RE: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)

From: R. DuFresne (dufresne_at_sysinfo.com)
Date: 06/01/04

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)"
    To: Ben Nagy <ben@iagu.net>
    Date: Tue, 1 Jun 2004 13:04:42 -0400 (EDT)
    
    

            [SNIP]

    >
    > [...]
    > > I have never had a worm or virus since I got interested in security.
    > > NEVER. And I use Windows as my primary desktop platform.
    >
    > Because you have one machine to take care of, plus you have some idea what
    > you are doing maybe?
    >

    And yet it's not that hard, in 5 years with a teen and sometimes two teens
    on their desktops, 8 windows boxen and a few SUNS <running open BSD> and a
    few intel systems running various levels of slackware, all behind an old
    archaic gateway, that is mostly open, but, knows the bad windows related
    ports and the few unix related ports that can be hit with nasties, only
    one system has suffered a virus infection out of the horde that has been
    spewed in the past 5 years. That system was infected due to a teen
    trusting other teens and getting a /dcc download of nasty. Course the
    virus remained isolated from the rest of the windows boxen due to their AV
    sigs being up to date.

    The point is, certain windows related ports should not be passed from
    outside in, nor vice versa. M$ has not gotten that right and perhaps
    never will, so one has to institute measures to ensure that, since the M$
    packet filtering FW is so bogus as to work only one way, then put
    something either in front of the windows box that can block inside out as
    well as outside in, or replace the windows packet filter with something
    that does know ingress as well as egress.

    Rather than trying to beat the vendor into submission, why not sidestep
    the vendor's toys with decent safe replacements and be done with it?

    Thanks,

    Ron DuFresne

    <this has been a great thread, and if Ben will allow me, I may scarf up
    his little green men and the anal whatch-a-ma-callits line for use later
    with mgt>

    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior security consultant:  sysinfo.com
                            http://sysinfo.com
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    testing, only testing, and damn good at it too!
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
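
An added example, not part of the original message: a small first-match packet-filter model comparing a filter that only inspects inbound traffic with a gateway that blocks the same ports in both directions. The port list and sample flows are assumptions constructed for illustration; the message does not name specific ports.

```python
# Added illustration; not code from the original message.
from dataclasses import dataclass

# Assumption: the message names no ports. These are the usual Windows
# RPC/NetBIOS/SMB service ports, chosen here for illustration.
WINDOWS_PORTS = {135, 137, 138, 139, 445}

@dataclass(frozen=True)
class Flow:
    name: str
    direction: str   # "in" = outside -> inside, "out" = inside -> outside
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str            # "block" or "pass"
    directions: frozenset  # directions the rule applies to
    ports: frozenset       # empty set = any port

def decide(rules, flow):
    """First matching rule wins; default is pass (a 'mostly open' gateway)."""
    for r in rules:
        if flow.direction in r.directions and (not r.ports or flow.dport in r.ports):
            return r.action
    return "pass"

def leaked(rules, flows):
    """Names of flows to Windows service ports that the policy lets through."""
    return [f.name for f in flows
            if f.dport in WINDOWS_PORTS and decide(rules, f) == "pass"]

# One-way policy: filters only traffic arriving from outside.
INBOUND_ONLY = [Rule("block", frozenset({"in"}), frozenset(WINDOWS_PORTS))]
# Gateway policy described in the message: same ports, both directions.
BOTH_WAYS = [Rule("block", frozenset({"in", "out"}), frozenset(WINDOWS_PORTS))]

# Constructed sample flows.
FLOWS = [
    Flow("outside host -> inside SMB", "in", 445),
    Flow("outside host -> inside RPC", "in", 135),
    Flow("inside host -> outside SMB", "out", 445),
    Flow("inside host -> outside NetBIOS", "out", 139),
    Flow("inside host -> outside web", "out", 80),
]

if __name__ == "__main__":
    print("inbound-only leaks:", leaked(INBOUND_ONLY, FLOWS))
    print("both-ways leaks:   ", leaked(BOTH_WAYS, FLOWS))
```

With the inbound-only policy, the two outbound flows to ports 445 and 139 still pass; with the two-way policy nothing aimed at those ports crosses the gateway, while ordinary outbound web traffic is unaffected.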
    
