Focus on Microsoft

Thread: Fw: Serious Security Issue in Windows XP SP2's Firewall
RE: Fw: Serious Security Issue in Windows XP SP2's Firewall - Sep 25 2004 07:39AM - Jens Mickerts (jens mickerts-partner de)
Re: Fw: Serious Security Issue in Windows XP SP2's Firewall - Sep 28 2004 02:12AM - Thor (thor hammerofgod com)
Re: Fw: Serious Security Issue in Windows XP SP2's Firewall - Sep 28 2004 04:52PM - Frank Knobbe (frank knobbe us)
Re: Fw: Serious Security Issue in Windows XP SP2's Firewall - Sep 28 2004 06:59PM - Thor (thor hammerofgod com)
Re: Fw: Serious Security Issue in Windows XP SP2's Firewall - Sep 29 2004 03:49PM - Frank Knobbe (frank knobbe us)
>> Sure-- but remember- [...] Regarding the RAS adapter dialing into the
>> Internet, in that case, F&P would not be bound in the first place
>> (when the connection was created).
>
> I guess that's a well deserved black eye for me to take for not
> realizing that this default does treat interfaces as ...uhm... not
> equal. I shall concede that point to you.
>
> (BTW: How are existing RAS interfaces treated during upgrades? Are F/P
> bindings removed?)
No black eye intended ;) As for the bindings, they are not changed-- the
existing configuration of the adapters (bindings/services/clients) is not
affected. But let's make sure we're saying the same thing-- When SP2 is
installed, the firewall is indeed applied to all existing interfaces; in that
regard, they are treated "equal." However, when a network connection is
being created, be it a VPN into your company, a dial-up, or a broadband
connection via an existing LAN connection, they *are* treated differently:
Any connection created that uses a modem will not have F&P bound to the
interface. Any connection created where you connect to the internet (or any
PPP/PPPoE type connection) will not have F&P bound to the interface. The
only time a remote connection will have F&P bound to the interface when
created is when you specifically create a VPN connection (PPTP or L2TP).
Though the install of SP2 applies the FW to all interfaces without regard to
type, when created, the default bindings are indeed based on the "use" of
the interface.
>> Not really "multiple policies" conflicting... It is an updated policy
>> replacing existing policies at install time-- there aren't 2 at the same
>> time... It's very easy to check out what settings are implemented for the
>> FW
>> in general, and for each individual adapter...
>
> Hmm... I'm confused. But perhaps I should drive the car before junking
> it. I don't have XP around to see how these two policies present
> themselves to the user. My concern is that there are settings in one
> place and settings in another, but no means to see the effective,
> combined settings in a single dialog. All too often, systems offer
> immense capabilities for configuration (may I use the word
> configurability?) only to leave the operator/user lost in all those
> choices. As I was saying, a simple and coherent configuration model
> helps security greatly.
You know, when I was replying to your post, I was thinking to myself, "Self,
it doesn't sound like Frank has actually looked at this, or he would not
have put it like that." So, maybe the black eye *was* deserved! :-p
No, it's all in one place. No "settings in one place, and settings in
another." However, it is important to realize that there is indeed a
difference between the FW configuration interface in SP2 and the ICF
interface in pre-SP2 installs. (BTW, it is called Windows Firewall in SP2,
and Internet Connection Firewall in pre-) ICF was a per-adapter config. You
configured it at the adapter level (protecting the adapter) and each
adapter's config was separate and self-contained.
WF is different- it first gives you "global" options (protect the computer,
not the adapter), allowing you to set "global" exceptions. It then allows
you to select specific exceptions (or turn WF on or off) for each adapter.
I've talked to people who are used to the ICF environment and who have
been thrown off by this a bit. It may seem a little counter-intuitive (as
most of us are used to adapter-based configs), but it is important to
understand why it was done this way in SP2 -- and that's because of Group
Policy. Group Policy allows us to completely control the configuration of
WF for all of our clients from a centralized base. I can create a single
policy element that is pushed out to all of my clients (or whichever ones I
want) that will apply WF along with any customized exceptions that suit my
environment. I think that is an incredibly strong option for
administrators-- enabling a host-based FW enterprise-wide... Out of
curiosity (knowing you're a *nix guy), what do you guys use to push out
global client security configurations enterprise-wide?
> Perhaps you, Tim, could send me a screen shot with the dialog box that
> shows the current FW policy settings on an interface (or a link to a
> demo version of XP). Until then I only concede half a point ;)
Ah, I see... Grubbin' for a free copy of XP, huh? We'll talk.
>
>> I really should have been more clear about that- it sounds like
>> "mitigating
>> factors" junk..
>> I wasn't trying to sugar coat it-- I was directly responding to the
>> claims
>> in the article where they said "world readable, no password access"
>> etc...
>
> Oh, okay. I didn't know the article was talking about accessing the
> systems. I thought the issue was that the ports are unfiltered and
> exposed. Perhaps I need to re-read that article.
Yeah, they talk about accessing documents on the internet, "some with a
blank password." Of course, they don't say how they got into the other
systems that didn't have a blank password, or how they knew they were SP2
systems.
>> There is only one policy- everything is blocked, and you open what you
>> need.
>> I think some of the other posts may have confused that, but it really is
>> pretty easy...
>
> Ah, I see. Good. Easy is good. Not just for lamers like me :) but if a
> system is made easy to configure and use, then there are fewer threats to
> the security of that system. I'll make sure I have a copy of XP in front
> of me before I yell again... ;)
Yeah, I think that actually working with and using a system does indeed
increase one's insight into its operation, particularly if critical opinions
regarding its design are to be offered. (Sorry dude, I *had* to!! ;)
Later man... ;)
> Later dude.
> Frank
T
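The "effective, combined view" Frank asks for above (which adapters have File and Printer Sharing bound, and whether the host firewall is actually on for each of them) can be produced from the command line. The script below is an added example and is not part of this thread or of any Microsoft documentation. It assumes a Windows 8 / Server 2012 or later host with the NetAdapter and NetSecurity PowerShell modules (the XP SP2-era equivalents were the Windows Firewall control panel and `netsh firewall show config`), and it is run from an elevated prompt. The variable names and the output column names are my own.

```powershell
# Added example (not from the thread). Assumes Windows 8 / Server 2012 or later
# with the NetAdapter and NetSecurity modules; run from an elevated prompt.
# For each adapter it reports whether File and Printer Sharing (component
# ms_server) is bound, which firewall profile currently applies, and whether
# Windows Firewall is enabled for that interface.

$fwProfiles  = Get-NetFirewallProfile
$connections = Get-NetConnectionProfile

$report = foreach ($binding in Get-NetAdapterBinding -ComponentID 'ms_server') {
    $alias = $binding.Name

    # Map the adapter to its connection profile (Public / Private / DomainAuthenticated).
    $conn     = $connections | Where-Object InterfaceAlias -eq $alias
    $category = if ($conn) { [string]$conn.NetworkCategory } else { 'disconnected' }

    # Windows Firewall settings are per profile, not per adapter; DomainAuthenticated
    # networks use the Domain profile.
    $profileName = switch ($category) {
        'DomainAuthenticated' { 'Domain' }
        'Private'             { 'Private' }
        'Public'              { 'Public' }
        default               { $null }
    }
    $fwProfile = if ($profileName) { $fwProfiles | Where-Object Name -eq $profileName }

    # The per-adapter "turn WF off for this interface" setting the thread discusses
    # shows up as the interface alias in the profile's DisabledInterfaceAliases list.
    $fwOnForInterface = if ($fwProfile) {
        ($fwProfile.Enabled -eq 'True') -and ($fwProfile.DisabledInterfaceAliases -notcontains $alias)
    } else { $null }
    $defaultInbound = if ($fwProfile) { [string]$fwProfile.DefaultInboundAction } else { $null }

    [pscustomobject]@{
        Interface              = $alias
        FilePrintSharingBound  = $binding.Enabled
        NetworkCategory        = $category
        FirewallProfile        = $profileName
        FirewallOnForInterface = $fwOnForInterface
        DefaultInbound         = $defaultInbound
    }
}

$report | Format-Table -AutoSize

# The exceptions that would expose SMB/NetBIOS through the firewall: enabled inbound
# rules in the built-in "File and Printer Sharing" group and the profiles they apply to.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -Enabled True |
    Select-Object DisplayName, Profile, Action |
    Format-Table -AutoSize
```

Read the two tables together: an interface with FilePrintSharingBound = True, a Public network category and an enabled inbound exception for the Public profile is the combination the thread is arguing about, and is the row to review first. Because the rules are per profile, the same adapter changes its effective exposure when it moves between networks, which is exactly why a single adapter-centric dialog cannot show the whole picture.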