RE: [fw-wiz] terminal services
From: Paul D. Robertson (proberts@patriot.net)
Date: 01/28/03
- Next message: Barney Wolff: "Re: [fw-wiz] terminal services"
- Previous message: Luca Berra: "Re: [fw-wiz] DHCP in a corporate MS environment - Security Risk?"
- In reply to: R. DuFresne: "RE: [fw-wiz] terminal services"
- Next in thread: Barney Wolff: "Re: [fw-wiz] terminal services"
- Reply: Barney Wolff: "Re: [fw-wiz] terminal services"
From: "Paul D. Robertson" <proberts@patriot.net>
To: "R. DuFresne" <dufresne@sysinfo.com>
Date: Tue Jan 28 18:32:00 2003
On Tue, 28 Jan 2003, R. DuFresne wrote:
> the last time M$-SQL was hit. Other discussions in various lists the past
> few days have folks claiming they had no prior warning that port 1434 was
> a point of caution deserving incoming and outgoing blocks. Though, as
It's an ephemeral port- just blocking it may make random stuff not work in
some situations (like say DNS...)
It takes someone who's thought it out to do the filtering correctly.
Unfortunately, in my experience that's not going to happen in response to
a worm.
> someone in one of those discussions mentioned, often the information made
> available on a threat, often gets read and interpreted in far too strict
> and narrow a sense to deal with a potential threat in a decisive manner
> the first time out.
The worst part is that this is blockable at the host on Win2k- if we had
host-based default deny, we'd be looking at a better landscape for sure.
I can say that for every firewall I've set up, this wouldn't have gotten
in or out that way. I can also assure you that folks who're doing a good
job of default deny at their border routers didn't get it from the
Internet at large. Steve's right on that score- firewalls work fine for
ensuring that primary infection vectors are killed. Wes is right too,
that leaves secondaries like VPNs. You're still better off with a
properly configured perimeter though, no matter what else you've got.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
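
The trade-off discussed in the message above, as an added example that is not part of the original post: a stateless "drop UDP to port 1434" rule is compared with a stateful default-deny policy on four constructed packets. The addresses, the packet model and the assumption that a client's stack happened to pick 1434 as its source port for a DNS query are illustrative.

```python
from collections import namedtuple

# Minimal UDP packet model (constructed for this example).
Packet = namedtuple("Packet", "direction src_ip src_port dst_ip dst_port")

WORM_PORT = 1434  # the UDP port named in the thread


def stateless_port_block(pkt):
    """Reactive rule: drop anything addressed to UDP 1434, in or out."""
    return pkt.dst_port != WORM_PORT


class StatefulDefaultDeny:
    """Default deny: outbound only to listed ports, inbound only as a reply."""

    def __init__(self, allowed_outbound_ports):
        self.allowed_out = set(allowed_outbound_ports)
        self.flows = set()

    def permit(self, pkt):
        if pkt.direction == "out":
            if pkt.dst_port not in self.allowed_out:
                return False
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # Inbound traffic must mirror a flow an inside host opened.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows


def evaluate():
    # Constructed sample traffic using documentation address ranges.
    client, sql_host = "192.0.2.10", "192.0.2.20"
    resolver, outsider = "198.51.100.53", "203.0.113.7"
    traffic = [
        ("dns_query", Packet("out", client, 1434, resolver, 53)),
        ("dns_reply", Packet("in", resolver, 53, client, 1434)),
        ("inbound_1434", Packet("in", outsider, 4000, sql_host, 1434)),
        ("outbound_1434", Packet("out", sql_host, 3000, outsider, 1434)),
    ]
    fw = StatefulDefaultDeny(allowed_outbound_ports={53})
    return {
        "stateless": {name: stateless_port_block(p) for name, p in traffic},
        "stateful": {name: fw.permit(p) for name, p in traffic},
    }


if __name__ == "__main__":
    for policy, verdicts in evaluate().items():
        print(policy, verdicts)
```

Both policies stop the 1434 traffic in each direction, but only the stateless rule also drops the legitimate DNS reply that lands on port 1434.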