Re: Why you have hardware firewalls

From: Darko Gavrilovic (darkog_at_REMOVETHIShushmail.com)
Date: 04/13/05


Date: Wed, 13 Apr 2005 17:16:05 GMT

Leythos wrote:

> On Wed, 13 Apr 2005 06:08:38 -0500, Darko Gavrilovic wrote:
>>
>> your methodology may work - if you knew for sure 110% where you target
>> customers/visitors are connecting from. but what information makes you
>> so sure? and how do you know you aren't losing customers?
>
> You must be assuming that we don't know who our clients are? If I
> design/host a web site for a roofing company based in the USA, there is
> little chance they are going to get a request for a bid from Oz or from
> Asia, and no reason for them to expose their site to those countries as
> their business model doesn't cover doing work outside the USA (outside
> their state for that matter). The same is true for many businesses.
>
>> the way i see it, your site is either on the internet and public or it's
>> on intranet and private. if it's private, then by all means place behind
>> F/W and filter to your own corp. subnets.
>
> All web servers, or anything that provides public access (ftp, smtp,
> etc..) should be behind a quality firewall device.
>
>> but if it's public, it's public. where is your reasoning to adjust IP
>> filter to target audience connections? the site is in english, so you
>> will just assume that anyone who can't read english won't visit - so you
>> will filter out non-english speaking countries?
>
> You're wrong, public doesn't mean World, it means open to as far as you
> want it to reach. In many cases, there are no reasons for non-global
> companies or organizations to reach beyond their local country. Even if
> the company did get a request for third-world services they would not be
> able to service it as their infrastructure would not be setup for it. For
> those that want to service third-world countries, more power to them, and
> they would need to remain unblocked, but I see no reason to expose
> services that should not be available to others.
>
> The way to look at it is simple - reduce your exposure as much as
> possible, which will also reduce your load/management needs, and also
> helps to reduce your exposure to threats.
>
> Oh, it has nothing to do with the language of any peoples, it's got
> everything to do with where you want to expose your services too. If you
> know that you're never going to sell/service places in country XYZ, then
> you can block all the IP ranges in country XYZ - this eliminates a
> direct threat area/path.
>
>> also, relying on IP filtering is a little weak. as we all know, IP's can
>> be spoofed. or even simpler, you can find a proxy from allowed IP and
>> use it to get in. a guy who has targeted *your* site for an attack
>> probably learnt *that* way before he learn how to be a scripter.
>
> And, in this discussion, you should already understand that it's a PART of
> the entire solution, not the sole method. Blocking connections to
> countries that you don't do business with is a valid means of eliminating
> threats. In case you missed it, this is only a small part of a security
> solution.
>
>> filtering SMTP proto so asian countries are excluded is common practice
>> and makes sense. but filtering HTTP proto, i do not come across that too
>> often.
>
> I see daily connection attempts to HTTP, FTP, SMTP, 4899, and several
> others, from many foreign sites. In the early days I would track the IP,
> block just the IP, and then move on. Now, as it's more evident, it's
> easier to block the country or net-block used by the prober, I don't block
> /8's, but I do block /16's and /24's all the time.
>

yeah - i guess a lot depends on the type of business and services you are
selling.

it still seems weird to "penalize" entire chunks of the internet based on
something/action/hack attempt that has not happened yet.

would it not make more sense to automate & integrate an IDS (snort) with
your firewall and have it auto block any suspicious hits. you might wind up
blocking a lot of false positives - but at least your are not blocking
right across the board.

(p.s. for the purposes of this thread - lets assume you are selling services
to anyone willing to pay. not selling services to just your local
community. lets say you are selling web design services.)

-- 
"Why do they call it rush hour when nothing moves?", Robin Williams


Relevant Pages

  • Re: Man gets nine years for spamming
    ... >>1) SPAM is not a SECURITY issue. ... >>business model as you. ... You may be able to block countries, ... blanket IP block filtering. ...
    (alt.computer.security)
  • Re: modern highway R3a linking China, Laos and Thailand is expected to substantially raise economic
    ... The launch of the modern highway R3a linking China, Laos and Thailand ... While the development has delighted the business community, ... The system requires all involved countries to harmonise their customs ... the region more attractive for trade and investments," he said. ...
    (soc.culture.cambodia)
  • modern highway R3a linking China, Laos and Thailand is expected to substantially raise economic pros
    ... The launch of the modern highway R3a linking China, Laos and Thailand ... While the development has delighted the business community, ... The system requires all involved countries to harmonise their customs ... the region more attractive for trade and investments," he said. ...
    (soc.culture.cambodia)
  • Re: Man gets nine years for spamming
    ... >> 1) If I don't do business in a country there is no reason to provide ... > Again, I do not and will not, blacklist countries. ... > Stay away from windows if possible to anything on your DMZ. ... do you let Asian countries have access to your company LAN? ...
    (alt.computer.security)
  • Re: Man gets nine years for spamming
    ... The point is, for me, blocking countries is ... especially where there are other techniques ... My company for example does a lot of business in China, ... Not even taking into account that most of the SPAM will spoof email ...
    (alt.computer.security)