Re: 99.9 % of Software/Hardware Firewalls DO-NOT.....
From: whoever (whoever@wherever.com) Date: 12/29/01
- Next message: sponge: "Re: PopUp Killers"
- Previous message: sponge: "Re: Router Help"
- In reply to: Sick&Tired: "99.9 % of Software/Hardware Firewalls DO-NOT....."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "whoever" <whoever@wherever.com> Date: Fri, 28 Dec 2001 18:33:15 -0600
I'm highly curious about items #2 and #3. For example, since MAC addresses
are a layer 2 issue (i.e., a LAN issue) and not layer 3 (i.e., IP routing),
I'm curious how anyone could be exposed to this from the outside, where a
firewall is presumably protecting you. If you're saying that MAC address
spoofing is possible, I agree. Even so, it can be greatly minimized by
proper security on LAN switches. However, it is NOT POSSIBLE on the
Internet, because MAC ADDRESSES ARE A LAN issue, not a WAN issue. I implore
you to find anyone's MAC address by sniffing packets on any Internet router
around. Do you know what? You won't find any, because there aren't any.
Therefore, your supposition about #2, from the standpoint of an outside
hacker looking to get in, is absurd.
Concerning ICMP and DOS attacks in general. Have you not read about the
latest invention in prevention? It is called an ACL. It's a wonderful tool
that has only been in existence since the first Cisco router. It allows you
(or better yet, your ISP) to selectively block traffic destined to a port,
or to an address, from a port, or from an address, or any combination of the
four. If I have a single connection to the Internet, and my ISP blocks ICMP
(or whatever, it could be simple SYN packets to a web server) from a
specific address, group of addresses, or to a specific port, the DOS issue is
gone. Period. End Game. Done. Am I making myself clear?
As for #1, I'm sure anyone who subscribes to this list, and who has ever
configured a router, will tell you that one of the first commands to install
is NO IP REDIRECTS. With that, #1 is fixed. Done. Period. End Game.
"Most firewalls do not come preconfigured to block Private Addresses, nor
IANA, or the Experimental IP Addresses from 239.000.000.000 -
255.255.254.255"? Read the second paragraph concerning ACLs. Done.
Period. End Game.
"Most firewalls are not smart enough to block UNKNOWN PROTOCOLS, because
their Operating Systems either are not configured to use them, or don't know
how to handle them properly. This is especially true for installed
software/hardware on computers using their own "CUSTOM ROLLED PROTOCOLS",
thus, bypassing the firewall, or, as a techy term, TUNNELING through the
firewall behind your back"? Bull***. In the world of ZA, BID, and NIS,
maybe. But not in the world of FW-1, or Gauntlet. Get your facts straight.
"...gain entry via DNS UDP, or worse yet, DNS TCP for Zone Transfers"? Do
you even know how DNS operates? If I request the address for
www.whatthefuckeveryourludicrousmindthinks.com, how am I supposed to get
that address? Do you think that DNS UDP might be necessary for such a
conversation to take place? Do you know that every piece of DNS software on
the market has a setting to allow transfers from/to only certain IP
addresses? Do you know that most commercial firewalls can help alleviate
this problem you attempt to squawk about, much like chicken little ran
around exalting "the sky is falling, the sky is falling"?
"Contact your State Representatives in order to get some serious Bills
passed to REGULATE Firewall Companies, IDS companies, or any company that
boasts protecting people while they
surf the web, or do business via the Internet". From the organization that
brought us Bill Clinton, Gary Condit, and Al Gore, you want to entrust the
security of every private company's data? You, sir, are an idiot.
"Sick&Tired" <lililmanlilii@yahoo.com> wrote in message
news:e85c6e9a.0112262006.577013f0@posting.google.com...
> 99.9 % of Software/Hardware Firewalls DO-NOT cover the below
> Vulnerabilities/Exploits that Hackers use to get into Public
> or Private Servers, or Public PC's used by citizens when
> accessing the Internet:
>
> 1. ARP/RARP (Used to Circumvent Routers via redirects)
> 2. MAC Addresses (Man-in-the-Middle MAC Spoofs)
> 3. ICMP (Denial of Service and many more)
>
> The above are just 3 examples of how nasty people can use
> firewalls against themselves, or, at the very least, not cover
> the important features that need to be blocked, by DEFAULT,
> in order to help stop the insanity on the World Wide Web.
>
> Here are some other examples that most Software/Hardware
> firewalls do not block or even have a clue on what to
> do with itself:
>
> Most firewalls do not come preconfigured to block Private
> Addresses, nor IANA, or the Experimental IP Addresses from
> 239.000.000.000 - 255.255.254.255. Typically called
> IP Spoofs.
>
> Most firewalls are not blocking, or even asking to permit
> most Protocols that are assigned....properly.
>
> Most firewalls are not smart enough to block UNKNOWN
> PROTOCOLS, because their Operating Systems either are
> not configured to use them, or don't know how to handle
> them properly. This is especially true for installed
> software/hardware on computers using their own "CUSTOM
> ROLLED PROTOCOLS", thus, bypassing the firewall, or,
> as a techy term, TUNNELING through the firewall behind
> your back.
>
> ------------------------------------------------------------
> Some firewalls even permit DOMAIN Exploits by using
> your DNS.....for ITS OWN PURPOSE, BEHIND OUR BACKS.
>
> Speaking of DNS: Did you know that the (#1) way to get
> into your computer is through DNS? Yes, that is correct
> pilgrim. Disgruntled workers at your ISP, and even hackers
> that bust your ISP to gain entry via DNS UDP, or worse
> yet, DNS TCP for Zone Transfers.
> -------------------------------------------------------------
>
> Mix this in with Operating System Exploits, and one would
> get a feeling that we have been at war since the Digital Age,
> but blinded by Technology, for Easyology, in our daily lives.
>
>
> Remember......these are just a FEW examples.
>
>
> Let's all start 2002 on a good note. Contact your State
> Representatives in order to get some serious Bills
> passed to REGULATE Firewall Companies, IDS companies, or
> any company that boasts protecting people while they
> surf the web, or do business via the Internet.
>
>
> Let's start by making 2002 safer, shall we?
>
>
> Sick&Tired
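As an added illustration of the ACL and "no ip redirects" argument made in the reply above (example configuration written for this archive, not from either poster), here is a Cisco IOS style ingress filter that drops the private, loopback, multicast and experimental source ranges the original post complains about, permits DNS over UDP to the name server while restricting DNS over TCP (zone transfers) to one secondary, rate-limits nothing but drops ping floods at the edge, and turns off ICMP redirect generation on the ISP-facing interface. The prefix 203.0.113.0/24, the host addresses, the secondary name server 198.51.100.5 and the interface name are assumed placeholders.

```cisco
! Added example: Cisco IOS style ingress filter for an Internet-facing link.
! Assumed placeholders: our public prefix is 203.0.113.0/24, the public name
! server is 203.0.113.10, the web server is 203.0.113.20, and the secondary
! name server allowed to pull zone transfers is 198.51.100.5.
ip access-list extended FROM-INTERNET
 ! Anti-spoofing: these source ranges should never arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 ! Multicast and experimental space (224.0.0.0 - 255.255.255.255) as a source
 deny   ip 224.0.0.0 31.255.255.255 any
 ! Packets claiming to come from our own prefix are spoofed if seen inbound
 deny   ip 203.0.113.0 0.0.0.255 any
 ! ICMP: drop echo requests (ping floods) but keep the messages that
 ! path MTU discovery and error reporting depend on
 deny   icmp any any echo-request
 permit icmp any 203.0.113.0 0.0.0.255 packet-too-big
 permit icmp any 203.0.113.0 0.0.0.255 unreachable
 permit icmp any 203.0.113.0 0.0.0.255 time-exceeded
 ! DNS: queries over UDP are required for resolution to work at all;
 ! DNS over TCP (zone transfers) is accepted only from the secondary
 permit udp any host 203.0.113.10 eq 53
 permit tcp host 198.51.100.5 host 203.0.113.10 eq 53
 ! Public web server
 permit tcp any host 203.0.113.20 eq 80
 ! Return traffic for sessions opened from inside (stateless approximation)
 permit tcp any 203.0.113.0 0.0.0.255 established
 ! Everything else is dropped and logged for the operator to review
 deny   ip any any log
!
interface Serial0/0
 description Link to ISP
 ip access-group FROM-INTERNET in
 ! Do not generate ICMP redirects on this interface
 no ip redirects
```

The same source-address checks are what an ISP would apply on its customer-facing ports, which is the "or better yet, your ISP" point made in the reply.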