Can it end now? \rant
-
@zuphzuph said in Can it end now? \rant:
@scottalanmiller I came in today to find a production web server my boss built had the windows firewall on and was stopping all messages from RabbitMQ for one of our apps. Just a back week overall. Thanks though duder!
Firewall on: good.
Firewall misconfigured: bad. -
@zuphzuph What does not kill you will look great on a resume! Keep up the good fight man.
-
@scottalanmiller said in Can it end now? \rant:
@DustinB3403 said in Can it end now? \rant:
@zuphzuph said in Can it end now? \rant:
@scottalanmiller I came in today to find a production web server my boss built had the windows firewall on and was stopping all messages from RabbitMQ for one of our apps. Just a back week overall. Thanks though duder!
Why is the production web server using Windows, and more importantly, Windows Firewall?
Once you are using Windows, why would you ever disable the Windows firewall?
We disable it (for internal-only machines, domain only. Public and private are active) because there are many other layers of security in place. Having it on and risking compromise is outweighed by the added headaches of figuring out why the firewall is blocking something. Anything external facing has maximum security though (web servers/etc).
So I guess reading back through @zuphzuph's comment about it being on and it's a web server, it should be on and configured properly.
-
@BBigford said in Can it end now? \rant:
We disable it (for internal-only machines, domain only. Public and private are active) because there are many other layers of security in place. Having it on and risking compromise is outweighed by the added headaches of figuring out why the firewall is blocking something. Anything external facing has maximum security though (web servers/etc).
You know that one of the most dangerous attack vectors is the one from within your network? No more IDS/IPS or UTM to pass, it's the free wild. I would leave it on, better some protection than no protection. Adding a new rule for a webserver is a one-liner.
-
@BBigford said in Can it end now? \rant:
@scottalanmiller said in Can it end now? \rant:
@DustinB3403 said in Can it end now? \rant:
@zuphzuph said in Can it end now? \rant:
@scottalanmiller I came in today to find a production web server my boss built had the windows firewall on and was stopping all messages from RabbitMQ for one of our apps. Just a back week overall. Thanks though duder!
Why is the production web server using Windows, and more importantly, Windows Firewall?
Once you are using Windows, why would you ever disable the Windows firewall?
We disable it (for internal-only machines, domain only. Public and private are active) because there are many other layers of security in place. Having it on and risking compromise is outweighed by the added headaches of figuring out why the firewall is blocking something. Anything external facing has maximum security though (web servers/etc).
So I guess reading back through @zuphzuph's comment about it being on and it's a web server, it should be on and configured properly.
It only exists for internal only (that's why it was made) because internal machines should always have a firewall. There is no other layer that protects what the system firewall does. Without it, you rely on "LAN security."
-
@scottalanmiller said in Can it end now? \rant:
@BBigford said in Can it end now? \rant:
@scottalanmiller said in Can it end now? \rant:
@DustinB3403 said in Can it end now? \rant:
@zuphzuph said in Can it end now? \rant:
@scottalanmiller I came in today to find a production web server my boss built had the windows firewall on and was stopping all messages from RabbitMQ for one of our apps. Just a back week overall. Thanks though duder!
Why is the production web server using Windows, and more importantly, Windows Firewall?
Once you are using Windows, why would you ever disable the Windows firewall?
We disable it (for internal-only machines, domain only. Public and private are active) because there are many other layers of security in place. Having it on and risking compromise is outweighed by the added headaches of figuring out why the firewall is blocking something. Anything external facing has maximum security though (web servers/etc).
So I guess reading back through @zuphzuph's comment about it being on and it's a web server, it should be on and configured properly.
It only exists for internal only (that's why it was made) because internal machines should always have a firewall. There is no other layer that protects what the system firewall does. Without it, you rely on "LAN security."
We put our servers on their own vlan among other things. But unfortunately that's not my call even if I wanted to change it. I brought it up my first couple weeks and was told nope, not gonna happen.
-
@thwr said in Can it end now? \rant:
@BBigford said in Can it end now? \rant:
We disable it (for internal-only machines, domain only. Public and private are active) because there are many other layers of security in place. Having it on and risking compromise is outweighed by the added headaches of figuring out why the firewall is blocking something. Anything external facing has maximum security though (web servers/etc).
You know that one of the most dangerous attack vectors is the one from within your network? No more IDS/IPS or UTM to pass, it's the free wild. I would leave it on, better some protection than no protection. Adding a new rule for a webserver is a one-liner.
Valid point. I was told not to enable any of them. So maybe they are going based on trust.
-
@BBigford said in Can it end now? \rant:
@scottalanmiller said in Can it end now? \rant:
@BBigford said in Can it end now? \rant:
@scottalanmiller said in Can it end now? \rant:
@DustinB3403 said in Can it end now? \rant:
@zuphzuph said in Can it end now? \rant:
@scottalanmiller I came in today to find a production web server my boss built had the windows firewall on and was stopping all messages from RabbitMQ for one of our apps. Just a back week overall. Thanks though duder!
Why is the production web server using Windows, and more importantly, Windows Firewall?
Once you are using Windows, why would you ever disable the Windows firewall?
We disable it (for internal-only machines, domain only. Public and private are active) because there are many other layers of security in place. Having it on and risking compromise is outweighed by the added headaches of figuring out why the firewall is blocking something. Anything external facing has maximum security though (web servers/etc).
So I guess reading back through @zuphzuph's comment about it being on and it's a web server, it should be on and configured properly.
It only exists for internal only (that's why it was made) because internal machines should always have a firewall. There is no other layer that protects what the system firewall does. Without it, you rely on "LAN security."
We put our servers on their own vlan among other things. But unfortunately that's not my call even if I wanted to change it. I brought it up my first couple weeks and was told nope, not gonna happen.
Uhm, that's bad. Always hard to see people misunderstanding VLAN as a security feature - it's not. It helps in organizing your network, but it adds not much - if any - security.
-
@BBigford said in Can it end now? \rant:
@thwr said in Can it end now? \rant:
@BBigford said in Can it end now? \rant:
We disable it (for internal-only machines, domain only. Public and private are active) because there are many other layers of security in place. Having it on and risking compromise is outweighed by the added headaches of figuring out why the firewall is blocking something. Anything external facing has maximum security though (web servers/etc).
You know that one of the most dangerous attack vectors is the one from within your network? No more IDS/IPS or UTM to pass, it's the free wild. I would leave it on, better some protection than no protection. Adding a new rule for a webserver is a one-liner.
Valid point. I was told not to enable any of them. So maybe they are going based on trust.
Well, ... uhm, just make sure that no one points at you when things go south.
-
@BBigford said in Can it end now? \rant:
Valid point. I was told not to enable any of them. So maybe they are going based on trust.
By someone working in an IT department? If someone told me that I'd ask a manager to look into if they were socially engineering me. That sounds like someone testing you.