Are Desktop Firewalls Overkill? 440
Barence writes "Should you be running firewalls on your desktop and server machines? PC Pro's Jon Honeyball argues the case for switching off Windows firewalls and handing over responsibility for security to server-based solutions. 'I'd rather have security baked right into my network design than scattered willy-nilly around my desktops and servers,' Honeyball argues. 'It seems to me that there's much sense in concentrating your security into a small number of trusty gatekeepers rather than relying on a fog of barely managed faux security devices. Of course, it puts your eggs into fewer baskets, but it does mean these gatekeepers are easier to control and manage: monitoring them in real-time becomes routine.'"
stating the obvious... (Score:5, Insightful)
Re:stating the obvious... (Score:5, Informative)
Exactly. It's called multi-level security. Desktop firewalls are not meant to replace server-based solutions but complement them.
Re: (Score:2)
Layers are good, but desktop firewalls are the wrong solution. Instead of blocking ports, just don't open them in the first place.
Re: (Score:2)
Layers are good, but desktop firewalls are the wrong solution. Instead of blocking ports, just don't open them in the first place.
So then, how do I allow a few of the Linux machines on my network to access my server and none of the Windows machines? I either put another firewall box between the server and the network or I put a firewall on the server.
Re: (Score:2)
tcpwrappers
Re: (Score:2)
TFA agrees: "I don't recommend you do this, but it's useful to know that you can should you decide to install some third-party protection scheme... Even so, and this is the big issue, I'm a total advocate of the layerd-onion approach to security within a company..."
Re:stating the obvious... (Score:5, Insightful)
Yes, this is why I lock the doors on my automobile but I leave the ignition key on the dashboard, and leave the glove compartment open and unlocked!
Finally someone who sees things as I do!
Also, first car analogy.
Re: (Score:3, Funny)
Re: (Score:3)
Re:stating the obvious... (Score:5, Funny)
my girlfriend sleeps with her bedroom door locked, even with the front door to her house locked down.
I think this says more about you than about Windows and firewalls.
Re:stating the obvious... (Score:5, Funny)
Re:stating the obvious... (Score:5, Interesting)
Unfortunately, my knowledge and experience with guns is very limited. If possible, I would prefer to position myself in a direction where any missed shots would be least likely to hit neighbors after passing through the walls. I wonder if shooting from behind a water bed would protect me from handgun bullets or not? Perhaps the distinctive sound of a pump type shotgun loading a shell into the chamber would discourage the intruders from continuing to try to break down the bedroom door.
Unfortunately, all I have ever had, anywhere I have ever lived, is flimsy hollow core exterior doors and hollow core bedroom doors.
Late at night, a few years ago, I had a minor encounter with a burglar who was trying to open the front door. I looked through the window in the front door and there was his face on the other side of the glass about two feet away from my face. We both started each other. There I was, unarmed and face to face with some guy who was covered with prison tattoos. As he took off, I noticed that there was also another guy who had been hiding in the bushes along side the building.
Perhaps, looking through the door's window face to face with the burglar was not the brightest thing to do, but it did scare them off. A sheriffs deputy later examined the minor damage to one window on the side of the building, and also the minor damage both the front and rear door frames and one striker plate. He wrote up a report.
Re:Dude... (Score:5, Funny)
My plan is to run downstairs, get a bucket and fill it with water. Then I'll balance it on my door. Then I go back downstairs and bake a pie. After it cools, I take it upstairs and find a good place to attack from. When the intruder comes in the bucket of water will soak him head to toe, and that's when I hit him in the face with the pie. My pies are AWESOME so when he stops to eat the pie, I sneak around him and run out the front door naked. Someone is bound to see me naked and call the cops on me. When they show up I can explain that I'm naked because I didn't have time to pull on some shorts and also bake a pie. I had to choose just one thing to save my life.
Re: (Score:3, Informative)
Unloaded firearms are pretty much worthless.
you likely have no efficient means of protecting yourself, property and/or loved ones.
One of the _very_ best ways of protecting your loved ones is not having loaded guns easily available.
Re:stating the obvious... (Score:5, Interesting)
Keeping workstation firewalls on behind network level firewalls is like locking the door of each room of your house as you pass through it. Unlock, open, go through, shut, and lock. Suddenly, the security measures outweigh their usefulness.
That depends: Do you live in a neighborhood where someone jiggles your front door handle every few seconds? Do you live in an apartment with roommates? Are the roommates close friends of yours, or only real-estate associates? Do your roommates bring over people you don't know? Do your roommates or roommates' friends jiggle your bedroom door handle occasionally to see if they can steal something? This would be more close to the computer analogy.
Re:stating the obvious... (Score:4, Funny)
Do you live in a neighborhood where someone jiggles your front door handle every few seconds?
No, but I wish I did! My "front door handle" has gone without jiggling for a while...
Re: (Score:3, Funny)
You can tell the difference?
Re: (Score:3, Interesting)
You seem to be talking about having "desktop firewalls" and "server firewalls" running on the same machine, i.e. two firewall systems on the same machine, which is of course only going to lead to problems.
An important distinction to make clear because it sounded like you thin
Re:stating the obvious... (Score:5, Insightful)
Well, most corporate networks are a lot more like those garages at some apartments. I have my own garage door. I can lock it. But, there is no wall between my car and my neighbors car.
If I can absolutely trust everyone of my neighbors (current and future and maybe past, if they kept a key), I don't need to lock my car.
Re:stating the obvious... (Score:5, Insightful)
There is often-times a lot of overlap, so that the desktop filters are made redundant.
This is only true if your company never has anybody bring in a USB Flash Drive which could have potentially been infected on their home computer or on another company's system.
Re:stating the obvious... (Score:4, Informative)
It does help block the spread of a myriad of things internal to the network though.
Personally I have seen the damage done to the office network at work due to a worm that came in through usb-sticks...
While antivirus didnt detect the bugger the thing couldnt spread to other machines due to the firewalls on individual machines blocking the vulnerable service.
Re: (Score:2)
I have not seen any windows firewall protect the office pc's from an exploit that came in on a thumbdrive. If it can infect the machine it's running on, then it can infect all the others because it's using a 0day or other unpatched exploit that is getting past all the windows firewalls anyways.
Sally inserts thumbdrive and infects her machine, she then sends an email that BYPASSES ALL THE FIREWALLS and infects every single person that opens it.
The only use for per machine firewalls is to protect against a
Re: (Score:2)
There is a lot of overlap due to 'one size fits all' mentality of desktop firewall providers. A lot depends on the size of your network.
For a small network (home, soho)
If you have a firewall at your network gateway there isn't a big need for a desktop firewall to block inbound traffic. Even NAT on a cheap router does a decent job of that. But you still need outbound blocking. Unless you're comfortable with printer drivers notifying vendors every time you print a document.
On
Re: (Score:2)
what this really points out is that desktop firewalls are not very effective. Although that's not what the article says, that's what it really boils down to.
I wouldn't argue to get rid of firewalls, but what can you do when a real actual good firewall will run you at least 10 grand?
Re:stating the obvious... (Score:5, Insightful)
There is no such thing as a secure perimeter, especially when the majority of attacks come with in "secure perimeters". Jon Honeyball is an idiot, and PC Pro just dropped another notch. His heavily caveated article doesn't have the common sense that God gave to a goose.
Each and every device that's connected in a network is potentially infected, rogue, and looking for others to maim. Every machine needs to be evaluated separately for its risk profile, as he mentions-- but you simply can't remove device security in the belief that other firewalls or services will do the unerring job of controlling the safety of a network. Run, don't walk, away from the concept of secure perimeters.
Re: (Score:3, Informative)
PC Pro was useless and irrelevant years ago. The only people that pay attention to that rag is PHB's or really really dumb executives.
Warning klaxons sounding: (Score:4, Insightful)
... and that's precisely why it's dangerous.
You and I might know enough to find TFA's assertions ridiculous, possibly even amusing in how wrong they are. But you and I don't control corporate policy (assuming that the reader of this is not a PHB). Any media spouting non-news raises the risk that someone will take that non-news for reality and begin making decisions based on that view. Even obvious parody like the Onion has caused its share of kerfuffling among the confused and less-informed, and let's not forget War of the Worlds. The danger is even greater with media like PC Pro that has at least some semblance of being real news (including in this category the opinion statements of apparent experts, as Honeyball here is presented by PC Pro).
Cheers,
Re:stating the obvious... (Score:5, Insightful)
Seconded. This was going to be my exact comment.
It's like saying "We don't need seatbelts anymore - we have airbags!"
Funny you should mention that... (Score:5, Insightful)
I was given that very advice recently while strapping on the seat-belt.
From a nurse, no less.
And I wish I had a dime every time someone told me "You don't need the seatbelt - there are no cops around here/I know the cops around here/it's just couple of minutes down the road."...
Re: (Score:2)
With the way I drive, I feel insecure not having a seatbelt. Hell, I should get a 5point harness...
At least I've never done this with my pathfinder
http://www.youtube.com/watch?v=qvDBWX8-iB0 [youtube.com]
Re: (Score:2)
add a helmet and a head-hook... I've seen you drive.
Re: (Score:2)
Indeed. I actually have a high standard of driving, but I also prefer my passengers to wear their seatbelts ;)
No matter how well someone drives, it only takes some other idiot who can't drive to cause an accident. If you are observant then hopefully you can reduce the risk of any accident actually being serious, but still, the risk is always there. This is why I don't have a motorbike.
Re:Funny you should mention that... (Score:5, Insightful)
Indeed. I actually have a high standard of driving, but I also prefer my passengers to wear their seatbelts ;)
No matter how well someone drives, it only takes some other idiot who can't drive to cause an accident. If you are observant then hopefully you can reduce the risk of any accident actually being serious, but still, the risk is always there. This is why I don't have a motorbike.
Seatbelts also serve a secondary purpose to preventing injury. They keep you in a position to still operate the vehicle.
Accident occurs no seatbelt: The driver will probably be thrown from the seat, or jarred from the proper driving position. As a result, the vehicle is out of control from the moment that the driver lost contact with the wheel. This could increase the number of vehicles involved in the accident, injure others, or further damage the driver's vehicle if a secondary impact occurs.
Prior to accident no seatbelt: In attempting to avoid an accident, the driver could be forced from their seat during a swerve, as a result, they may not be able to avoid the accident at best, at worst they could exacerbate the accident as they are now out of control of their vehicle.
Re:Funny you should mention that... (Score:5, Funny)
But in the event of an accident, those people who are not belted in will be thrown free of the car to relative safety whereas those belted in will be strapped into a deathcage which could easily catch fire!!!
Re: (Score:2)
Great points. It's often overlooked that a seat belt also keeps the driver secured in the seat in case of sudden stops, swerves, etc. This keeps them in control of the vehicle when they may otherwise be thrown around the cabin. This protects not only the driver and their passengers but others on the road.
Likewise, a properly configured firewall does more than simply block incoming worms. They can help prevent an infection from spreading beyond the local machine as well as other network management, depen
Re: (Score:2)
They do, but some devices inside your network may not be capable of running their own firewall.
At work we do generally rely on a firewall on the main router rather than on individual machines, but that means that if a device behind the firewall is compromised then it basically has free reign on the whole network, which isn't the best situation.
Re: (Score:3, Insightful)
Re: (Score:2)
They are a necessity in a scenario where the most active threat is actually sitting at the computers in question.
Desktops, regardless of their type, should be on their own networks with means to filter/actively block traffic, if at all possible. They should also have individual firewalls which inhibit any incoming connections and block unapproved traffic going out.
With as easy as it has become for a Windows workstation to be infected, doing anything else is asking for infosec breaches.
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:3, Insightful)
Because the typical computer USER doesn't know squat about network or system security.
Defense in depth (Score:5, Insightful)
The most important "desktops" are the laptops that get hauled around airports by the powers that be. Relying exclusively on your servers/switches to isolate your "desktops" doesn't work in a Beijing hotel.
This really is too obvious to be worth mentioning. Anyone indulging this non-debate is a liability.
Re: (Score:2, Informative)
I had to search for "defense in depth". No one else mentions this at this point.
It's obvious, the more obstacles for an attack, the better.
Desktop firewalls have evolved from only being packet filters. Some have stateful inspection, some have HIDS functionality (e.g. allow firefox.exe with md5sum "X" from being executed) and are now increasingly combined with Antivirus/antimalware software.
Depending on them is dangerous, but all together from a layering of defense mechanisms that either stop or slow down an
Re: (Score:2)
Maybe this is a good argument for having NICs that have hardware firewalling. This way, Windows can be left wide open, but unless the hardware configuration utility is explicitly run to open ports on the NIC, nothing will be able to get in, except perhaps ping, and if done right, the hardware card would handle that [1], and not let that touch the OS at all. Couple this with an outgoing rule to block port 25 out so if the laptop does get rooted, it won't turn into a spam server, and that is a decent securi
Re: (Score:3, Insightful)
Re: (Score:3, Funny)
The most important "desktops" are the laptops that get hauled around airports by the powers that be. Relying exclusively on your servers/switches to isolate your "desktops" doesn't work in a Beijing hotel.
This really is too obvious to be worth mentioning. Anyone indulging this non-debate is a liability.
Don't be silly. Haven't you heard of the Great Firewall of China? Clearly, it is completely unnecessary to worry about a laptop getting infected in Beijing, as it has been behind a firewall the whole time.
Re:stating the obvious... (Score:5, Interesting)
The article started to address this, but failed miserably.
One group will undoubtedly be saying "there's no harm in running both client- and server-side firewalls, so why even contemplate the heresy of turning off the built-in Windows firewall?" You would of course be right, except for one thing - it's actually quite hard to turn off the built-in firewall
Ah, what? The reason for not turning off the firewall is that it is hard to turn off the firewall? That makes no sense at all. It also doesn't seem too hard to me. In Win7, type firewall into the start menu search box and click on Windows Firewall. From there, choose "turn firewall on or off".
The reason for leaving the firewall on is to give a last line of defence if someone gets around the server protection. It also acts as a barrier when idiots decide to add an unauthorised wireless access point onto the network.
Re: (Score:2)
The problem lies with the fact that dial-up users were getting owned. People on broadband were able to rely on the firewall in their cable/DSL modem.
What Microsoft should have done is have a security policy where the firewall is turned on and off with a dial up connection.
Re: (Score:2)
And the gain on top of your point-of-entry firewall is only marginal.
Re: (Score:3, Funny)
I prefer using desktop traffic to restrict ports 1-65535 tcp/udp outbound on the client machines. It helps keep them focused.
Hardly Overkill (Score:2)
I prefer the phrase "completely inadequate."
Putting the firewall on the machine its meant to protect is like wearing a bulletproof vest inside your body.
Re: (Score:2)
Huh?
So I shouldn't turn on my firewall when I am in a coffee shop? Assuming I only use ssh and ssl, theoretically with my firewall in place I couldn't care less what kind of nastiness is floating all around me.
Re: (Score:3)
Kind of like Wolverine? Cool!
Re: (Score:2)
Putting the firewall on the machine its meant to protect is like wearing a bulletproof vest inside your body.
So it's a second layer of defense for your internal organs? That's a bad thing, how?
Re:Hardly Overkill (Score:5, Insightful)
Putting the firewall on the machine its meant to protect is like wearing a bulletproof vest inside your body.
That's really not true. The firewall on the machine is an effective part of an overall strategy. It helps protect your systems from rogue nodes, for example. To have them non-firewalled is foolish. Why expose ports unnecessarily?
The desktop firewall is completely necessary. It is, however, also inadequate.
Re: (Score:3, Insightful)
...The firewall on the machine is an effective part of an overall strategy...The desktop firewall is completely necessary. It is, however, also inadequate.
That was my entire point. That's why I said "inadequate" and not "useless".
It drives me nuts that Microsoft will put a goddamn HTML rendering engine in the kernel, but apparently decent packet filtering is better left to the likes of *hock-ptooey* ZoneAlarm et al.
Re: (Score:2)
The Slashdot user name "BadAnalogyGuy" is already taken ... and at the risk of being modded down, might I suggest learning about computer security before pretending you understand it on Slashdot?
I guess he's not heard of defense-in-depth then... (Score:5, Insightful)
Oh, right. You want to have a major clean up operation and all the business disruption that entails on your hands the next time some worm using a 0-day exploit manages to get inside your network and runs rampant. That's an approach that is (allegedly) working out real well for the techs at Iran's Bushehr nuclear plant right now...
It also means... (Score:2)
...that you have uninterrupted flow of shared network resources on your network. Unless, of course, permissions are set up to prevent that.
I run a hard firewall and gateway at home as well as MAC address access so I can keep others off of my wired and wireless networks without having to compromise the ease of use a home network should allow. It's nice being able to have a media center with data files, and attached carousel drives so I can actually watch any movie or listen to any music from any spot in my h
Re: (Score:2)
No, I don't make it seem that way. You have a different solution in place and take exception to my comments and are projecting your thoughts on me. I said it makes it easier to not have to deal with it. I am happy with my level of protection on my network with the method I employ. What makes it easier is not only that I don't have to deal with any errors or connectivity problems between network resources over conflicting firewalls but I also do not have to deal with updating and maintaining every single sof
Desktop firewalls are necessary (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3, Insightful)
And then the virus disables the desktop firewall so it can spread. What's your point?
How is a virus on someone else's machine going to disable the firewall on my machine?
Re: (Score:2)
Server-based and gatekeeper solutions are useless when the compromise comes from other systems on the same network.
Also, the server firewall is pretty much unable to deal with filtering outbound traffic in a nice way. The desktop firewall is integrated into the system, and can query the OS for important information. This allows the desktop firewall to know that the IP packet destined for some random IP's port 80 came from firefox rather than some other software which (without the user's consent) is spying and sending data back to it's maker. The desktop based firewall can then pop up a nice prompt to let the user know a
Defense in Depth (Score:5, Insightful)
Maybe there are cases where running host based Firewalls and/or IPS is overkill. But you _never_ pretend that you've got security 100% covered. It's great to think you have security locked down, but threats come from _all_ angles.
Case in point, I don't care how good your external firewall/IPS is if John in Sales decides to try and break into a server on the LAN. Hence, Defense in Depth. Multiple layers of security all the way down to the OS. Sure, that desktop over there might contain _no_ critical data whatsoever. That doesn't mean it won't end up becoming a SPAM bot or have a backdoor installed for easy LAN access.
"Here’s a contentious topic to chew on, but before I go any further let me make something crystal clear – I’m not advocating that you try this, I’m not saying it’s a good idea, and I’m not saying I would do it on my own networks."
Frankly, it sounds like he just wants to write an article with an absurd title to get clicks, nothing of value to see here
Comment removed (Score:5, Interesting)
Re: (Score:2, Insightful)
Sure it does that, but it does a lot more. For example, I might want to allow ssh access from one, a few, or all systems on my internal LAN, but block them from the other side of the DMZ. Just how do you propose to do that without a firewall local to the machine.
Re: (Score:2)
Do they still make these? And what would be the reason for not spending the extra $5 and getting an ethernet switch [wikipedia.org]?
Re: (Score:2)
And before I hear about pf and iptables, you do not need to run those. A well managed system on those platforms needs a firewall like it needs trepanning.
pf on my desktop may be overkill, but then again, there's no kill like overkill.
Might be overkill (Score:2)
If you can control every network connection behind your main firewall, and every machine, and can verify they are all always patched and malware free at all times. Of course laptops that travel around and places where anything can be plugged in pretty much make this impossible.
Whatever, it just doesn't work. (Score:4, Interesting)
idiot journo doesn't understand network security (Score:2)
seriously.
Defense in depth (Score:5, Informative)
The article has the kernel of an interesting point, namely the trade-off between the cost of managing firewalls on all the workstations in an enterprise, versus their inevitable half-assed-ness and tendency to get in the way, thereby consuming support hours.
But, where I work, we have a standard config that gets pushed out to all the systems, and I suspect that's pretty standard. Half-assedness arises when individual users open (or close) random ports on their own firewalls, but that case by definition doesn't necessarily consume support time if it's the users doing it, and not the support team.
Our operating theory is that of defense in depth. The boundary routers have fixed routing tables and firewalls. The servers have firewalls and white-lists of allowed clients. Clients have firewalls and intrusion-detection systems. Network traffic is monitored for suspicious patterns. And machines with special network needs are in a firewall DMZ and separately managed.
It's not perfect by any means, and I sometimes wish we could be more flexible, but I'm not ready to pre-emptively exclude any of these tools.
Re: (Score:2)
Working in the process control industry I can attest to firewalls sometimes being a pain in the ass...
But I am more than willing to live with having to open a port every leap year.. I've done it once in 2 years and the firewall is not that permissive of stuff...
And I run all kinds of crud on the machine.. ModbusTCP simulators, serial server connections on odd ports, PLC programming tools over tcp/ip and various other odds and ends.. Most of it is whitelisted already, but on the odd chance that it isnt I whi
A complete solution with a caveat (Score:2)
Generally, I view the software firewall as adding a final all around security strategy to the protection afforded by your hardware firewall, but there's a catch. Hardware firewall is there for prevention and mostly to block "bad stuff " from coming in and occasionally from going out. The software firewall is more of an alert system. Generally, I find it more useful for being alerted to opening up potential attack vectors than anything. If you run a program that opens up some ports you are alerted to it and
Err, what? (Score:5, Informative)
Seriously? There's a reason we have this thing called defense in depth. Sure - you may have a reasonably secure network, hardware firewall, policies, etc... but that doesn't mean you start removing other bits to make up for it.
Journalists... (Score:2)
And this, ladies and gentlemen, is why John Honeyball is writing about IT, rather than actually solve any problems with it.
That, or possibly the other way around. It's hard to judge cause and consequences.
But, lest anybody be confused, there is no single point where security is not a concern. The only way to reach adequate (heh) security is to stop all components from doing more than they need, rather than just one. A functioning such approach pretty much obsoletes the need for specific "security devices" s
Re: (Score:2)
In defence of John H, he does puport to do other IT Sysadmin stuff other than just write about it all the time.
That said, this article has lost any credability he once have in my eyes.
Sure have multi level firewalls to protect the nasties from getting in.
Are you then going to stop every laptop, every wifi connectable device being bought onto your premises by visitors from connecting to your network?
Ok, a lot of companies already do this by conficating all Mobiles but that is mostly to stop people with camer
Hasn't changed since Walls were invented (Score:2)
Ever since man invented the wall, first around his own house, then around the village and eventually around an entire city, they have still kept locks on their doors (where available)
If something penetrates the outer defence you need to keep yourself secure in your own dwelling, and you also need to have some security against a threat from within.
Firewalls should be on every PC capable of storing information separate from the server (so, a dumb terminal needs no security beyond logon scripts etc)
The End.
Part of the problem with PC security.... (Score:5, Insightful)
.
As many others here have mentioned, computer security is multi-level. Per-computer firewalls have as much of a place in security plans as do network edge firewalls.
Maybe the next thing than Mr. Honeyball will be advocating is that PC programs and operating systems do not need to be secure because the network is protected by a firewall.
Defense-in-Depth (Score:2)
Other posters have pointed out the obvious. What if your LAN firewall is breached? What if there's a rogue computer brought into your network? Rogue flash drive? Or just Rogue? She could absorb all your powers and then you wouldn't be IT. You'd be just. like. everyone. else.
One of our departments runs egress filtering on their desktops -- only certain applications and external ports can be accessed: 80, 22, 443, etc. If a computer gets infected by a new virus, it can't jump from computer to computer
Desktop Firewalls are Useless (Score:2)
short answer? (Score:2)
YES.
There are all sorts of nasty things that can be done unless incoming IP access is filtered. Worms are spread in this way.
If you aren't using a door, leave it closed.
How about an application level firewall... (Score:5, Insightful)
I know that ZoneAlarm is obnoxious but on a desktop the best "firewall" isn't a port & address based filter, but instead an application layer firewall that can say "Hey, the officially installed web browser can go out on port 80, but not some random malware you just downloaded" While this doesn't protect you from everything (like the browser itself being hijacked) it can make a big difference in stopping any old program that wants to go to a random website. One of my biggest issues with Linux is that this type of security isn't even possible short of using some of the more arcane features in SELinux that normal desktop users are never going to configure.
crunchy outside gooey inside (Score:2)
between the dos/os2 to windows95/os2 warp days network security environments were referred to as "crunchy on the outside gooey on the inside". i don't want to go back.
Outgoing firewall: Yes. Incoming firewall: why? (Score:5, Insightful)
The whole point of a firewall is blocking connections. I don't know about anyone else, but I make a point to not run services that I don't want people to connect to on my machine. How hard is that?
An outgoing firewall though is immensely valuable. I love seeing everything that every little shareware app or office suite tries to phone home with. When doing local web development, I've even been surprised to find a number of open source CMS/frameworks phoning home with more info than I care to share.
Stupid... (Score:4, Insightful)
Many networks are exactly as the article describes, no firewalls on desktops or individual servers and instead relying entirely on the border firewall connecting the company lan to the internet...
What this means however, is that a single rogue employee, rogue wireless access point, mobile device or laptop, or an exploit which penetrates the border firewalls (browser based, email based etc) results in a catastrophic breach as it becomes trivial to compromise everything once you get behind the main firewalls.
Now don't get me wrong, desktop firewalls are a nasty crutch too - desktop machines should _NEVER_ be offering services to the network, especially by default, and therefore shouldn't need a firewall to block access to these services... The fact that windows comes with several services listening by default on a workstation configuration (msrpc, smb, etc) is just stupid, the fact these services are a pain to disable even more so, and the fact people would rather hide these services behind a firewall instead of turning them off is just laughable - if noone needs to access them they shouldn't be running at all, not hiding behind a firewall.
Ideally your network should have a secure and well monitored gateway to the internet, as well as a secure and well monitored gateway between servers and workstations (and if possible treat the workstations as totally untrusted and make them use a vpn)...
The workstations themselves should expose no services to the network, or at most expose a single admin service which can only be reached from a predefined management network.
The firewalls should be for logging rather than filtering, on the basis that if a service doesnt need to be accessed it shouldnt be listening, not relying on a firewall to block it.
Servers should only expose their intended services to the client lan, admin services should be separated from client services.
Bad idea (Score:3, Insightful)
(Now, I didn't read TFA.) It's important that devices on a network have some form of resiliency. A firewall will certainly prevent DDOSes and can help prevent malicious behavior from entering a network, but there's so many ways to get around a firewall that it just can't be the only solution. For example, "anti-virus" on a firewall might block sites known to spread viruses, but it still won't prevent someone from downloading a random zip file with a virus.
Re: (Score:2)
Re:Flash drives, tarballs, &c. (Score:5, Informative)
Re:Flash drives, tarballs, &c. (Score:4, Insightful)
As was stated earlier, those ports should just be closed to begin with. The only thing it really does is prevent outgoing traffic. As long as the ports are not open there is nothing on the outside that can open the ports. The way things would get infected would be by traveling through a port that is already open on all systems, thus a firewall is useless because that port already allows traffic and there would be a corresponding rule in the firewall to allow this traffic. Unless you are doing packet inspections for viral traffic it's not going to prevent it.
Re: (Score:2)
It doesn't. That would be the point of an antivirus/malware scanner.
Re:Flash drives, tarballs, &c. (Score:5, Informative)
What are you going to do? Put a hardware firewall on every cord?
Re: (Score:2)
No, but you could put one in every switch. I suspect that this is the kind of solution being advocated. If every packet is virus-scanned/filtered/etc by the switch, then the risk of an outbreak is much lower.
The problem comes with wireless users who roam - I think that PC-based solutions make sense there.
Re: (Score:3, Insightful)
It doesn't. And that's why enterprise computers are so good at spreading worms; as soon as one PC behind the firewall gets infected they all fall.
Seems like a rather silly article, as most medium-large business I've encountered already shut off desktop firewalls since the hassle of managing a firewall on every machine often outweighs the risks.
Re: (Score:2)
Most medium-large business IT staff are idiots. That doesn't make them right.
Re: (Score:2)
Really a well-segmented network does it best though. Managing machine firewalls is a pain, especially when you want file/print sharing to work because (surprise) Windows needs RPC for working enterprise management.
What you do instead is put a firewall at every subnet. Everywhere there's a router, ... the router is a firewall too. Generalize your network traffic. HTTP only has to aim as far as the proxy or Internet, depending which you use; and to your internal intranet servers. RPC, RDP, and SSH to c
Re: (Score:2)
You don't have to worry about tarballs. If you get one of those, BP will pay to have it removed. Or rather our government 'heavy' will lean on BP until something is done about it...
Re:Been doing that since day one. (Score:4, Informative)
In your experiences with corporate IT, your corporate IT staff have thus been incompetent.
Windows firewall is configuration via group policy, with multiple profiles for both inside and outside of your network. Your perimeter firewall will NOT save your network from some arse-clown plugging in an infected box. It will NOT save your laptop from being infected whilst in use at a wifi hotspot.
It will also not protect your network from some idiot plugging in an unsecured Wifi access point, or for that matter hopping onto a machine left logged in and unlocked.
The perimeter firewall mitigates the bulk of the threats to your corporate network sure, but if you have nothing else to protect your internal hosts, you're leaving yourself open to getting screwed, big time.
Re: (Score:2)
The only time I don't set up a firewall group policy is for micro-domains. If you have under 3 workstations but several servers. (Very small hosting company, SQL, Mail, Web x 3, File, lots of contractors, almost no in-house users).
Just because it's easy to use Windows wrong, doesn't mean you get to blame Microsoft, the system is a tool, use it properly.