Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network

From: Paul Robertson (proberts_at_patriot.net)
Date: 05/29/03

    To: Crispin Cowan <crispin@immunix.com>
    Date: Thu, 29 May 2003 10:43:16 -0400 (EDT)
    

    On Wed, 28 May 2003, Crispin Cowan wrote:

    > Some of the best real-time tech support for various open source software
    > is available through public IRC channels:

    Once again, the bulk of small office/home office users don't need this.
    [That was the original context, stretching the context to fit the answer
    you want is a no go at this station.]
      
    In fact, the bulk of corporate users don't need this. Given the number of
    trojaned hosts on botnets, it's just not a good thing to let IRC out
    except under the most controlled circumstances.

    When I IRC from work, I do it through a machine that's at a colo, not
    directly from my desktop, and I don't lose functionality, but neither
    does our firewall.

    It's not a game of "Can I possibly come up with a legitimate reason to use
    this service?" It's "Is this risk worth the company taking?" I again
    assert that for 99.9% of companies, the answer is "Heck no!" when it comes
    to IRC from the desktop- even in companies where IRC is a necessary part
    of the business.

    You don't *need* IRC to get support, and you don't *need* to allow access
    to #plug_my_product_here by default to every desktop in a corporation.
    You don't *need* 6667/tcp from the desktop to get on IRC either.

    Several hundred thousand trojaned machines are DDoSing, password guessing,
    and causing other mayhem _every_single_day_. That needs to be *fixed*,
    and firewall admins should be part of the solution, not part of the
    excuses for not doing better brigade.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    proberts@patriot.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

