Re: [fw-wiz] Re: Setting up H323 IP telephony etc

From: Mike Hoskins (
Date: 08/29/03

  • Next message: Mike Hoskins: "[fw-wiz] Re: Setting up H323 IP telephony etc"
    Date: Thu, 28 Aug 2003 17:20:35 -0700 (PDT)

    Date: Tue, 26 Aug 2003 20:58:46 -0400
    From: Barney Wolff <>
    To: "Marcus J. Ranum" <>
    Subject: Re: [fw-wiz] Re: Setting up H323 IP telephony etc
    On Tue, Aug 26, 2003 at 05:07:46PM -0400, Marcus J. Ranum wrote:
    > Sorry - I'm feeling extremely curmudgeonly today.

    story of my life.

    > various worms in the last week. Why's that? On the surface, the
    > answer is "RPC bug" but the REAL answer is "people should not
    > be connecting mission-critical networks to the Internet - even with
    > firewalls." A small handful of us have been singing this song quietly
    > in the corner for about 12 years, now. Is anyone going to ever "get
    > it"??

    probably not. i've come to realize part of our job as 'security people'
    is to keep singing the same things over and over. oh, i don't _like_
    that fact, but it does seem to be true. now more than ever (due to the
    market or whatever you blame), business people just have to cite 'business
    drivers' and the technies shutup out of fear of loosing their jobs.

    unfortuneately things are so out-of-wack that no one stops to realize
    that allowing a 'mission-critical' network to be taken offline (werd to
    the Navy on that one) due to a worm circulating on a public network IS a
    much better reason for loosing your job.

    > Alas, for the latest round merely being not Internet connected would
    > not have been good enough. An infected immigrant laptop is enough to
    > take down any isolated net.
    > For a sufficiently rich and motivated org, I'd advocate changing the
    > Ethertype of IP from 800, just to make it harder to connect conventional
    > equipment by accident. Does even NSA do anything like that?

    you let random people plug-in, get an address, and snoop around? that's
    OK, but you shouldn't do that on a 'mission-critical' network. if
    you do, the org should re-define 'mission critical'. VLANs, ACLs, MAC
    tables... there are lots of ways to ensure only acceptable hosts connect
    to the network that are cheaper/easier than low-level network bits. of
    course, that works too. ;) but i think the real issue is that people go
    around touting 'mission critical' WAY too friggen much. if it is really
    'mission critical', then people need to remember that convenience comes
    with a cost -- reduced security. furthermore, if the business people
    review the org's security policy and accept that before the incident --
    then they have no one to blame but themselves when their 'mission
    critical' network goes offline. that's why policy has to be top-down.


    From: "Spam Catcher" <>
    Do NOT send email to the address listed above or
    you will be added to a blacklist!
    firewall-wizards mailing list

  • Next message: Mike Hoskins: "[fw-wiz] Re: Setting up H323 IP telephony etc"