[Dshield] Secure computing (was: Port 135)
micheal at cancercare.net
Mon Oct 28 20:07:16 GMT 2002
Bob, I can't tell that you're not missing anything. Many of the worlds top
security analysts will tell you that in today's day and age of the Internet,
it's best to have a tiered security structure of some sort. Personally, I
have access lists at my border router that are pretty open but catch the
most obvious issues (Code Red, netbios, ip spoofing, etc), then I have a
firewall directly behind it that blocks everything by default with the
exception of traffic to the various necessary services that have to be made
available for the company to function. The firewall is stateful for outbound
traffic so dynamic rules are created as needed. These dynamic rules time out
at 120 seconds. The deny rule logs all rejected traffic to give me a pretty
good idea what's trying to get in. If necessary, I have the ability to rate
limit outbound traffic at the firewall as well but so far, that's not been
necessary BUT it is available just in case.
As fart as locations not using / wanting a firewall, IMHO it usually boils
down to 1 of 3 things:
1. Money, 2. Politics and 3. Ignorance (not stupidity)
Re 1: People don't want to spend the money to purchase a hardware firewall.
Nor do they want to take the time to implement any system with one built in
(*BSD, Linux, etc) using IPFW, IPFilter, IPChains, etc. Various companies
that I've run into over the years think that a firewall for a DS3 needs to
be one massive machine when it usually doesn't. I've known many locations
that are running P2 systems with 128mb ram that have been just laying around
doing nothing and are now firewall / packet filter systems and they run fine
as long as that's ALL they do.
Re 2: Persons in charge feel that there is no need to restrict traffic from
their network nor do they make any allowances "just in case" they have a
need to do so. It's all a "damn, what do we do now?" thing when reality
Re 3: People blindly believe that their systems are secure because they're
running latest patches. Not taking into consideration that there may be
other insecure items that just haven't been discovered yet. They trust MS to
completely patch against exploits, etc. They believe that the vendors are
taking action with their best interests in mind. This isn't always true, but
they believe it.
For me, I'd prefer to have as many locks on my network as I can get my hands
----- Original Message -----
From: "Bob Savage" <bsavage at rnr-inc.com>
To: <list at dshield.org>
Sent: Monday, October 28, 2002 8:41 AM
Subject: RE: [Dshield] Secure computing (was: Port 135)
> I know this discussion is way over my head, but I don't understand the
> resistance here to using a firewall of some kind as part of the program.
> I must be missing a basic concept. Why would this be looked at
> differently in an educational institution? Isn't it just common sense
> to put a lock on the door even in a school?
> Bob Savage
More information about the list