Re: [fw-wiz] Re: Setting up H323 IP telephony etc

From: Mike Hoskins (
Date: 08/29/03

  • Next message: Mike Hoskins: "[fw-wiz] Re: Setting up H323 IP telephony etc"
    Date: Thu, 28 Aug 2003 17:20:35 -0700 (PDT)

    Date: Tue, 26 Aug 2003 20:58:46 -0400
    From: Barney Wolff <>
    To: "Marcus J. Ranum" <>
    Subject: Re: [fw-wiz] Re: Setting up H323 IP telephony etc
    On Tue, Aug 26, 2003 at 05:07:46PM -0400, Marcus J. Ranum wrote:
    > Sorry - I'm feeling extremely curmudgeonly today.

    story of my life.

    > various worms in the last week. Why's that? On the surface, the
    > answer is "RPC bug" but the REAL answer is "people should not
    > be connecting mission-critical networks to the Internet - even with
    > firewalls." A small handful of us have been singing this song quietly
    > in the corner for about 12 years, now. Is anyone going to ever "get
    > it"??

    probably not. i've come to realize part of our job as 'security people'
    is to keep singing the same things over and over. oh, i don't _like_
    that fact, but it does seem to be true. now more than ever (due to the
    market or whatever you blame), business people just have to cite 'business
    drivers' and the techies shut up out of fear of losing their jobs.

    unfortunately things are so out of whack that no one stops to realize
    that allowing a 'mission-critical' network to be taken offline (werd to
    the Navy on that one) due to a worm circulating on a public network IS a
    much better reason for losing your job.

    > Alas, for the latest round merely being not Internet connected would
    > not have been good enough. An infected immigrant laptop is enough to
    > take down any isolated net.
    > For a sufficiently rich and motivated org, I'd advocate changing the
    > Ethertype of IP from 800, just to make it harder to connect conventional
    > equipment by accident. Does even NSA do anything like that?

    you let random people plug in, get an address, and snoop around? that's
    OK, but you shouldn't do that on a 'mission-critical' network. if
    you do, the org should re-define 'mission critical'. VLANs, ACLs, MAC
    tables... there are lots of ways to ensure only acceptable hosts connect
    to the network that are cheaper/easier than low-level network bits. of
    course, that works too. ;) but i think the real issue is that people go
    around touting 'mission critical' WAY too friggen much. if it is really
    'mission critical', then people need to remember that convenience comes
    with a cost -- reduced security. furthermore, if the business people
    review the org's security policy and accept that before the incident --
    then they have no one to blame but themselves when their 'mission
    critical' network goes offline. that's why policy has to be top-down.
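
The "VLANs, ACLs, MAC tables" point above is easy to state and easy to let rot. The script below is an added example (not code from the thread or from any of its authors): it audits a switch MAC address table against an allowlist of hosts approved for a mission-critical VLAN and reports anything learned dynamically that is not on the list. The table lines mimic the layout of Cisco IOS `show mac address-table` output but are constructed sample data; the VLAN number, the approved MACs and the hostnames are assumed policy values, not anything from the page.

```python
"""Audit a switch MAC address table against an allowlist of approved hosts.

Added example, not from the firewall-wizards thread. The sample table below
is constructed to look like Cisco IOS `show mac address-table` output; the
VLAN number and allowlist are assumed policy values.
"""
import re

# Constructed sample output; not captured from a real switch.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4456    DYNAMIC     Gi1/0/2
  10    00aa.bbcc.dd01    DYNAMIC     Gi1/0/7
  20    0011.2233.9999    DYNAMIC     Gi1/0/12
  10    0100.5e00.0001    STATIC      CPU
Total Mac Addresses for this criterion: 5
"""

# Assumed policy: only these MACs belong on the mission-critical VLAN.
MISSION_CRITICAL_VLAN = 10
APPROVED_MACS = {
    "00:11:22:33:44:55": "plc-controller-1",   # hypothetical hostnames
    "00:11:22:33:44:56": "hmi-workstation",
}

# One data row: "<vlan> <xxxx.xxxx.xxxx> <type> <port>"; headers and the
# summary line do not start with a VLAN number and are skipped.
ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\w+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def normalize_mac(dotted):
    """Convert Cisco dotted form 0011.2233.4455 to 00:11:22:33:44:55."""
    hexdigits = dotted.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return a list of {vlan, mac, type, port} dicts, one per data row."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        entries.append({
            "vlan": int(m.group("vlan")),
            "mac": normalize_mac(m.group("mac")),
            "type": m.group("type").upper(),
            "port": m.group("port"),
        })
    return entries


def is_multicast(mac):
    """Group bit (low bit of the first octet) set: not a host to chase."""
    return int(mac[:2], 16) & 1 == 1


def find_unapproved_hosts(entries, vlan=MISSION_CRITICAL_VLAN,
                          approved=APPROVED_MACS):
    """Dynamically learned unicast MACs on `vlan` that are not in the allowlist."""
    return [
        e for e in entries
        if e["vlan"] == vlan
        and e["type"] == "DYNAMIC"
        and not is_multicast(e["mac"])
        and e["mac"] not in approved
    ]


if __name__ == "__main__":
    for e in find_unapproved_hosts(parse_mac_table(SAMPLE_MAC_TABLE)):
        print(f"UNAPPROVED host {e['mac']} on VLAN {e['vlan']} "
              f"port {e['port']}")
```

Run against the constructed table it flags the one VLAN 10 host that is not on the allowlist (port Gi1/0/7) and ignores the VLAN 20 entry and the static multicast row. A check like this only tells you who is already plugged in; it is the audit behind a port-security or 802.1X policy, not a replacement for one, and a MAC allowlist is trivially spoofed by anyone who already knows an approved address.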


