Re: [fw-wiz] how prevelant

From: Kevin Sheldrake (kev_at_electriccat.co.uk)
Date: 10/12/04

    To: "Jason Lewis" <jlewis@packetnexus.com>, "R. DuFresne" <dufresne@sysinfo.com>
    Date: Tue, 12 Oct 2004 08:22:11 +0100

    Hello

    Due to the rapid development of exploits against Windows OS (often all
    over the same few ports), and the tendency of script kiddies to run
    Windows attack tools, I tend to suggest that if you open your firewall up
    to allow the 'Windows' ports, then you probably aren't getting much
    benefit from the firewall. An example attack would be the automated
    attack tools that simply port scan for the Windows ports and then unleash
    all tools available against the box, leaving a shell behind if they work,
    and then simply moving on. If you have the Windows ports exposed then it
    should only be a matter of time (and a function of probability) until your
    box gets hit. If it's not patched up-to-date then it will probably get
    owned by the bad guys.

    I accept that there can be lots of other benefits a firewall can provide,
    but if you have a Windows domain, an untrusted domain, and a firewall
    between them, one has to question any security policy that allows those
    ports through. Even if you are at the forefront of patch management, I
    don't believe it is possible to patch a system where patches are simply
    not available (as is often the case).

    Of course, Samba on *nix is just as dangerous if you give everyone free
    rein.

    As an aside, providing Windows port access internal to large organisations
    is a risk that often has to be managed; internal hacks are common and
    these ports often suffice. Do you really want to increase that risk by
    giving the same level of access to everyone on the Internet?

    Kev

    > I had a job interview a while back and during the interview they were
    > explaining the network configuration to me. When the interviewer was
    > done, he asked why I had such a stunned look on my face. I said I found
    > it amazing they were passing domain information across the internet. His
    > response was that they had a firewall, so it was ok.
    >
    > I explained that firewalls are worthless if you are passing your
    > important information across the internet without some kind of
    > encryption.
    >
    > I ended up not taking the job, because they actually argued with my free
    > advice on how to immediately fix the problem. (Set up an IPSEC tunnel
    > between the sites.)
    >
    > I think it is VERY common, because there is a lack of understanding.
    >
    > You say tightfisted, I say intelligent.
    >
    > jas
    >
    > R. DuFresne wrote:
    >> How common is it for a company to have its NT domain and Novell
    >> authentication pass openly across the internet, and have this be the
    >> requirement to access VPN tunnel rights from outside into the company?
    >> The firewalls I manage keep all Windows related protocols in the
    >> 135-139, 445 and 5000 ports arenas internal only; none of this traffic
    >> passes outside the firewalls, none is allowed to pass outside, unless
    >> tunneled. Is this not a standard practise with any org with half a clue
    >> of security, or am I being more tightfisted with access and control than
    >> is the norm?
    >> Thanks,
    >> Ron DuFresne

    -- 
    Kevin Sheldrake MEng MIEE CEng CISSP
    Electric Cat (Bournemouth) Ltd
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
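As an added example (not code from the thread or from any of the posters), a small Python audit of the policy Ron describes: Windows ports 135-139, 445 and 5000 must never be reachable from the Internet zone, only from the zone that terminates the IPsec tunnel. The zone names, the two constructed rulesets and the first-match rule evaluation are assumptions for the illustration, not any particular firewall product's syntax.

```python
from dataclasses import dataclass

# Windows domain / file-sharing ports named in the thread.
WINDOWS_PORTS = frozenset(range(135, 140)) | frozenset({445, 5000})


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src_zone: str        # "internet", "internal", "ipsec" or "any" (constructed zone names)
    dst_zone: str
    proto: str           # "tcp", "udp" or "any"
    dports: frozenset    # destination ports; empty means every port


def first_match(rules, src_zone, dst_zone, proto, port):
    """First-match semantics, as most packet filters evaluate rules; None = implicit deny."""
    for r in rules:
        if (r.src_zone in (src_zone, "any") and r.dst_zone in (dst_zone, "any")
                and r.proto in (proto, "any") and (not r.dports or port in r.dports)):
            return r
    return None


def exposed_windows_ports(rules, untrusted=("internet",), protected="internal"):
    """List (zone, proto, port) for every Windows port an untrusted zone can reach.
    Traffic that arrives decapsulated from the IPsec tunnel belongs to its own
    zone and is deliberately absent from `untrusted`: that is the thread's policy
    of 'none passes outside the firewall unless tunneled'."""
    findings = []
    for zone in untrusted:
        for proto in ("tcp", "udp"):
            for port in sorted(WINDOWS_PORTS):
                r = first_match(rules, zone, protected, proto, port)
                if r is not None and r.action == "allow":
                    findings.append((zone, proto, port))
    return findings


# Constructed ruleset for Ron's policy: Windows ports cross the border only inside the tunnel.
TIGHT = [
    Rule("deny", "internet", "internal", "any", WINDOWS_PORTS),
    Rule("allow", "ipsec", "internal", "any", WINDOWS_PORTS),
    Rule("allow", "internet", "internal", "tcp", frozenset({443})),
]
# Constructed ruleset for the "we have a firewall, so it's ok" site from jas's story:
# domain traffic from the remote office comes straight in over the Internet.
LOOSE = [
    Rule("allow", "internet", "internal", "any", frozenset({135, 137, 138, 139, 445})),
    Rule("allow", "internet", "internal", "tcp", frozenset({443})),
]
```

`exposed_windows_ports(TIGHT)` returns an empty list, while `exposed_windows_ports(LOOSE)` flags all five exposed ports over both TCP and UDP.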
