Firewall Wizards mailing list archives
Re: terminal services
From: "Steven M. Bellovin" <smb () research att com>
Date: Tue, 28 Jan 2003 18:08:43 -0500
In message <B6200F7A96BCD211864900A0C9D8173814C5453E () es01-hou bmc com>, "Noonan, Wesley" writes:
> I am not trying to pick on anyone here, but I have some comments/observations inline.
>
> Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
> Senior QA Rep.
> BMC Software, Inc.
> (713) 918-2412
> wnoonan () bmc com
> http://www.bmc.com
>
> -----Original Message-----
> From: Steven M. Bellovin [mailto:smb () research att com]
> Sent: Tuesday, January 28, 2003 15:02
> To: natfirewall () netscape net
> Cc: firewall-wizards () honor icsalabs com
> Subject: Re: [fw-wiz] terminal services
>
> <snip>
>
> > Note -- I'm *not* saying that just because it's Microsoft. Rather, I'm
> > pointing out the danger of opening extra holes in your firewall. Ask
> > yourself this: how did Microsoft (and others) get the infection on the
> > *inside* of its firewall?
>
> Through things like VPN connections in many cases. In others, you are certainly correct that opened ports didn't help anything. My point is simply that a VPN is a hole in the firewall, albeit generally a mitigated hole, which carries many of the same risks as if someone was just punching holes through the firewall anyway.
Right -- it's mitigated. You need defense in depth.
> > The issue isn't just that people inside didn't patch their machines
> > (though by my analysis, to a first approximation virtually every machine
> > they own was likely to be vulnerable)
>
> I actually disagree here. The issue with slammer/sapphire is precisely that people didn't patch their machines.
If every user and every system administrator were to run their machines absolutely locked-down -- with unused services turned off, all software fully patched, and allowable services using strong authentication (and perhaps crypto) to ensure that only authorized clients connected, we wouldn't need firewalls. The purpose of a firewall is to provide a more scalable solution -- a barrier that (helps to) protect networks when people don't do those things.

Sure, people should patch their software. It's not going to happen universally. Sometimes, it's sloppy administration. That was certainly one factor here. Sometimes, it's because the patch is hard to install (MS-SQL SP3 was easy to install, but that was only a week old; the six-month-old patch was very difficult to install). Sometimes it's because you're crazy to install a random patch on a production machine until you've tested it -- patches tend to be buggier than release code, and tend to break other software. In that case, you've committed a denial of service attack on yourself. Sometimes, you don't know about the hole or the patch. Given how many Microsoft products could install the code, I dare say that many people didn't even know they were running an SQL server. (Office XP included it as an optional component. Would you have guessed that? I sure wouldn't have.)

We can point fingers at Microsoft for not understanding the severity of the hole, and hence not giving the patch grade-A service, i.e., something that's handled automatically by Windows Update. But as I said, my response has nothing whatsoever to do with Microsoft.

I personally can secure, to my rather high standards, a few machines. I can't do that for every machine in the company -- even a small company. All it takes is one random new machine to be plugged in and you're much more vulnerable than you were. *That's* why we have firewalls -- as one more layer of defense.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards