RE: [fw-wiz] Worms, Air Gaps and Responsibility

From: Dana Nowell (DanaNowell_at_cornerstonesoftware.com)
Date: 05/18/04

    To: Frank Knobbe <frank@knobbe.us>, Dana Nowell <DanaNowell@cornerstonesoftware.com>
    Date: Tue, 18 May 2004 09:29:01 -0400
    
    

    At 11:06 PM 5/17/2004 -0500, Frank Knobbe wrote:
    [snip]
    >
    >Perhaps for viruses, but not for worms as these devices tend not to be
    >permanently wired or reachable.
    >

    Yup. So imagine a case where you have an internal worm/virus outbreak and
    you clean up. Next day it is back, you scour your network and clean up
    everything. Next day it's back, eventually you find some guy syncing his
    Palm to his desktop or an intermittently connected wireless iPaq is the
    root cause, chase that one down.

    As a general case, I'm whining about intermittently connected devices
    having direct access to the internal network. We talk about all sorts of
    restrictions on home PC connections, what about the 'next generation'
    (based on roll-out not technology) wireless devices (Bluetooth, WiFi,
    802.11)? Assume you have a PDA-like device in your pocket and are walking
    down the street. Guy with an infected phone walks past and BAM, welcome to
    the nightmare. Is that today? No. Is that within, say, 5 years? Possibly.
    Show me YOUR plans for firewall protection of Bluetooth, wireless USB, and
    similar connections (yes some stuff is/can be built in by design but buffer
    overflows and other exploits can be built in by accident;).

    But hey, that's not real today, so no short-term pain, no short-term
    solution. Eventually I'm pretty sure it will become a short-term issue
    with some level of pain.

    >Several years ago, the folks from Phenoelit were presenting exploits on
    >Cisco routers and HP printers. I had $20 on a worm that spreads through
    >printers since there are frighteningly many printers directly connected
    >to the Internet (after all, it's just a printer, right? :)
    >Likewise, a worm ripping through Cisco routers gives me the creeps, but
    >luckily these are often set up with decent or secure enough
    >configurations. (I don't recall there actually being a printer worm.)
    >
    >But what about Cable modems or DSL routers? Any component that is not a
    >computer, or has services open, tends to be ignored/dismissed too
    >quickly. Once we were shown that laser printers can be converted to do
    >thy bidding in the form of password brute forcing and other... uhm...
    >non-paper related tasks. Who would have thought...
    >

    I don't connect printers directly to the net so I hadn't thought of that.
    Cable/DSL modems are an issue but since they're on the outside of my
    'router' they are considered 'red zone' devices anyway.

    >But you are right... It seems I'm dismissing cell phones and PDAs here,
    >and I shouldn't be doing that.

    I don't think cell phones are a real big issue now, but convergence between
    cell phones and PDAs with wireless connectivity and a VPN thrown in is a
    scary concept. As people have said for a while now, the days of Red and Blue
    zones are over; unfortunately, most people lack the
    skills/intelligence/money/clout to bury the corpse.

    -- 
    Dana Nowell     Cornerstone Software Inc.
    Voice: 603-595-7480 Fax: 603-882-7313
    email: DanaNowell_at_CornerstoneSoftware.com
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
