Re: [despammed] RE: SQL Slammer doing the rounds again?

From: whiplash (whiplash_at_despammed.com)
Date: 11/14/03

    Date: Fri, 14 Nov 2003 00:51:04 +0100
    To: incidents@securityfocus.com
    
    

    Jim Harrison (ISA) wrote:

    > Unfortunately, there are many folks who have queried the ISA newsgroups
    > and other ISA lists about how (not why) to allow inbound SQL connections
    > because many web designers haven't quite caught up to the idea that the
    > Internet isn't the friendly little sandbox that they seem to believe it
    > is.

    And what did you answer, actually?
    The only answer I could give 'em would be "You must not".

    And if they really do need to have a "distributed web app",
    I'd answer "use IPSEC for communications between
    web servers and application servers".

    > Consequently, they deploy distributed web apps that expect to have
    > direct access to a SQL server across whatever network they're installed
    > in. This often leaves the network admins with one choice; open external
    > access to the SQL server.

    I'm a net admin: my answer to such a ridiculous request would be "go
    and learn how to work, Mr. clueless-web-developer: I'll never leave
    a SQL server wide open on the Internet".

    > While it's true that you can IP-restrict that traffic,

    Wow: impressive, isn't it?

    > there's also IP spoofing to contend with.

    Come on: let's try to be serious.

    (I've never seen a worm trying blind spoofing attacks
    in modern times: have you?)

    The problem is the total lack of a real security culture among
    certain web application developers.

    The problem is that certain net admins say "Yup: sure" to
    what these developers ask them.

    The problem is the existence of very poor security-oriented
    architectures.

    You simply cannot consider a hypothetical blind-spoofing attack
    (have you ever tried blind spoofing against modern TCP/IP
    stacks, btw? <g>) as a real threat in such a scenario.

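The point of the post above is that the SQL listener should never be reachable from the Internet and, where a web or application server genuinely needs it, the firewall should allow-list only those specific machines. The following is an added example, not code from the original post or from any product mentioned in the thread: a small audit over a constructed list of firewall rules that flags inbound allow rules reaching SQL Server ports (TCP 1433 for the database listener, UDP 1434 for the resolution service that Slammer spread over) from overly broad source ranges. The `Rule` record format, the sample rules and the "/24 or narrower is acceptable" threshold are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Ports a perimeter firewall should never allow inbound from the Internet:
# TCP 1433 (SQL Server default listener) and UDP 1434 (SQL Server
# Resolution Service, the port SQL Slammer used to spread).
SQL_PORTS = {("tcp", 1433), ("udp", 1434)}


@dataclass(frozen=True)
class Rule:
    """One firewall rule in a constructed, hypothetical format."""
    name: str
    action: str      # "allow" or "deny"
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    port: int
    src: str         # source network in CIDR notation


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str    # "critical" or "review"
    detail: str


def audit_sql_exposure(rules: List[Rule], narrowest_ok_prefix: int = 24) -> List[Finding]:
    """Return findings for inbound allow rules that reach SQL Server ports.

    A source of 0.0.0.0/0 or ::/0 is critical: the server is wide open.
    Any IPv4 source broader than a /24 (assumed threshold; /64 for IPv6)
    is flagged for review, because the allow-list should name the web/app
    servers that need access rather than whole provider ranges.
    """
    findings: List[Finding] = []
    for r in rules:
        if r.action != "allow" or r.direction != "in":
            continue                      # deny rules and egress are not exposure
        if (r.proto.lower(), r.port) not in SQL_PORTS:
            continue                      # only SQL Server ports are in scope here
        net = ipaddress.ip_network(r.src, strict=False)
        threshold = narrowest_ok_prefix if net.version == 4 else 64
        if net.prefixlen == 0:
            findings.append(Finding(
                r.name, "critical",
                f"{r.proto}/{r.port} open to the whole Internet ({r.src})"))
        elif net.prefixlen < threshold:
            findings.append(Finding(
                r.name, "review",
                f"{r.proto}/{r.port} allowed from broad range {r.src}; "
                f"restrict to the specific web/app server addresses"))
    return findings


# Constructed sample rule set (not taken from any real firewall).
SAMPLE_RULES = [
    Rule("web-to-sql", "allow", "in", "tcp", 1433, "10.0.1.0/24"),     # acceptable
    Rule("anyone-to-sql", "allow", "in", "tcp", 1433, "0.0.0.0/0"),    # critical
    Rule("partner-to-sql", "allow", "in", "tcp", 1433, "198.51.0.0/16"),  # review
    Rule("browser-svc", "allow", "in", "udp", 1434, "0.0.0.0/0"),      # critical
    Rule("https-in", "allow", "in", "tcp", 443, "0.0.0.0/0"),          # out of scope
    Rule("block-sql", "deny", "in", "tcp", 1433, "0.0.0.0/0"),         # deny, ignored
    Rule("sql-out", "allow", "out", "tcp", 1433, "0.0.0.0/0"),         # egress, ignored
]

if __name__ == "__main__":
    for f in audit_sql_exposure(SAMPLE_RULES):
        print(f"[{f.severity.upper()}] {f.rule}: {f.detail}")
```

Run stand-alone, the script reports the two wide-open rules as critical and the /16 partner range for review, while the /24 web-tier rule, the HTTPS rule, the deny rule and the egress rule produce no findings. Feeding it a real rule export would only require a loader that maps each exported rule onto the `Rule` record.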

