Firewall Wizards mailing list archives
Re: IPv6 support in firewalls
From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 27 Aug 2007 17:19:58 -0400 (EDT)
On Mon, 27 Aug 2007, Behm, Jeffrey L. wrote:
I feel I could have substantiated it a few years ago. Example: I had built a linux box for a network class I was teaching at a local university, so I could show them telnet, ssh, DNS, ftp, http, samba, etc. I quickly (and stupidly (i.e. didn't harden it at all and didn't put it behind a NAT device)) threw the box together, and put it out on a routable IP address outside my NAT device on my home network the morning before the night class. Even before I even made it to class, it was owned (via an RPC hack). Had I put it behind a NAT device, and only allowed those services I wanted to access, I would bet that it wouldn't have been owned in less than 12 hours.
Speed of compromise is different than compromise or not. I remain steadfastly convinced that obscurity does change the rate of compromise, especially in terms of target of opportunity attacks.
It seems to me that those writing the mal-code are on to the idea that NAT devices are in place more and more often, so they aren't wasting time trying to get code past them.
It's more than that, for malcode that involves user action, you're already inside the trust boundary, and you're not as reliant on quickly patched bugs. It's easy to fix the network, it's much more difficult to fix the user.
Stupid users, who click on an unknown .exe are a good enough vector to exploit, as you are seeing today...
Which is why I'm convinced those users should not be in charge of their own security. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions paul () compuwar net which may have no basis whatsoever in fact." http://www.fluiditgroup.com/blog/pdr/ _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- ***SPAM*** Re: IPv6 support in firewalls, (continued)
- ***SPAM*** Re: IPv6 support in firewalls Dave Piscitello (Aug 23)
- Re: ***SPAM*** Re: IPv6 support in firewalls ArkanoiD (Aug 24)
- Re: ***SPAM*** Re: IPv6 support in firewalls Patrick M. Hausen (Aug 27)
- Re: IPv6 support in firewalls Behm, Jeffrey L. (Aug 27)
- Re: IPv6 support in firewalls ArkanoiD (Aug 27)
- Re: IPv6 support in firewalls Behm, Jeffrey L. (Aug 27)
- Re: IPv6 support in firewalls Paul D. Robertson (Aug 27)
- Re: IPv6 support in firewalls Behm, Jeffrey L. (Aug 27)
- Re: IPv6 support in firewalls Paul D. Robertson (Aug 27)
- Re: IPv6 support in firewalls Behm, Jeffrey L. (Aug 27)
- Re: IPv6 support in firewalls Paul D. Robertson (Aug 27)
- Re: IPv6 support in firewalls Behm, Jeffrey L. (Aug 27)
- Re: IPv6 support in firewalls ArkanoiD (Aug 28)
- Re: IPv6 support in firewalls Darren . Reed (Aug 28)
- Re: IPv6 support in firewalls ArkanoiD (Aug 29)
- Re: IPv6 support in firewalls Paul D. Robertson (Aug 29)
- Re: IPv6 support in firewalls ArkanoiD (Aug 29)
- Re: IPv6 support in firewalls ArkanoiD (Aug 27)
- Re: ***SPAM*** Re: IPv6 support in firewalls Dave Piscitello (Aug 27)
- Re: IPv6 support in firewalls Patrick M. Hausen (Aug 27)
- ***SPAM*** Re: IPv6 support in firewalls Dave Piscitello (Aug 27)