Firewall Wizards mailing list archives

RE: terminal services


From: "Paul D. Robertson" <proberts () patriot net>
Date: Tue, 28 Jan 2003 18:56:21 -0500 (EST)

On Tue, 28 Jan 2003, R. DuFresne wrote:

> the last time M$-SQL was hit.  Other discussions in various lists the past
> few days have folks claiming they had no prior warning that port 1434 was
> a point of caution deserving incoming and outgoing blocks.  Though, as

It's an ephemeral port- just blocking it may make random stuff not work in 
some situations (like say DNS...)

It takes someone who's thought it out to do the filtering correctly.

Unfortunately, in my experience that's not going to happen in response to 
a worm.

> someone in one of those discussions mentioned, often the information made
> available on a threat, often gets read and interpreted in far too strict
> and narrow a sense to deal with a potential threat in a decisive manner
> the first time out.

The worst part is that this is blockable at the host on Win2k- if we had 
host-based default deny, we'd be looking at a better landscape for sure.

I can say that for every firewall I've set up, this wouldn't have gotten 
in or out that way.  I can also assure you that folks who're doing a good 
job of default deny at their border routers didn't get it from the 
Internet at large.  Steve's right on that score- firewalls work fine for 
ensuring that primary infection vectors are killed.  Wes is right too, 
that leaves secondaries like VPNs.  You're still better off with a 
properly configured perimeter though, no matter what else you've got.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
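
The point above about 1434 being an ephemeral port, shown as an added example that is not part of the original post: a blanket drop on UDP 1434 also kills a DNS lookup whose client happened to pick 1434 as its source port, while a stateful default-deny policy passes that lookup and still drops the unsolicited traffic. The packet tuples, addresses (documentation ranges) and function names are constructed for illustration, and the outbound allow list (DNS only) is an assumption.

```python
from collections import namedtuple

# Constructed sample packets; all addresses are documentation ranges (RFC 5737).
Pkt = namedtuple("Pkt", "direction proto src sport dst dport")

def naive_block_1434(pkt, state):
    """Stateless reaction rule: drop UDP with 1434 as source OR destination port."""
    if pkt.proto == "udp" and 1434 in (pkt.sport, pkt.dport):
        return "drop"
    return "pass"

def default_deny(pkt, state):
    """Stateful default deny (hypothetical policy): only outbound DNS is
    allowed and tracked; inbound passes only as a reply to a tracked flow."""
    if pkt.direction == "out":
        if pkt.proto == "udp" and pkt.dport == 53:
            state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "pass"
        return "drop"
    # Inbound: must mirror a flow an internal host opened.
    if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in state:
        return "pass"
    return "drop"

def run(policy, packets):
    """Evaluate packets in order against one policy with fresh state."""
    state = set()
    return [policy(p, state) for p in packets]

PACKETS = [
    # Internal resolver client picked 1434 as its ephemeral source port.
    Pkt("out", "udp", "192.0.2.10", 1434, "198.51.100.53", 53),
    # The DNS reply returns to that same port.
    Pkt("in", "udp", "198.51.100.53", 53, "192.0.2.10", 1434),
    # Unsolicited inbound UDP to port 1434 on an internal host.
    Pkt("in", "udp", "203.0.113.7", 4000, "192.0.2.20", 1434),
    # Internal host sending UDP to port 1434 on an outside address.
    Pkt("out", "udp", "192.0.2.20", 3000, "203.0.113.99", 1434),
]

if __name__ == "__main__":
    for name, policy in (("block 1434", naive_block_1434),
                         ("default deny", default_deny)):
        print(f"{name:13s}", run(policy, PACKETS))
```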
