Security Basics mailing list archives
Re: Firewall question - how easy is it to get thru - Proof
From: Todd Haverkos <infosec () haverkos com>
Date: Tue, 15 Feb 2011 11:39:29 -0600
"Rivest, Philippe" <PRivest () transforcecompany com> writes:
Quick question. When I do an audit and when I find a major flaw or deficiency, IT always tells me "it's because you're in the internal LAN, we have a firewall protecting us". I know you have all heard that. So I try to explain that you could attack thru physical security, social engineering, virus and a lot of other ways and in the end I always add "Someone more "expert" in Firewall could bypass it".
Hi Philippe,

Four words: client-side browser exploits. If they allow outbound web access, and they aren't exceedingly fastidious about patching the OS and third party internet facing applications (most commonly Java if installed, Flash, Reader, Shockwave, and Quicktime), they _will_ get owned by way of traffic their firewall is allowing outbound.

That's the one to drive home, especially if trying to sell them on vulnerability management of desktops or (gulp) servers on which anyone is tempted to run a web browser to search for anything ever. Drive-by downloads, exploit packs, or spear phishing attacks are among those the firewall isn't going to help mitigate one iota. And once the attacker has an internal toehold, calling back out to him via the straight TCP, or DNS or http that their firewall invariably allows out of their environment, the race to domain administrator is usually a short one and the game is over.

Inbound-wise... does your client run web or mail servers? Are the issues you're finding web application or mail application related? If so, the firewall is a don't-care in those scenarios too because the attack will succeed over a channel their firewall is allowing by policy.

If in a pinch you could always tell them "Firewall? The 90's called and they want their model of security back. No, your firewall isn't going to protect you. And--by the way--neither is your anti-virus." While true, saying that in those terms generally isn't very professional, however.

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/