RE: [fw-wiz] MSBlast circumventing host firewall
From: Paul Robertson (proberts_at_patriot.net)
To: Paul Matuszewski <email@example.com>
Date: Mon, 18 Aug 2003 08:14:41 -0400 (EDT)
On Mon, 18 Aug 2003, Paul Matuszewski wrote:
> The reason you're seeing this is because of the actual use of winproxy.
> It'll do the job at firewalling (per se) things to the inside interfaces,
> but it still hasn't taken care of the actual ports on the machine itself.
> You'll have to patch those bad boys up right away. Fixing the issue with
Let's not forget that there's an alternative to patching in this case (as
there was with Slammer for a lot of systems...)
Turning off DCOM on a host that doesn't need it is a good idea, and likely
more protective than patching. Now, obviously that means that the
software on the box can't require DCOM, and I don't know what Winproxy
uses; its name puts it right out of the universe of things I'd use ;)
> the open ports can be taken care of by removing Windows networking and the
> related services to the port. However, you might run into trouble with
> WinProxy failing because of it, not too familiar with the software here.
> That's why people use inline firewalls/filtering routers... just so you
[Ah ha! One of my favorite soapboxes...]
At this stage in the game, I'd go so far as to say that every border
router an organization owns should have filtering on it. Anti-spoofing
for sure, per-protocol allows for necessary protocols, and then per-port
or stateful rules if you can get away with it.
Back when I had to secure a large enterprise for a living, and didn't want
to try to put Firewall Feature Set on my borders, I put two stateful
packet filters between the firewalls and the routers, just to add an
additional layer of protection; two relatively quick dual-NIC PCs in
parallel cost about USD $1200 each at that point in time, now you could do
it for half that for both. Any of the free *nix OSes with their default
packet filtering software would work (OpenBSD/pf, FreeBSD/ipfw or
ipfilter, NetBSD/ipfilter, Linux/ipchains or iptables). If you're really
stuck for strangeness, some of the combinations will also do bridge-mode.
Obviously, there are a multitude of commercial products that would also
fit the bill here, but the firewall itself is likely to be one of those,
and I'm a big fan of heterogeneous networking.
I've got nothing against FFS (in fact, I like it), but back then it
was new, and new doesn't go into my security infrastructure very often. I
also had an issue with rate of change on the borders, which were taking
the load for the largest node of our biggest Web site, so adding filters
to the corporate side of that equation made the most sense.
Paul D. Robertson
Director of Risk Assessment, TruSecure Corporation
firstname.lastname@example.org
email@example.com
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
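The border filtering the post argues for (anti-spoofing, per-protocol allows, then per-port stateful rules, with Windows networking kept off the wire) can be written down in a few lines of OpenBSD pf. The ruleset below is an added example and not part of the original message or of any product it mentions; the interface names, the 192.0.2.0/24 internal range, the web server address and the list of Windows RPC/NetBIOS/SMB ports are assumptions chosen for illustration.

```pf
# Added example: a minimal stateful border ruleset for OpenBSD pf.
# Interface names, address ranges and the Windows port list are assumed.

ext_if = "em0"                 # assumed border-facing interface
int_if = "em1"                 # assumed inside-facing interface
int_net = "192.0.2.0/24"       # assumed internal range (documentation prefix)
web_srv = "192.0.2.10"         # assumed published web server
win_ports = "{ 135, 137, 138, 139, 445 }"   # assumed Windows RPC/NetBIOS/SMB ports
bogons = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16 }"

set skip on lo

# Anti-spoofing: drop packets arriving on an interface whose source
# address belongs to the network behind a different interface.
antispoof quick for { $ext_if, $int_if }

# Private and bogon sources never arrive legitimately on the border,
# and nothing inside should be talking to them across it.
block in quick on $ext_if from $bogons to any
block out quick on $ext_if from any to $bogons

# Default deny in both directions, logged, so every allow is explicit.
block log all

# Windows networking ports stay off the border in either direction.
block in quick on $ext_if proto { tcp, udp } from any to any port $win_ports
block out quick on $ext_if proto { tcp, udp } from any to any port $win_ports

# Per-protocol allows from the inside out; "keep state" lets replies
# return without a matching inbound rule.
pass out quick on $ext_if proto { tcp, udp, icmp } from $int_net to any keep state

# Per-port stateful rule for the one published service; flags S/SA
# means only a proper SYN can create state.
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the ordering matters because pf evaluates rules last-match-wins unless `quick` is present, which is why the anti-spoofing, bogon and Windows-port blocks are marked `quick` while the default deny is not.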
firewall-wizards mailing list