[Dshield] Possible solution for ISP (was DShield's public goals)

Frank Knobbe frank at knobbe.us
Thu Jan 19 19:31:31 GMT 2006


On Thu, 2006-01-19 at 09:44 -0500, Valdis.Kletnieks at vt.edu wrote:
> Well, if the UPnP request came from 192.168.10.4, it's Joe, if it came
> from 198.168.10.8, it's Suzie.  This isn't rocket science. ;)

Right, but your firewall doesn't configure itself accordingly. The UPnP
request supplies the default gateway to the user. That's pretty much it.
No inbound NAT forwarding to Joe's PC is configured.

> > Remember, all you need is HTTPS open outbound, and more programs than
> > you like can tunnel outbound and inbound data across that. ;)
> 
> You sure you want to point that out?  :)

Don't think that's a big secret. :)  There are plenty of other ways to
turn a firewall into a sieve, more ways than I care to publicize. ;)

> You're making the case that heavy-handed per-port blocking doesn't do any
> benefit security-wise, 

No, no, I'm not commenting at all on port blocking. I was staying out of
that debate on purpose. I'm just saying that the argument that firewalls
prevent things from working is becoming less true. Software these days
finds ways around a firewall, for both outbound and inbound traffic.

(Look at AIM and the things it pulls to connect through a firewall...
let's try AIM... doesn't work? Let's try 80, 443, even frigging
TELNET...argh! )

> because all it actually accomplishes is to make all the
> malware use SSL over port 443 to tunnel out, where Snort and similar tools
> can't see the malware anymore....

Ever wonder why so many botnets still run in clear-text IRC? Because the
encrypted ones are harder to spot. :)  That doesn't mean that what you
don't see doesn't exist :) 
There are more ways to blind IDSes (not just Snort) than just SSL.
That's not the point, and we're drifting from the topic faster than the
reader can say "What the heck is he talking about..." ;)


To bring this back on topic (or to confuse it more), why don't we
mention the magic word IPS? Comcast is using those fabled Instant
Protection Systems. Is it helping? How about other ISPs? Maybe instead
of just port blocking, an IPS might help? Instead of denying port 25 to
a customer's PC, how about denying the SMTP protocol, regardless of what
port it's running on.

(Bonus question, since you usually like to ask those ;) How many woes
has Comcast experienced with IPSes within the last year?)

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
