[Dshield] Re: Risk Assessment

Brian Dessent brian at dessent.net
Fri Oct 22 23:14:54 GMT 2004


Mar Matthias Darin wrote:

> 2.  Careful study of all required services and making sure that ONLY their
>    appropriate protocol is referenced.
> 
>    Example: specs on port 80 say both tcp and udp are used.  tcpdump
>    monitoring says my web server uses only tcp.  udp is blocked.  Same
>    thing with my mail server, tcp only on tcpdump.

If you need to use tcpdump to know that your webserver doesn't use UDP
then you are really missing the point.

>    I allow only the protocol my servers use regardless of the specs.
>    I have spent 4 years studying this.

...and risk breaking some protocols in some corner cases that you never
saw in your hasty testing.

> 5.  Severe limits on my email server:
>    1.  No literal ip connections.

I think you mean "no literal IP addresses in the HELO."  Every
connection is a "literal IP" at the network stack layer.

>    4.  Mail is not accepted from any IP address that does NOT have a
>        reverse DNS lookup.

Try that on a large server and see how well it works.  You will find
that you get a lot of false positives.  Yes, there are lots of clueless
mail admins that run servers without rDNS, but that's life.

> 6.  No ICMP packets allowed at all.

Now this is just idiotic.  You should at least allow type 3/code 4
(Needs Fragmentation) so that you don't break path MTU discovery.  See
also <http://alive.znep.com/~marcs/mtu/>.  It's also probably good to
enable type 11/code 0 (Time Exceeded) so that traceroute works.  And
finally 8/0 and 0/0 for ping.  If you really want to disable ping then
filter it, but I think that's false security.  If you think that having
traceroute and ping is a security vulnerability then you really need to
read more about how TCP/IP works and stop reading rants from Steve
Gibson and the like.  Certainly you want to filter most other ICMP types
but blindly filtering ALL ICMP is bad, it's "goober with a firewall"
syndrome - "OH NO A PING!  HAXX0RS ARE PINGING ME!"

Brian
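The ICMP policy Brian lays out above (permit 3/4, 11/0, 8/0 and 0/0, filter the rest) as working code. This is an added example, not part of the original post or the list's material. It parses ICMP headers with RFC 1071 checksum verification, pulls the Next-Hop MTU field (RFC 1191) out of a Fragmentation Needed message to show what path MTU discovery actually depends on, applies the allow-list, and renders the same policy as iptables rules. The packets are constructed inline, the MTU value 1400 is arbitrary, and the per-packet stateless verdict is my simplification (a real firewall would also track state).

```python
"""Added example (not from the original mailing-list post): an ICMP
allow-list filter matching the types/codes recommended above.

Assumptions (mine): IPv4 only, a stateless per-message verdict, and
constructed ICMP messages as input rather than live captures.
"""
import struct

# Policy from the post: 3/4 Fragmentation Needed (keeps PMTUD working),
# 11/0 Time Exceeded in transit (traceroute), 8/0 Echo Request and
# 0/0 Echo Reply (ping).  Everything else is dropped.
ALLOWED = {(3, 4), (11, 0), (8, 0), (0, 0)}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message.
    Over a message whose checksum field is already correct it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int,
               rest: bytes = b"\x00\x00\x00\x00", payload: bytes = b"") -> bytes:
    """Build an ICMP message (type, code, checksum, 4 'rest of header'
    bytes, payload) with a valid checksum.  Used to construct test input."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def frag_needed(next_hop_mtu: int) -> bytes:
    """Constructed Type 3/Code 4: two unused bytes, two-byte Next-Hop MTU
    (RFC 1191), then the offending datagram's IP header + 8 bytes (a stub
    here, not a real header)."""
    rest = struct.pack("!HH", 0, next_hop_mtu)
    inner = b"\x45\x00\x05\xdc" + b"\x00" * 24  # constructed IPv4 header stub
    return build_icmp(3, 4, rest, inner)


def parse_icmp(msg: bytes) -> dict:
    """Parse type/code, verify the checksum, and for 3/4 extract the MTU
    the sending router is asking us to use."""
    if len(msg) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    icmp_type, code, _csum = struct.unpack("!BBH", msg[:4])
    if checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    info = {"type": icmp_type, "code": code}
    if (icmp_type, code) == (3, 4):
        info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
    return info


def verdict(msg: bytes) -> str:
    """ACCEPT only well-formed messages whose type/code is on the list."""
    try:
        info = parse_icmp(msg)
    except ValueError:
        return "DROP"  # malformed or corrupted: never let it through
    return "ACCEPT" if (info["type"], info["code"]) in ALLOWED else "DROP"


def iptables_rules(chain: str = "INPUT") -> list:
    """Render the same policy as iptables rules (numeric type/code form)."""
    lines = [f"iptables -A {chain} -p icmp --icmp-type {t}/{c} -j ACCEPT"
             for t, c in sorted(ALLOWED)]
    lines.append(f"iptables -A {chain} -p icmp -j DROP")
    return lines


if __name__ == "__main__":
    for label, msg in [("echo request", build_icmp(8, 0)),
                       ("frag needed", frag_needed(1400)),
                       ("redirect 5/1", build_icmp(5, 1))]:
        print(f"{label:14} -> {verdict(msg)}")
    print("\n".join(iptables_rules()))
```

The 3/4 message is the interesting one: a host that never sees it keeps retransmitting full-size segments with DF set and the connection stalls, which is the PMTU black hole the post links to. On a stateful firewall you would normally admit 3/4 and 11/0 only as RELATED to an existing flow and rate-limit 8/0, but the allow-list itself is the same.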
