[Dshield] Secure computing (was: Port 135)

Russell Washington russ.washington at vaultsentry.com
Mon Oct 28 15:20:43 GMT 2002

> My solution to the Windows Messenger problem is to turn off the service.

Can't argue with that.

> Misbehaving students lose their access and are reported to the police.

Geez, you DO take security seriously.  My apologies :)

> My solution to the Windows Messenger problem is to turn off the service.

Pretty danged informative rant, thanks for posting it :)

-----Original Message-----
From: Jan Johansson [mailto:janj+dshield at wenf.org] 
Sent: Saturday, October 26, 2002 2:51 PM
To: list at dshield.org
Subject: [Dshield] Secure computing (was: Port 135)

I will try to respond to all the comments that have been made.

First, we are talking about the Windows Messenger Service, not MSN Messenger.

The figure 10,000 was taken out of the air, but I believe it is pretty accurate
for the whole university. Our department has 5,000 users in the database.
This incorporates old and present students. At this moment we have about
1,200 active students, 300 Windows workstations, 50 UNIX workstations, 60
SunRays (thin client, UNIX), 25 UNIX servers and 3 Windows servers
(Active Directory (under development), Ghost).

Our opinion is that "Firewalls are for cowards". This does not mean we take
security lightly. We do use packet filters, but mostly for making sure our
boxes are not cracked until they get patched. Misbehaving computers are
null routed. Misbehaving students lose their access and are reported to
the police.

AFS[1] is used for storing user data. There is nothing that can match AFS in
ease of administration and provided security. It was moved to open source a
little while back and since then many improvements have been made which make
it even better. The problem, however, is that there is not a good
Windows client available. One is out there, but it is not as solid as one
would wish. And so we must provide workarounds:

- Kerberized FTP (no plaintext). This causes problems because the
  students can't use their FTP client of choice. The Kerberized client is not
  very good (it can't upload/download a full directory structure).

- SSH (protocol v2) with SCP, SFTP. Because of problems with
  compiling SSH (support for AFS and Kerberos) this is not a supported
  solution at the moment. Many man hours have been put into this as it would
  enable a whole range of alternatives for our users.

- Samba (SMB server for UNIX). This works in plaintext[2], which
  is computing of the 80s (very bad by today's standards). We don't
  advertise this. It is just for the really computer illiterate, when
  installation of the Kerberized FTP fails. Last month we had zero (0) logins
  to our Samba server from outside the campus network[3]. The goal is to turn
  off all SMB services within six (6) months.

My solution to the Windows Messenger problem is to turn off the service. It
has huge flaws (no proper authentication) and as such it can't be used.
There are alternatives like Zephyr, which uses Kerberos for authentication
and works on both Windows and UNIX. Switching things off and replacing them
with open source tools is a very common solution with Windows. It has huge
flaws all over, and that is why we prefer to work with UNIX. This is not an
easy task as many applications are only available for Windows.

So, to summarise: we work in a different way. We remove the bad stuff from
our network. We live in a world that has no firewalls and we adapt to it.
A firewall will never save your ass if a cracker really wants it. A common
thing today is to put up a $5000 firewall, with a $1000 proxy, to protect
an Internet Information Server. The correct solution for me is to put up a
$0 Apache with no firewall and tell my users that ASP with an Access
database is not the only solution available.

Thank you for reading this rant. :-)

[1] http://www.openafs.org/
[2] I am aware that Samba can be set up to use encrypted passwords, but this
is not possible to use with AFS.
[3] How? Using SMB over routed networks (the Internet) is very easy. In older
versions of Windows you need a WINS server. In more recent versions you
just give an IP or a FQDN (\\samba.foo.com\bar). Today, broadcasting for
computer names is used after DNS and WINS have been tried.
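The two practices described in the post above, counting SMB logins that arrive from outside the campus network and null routing hosts that misbehave, can both be driven from packet-filter logs. The script below is an added example and is not code from the list post or from any project it mentions. It assumes a netfilter-style log line layout (`SRC=`, `DST=`, `PROTO=`, `SPT=`, `DPT=` fields), a constructed campus prefix (192.0.2.0/24, an RFC 5737 documentation range) and constructed sample lines; the ports it watches are the ones the thread talks about (135 for the Messenger service / RPC endpoint mapper, 137-139 and 445 for SMB).

```python
import ipaddress
import re
from collections import Counter

# Constructed campus prefix: an RFC 5737 documentation range, not a real network.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Ports the thread talks about: 135 (Messenger service / RPC endpoint mapper),
# SMB over NetBIOS (137-139) and direct-hosted SMB (445).
WATCHED_PORTS = {
    135: "messenger-rpc",
    137: "netbios-ns",
    138: "netbios-dgm",
    139: "netbios-ssn",
    445: "smb",
}

# Assumed netfilter-style log line layout; adjust for the packet filter in use.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample log lines so the script runs offline.
SAMPLE_LOG = """\
Oct 26 14:51:02 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3456 DPT=445
Oct 26 14:51:09 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3457 DPT=445
Oct 26 14:52:30 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP SPT=3460 DPT=135
Oct 26 14:53:01 fw kernel: ACCEPT IN=eth1 SRC=192.0.2.20 DST=192.0.2.10 PROTO=TCP SPT=1025 DPT=445
Oct 26 14:53:44 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=139
Oct 26 14:54:12 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=40002 DPT=80
Oct 26 14:55:00 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
"""


def parse_line(line):
    """Extract source, destination, protocol and destination port; None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def is_campus(addr):
    """True when the address falls inside one of the campus prefixes."""
    return any(addr in net for net in CAMPUS_NETS)


def classify(lines):
    """Count off-campus hits on watched ports, per service and per source address.

    On-campus sources and unwatched ports are ignored, which matches the
    "zero logins from outside the campus network" figure the post reports.
    """
    per_service = Counter()
    per_source = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dpt"] not in WATCHED_PORTS:
            continue
        if is_campus(rec["src"]):
            continue
        per_service[WATCHED_PORTS[rec["dpt"]]] += 1
        per_source[str(rec["src"])] += 1
    return per_service, per_source


def null_route_candidates(per_source, threshold=3):
    """Off-campus sources that hit watched ports at least `threshold` times.

    The threshold is a constructed policy value; the post only says that
    misbehaving computers are null routed, not how misbehaviour is scored.
    """
    return sorted(src for src, n in per_source.items() if n >= threshold)


if __name__ == "__main__":
    services, sources = classify(SAMPLE_LOG.splitlines())
    print("off-campus hits per service:", dict(services))
    print("off-campus hits per source:", dict(sources))
    print("null-route candidates:", null_route_candidates(sources))
```

Run against the constructed sample, the script reports five off-campus hits (two on 445, one each on 135, 139 and 137), ignores the on-campus workstation and the port 80 request, and proposes 203.0.113.5 for null routing because it alone reached the threshold. Feeding a month of real packet-filter logs through `classify` gives the "logins from outside campus" count directly.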
