Firewall Wizards mailing list archives

Re: IPv6 support in firewalls


From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 27 Aug 2007 17:19:58 -0400 (EDT)

On Mon, 27 Aug 2007, Behm, Jeffrey L. wrote:

> I feel I could have substantiated it a few years ago.
>
> Example: I had built a linux box for a network class
> I was teaching at a local university, so I could show
> them telnet, ssh, DNS, ftp, http, samba, etc.
>
> I quickly (and stupidly (i.e. didn't harden it at all
> and didn't put it behind a NAT device)) threw the box
> together, and put it out on a routable IP address
> outside my NAT device on my home network the morning
> before the night class.  Even before I even made it
> to class, it was owned (via an RPC hack). Had I put it
> behind a NAT device, and only allowed those services
> I wanted to access, I would bet that it wouldn't have
> been owned in less than 12 hours.

Speed of compromise is different than compromise or not.  I remain 
steadfastly convinced that obscurity does change the rate of compromise, 
especially in terms of target of opportunity attacks.

> It seems to me that those writing the mal-code are on
> to the idea that NAT devices are in place more and more
> often, so they aren't wasting time trying to get code
> past them.

It's more than that: for malcode that involves user action, you're already 
inside the trust boundary, and you're not as reliant on quickly patched 
bugs.  It's easy to fix the network; it's much more difficult to fix the 
user.

> Stupid users, who click on an unknown .exe are a good
> enough vector to exploit, as you are seeing today...

Which is why I'm convinced those users should not be in charge of their 
own security.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
             http://www.fluiditgroup.com/blog/pdr/
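
The "only allow the services I wanted" part of Jeff's story is the piece a firewall actually enforces, whether or not there is NAT in front of the box. The script below is an added example, not something from this thread or from either poster: a POSIX shell function that emits a default-deny inbound nftables ruleset exposing only the TCP ports given as arguments. It assumes a Linux host with nftables; the table and chain names `edge` and `inbound` are arbitrary choices. The `inet` family applies the same rules to IPv4 and IPv6, so the host is filtered on both even though there is no NAT to hide behind on v6.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate a default-deny
# inbound nftables ruleset that exposes only the TCP ports passed in.
# Assumes nftables; "edge"/"inbound" are hypothetical table/chain names.

gen_ruleset() {
    # Validate each argument and build a comma-separated port list.
    ports=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "gen_ruleset: bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "gen_ruleset: port out of range '$p'" >&2; return 1
        fi
        ports="${ports:+$ports, }$p"
    done

    if [ -n "$ports" ]; then
        service_rule="tcp dport { $ports } accept"
    else
        service_rule="# no inbound services exposed"
    fi

    cat <<EOF
add table inet edge
flush table inet edge
table inet edge {
    chain inbound {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host opened.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Only the services deliberately offered, nothing else.
        $service_rule

        # ICMP/ICMPv6 so path MTU discovery and neighbour discovery keep working.
        meta l4proto { icmp, icmpv6 } accept

        # Rate-limited log of everything that falls through to the drop policy,
        # so scans and probes show up in the logs instead of vanishing silently.
        limit rate 5/minute log prefix "edge-drop: "
    }
}
EOF
}

# Usage (run as root):  gen_ruleset 22 80 | nft -f -
```

Because the chain policy is `drop`, a service that was never intended to be reachable (the RPC listener in the story, for instance) simply gets no rule and is never exposed, and the rate-limited log line turns the background scanning into something you can actually see. Rules for the services themselves still matter: an exposed sshd or httpd has to be patched like anything else.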

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

