Re: [fw-wiz] terminal services

From: Steven M. Bellovin (smb@research.att.com)
Date: 01/28/03


From: "Steven M. Bellovin" <smb@research.att.com>
To: "Noonan, Wesley" <Wesley_Noonan@bmc.com>
Date: Tue Jan 28 17:53:01 2003

In message <B6200F7A96BCD211864900A0C9D8173814C5453E@es01-hou.bmc.com>, "Noonan, Wesley" writes:
>I am not trying to pick on anyone here, but I have some
>comments/observations inline.
>
>Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
>Senior QA Rep.
>BMC Software, Inc.
>(713) 918-2412
>wnoonan@bmc.com
>http://www.bmc.com
>
>
>> -----Original Message-----
>> From: Steven M. Bellovin [mailto:smb@research.att.com]
>> Sent: Tuesday, January 28, 2003 15:02
>> To: natfirewall@netscape.net
>> Cc: firewall-wizards@honor.icsalabs.com
>> Subject: Re: [fw-wiz] terminal services
><snip>
>>
>> Note -- I'm *not* saying that just because it's Microsoft. Rather, I'm
>> pointing out the danger of opening extra holes in your firewall. Ask
>> yourself this: how did Microsoft (and others) get the infection on the
>> *inside* of its firewall?
>
>Through things like VPN connections in many cases. In others, you are
>certainly correct that opened ports didn't help anything. My point is simply
>that a VPN is a hole in the firewall, albeit generally a mitigated hole,
>which carries many of the same risks as if someone was just punching holes
>through the firewall anyway.

Right -- it's mitigated. You need defense in depth.
>
>> The issue isn't just that people inside
>> didn't patch their machines (though by my analysis, to a first
>> approximation virtually every machine they own was likely to be
>> vulnerable)
>
>I actually disagree here. The issue with slammer/sapphire is precisely that
>people didn't patch their machines.

If every user and every system administrator were to run their machines
absolutely locked-down -- with unused services turned off, all software
fully patched, and allowable services using strong authentication (and
perhaps crypto) to ensure that only authorized clients connected, we
wouldn't need firewalls. The purpose of a firewall is to provide a
more scalable solution -- a barrier that (helps to) protect networks
when people don't do those things.

Sure, people should patch their software. It's not going to happen
universally. Sometimes, it's sloppy administration. That was
certainly one factor here. Sometimes, it's because the patch is hard
to install (MS-SQL SP3 was easy to install, but that was only a week
old; the six-month-old patch was very difficult to install.) Sometimes
it's because you're crazy to install a random patch on a production
machine until you've tested it -- patches tend to be buggier than
release code, and tend to break other software. In that case, you've
committed a denial of service attack on yourself. Sometimes, you don't
know about the hole or the patch. Given how many Microsoft products
could install the code, I dare say that many people didn't even know
they were running an SQL server. (Office XP included it as an optional
component. Would you have guessed that? I sure wouldn't have.)

We can point fingers at Microsoft for not understanding the severity of
the hole, and hence not giving the patch grade-A service, i.e.,
something that's handled automatically by Windows Update. But as I
said, my response has nothing whatsoever to do with Microsoft.

I personally can secure, to my rather high standards, a few machines.
I can't do that for every machine in the company -- even a small
company. All it takes is one random new machine to be plugged in and
you're much more vulnerable than you were. *That's* why we have
firewalls -- as one more layer of defense.

                --Steve Bellovin, http://www.research.att.com/~smb (me)
                http://www.wilyhacker.com (2nd edition of "Firewalls" book)


