[Dshield] Secure computing (was: Port 135)

Jan Johansson janj+dshield at wenf.org
Sun Oct 27 22:24:41 GMT 2002


On Sun, Oct 27, 2002 at 01:19:10PM -0700, Kenton Smith wrote:
>I can understand your logic to a point. This seems a bit like
>the John Wayne approach to me. What about some kind of layered
>approach to security? Here's where your argument falls flat to
>me:
><snip>
>Our opinion is that "Firewalls are for cowards".
><snip>

This is a joke that we use when people suggest that the solution
to all problems is a firewall. But it is also a golden rule of
how we do things.

A firewall may well have its place. We do not use it as our front
door as it would cause more problems than it solves.

><snip>
>A firewall will never save your ass if a
>cracker really wants it.
><snip>
>If a cracker really wants it, nothing will save your ass. If a
>cracker really wants it he is going to use things you don't even
>know about.

As stated, a cracker/hacker will not be stopped by anything. But
recent events have shown that a firewall won't even stop crack
bots (think CodeRed).

>What about the newly discovered Kerberos flaw? How long does it
>take you to patch something like this?

I assume we are talking about the kadmind buffer overflow in
Heimdal (and kth-krb).

The kadmind service was turned off immediately when we got the
news (which was within one hour of the public announcement). It
was down for at least 12 hours before the patched version was up
again. This is something that may not be accepted when the uptime
demand is 99.95% and such; we do not have those demands.

Our track record is far from perfect; the site has fallen behind
because of bad management, but it is getting better every day.

>I'm not saying that your way of doing it is wrong, however to
>rule out using something because "I don't need 'em", then you're
>leaving yourself and your users open. If there was a silver
>bullet we'd all be out of a job, but my job is to make sure it
>doesn't happen to our company and I'm going to use as many
>different means as possible to do that.

I would never rule any solution out. We have courses where the
students are supposed to install their own server; the only way
we can save ourselves from 1000 abuse mails is to put a shield
between them and the world. This may be a firewall or simply not
routing those nets off our network.

One chooses the tool that will do the job in the best way.
