Full Disclosure mailing list archives

Re: The worm author finally revealed!


From: Ron DuFresne <dufresne () winternet com>
Date: Fri, 31 Jan 2003 14:07:19 -0600 (CST)

On 31 Jan 2003, Paul Schmehl wrote:

        [SNIP]


Your $40 personal firewall won't do shit for a class B network with two
DS3s, much less an OC3.  Enterprise firewalls are a lot more than $40,
and they need a full time *skilled* technician to make them worth
using.  Now you're in the range of $100,000+ for first year costs
(equipment and licensing costs, installation costs, hiring costs and
salary.)

if deployed on all commissioned servers, then yer protected at host
level...



A DMZ requires *two* of those babies.  Now you're up to a quarter of a
million dollars.  And people in high places sit up and take notice when
you start asking for that kind of money.


Depends, in many cases yer only needing one firewall with two or more
interfaces.


Redundancy requires *four* of them.  Now you're at a half a mil.  And
the routers to handle that kind of traffic are close to six figures as
well.  But you don't want to put too many ACLs on that router or it'll
be CPU bound and traffic will start congesting at the ingress and egress
of the network.


again, in most cases, depending upon the HW/SW choices made, two boxes and
the proper number of interfaces.


It gets expensive in a hurry.  Now do you still need to wonder why some
networks have no firewall and no DMZ?

The real expense is in maintenance of the equipment, and testing/auditing
periodically...



How 'bout an even more esoteric question?  Why do the tier 1 providers
(like UUNET) allow traffic on port 1434???

Because there is no reason to block it.

Really?  Well people here are talking about suing the "admins" who are
"too lazy" to patch.  How about if I sue the ISPs who don't block port
1434/UDP and consequently take down the Internet from all their single
users who were running SQL with no clue?


I never mentioned suing the admins, but, lost jobs for those admins and
security folks not doing the work they were hired to do is certainly
feasible.


But, what does interest me here, is that if utdallas has no real security
policy, and no perimeter defences, what does the Adjunct Information
Security Officer really do?  Tis a real question and not meant as a slam.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
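Editor's note: the two technical points argued above (one firewall box with two or more interfaces carrying a DMZ instead of a pair of boxes, and an ACL dropping 1434/UDP at the border) can be shown as a small policy model. The following is an added example, not code from this post or from either poster; the interface names, the published DMZ ports, the rule order and the sample addresses are all constructed for illustration. It is a stateless filter with first-match-wins and an implicit default deny, which is enough to see which direction each rule governs.

```python
# Added example (not from the post): a toy stateless packet filter that models
# one firewall box with three interfaces (outside / DMZ / inside), the layout
# the reply says usually makes a second box unnecessary, plus the 1434/UDP block
# the thread argues ISPs could have applied. Interface names, published ports
# and the sample packets are all constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrived on: "outside", "dmz" or "inside"
    out_if: str  # interface it would be forwarded out of
    proto: str   # "tcp" or "udp"
    dport: int   # destination port
    src: str     # source address (constructed, used for reporting only)


# Rule shape: (in_if, out_if, proto, dport, action); None matches anything.
# Evaluated top to bottom, first match wins; anything unmatched is dropped.
POLICY = [
    # Block SQL Server resolution (1434/udp) on every interface, both ways.
    (None, None, "udp", 1434, "drop"),
    # Outside may only reach the services the DMZ publishes (assumed ports).
    ("outside", "dmz", "tcp", 25, "accept"),
    ("outside", "dmz", "tcp", 80, "accept"),
    ("outside", "dmz", "tcp", 443, "accept"),
    # DMZ hosts never initiate into the inside network.
    ("dmz", "inside", None, None, "drop"),
    # DMZ hosts may talk outbound (mail relay, DNS, updates).
    ("dmz", "outside", None, None, "accept"),
    # Inside hosts may initiate towards either other interface.
    ("inside", None, None, None, "accept"),
]


def _matches(rule, pkt):
    in_if, out_if, proto, dport, _ = rule
    return ((in_if is None or in_if == pkt.in_if)
            and (out_if is None or out_if == pkt.out_if)
            and (proto is None or proto == pkt.proto)
            and (dport is None or dport == pkt.dport))


def evaluate(pkt):
    """Return (verdict, index of the matching rule, or None for the default deny)."""
    for idx, rule in enumerate(POLICY):
        if _matches(rule, pkt):
            return rule[4], idx
    return "drop", None


def offenders_on_1434(packets):
    """Count, per source, the 1434/udp packets the first rule dropped.

    At a provider border this is the list of customers whose SQL resolution
    service is exposed; here it shows what the ACL would have stopped."""
    counts = {}
    for pkt in packets:
        verdict, idx = evaluate(pkt)
        if verdict == "drop" and idx == 0:
            counts[pkt.src] = counts.get(pkt.src, 0) + 1
    return counts


# Constructed sample traffic (documentation-range addresses).
SAMPLE = [
    Packet("outside", "dmz", "tcp", 80, "198.51.100.7"),     # web hit: accept
    Packet("outside", "inside", "tcp", 80, "198.51.100.7"),  # DMZ bypass attempt: drop
    Packet("outside", "dmz", "udp", 1434, "203.0.113.9"),    # worm probe: drop
    Packet("outside", "dmz", "udp", 1434, "203.0.113.9"),
    Packet("inside", "outside", "udp", 1434, "10.0.0.5"),    # infected inside host: drop
    Packet("dmz", "inside", "tcp", 445, "192.0.2.10"),       # compromised DMZ box: drop
    Packet("inside", "outside", "tcp", 443, "10.0.0.8"),     # normal browsing: accept
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(f"{pkt.in_if} -> {pkt.out_if} {pkt.proto}/{pkt.dport}: {evaluate(pkt)[0]}")
    print("1434/udp sources blocked:", offenders_on_1434(SAMPLE))
```

The model is deliberately stateless: return traffic for the accepted flows is not represented, so a real deployment needs connection tracking or explicit reverse rules. Note also that the 1434/UDP rule sits first and is direction-agnostic, which is what makes an infected inside host (10.0.0.5 above) stop spraying the outside world as well as stopping inbound probes.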

