RE: [fw-wiz] Worms, Air Gaps and Responsibility

From: Dana Nowell
Date: 05/18/04

    To: Frank Knobbe, Dana Nowell
    Date: Tue, 18 May 2004 09:29:01 -0400

    At 11:06 PM 5/17/2004 -0500, Frank Knobbe wrote:
    >Perhaps for viruses, but not for worms as these devices tend not to be
    >permanently wired or reachable.

    Yup. So imagine a case where you have an internal worm/virus outbreak and
    you clean up. Next day it is back; you scour your network and clean up
    everything. Next day it's back; eventually you find some guy syncing his
    Palm to his desktop or an intermittently connected wireless iPaq is the
    root cause, chase that one down.

    As a general case, I'm whining about intermittently connected devices
    having direct access to the internal network. We talk about all sorts of
    restrictions on home PC connections, what about the 'next generation'
    (based on roll-out not technology) wireless devices (Bluetooth, WiFi,
    802.11)? Assume you have a PDA-like device in your pocket and are walking
    down the street. Guy with an infected phone walks past and BAM, welcome to
    the nightmare. Is that today? No. Is that within, say, 5 years? Possibly.
    Show me YOUR plans for firewall protection of Bluetooth, wireless USB, and
    similar connections (yes, some stuff is/can be built in by design, but buffer
    overflows and other exploits can be built in by accident ;).

    But hey, that's not real today, so no short-term pain, no short-term
    solution. Eventually I'm pretty sure it will become a short-term issue
    with some level of pain.

    >Several years ago, the folks from Phenoelit were presenting exploits on
    >Cisco routers and HP printers. I had $20 on a worm that spreads through
    >printers since there are frighteningly many printers directly connected
    >to the Internet (after all, it's just a printer, right? :)
    >Likewise, a worm ripping through Cisco routers gives me the creeps, but
    >luckily these are often set up with decent or secure enough
    >configurations. (I don't recall there actually being a printer worm.)
    >But what about Cable modems or DSL routers? Any component that is not a
    >computer, or has services open, tends to be ignored/dismissed too
    >quickly. Once we were shown that laser printers can be converted to do
    >thy bidding in the form of password brute forcing and other... uhm...
    >non-paper related tasks. Who would have thought...

    I don't connect printers directly to the net so I hadn't thought of that.
    Cable/DSL modems are an issue but since they're on the outside of my
    'router' they are considered 'red zone' devices anyway.

    >But you are right... It seems I'm dismissing cell phones and PDAs here,
    >and I shouldn't be doing that.

    I don't think cell phones are a real big issue now but convergence between
    cell phones and PDAs with wireless connectivity and a VPN thrown in is a
    scary concept. As people have said for a while now, the days of Red and Blue
    zones are over; unfortunately, most people lack the
    skills/intelligence/money/clout to bury the corpse.

    Dana Nowell     Cornerstone Software Inc.
    Voice: 603-595-7480 Fax: 603-882-7313