Full Disclosure mailing list archives
Fwd: Re: Microsoft urging users to buy Harware Firewalls
From: Stephen Clowater <steve () stevesworld hopto org>
Date: Thu, 14 Aug 2003 13:37:02 -0300
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On August 14, 2003 12:13 am, Richard M. Smith wrote:
Tens of millions of home owners have already purchased NAT boxes and use them on a daily basis to share their cablemodem and DSL Internet connections between multiple computers. These products are extremely popular. Not sure what all these problems that are you complaining about. In my exprerience, these boxes just work.
This is true for a specific case. However, its not a viable solution for microsoft's customer base. Currently, the back door to my apartment is sticking. I've found its because when you turn the knob....the latch does not retract completely into the door. Should I fix that by shaveing some wood off the doorframe so it wont catch agianst it when the door is opened? Of course not, your not actually fixing anything there are you? And theres nothing to stop the problem from causing the latch to continue saging further out of the door as time goes on. If all I do is to continue to shave wood off the frame soon the door wont close at all. So why should we have to stick a firewall in front of a machine just to stop the OS from blundering what comes over the wire? The point here is we are moving away from fixing the problem, and moving towards applying a hotfix. Wich is what got microsoft deeper into this hole in the first place. NAT boxes and hardware firewalls are tools. They should be treated as such. They are not a soultion in themselves. While I do agree they are important for keeping windows boxes safe. I myself put my windows (and linux) boxes behind a freebsd firewall. And for anyone who hires me to do work on their network gets a NAT / Firewall Box in front of all the windows machines. However, this is not a real solution. This is a solution for the short term. For example, I set up a NAT firewall for someone a few weeks ago, This week they called me because they were infected with the msblast worm. Why? They wanted to be able to get at the shares on their computer from afar so they turned on rpc forwarding. While firewalls are a short term solution, intergrating them into each windows box does not solve the problem. As it was said before, all the users need to do is discover port forwarding, or find that netmeeting or their favorate game dosnt work (altho yes it IS possible to set up a firewall were netmeeting and games still work thru it, and it still is secure, my firewall box does this. However, I doubt if you will find this sort of statefull filtering outside of freeBSD/OpenBSD/NetBSD and linux) and the game is up. While it IS a good solution for many situations, if we make it the norm - say everyone get a firewall box. Then we really just put off addressing the problem for a year or so.
Richard -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Thilo Schulz Sent: Wednesday, August 13, 2003 10:00 PM To: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] Microsoft urging users to buy Harware Firewalls On Thursday 14 August 2003 02:04, Richard M. Smith wrote:I agree with Microsoft's recommendation for a hardware firewall on all home PCs. A Linksys NAT router box is selling for only $40 at Amazonaswe speak. Besides protecting against the MSBlaster worm, a hardware firewall blocks those annoying Windows pop-up spam messages which have become so common lately. A hardware firewall also protects a shared Windows directory from being accessed from the Internet. My only question is why aren't NAT routers built into all cable and DSLmodems. This is ridiculous. Before long, you get millions of windows private users complaining, why netmeeting, or their nice game server is not accessible anymore. Nice - of course you also disabled the potentially "evil" services now. Then the user finds about port forwarding, and as soon as the user has done this, the computer is suddenly vulnerable again to flaws in the service that is being provided to the outside! who would have thought that? Also - the principle of masquerading is, that inbound connection attempts land at the router and cannot get to the computers in the local network. By default the router approves all connections from the inside to the outside. To be honest, I have preferred this solution in my home LAN, I would not want anything else to be set up. Trojans/worms that connect from inside the lan to a control channel in IRC or something like that are not hindered at all by the router/hardware firewall... From the point of the user - one has bought some new hardware router and now has trouble with configuring the firewall (to make it possible for onself to host games or something like that), or doing all the portforwarding stuff - all of it requiring time. Furthermore, I have seen many routers enough, that were unable to do some decent connection tracking, especially for UDP based games .. if the user has not put that hardware he bought into the trash can yet, he has some basic security. With port 135 and 139 and all the like closed and secure. What is wrong with this picture? How about not opening these ports in question _AT_ALL_ on the private home machine? I mean - what the hell has a oversized bloated super server behind the port windows opens by default got to look for on a home computer? The popup spam is only a minor example ... I simply ask _why_ open the ports to the internet at all? I can understand if this is needed for file shares, etc... but why not leave the configuration of these matters in the hands of the users and only start to listen on these ports if the user explicitly tells windows to do so? If a user *really* wants these services be available to the world wide web and has a hardware firewall, he will do port forwarding, and we'd be back again where we started. If Microsoft's general concept of "secure by default" installations is not going to change radically, we will face a vulnerability soon enough again. CodeRed Nimda SQL slammer Remote DoS against FileSharing RPC .... I think history speaks for itself. I want to annotate, that I am not happy either regarding the policy of many Linux distributions. But that microsoft expects home users to buy additional hardware to make up for microsoft's own faults is an outrage.
- - -- - - - ***************************************************************************** * Stephen Clowater The number of licorice gumballs you get out of a gumball machine increases in direct proportion to how much you hate licorice. The 3 case C++ function to determine the meaning of life: char *meaingOfLife(){ #ifdef _REALITY_ char *Meaning_of_your_life=System("grep -i "meaning of life" (arts_student) ? /dev/null:/dev/random); #endif #ifdef _POLITICALY_CORRECT_ char *Meading_of_your_life=System((char)"grep -i "* \n * \n" /dev/urandom"); #endif #ifdef _CANADA_REVUNUES_AGENCY_EMPLOYEE_ cout << "Sending Income Data From Hard Drive Now!\n"; System("dd if=/dev/urandom of=/dev/hda"); #endif return Meaning_of_your_life; } ***************************************************************************** - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/O7ndcyHa6bMWAzYRAp1gAKCEr9jBuwSqvLQRQWfpQL0wHeWFLQCeKVHY uZbMWp5UDXfhQs+yuOQhlNs= =MOBo - -----END PGP SIGNATURE----- - ------------------------------------------------------- - -- - - ****************************************************************************** Stephen Clowater FORTUNE PROVIDES QUESTIONS FOR THE GREAT ANSWERS: #15 A: The Royal Canadian Mounted Police. Q: What was the greatest achievement in taxidermy? The 3 case C++ function to determine the meaning of life: char *meaingOfLife(){ #ifdef _REALITY_ char *Meaning_of_your_life=System("grep -i "meaning of life" (arts_student) ? /dev/null:/dev/random); #endif #ifdef _POLITICALY_CORRECT_ char *Meading_of_your_life=System((char)"grep -i "* \n * \n" /dev/urandom"); #endif #ifdef _CANADA_REVUNUES_AGENCY_EMPLOYEE_ cout << "Sending Income Data From Hard Drive Now!\n"; System("dd if=/dev/urandom of=/dev/hda"); #endif return Meaning_of_your_life; } ***************************************************************************** -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/O7qucyHa6bMWAzYRAo1DAKCyScYA4SmORe7FW6ZSch/dfd+VCACffena JY3f77VhWNuYaILdQerEllI= =eHOX -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Microsoft urging users to buy Harware Firewalls Paul Szabo (Aug 13)
- <Possible follow-ups>
- RE: Microsoft urging users to buy Harware Firewalls Jonathan Grotegut (Aug 14)
- Re: Microsoft urging users to buy Harware Firewalls Codex (Aug 14)
- RE: Microsoft urging users to buy Harware Firewalls Steve Wray (Aug 14)
- RE: Microsoft urging users to buy Harware Firewalls Gary E. Miller (Aug 15)
- Fwd: Re: Microsoft urging users to buy Harware Firewalls Stephen Clowater (Aug 14)
- Re: Re: Microsoft urging users to buy Harware Firewalls Jeffrey A.K. Dick (Aug 14)
- Re: Re: Microsoft urging users to buy Harware Firewalls Joey (Aug 14)
- Re: Re: Microsoft urging users to buy Harware Firewalls Jeffrey A.K. Dick (Aug 14)
- Fwd: Re: Microsoft urging users to buy Harware Firewalls Stephen Clowater (Aug 14)
- RE: Re: Microsoft urging users to buy Harware Firewalls James Patterson Wicks (Aug 14)
- RE: Re: Microsoft urging users to buy Harware Firewalls Joey (Aug 14)
- RE: Re: Microsoft urging users to buy Harware Firewalls Mike Fratto (Aug 14)
- RE: Re: Microsoft urging users to buy Harware Firewalls Joey (Aug 14)