Windows Firewall
-
At this stage in my employment I was simply wondering, I'm trying to learn the most as I possibly can about IT and my current field of POS Support. I am right now reading the "Aloha security Guide" on how to configure and why we do what we do with the Firewalls we use.
-
@wrcombs said in Windows Firewall:
I am not a "Junior Admin" I'm a support tech for POS across the US in Restaurants.
So, this could be a wide-spread thing across many restaurants in the U.S....
I'd definitely be taking this up the ladder.
-
From our Guides:
Configuring the Windows Network
• Install an up to date operating system on all computers in the Aloha network, such as Windows
XP, or Windows Server 2003.
• Establish a network firewall that includes a firewall device, such as a router, between the Aloha
network and the Internet. Install firewall software on each computer in the network, or enable
and configure the Windows firewall.
-
@wrcombs said in Windows Firewall:
From our Guides:
Configuring the Windows Network
• Install an up to date operating system on all computers in the Aloha network, such as Windows
XP, or Windows Server 2003.
• Establish a network firewall that includes a firewall device, such as a router, between the Aloha
network and the Internet. Install firewall software on each computer in the network, or enable
and configure the Windows firewall.
Bam, it's right there ITFM to use one...
-
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
So it is possible to use Windows Firewall in our system, but instead of going through and creating rules in windows firewall, we just turn it off..
Correct. This is how all firewalls work. If the firewall is mangling packets and has to be turned off, that means that it is broken. If the Windows firewall is broken to that degree, it would mean that your managers believe Windows isn't viable in production and use it anyway. No matter how you look at what they believe, they are doing something knowing it isn't okay to keep moving forward with what they are doing.
This is a bit like someone claiming that their car is broken and refusing to listen to reason. When in fact they are knowingly leaving the garage door closed and using the door being closed as their logic for claiming that the car doesn't work. Obviously there could be something wrong with the car, but we know that they've never even attempted to drive it as they left the door closed.
OS firewall can also be broken because it wasn’t configured correctly. And if Windows Firewall rules are messing things up, it’s easy to reset the firewall back to default.
-
@wrcombs said in Windows Firewall:
I am not a "Junior Admin" I'm a support tech for POS across the US in Restaurants.
We didn't think that you were. I thought that he said that your boss was the Junior Admin.
-
@wrcombs said in Windows Firewall:
At this stage in my employment I was simply wondering, I'm trying to learn the most as I possibly can about IT and my current field of POS Support. I am right now reading the "Aloha security Guide" on how to configure and why we do what we do with the Firewalls we use.
Absolutely, and wondering is what you should do. Ask the questions, don't let the boss get away with something outright bad or, more importantly, don't let him just lie to you. It's not your place to change the policy, it might not even be your place to bring it up, but it is definitely not your place to accept blatant lies. It's important to know when your boss is doing something wrong. Maybe you can do something about it, maybe you can't, that's another question.
But knowing that he's not qualified to be where he is (or anywhere) is important, at the very least, for you to understand.
-
@obsolesce said in Windows Firewall:
@wrcombs said in Windows Firewall:
I am not a "Junior Admin" I'm a support tech for POS across the US in Restaurants.
So, this could be a wide-spread thing across many restaurants in the U.S....
I'd definitely be taking this up the ladder.
I would consider this only because if there were to be a breach, and someone knew that you knew, you might end up culpable.
-
@obsolesce said in Windows Firewall:
@wrcombs said in Windows Firewall:
I am not a "Junior Admin" I'm a support tech for POS across the US in Restaurants.
So, this could be a wide-spread thing across many restaurants in the U.S....
I'd definitely be taking this up the ladder.
Could be? LOL most definitely IS!
-
@wrcombs said in Windows Firewall:
From our Guides:
Configuring the Windows Network
• Install an up to date operating system on all computers in the Aloha network, such as Windows
XP, or Windows Server 2003.
• Establish a network firewall that includes a firewall device, such as a router, between the Aloha
network and the Internet. Install firewall software on each computer in the network, or enable
and configure the Windows firewall.
That's a pretty bad guide and STILL better than what the boss said, lol.
-
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
I am not a "Junior Admin" I'm a support tech for POS across the US in Restaurants.
We didn't think that you were. I thought that he said that your boss was the Junior Admin.
I was calling Wr a junior admin because I had no clue what his title was.
-
@dashrender said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
I am not a "Junior Admin" I'm a support tech for POS across the US in Restaurants.
We didn't think that you were. I thought that he said that your boss was the Junior Admin.
I was calling Wr a junior admin because I had no clue what his title was.
OH!!! You responded as if the Junior Admin was his boss, because it was his boss I was questioning. And given his job role, Admin doesn't fit, so it never occurred to me you were implying him.
-
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
I am not a "Junior Admin" I'm a support tech for POS across the US in Restaurants.
We didn't think that you were. I thought that he said that your boss was the Junior Admin.
The "Job title" held by my boss is Direct supervisor for PoS tech support, it's very much possible that this is set up above him and he never asked questions, I on the other hand, having learned from @Dashrender and my Dad, I thought it was weird we turned Windows Firewall off, and I ask questions, hence the post. I don't believe that my boss is knowingly and blatantly causing a possible breach. I think it's a fair assumption that he does what the vendor tells us to do, or he was taught wrong.
My curiosity of why it wouldn't work has now turned into a much bigger deal than I originally thought it to be. So I thank you for bringing it to my attention, definitely will be looking into this more.
-
@wrcombs said in Windows Firewall:
I don't believe that my boss is knowingly and blatantly causing a possible breach
It seems like he is... I could ask anyone (outside of IT even) what it means to turn off a firewall or if it's good or bad to do it... and I'm sure most would say it's bad.
I doubt he is 100% clueless given he's a tech support supervisor, so this means not only does he know what it means to have a firewall turned off, he's actively telling people to do it, and ignoring all aspects of it.
-
@wrcombs said in Windows Firewall:
The "Job title" held by my boss is Direct supervisor for PoS tech support, it's very much possible that this is set up above him and he never asked questions....
So this is where we get into a bunch of questions like...
- Is he responsible for asking questions?
- Is he responsible for anything involving basic security and practices that put customers at risk?
- Is breaching PCI and other regulations okay even if you are told to do so?
- Is repeating a lie as if it were true acceptable, when it is known that it can't reasonably be true?
I think point 4 is the main one. If HE told you the BS reasons for why things are the way that they are, he risks having grabbed hold of the hot potato even if he didn't have it before.
-
@wrcombs said in Windows Firewall:
My curiosity of why it wouldn't work has now turned into a much bigger deal than I originally thought it to be. So I thank you for bringing it to my attention, definitely will be looking into this more.
It's a bit like asking "should these prisoners under the warden's nose" be allowed to run a heroin market?
Um.....
-
@wrcombs said in Windows Firewall:
I think it's a fair assumption that he does what the vendor tells us to do, or he was taught wrong.
Well, working in IT means that doing "what the vendor says" is no excuse. That's like driving over pedestrians and claiming "the car maker said it was okay". That's not how it works, the rules for operating a car have zero dependency on manufacturer statements.
If he was taught wrong, this goes against all industry education, best practices, and common sense. It means he's not been taught up to the most minimal standards and is pretty hard to overlook.
-
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
The "Job title" held by my boss is Direct supervisor for PoS tech support, it's very much possible that this is set up above him and he never asked questions....
So this is where we get into a bunch of questions like...
- Is he responsible for asking questions?
- Is he responsible for anything involving basic security and practices that put customers at risk?
- Is breaching PCI and other regulations okay even if you are told to do so?
- Is repeating a lie as if it were true acceptable, when it is known that it can't reasonably be true?
I think point 4 is the main one. If HE told you the BS reasons for why things are the way that they are, he risks having grabbed hold of the hot potato even if he didn't have it before.
I honestly have no clue. I wish I had a better explanation.
I just wasn't sure what the reasoning surrounding the non use
So even though we provide hardware Firewalls to every site it's still a problem?
I'm sure that question will come up
-
@wrcombs said in Windows Firewall:
So even though we provide hardware Firewalls to every site it's still a problem?
So there are two ways to look at this. But simply, yes.
-
@wrcombs said in Windows Firewall:
So even though we provide hardware Firewalls to every site it's still a problem?
First Way:
Network Edge firewalls do almost nothing to protect workloads inside of the company. The majority of network risks originate inside the LAN, not from outside of it. That's not to say that that edge firewall is a bad thing, it's quite good, but it is trivial in importance compared to the ones on the computers because they do the same job that it does, and a lot more. The firewall on the network edge is almost superfluous as it is redundant with the vastly more important system firewalls.
Basically you "need" the Windows Firewall here, the extra network edge firewall is good, but just a "nicety." You can replace the hardware firewall with the Windows firewalls, but not vice versa.
However, the best practice is that you never, ever skip either. It's always both.
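
Added example, not part of any post in this thread: the alternative to turning Windows Firewall off that the thread keeps returning to, which is to leave every profile enabled and create a scoped allow rule for the POS traffic. The rule name, port 12345 and the LocalSubnet scope are placeholders; the real ports come from the POS vendor's documentation.

```powershell
#Requires -RunAsAdministrator
# Added example: keep the host firewall on and allow only what the POS needs.
# Rule name, port and scope are placeholders, not values from the Aloha guide.

function Get-DisabledFirewallProfile {
    # Profiles (Domain/Private/Public) where the firewall is not enabled.
    Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
}

function Enable-HostFirewall {
    # Turn every profile on, block unsolicited inbound traffic by default,
    # and log dropped packets so a blocked POS connection can be identified
    # from the firewall log instead of guessed at.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -Enabled True -DefaultInboundAction Block `
        -DefaultOutboundAction Allow -LogBlocked True
}

function Add-PosAllowRule {
    param(
        [string]   $DisplayName   = 'POS terminal traffic (placeholder)',
        [string[]] $LocalPort     = @('12345'),     # placeholder port
        [string]   $RemoteAddress = 'LocalSubnet'   # only peers on the same LAN
    )
    # Idempotent: do nothing if a rule with this name already exists.
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        return
    }
    New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound `
        -Action Allow -Protocol TCP -LocalPort $LocalPort `
        -RemoteAddress $RemoteAddress -Profile Domain, Private
}

$off = Get-DisabledFirewallProfile
if ($off) {
    Write-Warning ('Firewall disabled on profile(s): ' + ($off.Name -join ', '))
    Enable-HostFirewall
}
Add-PosAllowRule

# Final state: every profile should show Enabled = True, inbound = Block.
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction
```

If local rules end up in a bad state, `netsh advfirewall reset` is one way to restore the default policy. Settings delivered by Group Policy take precedence over these local changes.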