[Dshield] Re: File Sharing

Micheal Patterson micheal at cancercare.net
Tue Oct 29 00:37:42 GMT 2002

No offense taken here. I'm a firm believer that there needs to be some sort of packet filter done at least at the ingress router into the network. Better yet to have that and a firewall / packet filter system as well. Honestly, I'd not considered the discounts to education facilities. It had completely slipped my mind. That may not be the mindset of everyone that runs / maintains a network. That's all well and good since I'm not the one that has to worry about it. 


Micheal Patterson
Network Administration
Cancer Care Network

  ----- Original Message ----- 
  From: Ted Miller 
  To: list at dshield.org 
  Sent: Monday, October 28, 2002 12:50 PM
  Subject: [Dshield] Re: File Sharing

  We really should remove cost as a reason for educational institutions to avoid purchasing a hardware firewall. The discounts that the major vendors offer (I am familiar with Cisco & SonicWall, but I am sure the others are similar) for these organizations are really, really sweet. In some cases they go up to a fifty percent discount! 

  In my mind there is a difference between "reason" and "excuse"... cost may be an excuse for not implementing a proper firewall, but it is never a reason. There may be other reasons, but frankly nothing in this discussion has convinced me of it. I feel that a firewall is a necessary line of defense for anyone that is connected to the Internet, be it a home DSL/Cable Modem user, small business, corporation, government entity, or educational institution. 

  Of course, this is only my opinion. I trust that everyone will take this in the spirit of open discussion as intended, and not be offended! 

   Micheal Patterson <micheal at cancercare.net> wrote: 

    Bob, I can't tell that you're not missing anything. Many of the world's top
    security analysts will tell you that in today's day and age of the Internet,
    it's best to have a tiered security structure of some sort. Personally, I
    have access lists at my border router that are pretty open but catch the
    most obvious issues (Code Red, netbios, ip spoofing, etc), then I have a
    firewall directly behind it that blocks everything by default with the
    exception of traffic to the various necessary services that have to be made
    available for the company to function. The firewall is stateful for outbound
    traffic so dynamic rules are created as needed. These dynamic rules time out
    at 120 seconds. The deny rule logs all rejected traffic to give me a pretty
    good idea what's trying to get in. If necessary, I have the ability to rate
    limit outbound traffic at the firewall as well but so far, that's not been
    necessary BUT it is available just in case.

    As far as locations not using / wanting a firewall, IMHO it usually boils
    down to 1 of 3 things:

    1. Money, 2. Politics and 3. Ignorance (not stupidity)

    Re 1: People don't want to spend the money to purchase a hardware firewall.
    Nor do they want to take the time to implement any system with one built in
    (*BSD, Linux, etc) using IPFW, IPFilter, IPChains, etc. Various companies
    that I've run into over the years think that a firewall for a DS3 needs to
    be one massive machine when it usually doesn't. I've known many locations
    that are running P2 systems with 128MB RAM that have been just laying around
    doing nothing and are now firewall / packet filter systems and they run fine
    as long as that's ALL they do.

    Re 2: Persons in charge feel that there is no need to restrict traffic from
    their network nor do they make any allowances "just in case" they have a
    need to do so. It's all a "damn, what do we do now?!" thing when reality

    Re 3: People blindly believe that their systems are secure because they're
    running the latest patches, not taking into consideration that there may be
    other insecure items that just haven't been discovered yet. They trust MS to
    completely patch against exploits, etc. They believe that the vendors are
    taking action with their best interests in mind. This isn't always true, but
    they believe it.

    For me, I'd prefer to have as many locks on my network as I can get my hands


    Micheal Patterson
    Network Administration

    ----- Original Message -----
    From: "Bob Savage" 
    Sent: Monday, October 28, 2002 8:41 AM
    Subject: RE: [Dshield] Secure computing (was: Port 135)

    > I know this discussion is way over my head, but I don't understand the
    > resistance here to using a firewall of some kind as part of the program.
    > I must be missing a basic concept. Why would this be looked at
    > differently in an educational institution? Isn't it just common sense
    > to put a lock on the door even in a school?
    > Bob Savage

    Dshield mailing list
    Dshield at dshield.org
    To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
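An added example, not code from any post in this thread: a small Python model of the tiered setup Micheal describes (a loose border ACL catching spoofed sources and netbios noise, then a default-deny stateful firewall whose dynamic rules time out after 120 seconds and whose deny rule logs every reject). The addresses, ports and the published-service list are constructed for the demo.

```python
from collections import Counter
DYNAMIC_TIMEOUT = 120                                # seconds, as stated in the post
PUBLISHED = {("10.0.0.25", 25), ("10.0.0.80", 80)}   # constructed: mail and web servers
BORDER_DROP_PORTS = {135, 137, 138, 139, 445}        # constructed: netbios-style noise

class TieredFilter:
    """Loose border ACL in front of a default-deny stateful firewall."""
    def __init__(self):
        self.dynamic = {}    # (src, sport, dst, dport) -> expiry time
        self.deny_log = []   # (stage, packet) entries the deny rule logged

    def border_acl(self, pkt):
        """Catch the obvious: spoofed internal sources and netbios ports."""
        direction, src, _sport, _dst, dport = pkt
        if direction == "in" and src.startswith("10.0.0."):  # constructed internal prefix
            return False                             # anti-spoofing
        return dport not in BORDER_DROP_PORTS

    def process(self, pkt, now):
        """Return True if the packet is forwarded, False if dropped."""
        if not self.border_acl(pkt):
            self.deny_log.append(("border", pkt))
            return False
        # dynamic rules time out after 120 s without traffic
        self.dynamic = {k: t for k, t in self.dynamic.items() if t > now}
        direction, src, sport, dst, dport = pkt
        if direction == "out":                       # stateful outbound
            self.dynamic[(dst, dport, src, sport)] = now + DYNAMIC_TIMEOUT
            return True
        if (src, sport, dst, dport) in self.dynamic: # reply to our session
            self.dynamic[(src, sport, dst, dport)] = now + DYNAMIC_TIMEOUT
            return True
        if (dst, dport) in PUBLISHED:                # explicit service hole
            return True
        self.deny_log.append(("firewall", pkt))      # default deny, logged
        return False

    def deny_summary(self):
        """What's trying to get in: rejected (stage, source, port) counts."""
        return Counter((stage, p[1], p[4]) for stage, p in self.deny_log)

def demo():
    fw = TieredFilter()  # constructed traffic: a session, its replies, probes
    out = ("out", "10.0.0.5", 40000, "198.51.100.9", 443)
    reply = ("in", "198.51.100.9", 443, "10.0.0.5", 40000)
    verdicts = (fw.process(out, 0), fw.process(reply, 60), fw.process(reply, 300),
                fw.process(("in", "203.0.113.7", 1234, "10.0.0.80", 80), 300),
                fw.process(("in", "203.0.113.7", 1234, "10.0.0.5", 22), 300),
                fw.process(("in", "10.0.0.9", 1234, "10.0.0.80", 80), 300),
                fw.process(("in", "203.0.113.7", 1234, "10.0.0.5", 139), 300))
    return verdicts, fw.deny_summary()
```

The third verdict shows the reply being rejected once the 120-second dynamic rule has lapsed, and the summary is the "what's trying to get in" view the logged deny rule gives.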
