Re: Probes on Port 135 and 445 continue

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 10/14/04 

Date: Wed, 13 Oct 2004 17:50:34 -0500

In article <MPG.1bd62cb4e6d23a3298984f@news-server.columbus.rr.com>,
Leythos wrote:
>In article <slrncmohdk.6li.ibuprofin@atlantis.phx.az.us>,
>ibuprofin@painkiller.example.tld says...

>As I said before, and many times with this idea, if you need a public IP
>all you have to do is request it, the default will be NAT.

You really think that would last more than a day or two? The lusers
whining "the internet is broken", and tech support trying to explain
this crap, then offering to provide a public IP. Or do you propose to
make that a premium feature at a minor extra cost? Yeah, let's see how
long that one lasts.

>I found several state agencies that were running all of their computers
>on public IP's, in fact, they had a firewall, but it was setup to pass
>ALL traffic in/out without restrictions - funny way of doing it.

I think it is fairly well known that a lot of people shouldn't be allowed
near computers. But how did _you_ convince the state agency that their
current setup was insane - and then get the bean counters to agree to
pay for it?

You might also want to look at the third article in the Risks-Forum Digest
for Tuesday 12 October 2004 (Volume 23, Issue 56) which you can find as
the Usenet newsgroup 'comp.risks'. Colorado DMV disabled for a week with
a computer virus. If the story (via Denver Post) is correct, "every
computer in the system" got reinstalled. Whoopie!

>We converted them to 32 Public IP natted through the firewall, and then
>4 class C segments using private addresses. Took about a week due to
>some desktop machines having Fixed IP's.

Boy, you wouldn't like our setup - we have ALL of our systems on fixed
IPs, and monitor the IP/MAC relationship for security purposes. The
monitor is just a perl script talking to the servers and routers grabbing
their ARP cache every N minutes. We also use a passive O/S fingerprinting
tool.

But you failed to answer this one:

>> How do you propose that they fund the effort
>> to change all of the un-needed public IPs to RFC1918.

It's not as if this effort is cost-free - if it were, you wouldn't be doing
it. I'm sure there is considerable gnashing of teeth in Colorado right now,
but how soon do you see that being translated into them instituting proper
security procedures other than something cosmetic that the PHBs will
consider adequate. Now, someone should take the "Chainsaw of Enlightenment"
to the staff - but the chances of that happening are...

>As a matter of fact, I have done this, and it's not easy. We do it over
>a weekend and after staging things during the month before it.

Great - Ohio State University seems to have (at least) three public /16s.
Ohio U seems to only have one, as does Ohio Northern and Cleveland State.
How long to convert those six? And that magic question - how do you
convince the board of regents (or whatever) to spend those bucks.

       Old guy

Relevant Pages

  • Re: Probes on Port 135 and 445 continue
    ... >on public IP's, in fact, they had a firewall, but it was setup to pass ... and monitor the IP/MAC relationship for security purposes. ... Ohio U seems to only have one, as does Ohio Northern and Cleveland State. ...
    (comp.security.misc)
  • Re: XP setup screen does not fill screen
    ... to windows and change the resolution...I told him how can i change ... screen nicely...but its the setup that is the problem. ... Its an excellent monitor otherwise..but rotten support. ... Again Video card with HDTV seems limiting itself to the TV mode. ...
    (rec.video.desktop)
  • Re: XP setup screen does not fill screen
    ... to windows and change the resolution...I told him how can i change the ... screen nicely...but its the setup that is the problem. ... If your problemonly occurs when installing/reinstalling Windows, and not when Windows is running, then your only remaining remedies are to use your HDTV monitor's internal menu and settings to temporarily adjust your monitor to make these hidden buttons appear, and if your monitor has no such range of adjustment, then to replace your video card with one which has better support for your specific HDTV. ...
    (rec.video.desktop)
  • Re: full-screen video on second monitor
    ... monitor and full-sceen on a second monitor. ... I have a stong need for this type of display setup. ... The VMR7 instance will attempt to use and overlay ... If your video card is so ...
    (microsoft.public.win32.programmer.directx.video)
  • Re: XP setup screen does not fill screen
    ... to windows and change the resolution...I told him how can i change the ... screen nicely...but its the setup that is the problem. ... Its an excellent monitor otherwise..but rotten support. ... i believe its limited to the TV and not the VGa MODE. ...
    (rec.video.desktop)