[Dshield] Secure computing (was: Port 135)

Micheal Patterson micheal at cancercare.net
Mon Oct 28 19:18:20 GMT 2002


----- Original Message -----
From: "Jan Johansson" <janj at wenf.org>
To: <list at dshield.org>
Sent: Monday, October 28, 2002 7:34 AM
Subject: Re: [Dshield] Secure computing (was: Port 135)


> On Sun, Oct 27, 2002 at 11:30:59PM -0500, David Kennedy CISSP wrote:

<snip>

> >I for one would not object to your using a firewall to protect the
> >rest of us on the Internet from your university and its students,
> >faculty and staff.
>
> As of today I have still to see why this would be needed. We are
> not a .edu (wrong side of the pond).

Just because you don't have the .edu TLD associated with your domain doesn't
mean you're not an educational facility/network. You've said it yourself,

"Our department have 5,000 users in the database. This incorporate old and
present students. At this moment we have about 1,200 active students, 300
Windows workstations, 50 UNIX workstations, 60 SUNRays (thin client, UNIX),
25 UNIX servers and 3 Windows servers (ActiveDirectory (under development),
Ghost)."

From a remote network's standpoint, there are 1200 possible active reasons
why you would want to possibly try to limit your network traffic outbound.
Also, that would leave approx. 3800 inactive users in the database who, in
the unlikely event an account has NOT been disabled, are a potential for
intrusion and breach.

300 Windows workstations. 300 potential sources of any number of things
known and unknown.

<snip>

> Looking at the sources I can rule out some. For example our AFS
> servers have never been used to attack anyone. However AFS uses
> callbacks to tell the client that files have changed. This can be
> done several hours after the client fetched the file, at which time
> many stateful packet filters will have timed out.

If the AFS server is connecting outbound, a stateful firewall on outbound
traffic would not hinder that. Matter of fact, outbound stateful rules
depend on that outbound traffic in order to generate the dynamic rule set.

> >This part really got my attention and you have not addressed it.
> >Using all those technologies I've snipped from your message are good.
> > If you now want to dig yourself out of the hole you're in by saying
> >you do it by AFS, SSH or a Kerberized solution, simply explain why
> >did you respond in that way to John's "135:139" line?
>
> Frustration that people try to solve every computer problem
> with firewalls and laws. In this case (spam by windows message
> server) I see the source of the problem as (yet again) bad
> implementation from Microsoft. So why is no one complaining? Fix
> the real problem, don't make a workaround. (Or rather make them
> fix the problem).

Why is no one complaining to MS? Because it does little to no good to do so
that's why. As long as you've been in IT, you should already know that. MS
doesn't give a rat's ass if they're compliant on anything at all. They just
want to be compliant enough so they can sell a product that is reachable
over the network. They really don't care if it breaks other things in the
process.

--

Micheal Patterson
Network Administration
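The two stateful-filter situations argued over in this exchange (an AFS callback that arrives after the filter's reply state has idled out, versus a server-initiated callback that an outbound rule simply records as a new outbound flow) are easier to see with a toy connection tracker. The following Python walk-through is an added example and is not part of this thread or of any firewall product. The addresses, the 300-second idle timeout and the timeline are constructed; the AFS fileserver port 7000 and cache-manager (callback) port 7001 are the conventional AFS UDP ports and are assumed here.

```python
from dataclasses import dataclass

# Constructed addresses for the walk-through (not taken from the thread).
CLIENT = "10.0.0.5"       # AFS client, on the "inside" of the filter in scenario A
SERVER = "198.51.100.7"   # AFS file server, on the "inside" in scenario B
AFS_FILESERVER_PORT = 7000  # conventional AFS fileserver UDP port (assumed)
AFS_CALLBACK_PORT = 7001    # conventional AFS cache-manager UDP port (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    t: float  # seconds on a constructed timeline


class StatefulFilter:
    """Toy connection tracker modelled on an outbound-only stateful rule:
    packets leaving the inside create a dynamic entry that lets the reverse
    flow back in; an entry is dropped after idle_timeout seconds of silence."""

    def __init__(self, inside_prefix, idle_timeout):
        self.inside_prefix = inside_prefix   # e.g. "10.0." marks the protected side
        self.idle_timeout = idle_timeout     # seconds without traffic before an entry expires
        self.state = {}                      # (src, sport, dst, dport) -> last time seen

    def _inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def _expire(self, now):
        stale = [k for k, last in self.state.items() if now - last > self.idle_timeout]
        for key in stale:
            del self.state[key]

    def handle(self, p):
        """Return the verdict for one packet and update the tracking table."""
        self._expire(p.t)
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if self._inside(p.src) and not self._inside(p.dst):
            # Outbound traffic is what generates the dynamic rule set.
            self.state[flow] = p.t
            return "allow-outbound"
        if reverse in self.state:
            # Inbound packet matches a tracked outbound flow: refresh and allow.
            self.state[reverse] = p.t
            return "allow-reply"
        return "drop"


def client_side_scenario(idle_timeout=300.0):
    """Scenario A: the filter protects the AFS client. The client's fetch creates
    state; a callback a minute later rides on it, but a callback three hours
    later finds the entry expired and is dropped."""
    fw = StatefulFilter("10.0.", idle_timeout)
    fetch = Packet(CLIENT, AFS_CALLBACK_PORT, SERVER, AFS_FILESERVER_PORT, 0.0)
    early_cb = Packet(SERVER, AFS_FILESERVER_PORT, CLIENT, AFS_CALLBACK_PORT, 60.0)
    late_cb = Packet(SERVER, AFS_FILESERVER_PORT, CLIENT, AFS_CALLBACK_PORT, 3 * 3600.0)
    return [fw.handle(fetch), fw.handle(early_cb), fw.handle(late_cb)]


def server_side_scenario(idle_timeout=300.0):
    """Scenario B: the filter protects the AFS server's network. The callback
    leaves the inside, so it is simply a new outbound flow and is allowed."""
    fw = StatefulFilter("198.51.100.", idle_timeout)
    late_cb = Packet(SERVER, AFS_FILESERVER_PORT, CLIENT, AFS_CALLBACK_PORT, 3 * 3600.0)
    return fw.handle(late_cb)


if __name__ == "__main__":
    print("client-side filter:", client_side_scenario())
    print("server-side filter:", server_side_scenario())
```

Raising the idle timeout on the client-side filter (for example `client_side_scenario(idle_timeout=4 * 3600)`) turns the late callback into an allowed reply, which is the knob operators tune when a protocol legitimately stays quiet for hours between related packets.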