Okay I’m in a mood….

On October 23, 2004, in Rants, Security

Fredly posted in the newsgroup asking a question about Watchguard versus ISA, and from wherever he had crossposted to, he reported back that he had gotten another response that said this:

“The best thing you can do is to get a firewall such as Watchguard or another box and remove the ISA. It’s never any good idea to run a firewall on the same box as your production server. I can’t think of any explanation why MS didn’t remove the ISA when they removed the TS on SBS2003; it’s a bad idea to have a firewall on your production server, very bad. But if you have the Watchguard you will be safe, and then you only need one network card. But if you are only running ISA, DHCP and DNS and not Exchange or other stuff, then you can use your SBS as a stand-alone firewall and that’s OK, but maybe a little overkill to have an SBS box for that and not only a standard server with ISA.”

To whom it may concern that posted that: the best thing you can do is to understand that right now my vulnerabilities, my threats, my weaknesses are not the ISA on my domain controller but the fact that many of my line-of-business apps want local administrator. Having a firewall on our little boxes is not where my security threats are coming in from, dude. It’s my blasted desktops that cause me my grief. A firewall is a speed bump. A Watchguard firewall is also just “software on a box”. And right now with my Shavlik, I have a patch tool for my firewall. Watchguard needs patching just like anything else.

As long as you are running Windows 98, or XP in local administrator mode, the number of NICs and the position, make and brand of your firewall are irrelevant.

My threats are not attacking my domain controller. They are attacking my desktops.

As long as we don’t understand where our true vulnerabilities are…. we will be arguing while the house burns down in flames behind us.
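The point of the rant is that the real exposure is desktops where users (or line-of-business apps) run as local administrator, not the firewall sitting in front of the server. The first step toward knowing where those exposures are is simply to count them. The following PowerShell script is an added example, not code from the original post or from anyone quoted on it: it lists every member of the local Administrators group on a machine, flags any member that is not on an expected allowlist, and tells you whether the current session itself is running elevated. It assumes Windows PowerShell 5.1 or later (for `Get-LocalGroupMember`), and the `$ExpectedAdmins` entries are constructed placeholders to be replaced with your own.

```powershell
# Added example (not from the original post): audit who holds local Administrators
# rights on this machine and flag members that are not on an expected allowlist.
# Assumes Windows PowerShell 5.1+ with Get-LocalGroupMember available.
# The allowlist below is a constructed placeholder; replace it with your own.

$ExpectedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (placeholder entry)
    "EXAMPLE\Domain Admins"              # placeholder domain group, not a real domain
)

function Get-LocalAdminAudit {
    param([string[]]$Allowed = $ExpectedAdmins)

    # Every principal that can act as administrator on this box, users and groups alike
    $members = Get-LocalGroupMember -Group 'Administrators'
    foreach ($m in $members) {
        [pscustomobject]@{
            Name        = $m.Name
            ObjectClass = $m.ObjectClass        # User or Group
            Source      = $m.PrincipalSource    # Local, ActiveDirectory, ...
            Unexpected  = -not ($Allowed -contains $m.Name)
        }
    }
}

function Test-CurrentUserIsAdmin {
    # True when this PowerShell session is running with administrator rights
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$audit = Get-LocalAdminAudit
$audit | Format-Table -AutoSize

$unexpected = @($audit | Where-Object Unexpected)
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} unexpected member(s) of local Administrators: {1}" -f `
        $unexpected.Count, ($unexpected.Name -join ', '))
}

if (Test-CurrentUserIsAdmin) {
    Write-Warning "This session is running with administrator rights; day-to-day use should be a standard user account."
}
```

Run it on a workstation, not the server: a domain user or an ordinary "Everyone"-style group showing up as Unexpected is exactly the local-administrator desktop the post is complaining about, and it is the thing worth fixing before rearranging NICs.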

UPDATE: Bruce Schneier has a blog post on this subject:

“Again and again, it tells customers that they must buy a certain product to be secure. Again and again, they buy the products — and are still insecure.

Firewalls didn’t keep out network attackers — in fact, the notion of “perimeter” is severely flawed. Intrusion detection systems (IDSs) didn’t keep networks safe, and worms and viruses do considerable damage despite the prevalence of antivirus products.

The key to network security is people, not products.”


2 Responses to Okay I’m in a mood….

  1. Slav says:

    It’s amazing – some people still think that physical separation will add security. If they have integrity, they must insist on single-user, single-task systems.

  2. Ron says:

    Rant mode on:

    The key is more than just people.

    Spyware, malware, and other "services" come in both from "safe" sites like MSN, Google, and from pernicious ones like those that pop up when you mistype a URL.

    It is getting to the point that I almost want to fight fire with fire with dns attacks against the sites and INTERNET PROVIDERS that put up this crapware.

    Face it,

    1/4 users are competent

    1/4 users are blithering morons, barely capable of using a computer

    1/4 have some knowledge, just enough to wreak havoc as they play or consider themselves above listening to an admin

    1/4 will load or do anything that any website, pop-up screen, newspaper, or e-mail tells them to do.

    There is only so much a sys admin can do when the users don’t give a whit about security, don’t care to learn how to keep things secure, or don’t know the meaning of the word.

    Rant off: