[Dshield] A few followup points

Bob Konigsberg bobk at networkeval.com
Tue Mar 19 21:59:35 GMT 2002


I'd like to follow up on Stephanie Grobety's last post regarding egress
filtering, but expand it somewhat for the benefit of some of the puzzlement
(and those puzzled) posted over the last few days.

The purpose of egress (or outbound) filtering is to make sure that all traffic
being sent out of your machine (locally or to the Internet) is being sent by
programs that you, the user, know of, and approve of.  Programs like ZA (Zone
Alarm), Norton, and McAfee's firewall, maybe others, (I don't know) will pretty
quickly figure out that your web browser, email client, Anti-Virus live-update
or whatever are supposed to be running, and they verify that with you, the user.

After that they will blink when those programs open a connection, and ID them,
but won't say anything else.  However, if you pick up some spyware (PKZip,
MSNBC News Agent) or worms (W32.QAZ for example) that are trying to either
"phone home" or spread, you will get an alarm (hopefully), and do something
about it.

Having run numerous corporate firewalls for a living, when it came time to get
my DSL connection live, I never considered anything but putting up the firewall
first before ANY connection.  I use a SonicWall SOHO, and although pricey
(about $500), my systems are completely invisible from the outside.  However,
I still run Norton AntiVirus, McAfee Anti Virus (depending on the machine, some
are corporate, and so run the software specified by my employer), and Zone
Alarm.

This brings us to another point already expressed by some other list
contributors, called "defense in depth" whereby you don't ever trust only one
layer to protect anything, since any software of any significant complexity
cannot help but have vulnerabilities, be they discovered or undiscovered.

Anti-Virus companies themselves commonly use their competitors' products in
addition to their own, just because they know and understand this matter.
There was a vulnerability recently uncovered with respect to Norton's email
virus checker, whereby some particular malformed MIME (Multipurpose Internet
Mail Extensions) types could sneak a virus past the mail server, but they would
still be caught by the desktop software.

Likewise with firewalls, as a previous poster pointed out.

The unfortunate part about this is that security is a pain to deal with, and
most people, unless the threat is in their faces, won't do anything until they
get burned a few times.  Heck! I do this stuff for a living, and it's STILL a
pain.
  __
 /_/ _   /_
/_/ /_/ /_/ (SANS GSEC)
