off the bed and loading a firearm stored there as a solid home protection tactic. Unloaded firearms are pretty much worthless.
Not to totally invalidate your second point but, home invasions and robberies happen even in the nicest of neighborhoods. Although I do not have a citation, common sense says that the nicer neighborhood you live in, the bigger target you become. The OP might live in a gated community with a full time security patrol for all we know.
The reason you view my plan comment as specious is that you likely have no efficient means of protecting yourself, property and/or loved ones. Thus, planning for the unthinkable is outside of your comprehension (and probably scares you a little too).
All that aside and making an assumption about you, I support your "It'll never happen to me" opinion and wish you the best of luck.
Cheers!
Scream in a girlish manner "Do anything you want to the girl, just don't hurt me!"
You can tell the difference?
Unloaded firearms are pretty much worthless.
you likely have no efficient means of protecting yourself, property and/or loved ones.
One of the _very_ best ways of protecting your loved ones is not having loaded guns easily available.