Re: A case for windows firewall
- From: "Gregg Hill" <greggmhill at please do not spam me at yahoo dot com>
- Date: Mon, 26 Jan 2009 15:19:38 -0800
Answers in line.
"Cliff Galiher" <cgaliher@xxxxxxxxx> wrote in message
news:16219641-5637-4F63-9DF1-C3487A92C8B0@xxxxxxxxxxxxxxxx
Renewing SAV for definitions on 50 machines is significantly cheaper than
buying a newer version and 50 licenses. But that is really beside the
point. The same could happen with any AV product where the engine is a
few years old.
I stopped using SAVCE a few years ago, but as far as I know, if you renew
the license for definitions, you also have the right to download and install
the new version. That's how it was three years ago.
One of the points I regularly argue, whether it is discussing AV
solutions, why a business should use a *business class* firewall at the
edge, or other similar discussions of a security nature, is balancing risk
with cost.
I absolutely agree!
Technically if I wanted to increase security, I could purchase SAV,
McAfee, Panda, Nod32, and install them all. And then I could update every
single year to the latest and greatest. Plus I could layer a few malware
products on top of that. Purchase the big fancy version of AdAware32,
maybe buy ZoneAlarm's corporate version, etc.
More than likely, you'd bring your systems to a grinding halt if you
installed multiple products trying to do the same thing.
The truth is that I don't believe the cost justifies the expense.
Again, the cost may only be your labor to install the updated version, if
the license renewal includes the right to the newer software.
An AV product should be thought of no differently than an OS or another
server product.
Not true! See below.
Do you go and replace all of your SBS 2k3 servers with SBS 2k8 the day it
ships? Of course not. SBS 2k3 is still a viable solution and will be for
quite some time. Eventually, when MS stops releasing patches for it,
you'll upgrade. Or when you've outgrown your hardware and you'll be
upgrading anyways. When Office 14 ships, will you upgrade each and every
one of your clients immediately as well? Does Exchange 2003 still have a
place in an Exchange 2007 world? IT staff accepts all of these as
perfectly acceptable solutions when newer versions exist. Why should AV
be any different?
By not updating to a newer OS, hardware, or Office version, one may not
**gain** some helpful new functionality, but one does not **lose** anything.
By not keeping AV updated, one may risk losing everything, or at least
having to restore to a previous point in time. I had one client who had a
nine-year-old NT 4.0 server and used his ISP for POP3 mail. Sure, he wanted
the functionality of SBS 2003, but never spent the money on it. He
eventually went out of business for reasons other than server problems, but
he still has all his data.
I'm not saying a client should stick with SAV v4. But v11 (okay, not SAV
anymore, but still a v11 product) should not be necessary either. MS
releases a new server version approximately every 3 years. Same with
Office. So let's go three years back for Symantec. That puts us on v8.
What did v9 bring to the table? Some added malware support....probably a
worthwhile upgrade. v10? Vista support. So unless you were running
vista, why upgrade? v11? Some reporting changes and better integration
of their firewall product. Again, with windows firewall's very granular
controls, probably not a worthwhile upgrade.
Does the AV version/build/engine from three years ago (or three months ago)
protect against today's threats? If yes, stay where you are. If not, you
should update the AV product. Knowing if it does is the hard part!
So to return to the conversation I have in other threads, what risks are
you mitigating by upgrading. Until this incident, were there *any*
demonstrable viruses that would get by SAV v9 that don't get by v11?
Symantec certainly doesn't publish it if there are. They aren't coming
out and releasing a bulletin saying "if you are still on SAV v9, you *are*
vulnerable to downadup." Am I, as an IT person, going to intentionally
try to infect a machine with every new virus bulletin that shows up? To
be thorough, I'd have to try every potential attack vector too. SAV v9
may protect against downadup attempting to use the SMB vector but fail
against the USB vector. THAT doesn't sound like a wise use of my time
either.
So do I recommend that my clients, whether they are 5 client machines or
75 (the max for SBS, and I do want to stay on point) should all spend
money on the newest version, regardless of cost, and regardless of threat
assessment? Do I tell them that they should drop $5,000 or $10,000 or
$20,000 for new software each and every year because there *may* be a
virus that could potentially get past the older version? That wouldn't be
very thoughtful of their budget concerns either. Again, that goes back to
why I don't purchase 3 or 4 products and run them all. You reach a point
where the costs don't justify the risk you are attempting to minimize.
I always recommend renewing the AV license for my clients. I use Trend Micro
products, which includes the right to new software as long as the license is
current. I recommend that all of them upgrade from CSMS for SMB 3.6 to WFBS
Advanced 5.0 for better protection and speed. I am staying with WFBS 5.0 and
not going to WFBS 5.1 yet due to problems with two installations.
If an AV product is still in the normal product life cycle (which this one
was) and the definitions are up-to-date (which these were) then I have a
reasonable expectation of protection, with which I am satisfied. No AV product
will be 100% effective...even brand new. Hell, for all I know, this
attack would have succeeded if they were running v10 or v11....again, I didn't
go and do intentional infection tests. As my previous explanation
indicated, my client "probably" would have been better protected. After
all, there is also a reasonable expectation that a newer generation engine
will be more effective. But that doesn't mean I expect the older engine
to be *ineffective.*
I would not expect an older version of the software to protect as well as a
newer version, but as you stated, we must weigh the costs, and it is
possible that even the latest and greatest would not catch it. The friend I
mentioned, if I recall correctly, was using either SAVCE version 9 or 10 (I
think it was 10), and the failure to block the virus was due to not having
the current **build** of that version. It was not a matter of needing to
jump versions; it was an older build within the same version that was
vulnerable. I just emailed him asking if he remembers it, but he
does not. That was his biggest client, and since then, he updates a little
while after the new build/version comes out (with time to let others find
the bugs!).
So, in cases where it makes sense, I have no problems with a client
running v10, v9, or v8. And I (or they) don't rely on the AV product
alone. Layered security, with a good AV product, a good firewall, good
monitoring (how they detected the problem), good backups, and of course,
centralizing the data with profiles, folder redirection, and finally
normalizing the images of the client machines so they can be quickly
flattened and rebuilt truly does provide sufficient protection against
exactly these sorts of intrusions. I think my client is more satisfied paying
me to clean up the mess...even if I had to go so far as to flatten and
restore the server...than they would be with the enormous price tag of new AV
software to replace a package they only bought two years ago. Am I saying
that this is the right approach for every organization or every client?
Not at all, but neither is running the latest and greatest AV either.
If I were the client and you just had to rebuild my server, I would ask if
you had the latest antivirus software installed. If you said yes, then I
would say you had done everything within reason to protect me. If you said
no, then I would question why not, asking if you presented me with the
option, especially if the new software is included in the price of the
license renewal, as it was previously with Symantec. Five years ago on
SAVCE, an upgrade was not that labor intensive, so even my 30-user client
did not mind the cost. After all, I reasoned with them that they paid the
license renewal, why not get the best protection possible from it for a few
hours of labor? I would be embarrassed to tell them that a newer version was
available and could have protected them (if I could prove that it would
have). I have had situations where something got through, and they were OK,
mainly because they were completely current.
And, as indicated, this isn't unique to Symantec. Every AV product is
vulnerable to 'something' and in many cases they don't realize it. So
this isn't an endorsement or reprimand of any particular product...just a
conversation about how much to trust *any* security product. :)
-Cliff
Indeed! I never trust just one thing to protect me.
Gregg Hill
"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote
in message news:u9f1gY5fJHA.1172@xxxxxxxxxxxxxxxxxxxxxxx
Cliff,
I have a buddy who still uses SAVCE, and he updates it every time a new
build is released, due to virus attacks getting by older builds. I have
seen several cases where older SAVCE engines would not catch a current
virus, in spite of the **definitions** being current.
One has to pay for the renewal license to stay legal anyway, so why not
upgrade, at least to 10, as I heard that SEP 11 has (had?) a lot of
problems?
Gregg Hill
"Cliff Galiher" <cgaliher@xxxxxxxxx> wrote in message
news:70EB0568-8DF1-4A62-A055-F9088C5AF5C1@xxxxxxxxxxxxxxxx
AV definitions were up-to-date, but the AV engine itself is a few
years old. Downadup *does* try to disable AV if it can, and in this
case its autorun was faster than the AV's bloodhound detection methods.
It was nicely incoherent on the infected machine. As they say, never
trust your AV for 100% protection.
Would the client have been better protected with a more up-to-date AV
engine? Probably in this case, yes. But should a business *have* to
replace SAV 8 with SAV 9, and then a year later replace that with SAV
10, and then a year later replace that with SEP 11? I'd argue that this
is an unreasonable upgrade cycle for any business of legitimate size to
expect when they are spending thousands on client licenses for a
product. The fact that AV makers provide definitions for their older
products would indicate that they "get it" too, and *don't* require the
latest and greatest engine.
So yes, it was there, but in this case it proved inadequate. ...things
happen...
-Cliff
"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com>
wrote in message news:eCuBEq1fJHA.5408@xxxxxxxxxxxxxxxxxxxxxxx
Cliff,
I use the Windows firewall, but I cannot help but ask, "Where was the
antivirus software that should have stopped the virus?"
Gregg Hill
"Cliff Galiher" <cgaliher@xxxxxxxxx> wrote in message
news:E818344F-36AA-4614-A106-786A184E98E3@xxxxxxxxxxxxxxxx
I recall a thread not too long ago discussing the pros and cons of
using group policy to enable the windows firewall in an SBS
environment. For those that don't recall, I, as well as a few others,
took the position that the windows firewall *does* have a place even in
a LAN behind a corporate firewall.
Case in point, I thought I'd relay a situation I just returned from.
A client called me because they were seeing some very strange things
in their emailed reports and wanted some guidance. I'll spare you the
boring details of the troubleshooting process, but the final verdict
was that one of their machines had become infected with
conficker/downadup through its USB drive spreading method. This
machine, in turn, started trying to attack other machines on the
network and was causing account lockouts as it threw passwords out,
and just raising general mischief.
The punchline here is that MS08-067 had *not* been applied to the
client machines. As I am only called in on an "as-needed" basis,
they do their own day-to-day maintenance. As with most SBS shops, there is
not a dedicated IT staff, so these duties were directed to one of
their administrative staff. Apparently using WSUS was one of the
trivial tasks that was not properly documented during a staffing
shuffle, so, long story short, the new "sysadmin" was not doing this.
The server, luckily, was updated as she makes it a point to log in
monthly and access windows update directly.
The upshot to this story is that back when I did the initial
deployment, I enabled and configured windows firewall via GP. One of
my standard firewall rules is to deny traffic on ports 139 and 445
(RPC) from any IP *but* the server. This allows SMB and RPC to work
between the client and server, but not between client machines. So
the upshot here is that, although all of the client machines in the
organization would have been vulnerable to this attack, the windows
firewall prevented the virus from spreading beyond the one USB
compromised machine. The server itself, because it *was* patched
(THANK GOD) also remained unaffected.
A real world example of where the windows firewall prevented a virus
from running rampant and where the infection started from a point
where an edge device would not prevent it. It would be very easy to
imagine this scenario in a zero-day exploit where there was no patch
yet.
So I pose this question to any of you who'd like to respond:
Do you use windows firewall in your environment (or client's
environment)? And if not, why?
I'm not trying to trap you. I genuinely want to know and digest some
alternate points of view. Is my example a valid reason to have
windows firewall in place and the added inconvenience it may bring?
Managing firewall rules, editing yet another GPO, and troubleshooting
network related problems? I could see where some people would say no.
So please...share your thoughts. :)
-Cliff
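The client-isolation rule Cliff describes (TCP 139/445 inbound accepted only from the server), written out as an added example that is not part of the original thread. It assumes a Windows 8/Server 2012 or later domain member with the NetSecurity module, an administrative session, and a placeholder server address of 192.168.16.2; the same rules can be deployed to every client through the Windows Firewall with Advanced Security node of a GPO, as the post describes.

```powershell
# Added example: restrict inbound SMB/NetBIOS session traffic (TCP 139/445) on a
# domain client to the server only, then audit what is still exposed.
# ASSUMPTIONS: NetSecurity module present (Windows 8 / Server 2012+), run as admin,
# server address below is a constructed placeholder.
$ServerIp = '192.168.16.2'
$RuleName = 'SMB-NetBIOS inbound from server only'

# 1. The built-in File and Printer Sharing rules for 139/445 are scoped to the local
#    subnet, which is exactly the client-to-client path a worm like Downadup uses.
#    Disable only those port rules, leaving the rest of the group (printing, ICMP) alone.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -in '139', '445' } |
    Disable-NetFirewallRule

# 2. Allow 139/445 inbound only from the server. Because the Domain profile's default
#    inbound action is Block, every other source is dropped without an extra block rule.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 139, 445 -RemoteAddress $ServerIp -Profile Domain -Action Allow |
        Out-Null
}
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block

# 3. Audit: list every enabled inbound Allow rule that can reach 139 or 445 and flag
#    any whose remote scope is wider than the server address (the thing a second
#    admin or a later GPO edit most often reopens by accident).
function Get-SmbExposure {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $hits = ($port.Protocol -eq 'TCP') -and
                ($port.LocalPort -contains '139' -or $port.LocalPort -contains '445' -or
                 $port.LocalPort -eq 'Any')
        if ($hits) {
            $remote = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Remote    = $remote
                TooWide   = ($remote -ne $ServerIp)
            }
        }
    }
}

# Anything reported with TooWide = True still lets a peer client reach the SMB ports.
Get-SmbExposure | Format-Table -AutoSize
```

The audit function is worth scheduling on its own, since it catches drift regardless of how the rules were originally deployed.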