Re: [fw-wiz] Firewalls that generate new packets..



I ran into a situation at a client a year ago in which bots weren't
infecting a client workstation - they were infecting a piece of
manufacturing equipment making "Really Important and Delicate Stuff"
that was installed by a vendor. The interface was built on top of
Windows 2000. This machine managed to infect a nearby oscilloscope
whose OS also happened to be Windows 2000. Combined with their
"default outbound policy", the company was DDoSing itself and whoever
the intended target was for that day. These two machines out of the
tens of thousands connected to this network would effectively
take out the primary and the backup firewalls at random times during
the day. The mitigation had nothing to do with firewalls but involved
changes in network architecture, increased monitoring, changes in
process and bitch slapping a few people. I would have found the whole
situation amusing if I wasn't crying.


On Nov 27, 2007, at 11:07 PM, Darren Reed wrote:

> Paul D. Robertson wrote:
>
>> On Tue, 27 Nov 2007, Paul Melson wrote:
>>
>>> in both directions. State tables allow your firewall to have a deny-all
>>> default inbound policy and an allow-all default outbound policy. They allow
>>
>> With today's proliferation of Trojans and Spyware, anyone with a
>> Windows user population above three who has an allow-all default outbound
>> policy is an idiot and populations of one to three are likely candidates
>> for the club if not associate members.
>
> To give you an idea of how bad this problem is, I recently did a
> fresh install of Microsoft Windows XP + Service pack 2 (I hadn't
> caught up with all of the patches yet) and experimented with
> surfing the Internet like a normal user - default security settings
> for Internet Exploder.
>
> Half a dozen web sites later - no more - and spyware had installed
> itself into winlogin. Removal? Safest bet will be a format. How did
> it get there? I suspect some popup ad with nasty javascript/activex.
>
> Now what percentage of the Internet population does this represent?
>
> Port 80/443 restrictions mean nothing.
>
> Darren
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

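The two outbound policies the thread argues about, as an added example that is not part of any post in this thread: a toy stateful packet filter in Python with a finite state table. The hosts, addresses, ports and rules are constructed for the demo. It models what the posters describe: reply traffic passes on an existing state entry, unsolicited inbound is dropped, and under an allow-all outbound policy every connection from an infected inside host is accepted and can fill the state table so that legitimate flows fail too, whereas a default-deny outbound policy with one explicit egress rule for the proxy drops the same traffic at the first packet.

```python
"""Toy stateful packet filter: deny-all default inbound, configurable
outbound. Added example, not code from the firewall-wizards thread or
any poster. Every address, port and rule below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


INSIDE = "10.0.0."  # constructed: prefix of the protected network


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE)


class StatefulFirewall:
    def __init__(self, outbound_rules, default_outbound, max_states):
        self.outbound_rules = outbound_rules  # [(predicate, "ACCEPT"/"DROP")]
        self.default_outbound = default_outbound
        self.max_states = max_states          # real state tables are finite
        self.states = set()                   # 4-tuples of permitted flows
        self.dropped = 0

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # A packet belonging to an existing flow passes in either direction;
        # this is what lets replies in without an inbound allow rule.
        if fwd in self.states or rev in self.states:
            return "ACCEPT"
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            verdict = self.default_outbound
            for matches, v in self.outbound_rules:
                if matches(pkt):
                    verdict = v
                    break
        else:
            verdict = "DROP"  # unsolicited inbound: deny-all default
        if verdict == "ACCEPT" and len(self.states) >= self.max_states:
            verdict = "DROP"  # table full: even permitted new flows fail
        if verdict == "ACCEPT":
            self.states.add(fwd)
        else:
            self.dropped += 1
        return verdict


# Constructed hosts for the scenario.
PROXY = "10.0.0.5"       # the only inside host meant to reach the Internet
BOT = "10.0.0.77"        # an infected inside host
WEB = "198.51.100.7"     # a legitimate external web server
VICTIM = "203.0.113.9"   # wherever the bot is pointed today


def allow_all_outbound(max_states: int = 100) -> StatefulFirewall:
    """The policy the thread criticises: any inside host may start any flow."""
    return StatefulFirewall([], "ACCEPT", max_states)


def egress_filtered(max_states: int = 100) -> StatefulFirewall:
    """Default-deny outbound with one explicit egress rule for the proxy."""
    rules = [(lambda p: p.src == PROXY and p.dport in (80, 443), "ACCEPT")]
    return StatefulFirewall(rules, "DROP", max_states)


def simulate(fw: StatefulFirewall, bot_flows: int = 150) -> dict:
    """Run the bot's new flows through first, then check that legitimate
    proxy traffic, its reply, and an unsolicited inbound packet are handled."""
    bot_accepted = sum(
        fw.filter(Packet(BOT, 1024 + i, VICTIM, 80)) == "ACCEPT"
        for i in range(bot_flows)
    )
    proxy_out = fw.filter(Packet(PROXY, 40000, WEB, 443))
    proxy_reply = fw.filter(Packet(WEB, 443, PROXY, 40000))
    unsolicited = fw.filter(Packet(WEB, 443, PROXY, 40001))
    return {
        "bot_accepted": bot_accepted,
        "proxy_out": proxy_out,
        "proxy_reply": proxy_reply,
        "unsolicited_inbound": unsolicited,
        "states_in_use": len(fw.states),
    }


if __name__ == "__main__":
    for name, fw in (("allow-all outbound", allow_all_outbound()),
                     ("egress filtered", egress_filtered())):
        print(name, simulate(fw))
```

With the allow-all policy the bot's first 100 flows each earn a state entry, the table is full, and the proxy's own connection is dropped before its reply can ever match; that is the state-exhaustion behaviour behind "take out the primary and the backup firewalls". With default-deny outbound the bot never gets a state entry, the proxy's flow and its reply pass, and the unsolicited inbound packet is still dropped. The rule restricts which host may egress, not just which port, which is the distinction Darren's "Port 80/443 restrictions mean nothing" is pointing at.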


