Re: 99.9 % of Software/Hardware Firewalls DO-NOT.....
From: Sick&Tired (lililmanlilii@yahoo.com) Date: 12/29/01
- Next message: Dr. Bob: "Re: Outpost newbie Q - Other machine on network can't see this one"
- Previous message: Patrick Farrell: "Re: What's the Point? Newbie."
- In reply to: whoever: "Re: 99.9 % of Software/Hardware Firewalls DO-NOT....."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: lililmanlilii@yahoo.com (Sick&Tired) Date: 29 Dec 2001 07:03:01 -0800
"whoever" <whoever@wherever.com> wrote in message news:<3c2d0f3a$1_3@nopics.sjc>...
> I'm highly curious about items #2 and #3. For example, since MAC addresses
> are a layer 2 issue (i.e., a LAN issue) and not layer 3 (i.e., IP routing),
> I'm curious how anyone could be exposed to this from the outside, where a
> firewall is presumably protecting you. If you're saying that MAC address
> spoofing is possible, I agree. Even so, it can be greatly minimized by
> proper security on LAN switches. However, it is NOT POSSIBLE on the
> Internet, because MAC ADDRESSES ARE A LAN issue, not a WAN issue. I implore
> you to find anyone's MAC address by sniffing packets on any Internet router
> around. Do you know what? You won't find any, because there aren't any.
> Therefore, your supposition about #2, from the standpoint of an outside
> hacker looking to get in, is absurd.
>
> Concerning ICMP and DOS attacks in general. Have you not read about the
> latest invention in prevention? It is called an ACL. It's a wonderful tool
> that has only been in existence since the first Cisco router. It allows you
> (or better yet, your ISP) to selectively block traffic destined to a port,
> or to an address, from a port, or from an address, or any combination of the
> four. If I have a single connection to the Internet, and my ISP blocks ICMP
> (or whatever, it could be simple SYN packets to a web server) from a
> specific address, group of address, or to a specific port, the DOS issue is
> gone. Period. End Game. Done. Am I making myself clear?
>
> As for #1, I'm sure anyone who subscribes to this list, and who has ever
> configured a router, will tell you that one of the first commands to install
> is NO IP (^?)S. With that, #1 is fixed. Done. Period. End Game.
>
> "Most firewalls do not come preconfigured to block Private Addresses, nor
> IANA, or the Experimental IP Addresses from 239.000.000.000 -
> 255.255.254.255"? Read the second paragraph concerning ACLs. Done.
> Period. End Game.
>
> "Most firewalls are not smart enough to block UNKNOWN PROTOCOLS, because
> their Operating Systems either are not configured to use them, or don't know
> how to handle them properly. This is especially true for installed
> software/hardware on computers using their own "CUSTOM ROLLED PROTOCOLS",
> thus, bypassing the firewall, or, as a techy term, TUNNELING through the
> firewall behind your back"? Bull***. In the world of ZA, BID, and NIS,
> maybe. But not in the world of FW-1, or Gauntlet. Get your facts straight.
>
> "...gain entry via DNS UDP, or worse yet, DNS TCP for Zone Transfers"? Do
> you even know how DNS operates? If I request the address for
> www.whatthefuckeveryourludicrousmindthinks.com, how am I supposed to get
> that address? Do you think that DNS UDP might be necessary for such a
> conversation to take place? Do you know that every piece of DNS software on
> the market has a setting to allow transfers from/to only certain IP
> addresses? Do you know that most commercial firewalls can help alleviate
> this problem you attempt to squawk about, much like chicken little ran
> around exalting "the sky is falling, the sky is falling"?
>
> "Contact your State Representatives in order to get some serious Bills
> passed to REGULATE Firewall Companies, IDS companies, or any company that
> boasts protecting people while they
> surf the web, or do business via the Internet". From the organization that
> brought us Bill Clinton, Gary Condit, and Al Gore, you want to entrust the
> security of every private company's data? You, sir, are an idiot.
>
> "Sick&Tired" <lililmanlilii@yahoo.com> wrote in message
> news:e85c6e9a.0112262006.577013f0@posting.google.com...
> > 99.9 % of Software/Hardware Firewalls DO-NOT cover the below
> > Vulnerabilities/Exploits that Hackers use to get into Public
> > or Private Servers, or Public PC's used by citizens when
> > accessing the Internet:
> >
> > 1. ARP/RARP (Used to Circumvent Routers via redirects)
> > 2. MAC Addresses (Man-in-the-Middle MAC Spoofs)
> > 3. ICMP (Denial of Service and many more)
> >
> > The above are just 3 examples of how nasty people can use
> > firewalls against themselves, or, at the very least, how firewalls
> > fail to cover the important features that need to be blocked, by DEFAULT,
> > in order to help stop the insanity on the World Wide Web.
> >
> > Here are some other examples that most Software/Hardware
> > firewalls do not block or even have a clue what to
> > do with:
> >
> > Most firewalls do not come preconfigured to block Private
> > Addresses, nor IANA, or the Experimental IP Addresses from
> > 239.000.000.000 - 255.255.254.255. Typically called
> > IP Spoofs.
> >
> > Most firewalls are not blocking, or even asking to permit
> > most Protocols that are assigned....properly.
> >
> > Most firewalls are not smart enough to block UNKNOWN
> > PROTOCOLS, because their Operating Systems either are
> > not configured to use them, or don't know how to handle
> > them properly. This is especially true for installed
> > software/hardware on computers using their own "CUSTOM
> > ROLLED PROTOCOLS", thus, bypassing the firewall, or,
> > as a techy term, TUNNELING through the firewall behind
> > your back.
> >
> > ------------------------------------------------------------
> > Some firewalls even permit DOMAIN Exploits by using
> > your DNS.....for IT'S OWN PURPOSE, BEHIND OUR BACKS.
> >
> > Speaking of DNS: Did you know that the (#1) way to get
> > into your computer is through DNS? Yes, that is correct
> > pilgrim. Disgruntled workers at your ISP, and even hackers
> > that bust your ISP to gain entry via DNS UDP, or worse
> > yet, DNS TCP for Zone Transfers.
> > -------------------------------------------------------------
> >
> > Mix this in with Operating System Exploits, and one would
> > get a feeling that we have been at war since the Digital Age,
> > but blinded by Technology, for Easyology, in our daily lives.
> >
> >
> > Remember......these are just a FEW examples.
> >
> >
> > Let's all start 2002 on a good note. Contact your State
> > Representatives in order to get some serious Bills
> > passed to REGULATE Firewall Companies, IDS companies, or
> > any company that boasts protecting people while they
> > surf the web, or do business via the Internet.
> >
> >
> > Let's start by making 2002 safer, shall we?
> >
> >
> > Sick&Tired
Your MODEM, be it Cable/xDSL has a MAC ADDRESS exposed before any Firewall
which is also displayed in your packets via IP.
Cisco Routers are overplayed, not secure enough, and their falling stocks
this year prove that.
FW-1 and Gauntlet have been broken in the past, and your point, well, there is
no point is there?
No, you do not know how DNS works....obviously.
I love chicken......
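The thread argues over what an ingress ACL can and cannot do: drop packets whose source is a private or reserved range (the "IP spoof" point), drop ICMP from a specific source, let ordinary DNS UDP queries through while allowing DNS TCP zone transfers only from a named secondary. The following is an added illustration, not code from either poster or from any router vendor: a first-match, implicit-deny ACL evaluator in the Cisco style, run over constructed packets. Prefixes used (203.0.113.0/24 as the protected network, 198.51.100.0/24 as an outside network) are RFC 5737 documentation addresses, and the Packet/Rule layout is an assumption for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed packet summary: just the header fields an ACL looks at.
@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source IPv4 address
    dst: str                      # destination IPv4 address
    dport: Optional[int] = None   # destination port (None for icmp)

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: str = "0.0.0.0/0"        # source prefix
    dst: str = "0.0.0.0/0"        # destination prefix
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        proto_ok = self.proto in ("ip", pkt.proto)
        src_ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
        dst_ok = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
        port_ok = self.dport is None or self.dport == pkt.dport
        return proto_ok and src_ok and dst_ok and port_ok

# Source prefixes that should never arrive from the Internet: RFC 1918 private
# space, loopback, and the reserved/experimental 240.0.0.0/4 block.
BOGON_SOURCES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "240.0.0.0/4"]

def ingress_acl(inside: str, dns: str, secondary: str, icmp_block: str) -> List[Rule]:
    """First-match ingress ACL for the Internet-facing interface (assumed layout)."""
    rules = [Rule("deny", "ip", src=net) for net in BOGON_SOURCES]
    rules.append(Rule("deny", "ip", src=inside))                  # our own prefix, spoofed
    rules.append(Rule("deny", "icmp", src=icmp_block))            # ICMP flood source
    rules.append(Rule("permit", "udp", dst=dns, dport=53))        # ordinary DNS queries
    rules.append(Rule("permit", "tcp", src=secondary, dst=dns, dport=53))  # zone transfers
    rules.append(Rule("permit", "tcp", dst=inside, dport=80))     # web traffic
    return rules

def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); no match hits the implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None
```

Build the list with `ingress_acl("203.0.113.0/24", "203.0.113.53/32", "198.51.100.2/32", "198.51.100.0/24")` and pass each Packet to `evaluate()`; the returned index tells you which rule fired, and `None` means the packet fell through to the implicit deny (for example a DNS TCP connection from any host other than the named secondary).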