[Dshield] Firewall Analogy

John Holmblad jholmblad at aol.com
Mon Feb 9 16:03:22 GMT 2004


Andy,

the analogies are a good way to get the point across. I have found that 
most users want to get it right, the problem is that the IT industry 
uses so much mumbo jumbo that the industry fails miserably to properly 
inform and educate them. Given the fact that multiple protocols & ports 
can be open on a system, I prefer to use the hotel/hotel owner analogy:, 
that is,  a different kind of  "house" with potentially lots of doors 
open (which is why a smart appliance like a firewall that can guard many 
entrances at the same time is needed on the PC in the first place) of  a 
few major kinds: TCP, UDP, ICMP. For small businesses I even advocate 
turning on such firewalls (whether ICF or third party) when the PC is 
inside of the perimeter defenses, the so called defense in depth strategy.

You might also want to mention in your document that Microsoft Windows 
XP has an integrated stateful firewall product called the  "Internet 
Connection Firewall"  that can be enabled on a network interface by 
network interface basis. It can be set to open  pre-configured specific 
protocol/port combinations and additional protocol/port combinations can 
be added by the user if they understand how to do this. It also supports 
supports connection logging logging. Starting with the next Service Pack 
from Microsoft (SP2) for Windows XP,  the ICF will be enabled by 
default. It does NOT, however, perform filtering on outbound TCP 
connection requests or UDP packets.

Another useful general suggestion for Microsoft Windows systems is to 
always remove the binding of the "Client for Microsoft Networks" and 
"File and Printer Sharing for Microsoft Networks" from the TCP/IP 
properties of any connection on a Microsoft Windows computer that is 
used to access the Internet, thereby putting into practice the policy of 
turning off unneeded services or, shall we say, welding the unused doors 
shut!
-- 

Best Regards,

 

John Holmblad

 

Televerage International

 

(H) 703 620 0672

(M) 703 407 2278

(F) 703 620 5388

 

www page:                      www.vtext.com/users/jholmblad

primary email address: jholmblad at aol.com

backup email address:  jholmblad at verizon.net

 

text email address:         jholmblad at vtext.com




More information about the list mailing list