Re: Why you have hardware firewalls
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: Wed, 13 Apr 2005 18:29:52 -0500
In article <xyZ6e.1468$BS.firstname.lastname@example.org>, Leythos wrote:
>On Tue, 12 Apr 2005 19:03:12 -0500, Moe Trin wrote:
>> I found the owner, and mentioned his little problem. Sure enough, his
>> windoze toy server had been 0wn3d again.
>The problem doesn't have anything to do with a firewall or lack of one,
>it's got everything to do with properly setting up the OS/Services to
>handle a public connection.
I know that - you know that - perhaps every competent professional knows
this - but these aren't professionals. The site is operated and maintained
(yeah, right) by a 17 year old.
>We've had a number of IIS servers directly on the public network for 6+
>months without a single compromise, but we also know what services to stop,
Bingo. You can actually run the typical windoze server with all the
extraneous crap in it's default wide open state (not that I'd recommend
windoze, much less running the defaults) behind a very restrictive firewall
without as much risk - but the better combination is the stripped system
running behind the firewall if you insist on a microsoft solution. Netcraft
suggests there are better ways.
>Then there is that ability of Windows to filter connections itself....
I just used a passive tool to ID the system - it looks like the idiot is
running 98, but I can't tell which patch level.
>I do agree, there is no reason for the US Based Pizza place, even Pizza
>Hut, to offer online ordering to people outside their country (even if PH
>did offer pizza in Russia, they would not do it from a US based server).
I know that smarter individuals have set up systems where the first page
wants your postal (ZIP) code, and uses that to try to identify the nearest
retailer. Trying to use IP addresses to identify a location is difficult.
The local cable/DSL is provided by Cox and QWorst, and there are about 50
local ISPs. But what about the "local" businesses? Looking up $WORK says
New York, but a traceroute enters a blackhole in San Jose California, and
we have subnets in Europe, Asia, and where I am in Arizona. One local site
does indeed block $WORK as non-local, and the only way I can reach them is
from a tunnel, or over the phone. So they loose our business.