Re: [fw-wiz] IPv6 support in firewalls



On Mon, 27 Aug 2007, Behm, Jeffrey L. wrote:

> I feel I could have substantiated it a few years ago.
>
> Example: I had built a Linux box for a network class
> I was teaching at a local university, so I could show
> them telnet, ssh, DNS, ftp, http, samba, etc.
>
> I quickly (and stupidly (i.e. didn't harden it at all
> and didn't put it behind a NAT device)) threw the box
> together, and put it out on a routable IP address
> outside my NAT device on my home network the morning
> before the night class. Before I even made it
> to class, it was owned (via an RPC hack). Had I put it
> behind a NAT device, and only allowed those services
> I wanted to access, I would bet that it wouldn't have
> been owned in less than 12 hours.

Speed of compromise is different than compromise or not. I remain
steadfastly convinced that obscurity does change the rate of compromise,
especially in terms of target of opportunity attacks.

> It seems to me that those writing the mal-code are on
> to the idea that NAT devices are in place more and more
> often, so they aren't wasting time trying to get code
> past them.

It's more than that; for malcode that involves user action, you're already
inside the trust boundary, and you're not as reliant on quickly patched
bugs. It's easy to fix the network, it's much more difficult to fix the
user.

> Stupid users, who click on an unknown .exe are a good
> enough vector to exploit, as you are seeing today...

Which is why I'm convinced those users should not be in charge of their
own security.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
http://www.fluiditgroup.com/blog/pdr/

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


