Re: 99.9 % of Software/Hardware Firewalls DO-NOT.....

From: Patrick Farrell (grimlock@xnet.com)
Date: 12/30/01


From: Patrick Farrell <grimlock@xnet.com>
Date: Sat, 29 Dec 2001 17:16:24 -0600

I'll take a guess that your dialup MAC address is 00-53-45-00-00-00 :)

I think Windows gives that number to all dialup adapters.

whoever wrote:
>
> "Sick&Tired" <lililmanlilii@yahoo.com> wrote in message
> news:e85c6e9a.0112290703.b1c3b42@posting.google.com...
> > "whoever" <whoever@wherever.com> wrote in message
> > news:<3c2d0f3a$1_3@nopics.sjc>...
> > > I'm highly curious about items #2 and #3. For example, since MAC
> > > addresses are a layer 2 issue (i.e., a LAN issue) and not layer 3
> > > (i.e., IP routing), I'm curious how anyone could be exposed to this
> > > from the outside, where a firewall is presumably protecting you. If
> > > you're saying that MAC address spoofing is possible, I agree. Even
> > > so, it can be greatly minimized by proper security on LAN switches.
> > > However, it is NOT POSSIBLE on the Internet, because MAC ADDRESSES
> > > ARE A LAN issue, not a WAN issue. I implore you to find anyone's MAC
> > > address by sniffing packets on any Internet router around. Do you
> > > know what? You won't find any, because there aren't any. Therefore,
> > > your supposition about #2, from the standpoint of an outside hacker
> > > looking to get in, is absurd.
> > >
> > > Concerning ICMP and DOS attacks in general. Have you not read about
> > > the latest invention in prevention? It is called an ACL. It's a
> > > wonderful tool that has only been in existence since the first Cisco
> > > router. It allows you (or better yet, your ISP) to selectively block
> > > traffic destined to a port, or to an address, from a port, or from an
> > > address, or any combination of the four. If I have a single
> > > connection to the Internet, and my ISP blocks ICMP (or whatever, it
> > > could be simple SYN packets to a web server) from a specific address,
> > > group of addresses, or to a specific port, the DOS issue is gone.
> > > Period. End Game. Done. Am I making myself clear?
> > >
> > > As for #1, I'm sure anyone who subscribes to this list, and who has
> > > ever configured a router, will tell you that one of the first
> > > commands to install is NO IP (^?)S. With that, #1 is fixed. Done.
> > > Period. End Game.
> > >
> > > "Most firewalls do not come preconfigured to block Private Addresses,
> > > nor IANA, or the Experimental IP Addresses from 239.000.000.000 -
> > > 255.255.254.255"? Read the second paragraph concerning ACLs. Done.
> > > Period. End Game.
> > >
> > > "Most firewalls are not smart enough to block UNKNOWN PROTOCOLS,
> > > because their Operating Systems either are not configured to use
> > > them, or don't know how to handle them properly. This is especially
> > > true for installed software/hardware on computers using their own
> > > "CUSTOM ROLLED PROTOCOLS", thus, bypassing the firewall, or, as a
> > > techy term, TUNNELING through the firewall behind your back"?
> > > Bull***. In the world of ZA, BID, and NIS, maybe. But not in the
> > > world of FW-1, or Gauntlet. Get your facts straight.
> > >
> > > "...gain entry via DNS UDP, or worse yet, DNS TCP for Zone
> > > Transfers"? Do you even know how DNS operates? If I request the
> > > address for www.whatthefuckeveryourludicrousmindthinks.com, how am I
> > > supposed to get that address? Do you think that DNS UDP might be
> > > necessary for such a conversation to take place? Do you know that
> > > every piece of DNS software on the market has a setting to allow
> > > transfers from/to only certain IP addresses? Do you know that most
> > > commercial firewalls can help alleviate this problem you attempt to
> > > squawk about, much like chicken little ran around exalting "the sky
> > > is falling, the sky is falling"?
> > >
> > > "Contact your State Representatives in order to get some serious
> > > Bills passed to REGULATE Firewall Companies, IDS companies, or any
> > > company that boasts protecting people while they surf the web, or do
> > > business via the Internet". From the organization that brought us
> > > Bill Clinton, Gary Condit, and Al Gore, you want to entrust the
> > > security of every private company's data? You, sir, are an idiot.
> > >
> > > "Sick&Tired" <lililmanlilii@yahoo.com> wrote in message
> > > news:e85c6e9a.0112262006.577013f0@posting.google.com...
> > > > 99.9 % of Software/Hardware Firewalls DO-NOT cover the below
> > > > Vulnerabilities/Exploits that Hackers use to get into Public
> > > > or Private Servers, or Public PC's used by citizens when
> > > > accessing the Internet:
> > > >
> > > > 1. ARP/RARP (Used to Circumvent Routers via redirects)
> > > > 2. MAC Addresses (Man-in-the-Middle MAC Spoofs)
> > > > 3. ICMP (Denial of Service and many more)
> > > >
> > > > The above is just 3 examples of how nasty people can use
> > > > firewalls against themselves, or, at the very least, not cover
> > > > the important features that need to be blocked, by DEFAULT,
> > > > in order to help stop the insanity on the World Wide Web.
> > > >
> > > > Here are some other examples that most Software/Hardware
> > > > firewalls do not block or even have a clue what to
> > > > do with them:
> > > >
> > > > Most firewalls do not come preconfigured to block Private
> > > > Addresses, nor IANA, or the Experimental IP Addresses from
> > > > 239.000.000.000 - 255.255.254.255. Typically called
> > > > IP Spoofs.
> > > >
> > > > Most firewalls are not blocking, or even asking to permit
> > > > most Protocols that are assigned....properly.
> > > >
> > > > Most firewalls are not smart enough to block UNKNOWN
> > > > PROTOCOLS, because their Operating Systems either are
> > > > not configured to use them, or don't know how to handle
> > > > them properly. This is especially true for installed
> > > > software/hardware on computers using their own "CUSTOM
> > > > ROLLED PROTOCOLS", thus, bypassing the firewall, or,
> > > > as a techy term, TUNNELING through the firewall behind
> > > > your back.
> > > >
> > > > ------------------------------------------------------------
> > > > Some firewalls even permit DOMAIN Exploits by using
> > > > your DNS.....for ITS OWN PURPOSE, BEHIND OUR BACKS.
> > > >
> > > > Speaking of DNS: Did you know that the (#1) way to get
> > > > into your computer is through DNS? Yes, that is correct
> > > > pilgrim. Disgruntled workers at your ISP, and even hackers
> > > > that bust your ISP to gain entry via DNS UDP, or worse
> > > > yet, DNS TCP for Zone Transfers.
> > > > -------------------------------------------------------------
> > > >
> > > > Mix this in with Operating System Exploits, and one would
> > > > get a feeling that we have been at war since the Digital Age,
> > > > but blinded by Technology, for Easyology, in our daily lives.
> > > >
> > > >
> > > > Remember......these are just a FEW examples.
> > > >
> > > >
> > > > Let's all start 2002 on a good note. Contact your State
> > > > Representatives in order to get some serious Bills
> > > > passed to REGULATE Firewall Companies, IDS companies, or
> > > > any company that boasts protecting people while they
> > > > surf the web, or do business via the Internet.
> > > >
> > > >
> > > > Let's start by making 2002 safer, shall we?
> > > >
> > > >
> > > > Sick&Tired
> >
> >
> > Your MODEM, be it Cable/xDSL, has a MAC ADDRESS exposed before any
> > Firewall, which is also displayed in your packets via IP.
>
> Oh, really? What is my MAC address? I have DSL. Post my MAC address, of
> either the DSL gateway or my PC. I don't care which. Just post it. Then,
> if there is truly a security issue, do something with that information.
> Anything. I've got a software firewall. If you can do something with that
> MAC address and use it to "penetrate" my firewall, I'll sue the manufacturer
> and split the proceeds with you. Promise.
>
> Besides, if I was a dial-up user, rather than Cable/DSL, what would my MAC
> address be? After all, I wouldn't have a NIC. Then, would government
> regulation of firewall producers be unnecessary? My God, come to think of,
> you might have an answer to all our security problems. Let's get rid of all
> permanent internet connections and make them all dial-up. In fact, since
> MAC addresses are evil, let's get rid of LANs as we know them. Let's put
> modems in every device and have them call in to giant access servers to
> share files locally. After all, we'd be insulated from the "MAC address
> boogeymen" then, wouldn't we?
>
> My Cisco routers at work have MAC addresses on the Ethernet ports. Can you
> tell me those? What about the serial ports? Do you think those ports have
> MAC addresses?
>
> One of those routers is a gateway router to the Internet. Can you give me
> its MAC address? Please do so and enlighten us as to your bizarre
> assertions. Have you tried running ARP across the Internet?
>
> >
> > Cisco Routers are overplayed, not secure enough, and their falling
> > stocks this year prove that.
>
> As opposed to what telecom and/or tech-hardware manufacturer company's
> stock price this year? Would you propose Nortel? Any hardware/software
> combination is as secure as you, or, in your case, someone more talented
> than you, make it.
> >
> > FW-1 and Gauntlet have been broken in the past, and your point, well,
> > there is no point, is there?
>
> "Most firewalls are not smart enough to block UNKNOWN PROTOCOLS, because
> their Operating Systems either are not configured to use them, or don't know
> how to handle them properly", was, I believe, the original context.
>
> What UNKNOWN PROTOCOLS? Do you mean "IPX", "PPTP", "GRE", "L2TP", "serial
> port protocols", "ATM protocols", "IGRP", "EIGRP", "AppleTalk", "HDLC",
> "BGP", or any of the thousands that I could readily name, which, while
> obviously UNKNOWN to someone with your intellect, are definitely not UNKNOWN
> to the rest of the working IT community? Please enlighten us with an
> example of an UNKNOWN PROTOCOL that a firewall can't handle properly.
> >
> > No, you do not know how DNS works....obviously.
>
> Oh yes, my friend, I do.
> >
> > I love chicken......
> WTFC?
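The ingress ACL that "whoever" argues for above (deny private and experimental source addresses, let the ISP drop ICMP, restrict DNS to queries rather than zone transfers), as an added example that is not part of any post in this thread: a toy Cisco-style first-match evaluator with an implicit deny at the end. The rules and packets are constructed for illustration; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not addresses from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source CIDR, or "any"
    dst: str = "any"       # destination CIDR, or "any"
    proto: str = "any"     # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # destination port, or None for any

def _match(net, addr):
    return net == "any" or ip_address(addr) in ip_network(net)

def evaluate(acl, pkt):
    """Cisco-style first match; unmatched traffic hits the implicit deny."""
    for r in acl:
        if (_match(r.src, pkt["src"]) and _match(r.dst, pkt["dst"])
                and r.proto in ("any", pkt["proto"])
                and (r.dport is None or r.dport == pkt.get("dport"))):
            return r.action
    return "deny"

# Ingress ACL for the Internet-facing interface (constructed example).
INGRESS_ACL = [
    Rule("deny", "10.0.0.0/8"),         # RFC 1918 space is never a real Internet source
    Rule("deny", "172.16.0.0/12"),
    Rule("deny", "192.168.0.0/16"),
    Rule("deny", "224.0.0.0/4"),        # multicast cannot be a unicast source
    Rule("deny", "240.0.0.0/4"),        # reserved/experimental
    Rule("deny", "any", proto="icmp"),  # the ISP-side ICMP block the reply describes
    Rule("permit", "any", "203.0.113.10/32", "tcp", 80),  # public web server
    Rule("permit", "any", "203.0.113.53/32", "udp", 53),  # DNS queries only
    # no rule for tcp/53: zone transfers from the Internet fall to the implicit deny
]

SAMPLE_PACKETS = [  # constructed test traffic, one packet per dict
    {"src": "192.168.1.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 80},
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 80},
    {"src": "198.51.100.7", "dst": "203.0.113.53", "proto": "udp", "dport": 53},
    {"src": "198.51.100.7", "dst": "203.0.113.53", "proto": "tcp", "dport": 53},
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "icmp"},
]

def filter_packets(acl=INGRESS_ACL, packets=SAMPLE_PACKETS):
    """Return the verdict for each packet, in order."""
    return [evaluate(acl, p) for p in packets]
```

Only the spoofed-private-source packet, the TCP/53 transfer attempt and the ICMP packet are dropped; legitimate web and DNS queries pass.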