[Dshield] Re: Risk Assessment
brian at dessent.net
Fri Oct 22 23:14:54 GMT 2004
Mar Matthias Darin wrote:
> 2. Careful study of all required services and making sure that ONLY their
> appropriate protocol is referenced.
> Example: specs on port 80 say both tcp and udp are used. tcpdump
> monitoring says my web server uses only tcp. udp is blocked. Same
> thing with my mail server, tcp only on tcpdump.
If you need to use tcpdump to know that your webserver doesn't use UDP
then you are really missing the point.
> I allow only the protocol my servers use irregardless of the specs.
> I have spent 4 years studying this.
...and risk breaking some protocols in some corner cases that you never
saw in your hasty testing.
> 5. Severe limits on my email server:
> 1. No literal ip connections.
I think you mean "no literal IP addresses in the HELO." Every
connection is a "literal IP" at the network stack layer.
> 4. Mail is not accepted from any IP address that does NOT have a
> reverse DNS lookup.
Try that on a large server and see how well it works. You will find
that you get a lot of false positives. Yes, there are lots of clueless
mail admins that run servers without rDNS, but that's life.
> 6. No ICMP packets allowed at all.
Now this is just idiotic. You should at least allow type 3/code 4
(Needs Fragmentation) so that you don't break path MTU discovery. See
also <http://alive.znep.com/~marcs/mtu/>. It's also probably good to
enable type 11/code 0 (Time Exceeded) so that traceroute works. And
finally 8/0 and 0/0 for ping. If you really want to disable ping then
filter it, but I think that's false security. If you think that having
traceroute and ping is a security vulnerability then you really need to
read more about how TCP/IP works and stop reading rants from Steve
Gibson and the like. Certainly you want to filter most other ICMP types
but blindly filtering ALL ICMP is bad, it's "goober with a firewall"
syndrome - "OH NO A PING! HAXX0RS ARE PINGING ME!"
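The ICMP policy described in the reply above (allow 3/4, 11/0, 8/0 and 0/0, drop the rest) expressed as a packet-filter check, as an added example that is not part of the original post; the `ALLOWED_ICMP` table, the `filter_icmp` helper and the byte-level ICMP messages it is fed are constructed for illustration.

```python
import struct

# (type, code) pairs the reply recommends passing; everything else is dropped.
# Constructed allowlist from the discussion above, not any product's defaults.
ALLOWED_ICMP = {
    (3, 4),   # Destination Unreachable / Fragmentation Needed: path MTU discovery
    (11, 0),  # Time Exceeded / TTL expired in transit: traceroute
    (8, 0),   # Echo Request: ping
    (0, 0),   # Echo Reply: ping
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Constructed ICMP message with a valid checksum, for offline testing."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload


def filter_icmp(packet: bytes) -> str:
    """Return 'accept' or 'drop' for a raw ICMP message under the allowlist."""
    if len(packet) < 8:
        return "drop"          # shorter than an ICMP header: malformed
    if icmp_checksum(packet) != 0:
        return "drop"          # checksum over a valid message folds to zero
    icmp_type, code = packet[0], packet[1]
    return "accept" if (icmp_type, code) in ALLOWED_ICMP else "drop"


if __name__ == "__main__":
    # Fragmentation Needed carrying the first 28 bytes of the offending datagram.
    print(filter_icmp(build_icmp(3, 4, b"\x45\x00" + b"\x00" * 26)))  # accept
    print(filter_icmp(build_icmp(5, 1)))                               # drop (redirect)
```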