RE: [fw-wiz] MSBlast circumventing host firewall

From: Paul Robertson
Date: 08/18/03

    To: Paul Matuszewski <>
    Date: Mon, 18 Aug 2003 08:14:41 -0400 (EDT)

    On Mon, 18 Aug 2003, Paul Matuszewski wrote:

    > Aye,
    > The reason you're seeing this is because of the actual use of winproxy.
    > It'll do the job at firewalling (per se) things to the inside interfaces,
    > but it still hasn't taken care of the actual ports on the machine itself.
    > You'll have to patch those bad boys up right away. Fixing the issue with

    Let's not forget that there's an alternative to patching in this case (as
    there was with Slammer for a lot of systems...)

    Turning off DCOM on a host that doesn't need it is a good idea, and likely
    more protective than patching. Now, obviously that means that the
    software on the box can't require DCOM, and I don't know what Winproxy
    uses; its name puts it right out of the universe of things I'd use ;)

    > the open ports can be taken care of by removing windows networking and the
    > related services to the port. However, you might run into trouble with
    > WinProxy failing because of it, not too familiar with the software here.
    > That's why people use inline firewalls/filtering routers... just so you
    > know.

    [Ah ha! One of my favorite soapboxes...]

    At this stage in the game, I'd go so far as to say that every border
    router an organization owns should have filtering on it. Anti-spoofing
    for sure, per-protocol allows for necessary protocols, and then per-port
    or stateful rules if you can get away with it.

    Back when I had to secure a large enterprise for a living, and didn't want
    to try to put Firewall Feature Set[1] on my borders, I put two stateful
    packet filters between the firewalls and the routers, just to add an
    additional layer of protection; two relatively quick dual-NIC PCs in
    parallel cost about USD $1200 each at that point in time, now you could do
    it for half that for both. Any of the free *nix OS' with their default
    packet filtering software would work (OpenBSD/pf, FreeBSD/ipfw or
    ipfilter, NetBSD/ipfilter, Linux/ipchains or iptables). If you're really
    stuck for strangeness, some of the combinations will also do bridge-mode.

    Obviously, there are a multitude of commercial products that would also
    fit the bill here, but the firewall itself is likely to be one of those,
    and I'm a big fan of heterogeneous networking.
    [1] I've got nothing against FFS (in fact, I like it,) but back then it
    was new, and new doesn't go into my security infrastructure very often. I
    also had an issue with rate of change on the borders, which were taking
    the load for the largest node of our biggest Web site, so adding filters
    to the corporate side of that equation made the most sense.
    Paul D. Robertson
    "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    Director of Risk Assessment
    TruSecure Corporation

    firewall-wizards mailing list
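    The kind of border packet filter the reply above describes (default deny, anti-spoofing, per-protocol and per-port allows, stateful), written as an OpenBSD pf ruleset. This is an added illustration, not a configuration from the post or from TruSecure; the interface names, the address block, the web server address and the allowed services are all assumptions. The Windows RPC/DCOM and SMB port numbers are general knowledge, not taken from the thread.

    ```pf
    # Added example: stateful packet filter sitting between the border router
    # and the main firewall. All names and addresses below are assumptions.
    ext_if = "em0"                      # link toward the border router
    int_if = "em1"                      # link toward the main firewall
    corp_net = "192.0.2.0/24"           # assumed public block (RFC 5737 range)
    web_srv = "192.0.2.10"              # assumed public web server

    # Addresses that must never arrive from the Internet as a source.
    table <bogons> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                           172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }

    set skip on lo
    set state-policy if-bound            # states do not carry across interfaces
    block log all                        # default deny, both directions

    # Anti-spoofing on the outside link: no bogon or "our own" sources inbound,
    # nothing but our own block outbound.
    block in quick on $ext_if from { <bogons>, $corp_net } to any
    block out quick on $ext_if from ! $corp_net to any
    antispoof quick for { $ext_if, $int_if }

    # Windows RPC/DCOM and SMB never belong on a border in either direction.
    # 135/tcp is the DCOM endpoint mapper; blocking it here protects hosts
    # that have not yet been patched or had DCOM disabled.
    block log quick on $ext_if proto { tcp, udp } from any to any \
        port { 135, 137, 138, 139, 445 }

    # Per-protocol and per-port allows, all stateful. Only what is listed
    # here crosses the border; everything else hits the default block.
    pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } \
        flags S/SA keep state
    pass in on $ext_if proto icmp from any to $corp_net \
        icmp-type { echoreq, unreach } keep state
    pass out on $ext_if proto { tcp, udp } from $corp_net to any keep state
    pass out on $ext_if proto icmp from $corp_net to any keep state

    # The inner link is trusted at this layer; the real firewall behind it
    # does its own, finer-grained filtering.
    pass quick on $int_if all keep state
    ```

    Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pflog0` with tcpdump to confirm the logged blocks are the traffic you expect.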
