To Make Firewalls Work, Work Together

Getting your perimeter security right often means working with sysadmins, networking folks, and others who have a stake in it

3:08 PM -- Having just finished the book "Linux Firewalls" and read a recent mailing list thread, I’ve been talking with some of my sysadmin friends about the idea of host-based firewalls on servers within "trusted networks."

The idea of defense-in-depth, or layered security, has been preached for years. In fact, it’s hard for most security folk to think about security without that mindset. But not everyone thinks that way.

Working in a highly segregated IT organization where one group manages the network, another group handles security, and several other groups deal with system administration, I see how the security group will often make recommendations (like host-based firewalls) and the sysadmins will say it’s unnecessary because the networking group manages the firewall and router rules that protect their hosts.

The security folks will chime in that layered security is "good," and people make mistakes (like accidentally wiping out firewall rules). But they still don’t think firewalls on the hosts themselves are necessary.

Now, I’m not disparaging all sysadmins, because this certainly isn’t true for all of them. But I do see situations where some IT workers don’t feel comfortable operating outside their specific job duties and will push back on any attempt to get them to go a little further in making something more secure.

In one situation I've seen, there was a subnet of servers that was running varying operating systems and being managed by different people within the sysadmin group. A recommendation was made that each system have its respective firewall enabled to prevent unnecessary communications with other hosts on the local network -- in case one was compromised and used to attack others. After a lengthy explanation, the sysadmins asked what ports needed to be enabled.

A security-aware IT pro should know what ports the servers (and services) need to interoperate within the local network and to provide services to the outside world. Unfortunately, there are sysadmins out there who simply put up machines, enable services, and expect the security and network people to make sure they don’t get hacked. Or they assume they won’t get hacked, because they patch regularly.
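As an added illustration (not part of the column), here is the kind of check that answers the sysadmins' question in the story above: compare what a host actually listens on with the ports its role is documented to need, flag anything exposed to the subnet that nobody accounted for, and emit the matching default-deny host firewall rules. The `ss -ltn` output, the "web" role table and the 10.0.5.0/24 subnet are all constructed for the example.

```python
# Constructed sample of `ss -ltn` output (illustrative, not captured from a real host).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     0.0.0.0:11211        0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Hypothetical per-role documentation: port -> who may reach it ("subnet" = local
# network only, "any" = the outside world too). The sysadmin owns this table.
REQUIRED = {"web": {22: "subnet", 80: "any"}}

LOOPBACK = {"127.0.0.1", "[::1]"}

def listening_ports(ss_text):
    """Return a set of (address, port) for every LISTEN line in `ss -ltn` output."""
    found = set()
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)
        found.add((addr, int(port)))
    return found

def externally_reachable(listeners):
    """Ports bound to a non-loopback address, i.e. reachable from other hosts."""
    return {port for addr, port in listeners if addr not in LOOPBACK}

def unexpected_ports(listeners, role):
    """Network-reachable ports the role's documentation does not account for."""
    return externally_reachable(listeners) - set(REQUIRED[role])

def iptables_rules(role, subnet):
    """Default-deny INPUT rules admitting only the documented ports; `subnet` is
    the trusted local network (assumed value, e.g. 10.0.5.0/24)."""
    rules = ["-P INPUT DROP",
             "-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for port, scope in sorted(REQUIRED[role].items()):
        src = f"-s {subnet} " if scope == "subnet" else ""
        rules.append(f"-A INPUT {src}-p tcp --dport {port} -j ACCEPT")
    return rules

if __name__ == "__main__":
    listeners = listening_ports(SS_OUTPUT)
    print("undocumented exposure:", sorted(unexpected_ports(listeners, "web")))
    print("\n".join(iptables_rules("web", "10.0.5.0/24")))
```

The rules are emitted as text for review rather than applied, so the security and sysadmin groups can agree on the table before anything changes on the host.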

Stephen Covey says, "Seek first to understand, then to be understood." If you’re making a recommendation and getting pushback, step back and find out why -- instead of attempting to beat the individual with a clue-bat in order to see your point. In the end, you’ll likely come to an agreeable solution that works for both of you and you’ll wind up with better security.

– John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading
