Firewall Wizards mailing list archives

RE: Code Red: What security specialist don't mention in warnings


From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Sat, 4 Aug 2001 15:20:44 -0500


-----Original Message-----
From: Nate Campi [mailto:nate () campi cc]
Sent: Saturday, August 04, 2001 2:55 PM

Not true in our shop. Our web front-ends on one of the two news sites I
maintain have to connect outbound to several external services for
different content.

Of course this doesn't mean we allow all outbound connections. All
outbound connections are denied by default, and when building out
the architecture for a service such as this, we have the netops
guys/gals set up ACLs to allow only the outbound connections we
need.

My point is that even when outbound connections are necessary, you
can still reduce your risk, as we have.

Nate,

absolutely correct. Any service you need should be allowed, but the
rest blocked. For payment processing systems for example you would
allow outbound access only for that service and only to that (set of)
destination(s).

This limitation can be done by service, by destination address, and
by time (which is often overlooked). My web servers for example allow
outbound connections to automatically update virus signatures every
night. The outbound connection is allowed only for HTTP and FTP, only
to the place where the signature files are, and only for about 15
minutes at 4am in the morning.

But at least you and I are putting some restrictions on it. I have
seen web servers that were sitting naked right behind a router
without router ACLs. Those are the boxes owned by exploits and used
as stepping stones. If people would put restrictions on their network
connections, they would enhance their security .... oh well, I'm
preaching to the choir again.

The reason I had posted the Code Red rant was that none of the
advisories even mentioned other counter measures. They only focused
on the patch. How will we be able to educate people and help them
secure their systems when we don't show them the whole picture?
Slapping a patch on is just a band-aid. It doesn't do anything to get
them thinking proactively with the larger picture in front of them.
I'm very disappointed in the authors of those advisories...

Regards,
Frank

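As an added illustration of the three-way egress restriction Frank describes (by service, by destination, and by time), the following Python policy evaluator is not from the thread or from any product; it applies a default-deny outbound policy to constructed connection attempts. The update host address, the 04:00 to 04:15 window and the sample attempts are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

def in_window(t, start, end):
    """True if clock time t lies in the daily window [start, end).
    Handles windows that cross midnight, e.g. 23:50 to 00:10."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

@dataclass(frozen=True)
class EgressRule:
    """One permitted outbound flow: service (proto/port), destination, time window."""
    proto: str
    dport: int
    dst_net: str  # CIDR; a single host is /32
    start: time
    end: time

    def allows(self, proto, dport, dst, when):
        return (proto == self.proto and dport == self.dport
                and ip_address(dst) in ip_network(self.dst_net)
                and in_window(when.time(), self.start, self.end))

# Constructed policy for the web server in the mail: signature updates over
# HTTP and FTP (control channel only) to one update host, 04:00 to 04:15 daily.
# 192.0.2.10 is a documentation-range placeholder, not a real update server.
UPDATE_HOST = "192.0.2.10/32"
WINDOW = (time(4, 0), time(4, 15))
POLICY = [EgressRule("tcp", 80, UPDATE_HOST, *WINDOW),
          EgressRule("tcp", 21, UPDATE_HOST, *WINDOW)]

def egress_decision(proto, dport, dst, when, policy=POLICY):
    """Default deny: 'allow' only when a rule matches on all three dimensions."""
    return "allow" if any(r.allows(proto, dport, dst, when) for r in policy) else "deny"

# Constructed outbound attempts (label, proto, dport, dst, timestamp); not real traffic.
ATTEMPTS = [
    ("nightly HTTP signature fetch", "tcp", 80, "192.0.2.10", datetime(2001, 8, 4, 4, 5)),
    ("update host, but at midday", "tcp", 80, "192.0.2.10", datetime(2001, 8, 4, 13, 0)),
    ("port 80 to an arbitrary host", "tcp", 80, "198.51.100.7", datetime(2001, 8, 4, 4, 5)),
    ("SMTP from the web server", "tcp", 25, "192.0.2.10", datetime(2001, 8, 4, 4, 5)),
]

def evaluate(attempts=ATTEMPTS, policy=POLICY):
    """Map each attempt to its decision; every 'deny' is an event worth logging."""
    return {label: egress_decision(p, d, dst, when, policy)
            for label, p, d, dst, when in attempts}
```

A web server that is only allowed to reach one host on two ports for fifteen minutes a day gives a worm very little to work with, and any denied attempt outside that window is a useful alert.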