Re: [Full-Disclosure] Microsoft urging users to buy Hardware Firewalls

From: William Warren (hescominsoon_at_adelphia.net)
Date: 08/14/03

    Date: Thu, 14 Aug 2003 10:49:08 -0400
    
    

    I have a 5 machine LAN here at home and I have Astaro Security Linux
    set up on it..I have it doing NAT..at default anything not allowed is
    denied..the outside is left like that..and will be...on the outgoing
    side everything from the internal network is allowed to go outside...I
    am slowly but surely locking down things that are not needed..like
    NetBIOS..this RPC stuff..and by watching and analyzing the logs I am
    writing rules for closing down more protocols and ports. It takes
    time..most are not willing to take this kind of time to be sure...but I
    am..<G>

    Thilo Schulz wrote:

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > On Thursday 14 August 2003 02:04, Richard M. Smith wrote:
    >
    >>I agree with Microsoft's recommendation for a hardware firewall on all
    >>home PCs. A Linksys NAT router box is selling for only $40 at Amazon as
    >>we speak. Besides protecting against the MSBlaster worm, a hardware
    >>firewall blocks those annoying Windows pop-up spam messages which have
    >>become so common lately. A hardware firewall also protects a shared
    >>Windows directory from being accessed from the Internet. My only
    >>question is why aren't NAT routers built into all cable and DSL modems.
    >
    >
    > This is ridiculous. Before long, you get millions of Windows private users
    > complaining why NetMeeting, or their nice game server, is not accessible
    > anymore. Nice - of course you also disabled the potentially "evil" services
    > now. Then the user finds out about port forwarding, and as soon as the user has
    > done this, the computer is suddenly vulnerable again to flaws in the service
    > that is being provided to the outside! Who would have thought that?
    > Also - the principle of masquerading is that inbound connection attempts land
    > at the router and cannot get to the computers in the local network. By
    > default the router approves all connections from the inside to the outside.
    > To be honest, I have preferred this solution in my home LAN; I would not want
    > anything else to be set up.
    > Trojans/worms that connect from inside the LAN to a control channel in IRC or
    > something like that are not hindered at all by the router/hardware
    > firewall...
    > From the point of the user - one has bought some new hardware router and now
    > has trouble with configuring the firewall (to make it possible for oneself to
    > host games or something like that), or doing all the port forwarding stuff -
    > all of it requiring time. Furthermore, I have seen enough routers that
    > were unable to do some decent connection tracking, especially for UDP based
    > games .. if the user has not put that hardware he bought into the trash can
    > yet, he has some basic security. With port 135 and 139 and all the like
    > closed and secure.
    > What is wrong with this picture?
    >
    > How about not opening these ports in question _AT_ALL_ on the private home
    > machine?
    > I mean - what the hell has an oversized bloated super server behind the port
    > Windows opens by default got to look for on a home computer? The popup spam
    > is only a minor example ... I simply ask _why_ open the ports to the internet
    > at all? I can understand if this is needed for file shares, etc... but why
    > not leave the configuration of these matters in the hands of the users and
    > only start to listen on these ports if the user explicitly tells Windows to
    > do so?
    > If a user *really* wants these services to be available to the world wide web and
    > has a hardware firewall, he will do port forwarding, and we'd be back again
    > where we started.
    > If Microsoft's general concept of "secure by default" installations is not
    > going to change radically, we will face a vulnerability soon enough again.
    >
    > CodeRed
    > Nimda
    > SQL slammer
    > Remote DoS against FileSharing
    > RPC ....
    >
    > I think history speaks for itself. I want to add that I am not happy
    > either regarding the policy of many Linux distributions.
    > But that Microsoft expects home users to buy additional hardware to make up
    > for Microsoft's own faults is an outrage.
    >
    > --
    > - Thilo Schulz
    >
    > My public GnuPG key is available at http://home.bawue.de/~arny/public_key.asc
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    -- 
    May God Bless you and everything you touch.
    My "foundation" verse:
    Isaiah 54:17 No weapon that is formed against thee shall prosper; and 
    every tongue that shall rise against thee in judgment thou shalt 
    condemn. This is the heritage of the servants of the LORD, and their 
    righteousness is of me, saith the LORD.
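William's approach of watching the firewall logs and then writing rules to close outbound protocols that a home LAN does not need, as an added example that is not code from the original post or from Astaro: it parses constructed netfilter-style log lines (interface names eth0/eth1 and the 192.168.1.0/24 LAN are assumptions), counts LAN-to-Internet flows per destination port, and proposes egress DROP rules for the ports the thread names (MS RPC, NetBIOS/SMB) plus IRC, Thilo's example of a worm control channel that a NAT router alone never blocks.

```python
import re
from collections import Counter

# Constructed sample netfilter-style log lines (not from the original post):
# packets the firewall saw, mostly from the home LAN (192.168.1.0/24) outbound.
SAMPLE_LOG = """\
Aug 14 10:01:02 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=1043 DPT=80
Aug 14 10:01:05 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.7 PROTO=TCP SPT=1044 DPT=135
Aug 14 10:01:09 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=198.51.100.9 PROTO=TCP SPT=1050 DPT=139
Aug 14 10:01:11 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=198.51.100.9 PROTO=UDP SPT=137 DPT=137
Aug 14 10:01:30 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.15 DST=192.0.2.44 PROTO=TCP SPT=1100 DPT=6667
Aug 14 10:02:00 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=4444 DPT=135
"""

LAN_IF = "eth1"        # assumed name of the internal-side interface
WAN_IF = "eth0"        # assumed name of the Internet-side interface
LAN_NET = "192.168.1."  # assumed home LAN prefix

# Ports the discussion names as needless on a home LAN (MS RPC, NetBIOS/SMB)
# plus IRC, Thilo's example of an outbound trojan/worm control channel.
EGRESS_BLOCK = {135: "MS RPC", 137: "NetBIOS-NS", 138: "NetBIOS-DGM",
                139: "NetBIOS-SSN", 445: "SMB", 6667: "IRC"}

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the KEY=VALUE fields of one netfilter log line as a dict."""
    return dict(FIELD_RE.findall(line))

def outbound_flows(log_text):
    """Count (proto, dst port) pairs for LAN -> Internet packets only;
    inbound packets (IN=WAN_IF) are ignored, NAT already drops those."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if (f.get("IN") == LAN_IF and f.get("OUT") == WAN_IF
                and f.get("SRC", "").startswith(LAN_NET) and "DPT" in f):
            counts[(f["PROTO"], int(f["DPT"]))] += 1
    return counts

def egress_rules(counts):
    """Propose iptables-style DROP rules (illustrative syntax, not Astaro's
    own configuration format) for every flagged port seen leaving the LAN."""
    rules = []
    for (proto, dport), n in sorted(counts.items()):
        if dport in EGRESS_BLOCK:
            rules.append(f"iptables -A FORWARD -i {LAN_IF} -o {WAN_IF} "
                         f"-p {proto.lower()} --dport {dport} -j DROP"
                         f"  # {EGRESS_BLOCK[dport]}, {n} hit(s) in log")
    return rules

if __name__ == "__main__":
    for rule in egress_rules(outbound_flows(SAMPLE_LOG)):
        print(rule)
```

Port 80 shows up in the counts but gets no rule, which is the point of reading the logs first: only traffic the LAN demonstrably does not need is closed.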
