Re: 2000 server solution
From: Leythos (void_at_nowhere.com)
Date: 10/21/03
- In reply to: Wolfgang Kueter: "Re: 2000 server solution"
- Next in thread: Wolfgang Kueter: "Re: 2000 server solution"
- Reply: Wolfgang Kueter: "Re: 2000 server solution"
- Reply: Tim S. Knight: "Re: 2000 server solution"
Date: Tue, 21 Oct 2003 16:23:56 GMT
In article <bn3587$q8$1@news.shlink.de>, wolfgang@shconnect.de says...
> Leythos wrote:
>
> > Filtering allows me to provide services to external users while still
> > ensuring that they are only providing what I want them to provide.
>
> How do you authenticate the external users? By IP? What about spoofing?

There are many ways to authenticate external users - in the case of
development teams we use VPN connections. In the case of web
applications we use user name/passwords that are not part of the OS, but
are part of the application design.

At no time do we provide OS level authentication to services through a
NON-VPN tunnel - that would be plain stupid.

> >> Why don't you simply switch all unwanted services off?
> >
> > Because, in general, just like on any server, you can't switch off the
> > services that are providing public access.
>
> That was my point! If the service is public, it is public, period. OK,
> packet filtering might make sense to limit access to certain services to
> certain IPs/networks, the danger of spoofing attacks remains.

You should really study more on firewall appliances and the features
they offer.

> > Packet filtering provides the ability (on real firewalls) to block sites
> > that make probes before the attack (automated blocks)
>
> In conjunction with an IDS.

Some firewall devices have this ability and don't require additional
IDS, but additional IDS is part of a master solution.

> > the ability to strip attachments out of emails,
>
> You seem to have invented the firewall warp drive, my congratulations, try
> to sell it to Micro$oft, if your warp-firewall is really more than a
> repetition of buzzwords, they'll probably pay you a hell of a lot of money. If you
> can do content filtering on layers 2 or 3 (that is where packet filters
> operate) I'll fly to Mars tomorrow.

The WatchGuard Firebox line of appliances has provided this function for
more than 5 years. You can buy a small WG FB unit for under $800 that
will do this function.

> > the ability to strip items out of the user's browser experience, etc...
>
> Once more: You seem to have invented the firewall warp drive, my
> congratulations, try to sell it to Micro$oft, if your warp-firewall is
> really more than a repetition of buzzwords, they'll probably pay you a hell
> of a lot of money. If you can do content filtering on layers 2 or 3 (that is where
> packet filters operate) I'll fly to Mars tomorrow.

Again, there are firewall devices out there that do this - it has
nothing to do with Microsoft and is common for security professionals to
know this type of thing. I can configure my WG FB firewall devices to
strip Active-X controls, cookies, etc... out of the user's browser
connection.

> >> > If you expose your server without the router it will be easy to find
> >>
> >> Come on, you are kidding, a machine, that offers a public service, must
> >> be found. Otherwise it cannot offer the service. I really wonder, how far
> >> all the stealth rubbish from Gibson and others has brought us.

No one said you have to make it easy to find. If I have a web server I
can run it on port 80 (or any other port) and don't have to expose any
other ports to the public. Why would anyone want to expose anything
other than the exact service needed to the public? They don't have to be
able to PING a server in order to browse to it.

> > If the machine responds to a PING it will be found quickly -
>
> Laughable. There is nothing wrong with ICMP. Have you ever had the idea that
> something called Internet Control Message Protocol might be called so for
> ^ ^ ^ ^

There is no reason for a server to respond to ICMP. You can access the
features without it. I block ICMP at all client sites and have never
had a problem getting to them. It all comes down to understanding the
platform and security.

> > my firewall shows that 90% of all probes
>
> Why the hell are you afraid of probes? Do you run insecure services?

Fear has nothing to do with anything - You need to understand security
as it pertains to the systems in question, and once you do you will be
able to secure your systems. You pay attention to ALL forms of
connections to determine where the next threat and where the current
threats are being directed. I saw the slammer hit within minutes of it
starting - my logging software paged me. It was very interesting to
learn about all the public companies that were compromised because they
didn't understand basic security principles.

> Do you run an insecure http server or any other insecure service on port 80?

Not sure what you mean now - I have hundreds of IIS servers all across
the country (actually several countries) that are installed and never
been hacked, port 80 and 443. It's a matter of knowing your enemy and
knowing your OS/applications.

> > WG, there is no such thing as a secure OS, since most people install
> > applications with their servers they leave their systems open.
>
> Those people simply should not run servers.

It would be nice if that were possible, but people run computers on all
sorts of platforms without knowing anything about them. How many people
are running MS Office Professional right now, how many developers are
running Visual Studio .Net and have the SMTP and MSDE services running
and don't know it.... The list goes on. For the most part, a simple NAT
router would keep their machines from being hacked.

> > It's better to teach people how to secure the "Environment", not just
> > the OS.
>
> What comes first, a locked down system or an open system with a fence around
> it?

The fence should be first - You need the fence so that you can lock it
down before it gets exposed.

How many systems, using the default install, are 100% locked down during
and just after the install? Not many.

-- -- spamfree999@rrohio.com (Remove 999 to reply to me)
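
Added example, not part of the original post and not any vendor's implementation: one way the "automated blocks" of probing sources discussed in the message can be derived from firewall deny logs. The log format, the function names, the threshold and window values and the `never_block` allowlist are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample deny/allow log. The line format is an assumption made
# for this example, not the log format of any particular firewall product.
SAMPLE_LOG = """\
2003-10-21T16:00:01 DENY tcp 198.51.100.7 -> 192.0.2.10:135
2003-10-21T16:00:02 DENY tcp 198.51.100.7 -> 192.0.2.10:139
2003-10-21T16:00:03 DENY tcp 198.51.100.7 -> 192.0.2.10:445
2003-10-21T16:00:04 DENY udp 198.51.100.7 -> 192.0.2.10:1434
2003-10-21T16:00:05 ALLOW tcp 198.51.100.7 -> 192.0.2.10:80
2003-10-21T16:01:00 DENY icmp 203.0.113.9 -> 192.0.2.10:0
2003-10-21T16:05:00 ALLOW tcp 203.0.113.50 -> 192.0.2.10:443
2003-10-21T16:20:00 DENY tcp 203.0.113.9 -> 192.0.2.10:23
"""

def parse_line(line):
    """Split one log line into (timestamp, action, proto, source, dest_port)."""
    ts, action, proto, src, _arrow, dst = line.split()
    port = int(dst.rsplit(":", 1)[1])
    return datetime.fromisoformat(ts), action, proto, src, port

def sources_to_block(log_text, threshold=3, window=timedelta(minutes=5),
                     never_block=frozenset()):
    """Return {source: sorted denied (proto, port) pairs} for every source
    that was denied on `threshold` distinct services inside `window`.

    never_block is an allowlist: source addresses can be forged, so hosts
    you depend on should not be blockable by someone spoofing them.
    """
    recent = defaultdict(list)  # source -> [(timestamp, (proto, port)), ...]
    blocked = {}
    for line in filter(str.strip, log_text.splitlines()):
        ts, action, proto, src, port = parse_line(line)
        if action != "DENY" or src in blocked or src in never_block:
            continue
        # Keep only this source's denials that are still inside the window.
        recent[src] = [(t, s) for t, s in recent[src] if ts - t <= window]
        recent[src].append((ts, (proto, port)))
        distinct = {s for _, s in recent[src]}
        if len(distinct) >= threshold:
            blocked[src] = sorted(distinct)
    return blocked

if __name__ == "__main__":
    for src, services in sources_to_block(SAMPLE_LOG).items():
        print(src, services)
```

The second source in the sample is denied twice but nineteen minutes apart, so it stays below the threshold and is not blocked.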