Software Firewalls: Made of Straw? Part 2 of 2
Israel G. Lugo, Don Parker

In part one of this article series we looked at how a personal firewall actually works and where it taps into the network stack to do its filtering. In part two we look at how easily the firewall's operation can be circumvented by inserting a malicious Trojan into the network stack itself.

Software Firewalls: Made of Straw? Part 2 of 2 2006-07-02
Anonymous - A different one :)
Title should be:

WINDOWS -> Software Firewalls: Made of Straw?

To me and many others, a software firewall is one that is run on/with an operating system when said operating system is not set up to be a standalone, firewalling, NATting-only style (maybe email virus/spam filter also) gateway.

Hence the only software firewalls your article appears to pertain to are WINDOWS ones... and anyone with half a clue knows Windows bites for security, and even if your users in a corporate world require it for one reason or another... what the hell are you (ANYONE) using IIS as a server for!? The users don't require it; there are compatible programs on *nix-based systems for almost anything an IIS system would be used for, I'd imagine, and without all the security issues associated with such a half-assed attempt at creating a server platform.

I'm on FreeBSD, and so I started reading your article since I don't run a dedicated hardware-only firewall system, or a broadband DSL/cable firewall & router combo, or even a firewall-only hardware product, and it wasn't until "winsock" and... WTF, Windows!? Apart from typing this, you just caused me to waste another part of my life due to Windows and its pathetic design & MS philosophy/mantra of FLUFF (bells & whistles) over security & performance (which includes real required/useful features as well as speed).

At the VERY least, can someone please rename the title of this story, as it seeks via its title to make all people not running dedicated equipment feel uneasy until they read "Winsock", and then, if they are on a *nix-based system, just want to hurl at the thought that they wasted their time reading such an article.

=====================

Another thing worth noting in the article are these following passages:

"We have a corporate network, properly protected by a secure gateway, that exposes a public HTTP web server to the public. The web server is fully patched and secured; it has a local software firewall that has closed all ports except port 80. Only the HTTP server process has permissions to listen on port 80. Now, say this machine becomes infected with a custom-made LSP level Trojan, or a modified version of an existing one such as Trojan.Riler.D or Daqa.A ..."

UMmm... "The web server is fully patched and secured;" ???

Re-reading the above about the machine becoming infected, I think you need to hire a more competent admin, don't you!! [Wondering what game, or new piece of uber supposedly whiz-bang software, the admin found on the internet that sparked their curiosity & that they decided to install on the working & initially secure corporate server... LOL]

FROM: "A real-life example: IIS compromise results in a stealthy LSP Trojan installed"

"The attacker has developed a tweak of an existing IIS exploit, which will result in system level access."

So much for IIS dreams like: "The web server is fully patched and secured;"

Exploits can happen when a server is FULLY PATCHED (all patches *released/available* applied), but like Microsoft, not all vulnerabilities are ever seemingly, or realistically, addressed ;) [And when they have been, the delay between knowing of the exploit & releasing a patch or realistic workaround can be many months, or maybe even longer in some cases.]

=====================

Now getting back to the case in point of why I initially posted a comment here..... I FEEL VIOLATED :(

Windows (in any form of network/server environment).... Ewww, time for another shower!!

SIGNED: Truly Patched, Secured, Protected & Always TIMELY advised when that might not be the case,[FreeBSD, Portaudit, Chkrootkit & Rkhunter with a nice dose of IPFW etc.] - From temporarily minorly insecure to fully secure again, most often in mere minutes to days... Not months to years ;)


Link to this comment: http://www.securityfocus.com/comments/infocus/1840/600#600


Copyright 2009, SecurityFocus