Re: Port 113?
- From: Nomen Nescio <nobody@xxxxxxxxx>
- Date: Tue, 29 Aug 2006 17:50:02 +0200 (CEST)
Hello B. Nice and all.
I disagree fundamentally with Mr. Gottschalk's
recommendation to use what amounts to "Default Allow"
firewall policies.
Mr. Gottschalk wrote "You should never "stealth" any port
until you have explicit reason to do so." This is an
example of a "Default Allow" policy.
I believe in using "Default Drop" policies for all of my
firewalls. As far as I am aware using INBOUND and OUTBOUND
Default Drop policies are the Most Secure default firewall
configurations. One has to know what traffic they wish to
allow, and add deliberate and specific firewall-rules to
allow it. It's a very educational process, because you
cannot use any facet of the Internet until you know exactly
which protocols and/or (TCP/UDP) ports you wish to use.
Imagine a door-lock for a house or an apartment, under
what would be similar to a "Default Allow" policy, everyone
would be able to unlock your door EXCEPT those persons whom
you have specifically listed and barred from entry. Who would wish
to have to list the 6-Billion odd people extant on the planet
just to be able to prevent their entry? Under a similar
scenario with a "Default Drop" policy ALL (those 6-Billion+)
are denied entry UNLESS they have been specifically added
to a list to be given entry (to be given a key, let's say).
Mr. Gottschalk's recommendation to the original poster was
to allow the traffic to and from the poster's computer to
the extent that his ports would be "unstealthed". Later Mr.
Gottschalk mentioned that:
"I've got a box that runs Windows from time to time. By default it would
only react to ICMP codes 0,3,4,5,8,11,12,17 and 18. I configured it to not
react to code 5, 17 or 18. The other ones aren't dangerous in any way. ..."
Maybe I missed it somewhere, but I don't recall Mr. Gottschalk
warning the original poster that (perhaps especially under
Windows environments) ICMP codes 5, 17, and 18 are
dangerous. Did he make it clear to the original poster?
With Default Allow all is allowed (unless you know exactly
what you wish to Disallow and then add the appropriate
firewall-rule).
My advice wouldn't have left the original poster open to
problems related to ICMP codes 5, 17, and 18.
Perhaps today there are dangers using ICMP codes 3, 8,
and 12?
Perhaps tomorrow there will be attacks using 0, 4, 8,
and 11?
Things change constantly, new attacks are formulated
constantly.
I'm quite content using a Default Drop stance.
My advice (again) is to do similarly, add rules to allow
the traffic you absolutely must have, then add other traffic
when and only when you FULLY UNDERSTAND what you are allowing.
To do otherwise you truly must be an expert, and I mean having
the ability to know of all possible attacks that are available
instantly (and being able to change your firewall configurations
instantly). I personally feel that having a secure firewall
is NOT possible using defaults that blindly allow traffic.
Perhaps Mr. Gottschalk or some others are even more omnipotent
than they could imagine. One would have to be to be able to
track and respond to varying attack-methodologies second-by-second.
Does anyone know what the dangerous ICMP codes are for today? Some
find philately or numismatic-pursuits to be more relaxing hobbies.
To each his (or her) own.
N.B. I assume that any who actually have a need to use ICMP or TCP RST
or anything else will take the time and perhaps the Great Effort to be able
to use these things securely. I elect not to use them. Some things can be Mastered.
Some other things are perhaps best Not to master (nor to use).
Cost-benefit and risk-reward analyses are your friends.
P.S. RE: Volker Birk (x2)
1) Many ISPs disable or curtail ICMP in their routers.
If you are near to such routers (as I believe I am) there
will be no forthcoming ICMP Host Unreachable messages. Even
for those routers that do give these messages, would-be
attackers would have no idea whether you were a home PC or
some networked refrigerator or toaster. OS-fingerprinting
relies on being able to receive packets (probably preferably
TCP SYN packets) from potential targets, I choose not to
emit ANY packet to anywhere without a valid reason.
2) Substantiate which? I advocate a Default Drop firewall
stance. Those using Default Drop policies will be
"stealthed" by default, they will be emitting packets only
according to the specific firewall-rules that they write,
rather than to anyone or anything on the planet that wishes
to scan or probe them.
You and some others advocate sending packets out to
anyone for no articulated security or other advantage. It
is always less secure to allow traffic blindly. It is indeed
bizarre to allow traffic for absolutely no advantage or
reason.
My systems and my Internet connection are highly-stable. I
can leave my machines on and my connection up for days at a
time with nothing but a steady and reliable exchange of
data. Perhaps any performance-degradation when not allowing
certain types of traffic is idiosyncratic to your particular
equipment or configuration.
I am a home user, but a number of reports both here and
elsewhere seem to indicate that many larger networks
also do not require that which you and others are advocating.
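As an added example (my own code, not part of the original post or the author's configuration), here is an nftables ruleset in the Default Drop stance argued above, beside the input chain a Default Allow stance would need in order to block the ICMP message types 5, 17 and 18 (redirect and address-mask request/reply) named in the thread; the function names and the list of allowed outbound services are assumptions.

```shell
# Added example (not from the original post or its author): an nftables
# ruleset implementing the "Default Drop" stance argued above. Assumes one
# IPv4 home workstation needing DNS, NTP, web and SSH out, and nothing
# inbound but replies plus the ICMP errors needed for path MTU/traceroute.

# Default Drop: both chains end in "policy drop", so ICMP redirect (type 5) and
# address-mask request/reply (17/18) need no rule of their own; an unlisted
# type, today or tomorrow, simply falls through to the drop.
default_drop_ruleset() {
cat <<'EOF'
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    icmp type { destination-unreachable, time-exceeded } accept
    # anything else, e.g. an ident/113 probe, is dropped silently ("stealthed")
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    udp dport { 53, 123 } accept
    tcp dport { 22, 80, 443 } accept
  }
}
EOF
}

# Default Allow, for contrast: the chain accepts by default, so every unwanted
# ICMP type must be enumerated, and a new one is let in until someone adds it.
default_allow_input() {
cat <<'EOF'
  chain input {
    type filter hook input priority 0; policy accept;
    icmp type { redirect, address-mask-request, address-mask-reply } drop
  }
EOF
}

# Number of explicit match rules a ruleset needs (policy and comment lines excluded).
rule_count() { "$1" | grep -c -E '^[[:space:]]+(iif|oif|ct|icmp|tcp|udp) '; }

# Load only on explicit request; nft -f reads the ruleset from a file.
apply_default_drop() {
  [ "${APPLY:-0}" = "1" ] || { echo "dry run: set APPLY=1 to load with nft" >&2; return 0; }
  tmp=$(mktemp) && default_drop_ruleset >"$tmp" && nft -f "$tmp"; rm -f "$tmp"
}
```

Run `APPLY=1 sh` on the script as root to load the Default Drop table; without APPLY it only prints the ruleset, which is the form to review before trusting it on a live connection.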