Wed, Dec 1 2004 19:30
So like how many #$%# firewalls do we need?
The question was asked again in the newsgroup today --
“Do I need the XP sp2 firewall enabled on the workstations inside my network when I have a firewall on the outside?”
First off some background. In your computer, in any computer there are over 64,000 ports... tcp/udp ports that are used to talk to one another. Sometimes there is an application that is loaded up and “listening“ on a port. Kinda like it's sitting on your computer going “I'm ready! I'm here!“. For bad things to happen a couple of things have to align in the cosmos.
First you would have to have this open port with an application that is “listening“. Then you would have to have a vulnerable application, something that you didn't patch. Now knowing that I'd wack you guys upside the head for not patching, that's probably not going to happen, but let's pretend, shall we? Then there would have to be a way inside your network.
If a bad guy knows that behind that open port [think of it as an open door] that application “X“ is waiting and ready to go, they can build a worm that attacks that “listening application“ that specifically targets that open port. Now we all know that all we need to be absolutely positively 100% safe is a firewall, right?
Wrong. A firewall is only as good as the ports you have closed. Furthermore, its only as good if there's absolutely no other way to get inside your network. In order to do “normal“ business, we MUST open ports. Think of it this way, in order to do your job you must take the risk of driving a car. You must get in the car and drive on the road or highway to get to your destination. Thus you have opened yourself up to risks. In a typical firm you probably have some ports opened up all the time:
- Port 443 - the SSL port that SBS 2003 needs for secure access to RWW and OWA
- Port 25 - needed for email
On port 25 in particular [the email port] spammers are trying to “hang off your nice IP address“ and do what is called an SMTP authorization attack. They will attempt to “crack“ the password on that port and try to authenticate on the Administrator's account. Keep in mind that the “attacker“ doing this... I wouldn't call an “attacker“. It's a “bot“ a machine just trying to add another victim to it's lair. There's no human “hacker“ on the other end of your rj45 connection manually trying to crack password, it's more likely that it's an automated program trying to get into your system.
This by the way is the “finagle“ vulnerability that was discussed by USAToday... aka stupid cracked passwords...a “don't do that“ event as Jason out of Mothership Charlotte would say.
Okay lets discuss historical events in history that would have been prevented if a firewall had been on the inside of a network shall we?
SQL slammer would not have been as damaging for one - right now my file and printer sharing ports, my Trend listening ports and nothin' else are open on this workstation. Thus 1433/1434 the MSDE/SQL server ports are not open. Now if I had something like an application [like the new 2005 Lacerte will do] that has MSDE installed on the desktop, I can sleep easier knowing that that application is protected.
Remember too that the other way you got nailed was when you had unpatched machines, a firewall on that outside peremeter and somone remoted in/VPN'd into the network and infected the unprotected/unpatched network. Most of us probably are not running with VPN quarantine features running as it's not quite SBSized, so unless you can guarantee that all your salesmen have nice, clean, protected machines as they remote into the network, you probably need to think about firewalls on the INSIDE of your network.
Steve Riley will be including this in an upcoming book, but the gist is that the concept of the DMZ is dead.
So why do you need a firewall on the inside of your network when you have a perfectly good one on the outside? Because stuff happens. That's why. And it's another layered defense to have on our side.
Speaking of patching... for those people that are 100% borg [aka SBS 2003 and Windows XP sp2.... there is no patching needed today whatsoever]
Filed under: Security, XP2
Microsoft Windows XP Service Pack 2
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows Server 2003