Re: Microsoft Worm

From: Leythos (void_at_nowhere.com)
Date: 08/17/03


Date: Sun, 17 Aug 2003 03:35:20 GMT

In article <20030817002624.V53407@nova.baldrick>,
chris@^nospam^.baldrick.org says...
> On Sat, 16 Aug 2003, Leythos wrote:
>
> > You've got it wrong - the real question is why don't ISPs provide a NAT
> > device or personal firewall for ANYONE connecting to their services?
> >
> > The MS Bashers seem to forget the weekly vulnerabilities found in Linux
> > and the others found in non-MS OSs.
> >
> > If the ISPs were to provide some instruction and blocked ports that
> > don't need to be exposed to the internet for the common OSs it would
> > prevent most of the problems. Blame the ISPs, not MS - if every ISP
> > would block ports 135~139 and a handful of others, the net would be a
> > much nicer place.
>
> Perhaps you forget the ISP's customers who actually have a clue about
> securing their machines and who require full access to the internet. If
> every provider imposed NAT on their customers and started blocking ports,
> then the net rapidly becomes unusable for many network developers, users
> of certain types of tunnels/VPNs (or more crucially many games and
> applications), software developers, or anyone with an interest in any
> networking beyond simple web browsing and email collection.
>
> Regarding vulnerabilities found in non-M$ OSs, most of these are not the
> OSs themselves, but the server software run on those OSs. This software
> is usually quickly fixed but, unfortunately, often left unpatched by the
> users. Is there really a need to restrict the use of this software
> (through blocking of ports) due to a few careless admins/users?

Nope, I didn't forget about them - I just know that there are a lot of
ways to limit exposure without limiting services that are available to
most users and businesses.

Case in point - VPNs - blocking ports 135~139 does not impact any VPN
and it doesn't stop you from doing anything else. I've seen people
complain about how they can't connect without 135 and such, but it's not
that they can't connect, it's that they built a solution on something
that was FLAWED to begin with - IT WAS THE WRONG WAY TO DO IT.

As for NAT, I've always had a NAT system on my home internet connection
- it never stopped me from running servers, games, etc... It always
stopped the probes into my network for ports that were not forwarded to
an internal IP.

I would hazard a guess that more than 90% of the Windows machines
connected directly to the internet would not be impacted in any way by
imposing NAT and that it would save us from about 98% of the cracks out
there.

The Net does not become unusable due to NAT, in fact, the Net lives on
NAT - NAT does not mean you can't get port access to machines. I have a
group of IPs and a firewall appliance running in NAT mode, each IP can
have many rules to forward the external traffic to internal IPs. I
never expose the OS level stuff to the external interfaces - if that's
needed I create a VPN path for the user and give them access through it.

Again, nothing is lost by blocking 135~139. I write code in a dozen
languages, design services that run at the OS level, and also design
networks and firewall solutions - I've never found a development project
that could not live through a VPN solution that was working on an open
connection.

So, unless you can show me something that must have exposed public
access for ports 135~139 I will firmly continue to tell people they are
implementing bad solutions when they do that.

I have clients all over the country that were NOT impacted in any way by
the worm or the ISPs blocking 135 - their solutions were designed the
correct way and the secure way.

Don't take this wrong, but as I said before, "Just because you found a
way to do something and it works for you does not make it the correct
way to do it".

Sincerely,
Mark

-- 
spamfree999@rrohio.com
(Remove 999 to reply to me)
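The edge policy Mark argues for above (a NAT device that drops unsolicited inbound traffic by default, forwards only selected ports per public IP to internal hosts, and never exposes 135~139 no matter what) can be written down as a small rule evaluator. The following is an added illustration, not code from the post or from any firewall appliance; the addresses, the forwarding table and the sample probes are all constructed for the example.

```python
"""
Model of a NAT edge policy: default-drop unsolicited inbound traffic, forward
selected ports per public IP to internal hosts, and refuse TCP/UDP 135-139
even if a forwarding rule names them. Added illustration with constructed
addresses (203.0.113.0/24 is a documentation range) and a constructed table.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# 135 is the RPC endpoint mapper, 137-139 are NetBIOS; none belong on a WAN side.
BLOCKED_PORTS = range(135, 140)


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    dst_ip: str                # public address the packet arrived on
    dst_port: int
    established: bool = False  # reply to a flow an inside host opened


# forwarding table: (public ip, proto, port) -> (internal ip, internal port)
ForwardTable = Dict[Tuple[str, str, int], Tuple[str, int]]


def evaluate(pkt: Packet, forwards: ForwardTable) -> str:
    """Decide what the NAT edge does with one inbound WAN packet.

    Rule order matters: the explicit 135-139 block runs before the forward
    lookup, so a mistaken forwarding entry cannot expose those ports.
    """
    if pkt.proto not in ("tcp", "udp"):
        return "drop"
    if pkt.dst_port in BLOCKED_PORTS:
        return "drop"                      # never exposed, forward rule or not
    if pkt.established:
        return "accept"                    # return traffic for inside-initiated flows
    target = forwards.get((pkt.dst_ip, pkt.proto, pkt.dst_port))
    if target is None:
        return "drop"                      # unsolicited probe with no forward: dies here
    return f"forward:{target[0]}:{target[1]}"


# constructed sample: two public IPs, a web server and a game server behind NAT
SAMPLE_FORWARDS: ForwardTable = {
    ("203.0.113.10", "tcp", 80):    ("192.168.1.20", 80),
    ("203.0.113.10", "tcp", 443):   ("192.168.1.20", 443),
    ("203.0.113.11", "udp", 27015): ("192.168.1.30", 27015),
    # a mistaken entry an admin might add; the policy still refuses it
    ("203.0.113.11", "tcp", 139):   ("192.168.1.40", 139),
}


def run_sample():
    """Run a handful of constructed probes through the policy."""
    probes = [
        Packet("tcp", "203.0.113.10", 135),                    # worm-style probe
        Packet("tcp", "203.0.113.11", 139),                    # forward rule exists, still dropped
        Packet("tcp", "203.0.113.10", 80),                     # forwarded to web server
        Packet("udp", "203.0.113.11", 27015),                  # forwarded to game server
        Packet("tcp", "203.0.113.10", 22),                     # nothing forwarded: dropped
        Packet("tcp", "203.0.113.10", 5000, established=True), # reply traffic: accepted
    ]
    return [(p.dst_ip, p.proto, p.dst_port, evaluate(p, SAMPLE_FORWARDS)) for p in probes]


if __name__ == "__main__":
    for dst_ip, proto, port, action in run_sample():
        print(f"{proto}/{dst_ip}:{port} -> {action}")
```

The point the evaluator makes explicit is that the forwarding table is the only way in from outside, and the 135~139 block sits above it: a game or web service keeps working through its forward, while a probe to any port that is not forwarded, or to 135~139 even when someone has forwarded it, is dropped at the edge.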

