Firewall Wizards mailing list archives

Re: terminal services


From: "Steven M. Bellovin" <smb () research att com>
Date: Tue, 28 Jan 2003 18:08:43 -0500

In message <B6200F7A96BCD211864900A0C9D8173814C5453E () es01-hou bmc com>, "Noonan, Wesley" writes:
I am not trying to pick on anyone here, but I have some
comments/observations inline.

Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan () bmc com
http://www.bmc.com


-----Original Message-----
From: Steven M. Bellovin [mailto:smb () research att com]
Sent: Tuesday, January 28, 2003 15:02
To: natfirewall () netscape net
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] terminal services
<snip>

Note -- I'm *not* saying that just because it's Microsoft.  Rather, I'm
pointing out the danger of opening extra holes in your firewall.  Ask
yourself this:  how did Microsoft (and others) get the infection on the
*inside* of its firewall?  

Through things like VPN connections in many cases. In others, you are
certainly correct that opened ports didn't help anything. My point is simply
that a VPN is a hole in the firewall, albeit generally a mitigated hole,
which carries many of the same risks as if someone was just punching holes
through the firewall anyway.

Right -- it's mitigated.  You need defense in depth.

The issue isn't just that people inside
didn't patch their machines (though by my analysis, to a first
approximation virtually every machine they own was likely to be
vulnerable)

I actually disagree here. The issue with slammer/sapphire is precisely that
people didn't patch their machines.

If every user and every system administrator were to run their machines
absolutely locked-down -- with unused services turned off, all software
fully patched, and allowable services using strong authentication (and
perhaps crypto) to ensure that only authorized clients connected, we
wouldn't need firewalls.  The purpose of a firewall is to provide a
more scalable solution -- a barrier that (helps to) protect networks
when people don't do those things.

Sure, people should patch their software.  It's not going to happen
universally.  Sometimes, it's sloppy administration.  That was
certainly one factor here.  Sometimes, it's because the patch is hard
to install (MS-SQL SP3 was easy to install, but that was only a week
old; the six-month-old patch was very difficult to install).  Sometimes
it's because you're crazy to install a random patch on a production
machine until you've tested it -- patches tend to be buggier than
release code, and tend to break other software.  In that case, you've
committed a denial of service attack on yourself.  Sometimes, you don't
know about the hole or the patch.  Given how many Microsoft products
could install the code, I dare say that many people didn't even know
they were running an SQL server.  (Office XP included it as an optional
component.  Would you have guessed that?  I sure wouldn't have.)

We can point fingers at Microsoft for not understanding the severity of 
the hole, and hence not giving the patch grade-A service, i.e., 
something that's handled automatically by Windows Update.  But as I 
said, my response has nothing whatsoever to do with Microsoft.

I personally can secure, to my rather high standards, a few machines.
I can't do that for every machine in the company -- even a small 
company.  All it takes is one random new machine to be plugged in and 
you're much more vulnerable than you were.  *That's* why we have 
firewalls -- as one more layer of defense.


                --Steve Bellovin, http://www.research.att.com/~smb (me)
                http://www.wilyhacker.com (2nd edition of "Firewalls" book)


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards