Yes, this article suggests not using a firewall. Its a bit scary, I know. The article states: “In many cases a large number of unnecessary and insecure services are running on the network, but are only hidden by a firewall.” Aha, so true, something we’ve discussed a lot in the past. Someone tested this theory, and guess what, they are doing okay (at least as far as they know). Guess what? They used systems hardening? Guess what? They used simple and easy to manage protocols and stayed away from proprietary stuff. Configuration management is important. If you spent more time on configuration management, and borrowed time from firewall management, you’d have a more secure network. If you had a baseline system, and re-imaged systems that did not meet the baseline, you’d have a more secure network.
We have discussed this from a mental-exercise perspective on the show a number of times in the past. While we look at this as an effective mechanism for thinking about attacks and defenses, it is not something we at PaulDotCom recommend. Rather, we have another approach. Anytime someone says, “A firewall/AV/IPS will protect us,” they get one free punch in the face. I know what your thinking, “We cant give punches in the face away for free!!” And, I understand. However, I think in the long run it will start to reshape the day you think about securing your applications and systems. And maybe, just maybe people will stop saying security technologies will save them.
So, here’s your homework: Take a group of systems that exist on your network, figure out what they do, configure them as such, then monitor for changes. Organizations that can do this well will be “resilient to 0day attacks” and “catch the latest malware”, with very little help from vendor products. Marcus Ranum tells a great story about the CSO of a major retailer. They use imaging software on all their cash registers. They know exactly what files are created and what behavior is normal. If one falls out of that, makes a random connection or creates new files or processes, its re-imaged immediately.
At the very least, you will be alerted to the change quickly… And that counts for something.. Right?
PaulDotCom and John Strand
Originally discussed during episode 238
John Strand will be teaching SANS 660 Advanced Network Penetration Testing and Metasploit for Penetration testers This April in Reston, VA April 15 – 23.