Firewall Wizards mailing list archives

Re: Variations of firewall ruleset bypass via FTP


From: Paul Robertson <proberts () patriot net>
Date: Fri, 11 Oct 2002 15:49:12 -0400 (EDT)

On Sat, 12 Oct 2002, Darren Reed wrote:

> This deserves more treatment than I have given it because I'm
> sure it is a reflection of an attitude people form when they
> have no understanding of roles and responsibilities people have,
> never mind what "software engineering" is, beyond a simple "hack
> on it" mentality.

I think you're taking it more personally than you should[1]; let me see if 
I can take a less inflammatory stance...

> So your reading, of my saying meaning the "someone else" to be the
> users is quite incorrect.  What I said was, literally, quite correct.

I think what Mikael's concern was (and he'll pipe up if I'm wrong, I'm 
sure) is that folks looking at the vuln. note will see "IPFilter- Not 
vulnerable." and stop there, rather than looking for a Net- or Free- 
entry.  "Check the specific OS line, or your version number, or upgrade." 
Might be more helpful too.

Please note I'm saying this with no direct evidence that the versions 
shipping with any prior version of Net- are or aren't vulnerable- because 
I think that's irrelevant to the point.  

It's really about making sure people know they should upgrade, not about a 
particular implementation.  That's why I think it was irresponsible for 
anyone else to talk about IPF's status, but if they shouldn't, then you 
most certainly need to- and it should be verbose enough to ensure that 
folks using IPF don't get the wrong idea.  

Let's face it, most people don't run up-to-date systems, and we need to 
point them to upgrades when we can.  It may well be the responsibility of 
the individual admin to check and read and dig for info, but since we 
*know* that's going to fail more times than it doesn't (and this isn't a 
shot at Net- admins; most of my evidence is based on OTHER *nix OSes, I'm 
just not sure the Net- folks are any different than anyone else), we can 
make it easier to encourage people to upgrade, or not, and I think a lot 
of us are advocating that, nothing more.

If I were still admining NetBSD systems in production, I'd look at the IPF 
entry well before I'd look at the NetBSD entry because I'd expect you to 
have more complete and accurate information.  Maybe that's the wrong way 
to look at it, but I think that's the gist of the case Mikael proposed.

Paul
[1] Yes, that's really easy to say when you're not the person under fire.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards