Security Basics mailing list archives
RE: Patching a Firewall
From: "Gino Genari" <mail226518 () pop net>
Date: Tue, 16 Sep 2003 07:38:00 -0400
Yes, the OS needs to be patched, i.e. Windows ISA Server, Blaster and the Welchia worm. From the outside, these worms will not compromise the box because the server is not listening on port 135 or 80 (by default not publishing servers). But alas, a worm on the inside of the network WILL install itself to the ISA server if it is not patched, because by default, port 135 is listening on the inside interface. Please remember, your mileage may vary due to your individual installation.

Gino.

-----Original Message-----
From: Robert Mezzone [mailto:Robert.Mezzone () PJSolomon Com]
Sent: Monday, September 15, 2003 7:17 AM
To: 'security-basics () securityfocus com'
Subject: Re: Patching a Firewall

I really wasn't looking to get into a Unix/Windows war. It was more of a theoretical question. Can a Unix box be hardened more than a Windows box? I don't know, since my Unix exposure is minimal, but there are a lot of things that can be done to a Windows machine to lock it down pretty tight. Can it be hacked? Probably, but I would imagine anything can, given enough time.

I guess you are right about the firewall accepting connections to itself, although I would think it would be slightly more secure when there is no remote administration taking place. Then again, I could be wrong.

You're not the only person to make this mistake, but not all investment banking firms deal with money.

Thanks for your comments.

Robert

-----Original Message-----
From: Jimi Thompson <jimit () myrealbox com>
To: Robert Mezzone <Robert.Mezzone () PJSolomon Com>; 'security-basics () securityfocus com' <security-basics () securityfocus com>
Sent: Sun Sep 14 14:04:48 2003
Subject: Re: Patching a Firewall

Robert,

Item 1 - I would never run Windows as a firewall, simply because of the extreme difficulty in hardening the OS to prevent it from being exploited. I have heard of this being done, but I've never observed it in a reputable shop.
Most places either use a device that is specifically a firewall or a hardened *nix OS (i.e. Solaris, Trusted Solaris, Trusted FreeBSD, NSA Secure Linux, Bastille, etc.). The reason for using a *nix OS is so that services which are not needed can be removed from the box without causing a major disruption to the OS. Think of what would happen if you tried to uninstall NetBIOS from Windows.

Item 2 - If the OS on your firewall has a vulnerability, your firewall itself is vulnerable. If I can get your OS to cooperate and give me "root" or "Administrator", I can change your firewall rules, logging, user accounts, etc. to suit myself.

Item 3 - Your firewall, for management purposes, probably accepts connections to itself. The question then becomes where does it accept connections from and, if you are a hacker, how can I spoof that? ANYTHING that's not physical layer can be spoofed, and even that's not a guarantee that someone sneaky hasn't installed a device somewhere to trip you up.

I notice from your email address that you are with an investment banker. That means you deal with money. Any time cash is involved, especially transferring cash electronically, your level of paranoia should be very, very high (like almost ready to cart you off in the "I love me jacket"). Never mind the SEC regulations.....

2 Cents,
Jimi

At 8:15 AM -0400 9/12/03, Robert Mezzone wrote:
I want to start off by saying my firewall is fully patched. That being said, my question is... Is it a big security risk if the OS (say Windows) running the firewall box is not fully patched? My reasoning that it isn't is because the firewall should be configured to drop any connections to itself. Or, being the firewall has to at least initially accept the packet in order to inspect it, enough to exploit a vulnerability.

Robert

---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Precisely Define and Implement Network Security
- Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW - FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
---------------------------------------------------------------------------
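The point Gino makes above (a service the outside interface never answers on can still be wide open on the inside interface) is easy to check for rather than assume. The script below is an added example, not code from anyone in this thread: it parses the `netstat -an` output format of a Windows host, maps every listening socket to the interfaces it is bound on, and applies an assumed per-interface inbound filter so that TCP 135, hidden on the outside by the filter but bound to 0.0.0.0, is reported as reachable from the inside. The interface addresses, the filter policy and the netstat sample are all constructed for the example.

```python
"""Per-interface listener audit for a dual-homed Windows firewall host.

Constructed example, not code from the list thread: it parses the output
format of `netstat -an` on Windows, maps each listening socket to the
interfaces it is bound on, and applies an assumed inbound filter policy so
that a service the packet filter hides on the outside interface (TCP 135
here) still shows up as reachable from the inside network.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical interface addresses; replace with the firewall's own.
INTERFACES: Dict[str, str] = {
    "outside": "203.0.113.10",
    "inside": "192.168.1.1",
}

# Hypothetical inbound policy: the set of ports the filter admits on that
# interface, or None for "no inbound filtering" (the usual inside-interface case).
INBOUND_FILTER: Dict[str, Optional[Set[int]]] = {
    "outside": {8080},
    "inside": None,
}

# Ports the Blaster and Welchia worms spread through (TCP 135 RPC/DCOM, TCP 80).
WORM_PORTS: Set[int] = {135, 80}

# Constructed sample in `netstat -an` format; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.1:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.1:3389       0.0.0.0:0              LISTENING
  TCP    192.168.1.1:3389       192.168.1.57:1042      ESTABLISHED
  TCP    203.0.113.10:8080      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str  # "TCP" or "UDP"
    addr: str   # local bind address; "0.0.0.0" means every interface
    port: int


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Extract bound sockets; established TCP connections are ignored."""
    listeners: List[Listener] = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[1]
        # UDP rows carry no state column; a bound UDP socket is always reachable.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        addr, _, port = local.rpartition(":")
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def reachable(listeners: List[Listener],
              interfaces: Dict[str, str],
              inbound_filter: Dict[str, Optional[Set[int]]]) -> Dict[str, List[Tuple[str, int]]]:
    """Sockets a peer on each interface can actually connect to.

    A socket counts if it is bound to the wildcard address or to that
    interface's address, and the interface's inbound filter admits the port
    (or there is no filter on that interface at all).
    """
    result: Dict[str, List[Tuple[str, int]]] = {}
    for name, ip in interfaces.items():
        allowed = inbound_filter.get(name)
        hits = set()
        for sock in listeners:
            bound_here = sock.addr in ("0.0.0.0", ip)
            if bound_here and (allowed is None or sock.port in allowed):
                hits.add((sock.proto, sock.port))
        result[name] = sorted(hits)
    return result


def worm_exposed_ports(listeners: List[Listener],
                       interfaces: Dict[str, str],
                       inbound_filter: Dict[str, Optional[Set[int]]],
                       worm_ports: Set[int] = WORM_PORTS) -> Dict[str, List[int]]:
    """Per interface, the worm-targeted TCP ports a peer can reach."""
    return {
        name: sorted(port for proto, port in socks if proto == "TCP" and port in worm_ports)
        for name, socks in reachable(listeners, interfaces, inbound_filter).items()
    }


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for iface, socks in reachable(found, INTERFACES, INBOUND_FILTER).items():
        print(f"{iface:8s} reachable: {socks}")
    print("worm-targeted ports reachable:", worm_exposed_ports(found, INTERFACES, INBOUND_FILTER))
```

Run on the sample, the outside interface reports only TCP 8080, while the inside interface reports TCP 135, 139, 445, 3389 and UDP 137; the worm check returns nothing for outside and 135 for inside, which is exactly the case Gino describes. On a real host, feed it the actual `netstat -an` output and the filter's real inbound rules; anything bound to 0.0.0.0 deserves a second look, since it is the packet filter alone, not the bind address, that keeps it off the outside.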
Current thread:
- Patching a Firewall Robert Mezzone (Sep 12)
- Re: Patching a Firewall Jimi Thompson (Sep 15)
- RE: Patching a Firewall dave kleiman (Sep 16)
- RE: Patching a Firewall Jimi Thompson (Sep 16)
- Re: Patching a Firewall James Fields (Sep 19)
- RE: Patching a Firewall dave kleiman (Sep 16)
- Re: Patching a Firewall Birl (Sep 15)
- <Possible follow-ups>
- RE: Patching a Firewall Thomas F. Szabo (Sep 15)
- Re: Patching a Firewall Robert Mezzone (Sep 15)
- Re: Patching a Firewall Ansgar Wiechers (Sep 16)
- RE: Patching a Firewall Gino Genari (Sep 16)
- RE: Patching a Firewall brossini (Sep 17)
- Re: Patching a Firewall Jimi Thompson (Sep 15)