Full Disclosure mailing list archives
RE: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause]
From: "Erik van Straten" <emvs.fd.3FB4D11C () cpo tn tudelft nl>
Date: Fri, 16 Jan 2004 04:14:27 +0100
"Chris Harrington" <cmh () nmi net>:
> So do you expect Annie to fix these broken locks or doors??
Nope. Annie is not reading this list. Microsoft probably does.
> What you are saying is that you would not need a wall if the locks worked properly??
Nope. What I'm saying is that the doors to the Internet shouldn't have been there by default (135-139, 445, 1026-1030, RDP, UPnP etc. - run netstat)
> This translates to not needing a firewall if the OS flaws are fixed.
Nope. It translates to not needing simple PFW's -for ingress traffic- if there are no listening ports. Flaws shouldn't have been there in the first place, and any found should be fixed ASAP%001. If someone needs to open a certain port for some purpose, that's fine (but then it makes no sense to block it with a firewall). When a vuln is published the user can disable the specific service until it is patched (ex: DameWare). It doesn't make sense to NOT stop a vulnerable service, and trust that a (closed source) PFW blocks access to it. Note: testing firewalls is an art, and for example XP-ICF is hardly documented. Do you know which ports it blocks? BTW, XP+SP1 builtin ICF may start some time AFTER network I/O is accepted (confirmed by MS, that is, they say SP2 will improve this).
> I always believed that some protection was better than none.
Yep. But flaws have been found in PFW's, and they do provide a false sense of security. With ABS you can drive much closer to the car in front of you. With AV and a PFW people tend to believe it is safe to run any exe (or hta). Marketing helps make people believe this.
> If I had to guess I would say your home machine is Linux or BSD and
Nope. It's running Microsoft.
> most likely properly patched with no vulnerabilities.
Haven't you? I can't believe my eyes. Are you guys really suggesting that PFW's are a replacement for critical patches? I *know* that's what some Annies think, but I didn't expect it from people on this list. Regarding patches and Blaster, in another post I read "if they would have been running a PFW..." - nonsense. They should have patched. People that do not apply critical patches are not security aware. People who cannot judge which patches are critical should apply them all. Note: *if* you get security unaware people to run a PFW, they'll likely disable it after the first app that fails, and they'll probably forget to turn it back on afterwards.
> Do you still use iptables? I bet you would if your PC was directly connected to the Internet without a Hardware FW in front of it.
No firewall on this box. A few ports are blocked at the network perimeter, but hey, this is a university net, so if I run netcat -l <any blocked port> I'll usually see some scans.
> But according to your logic it would be un-necessary to put a firewall in front of an OS whose locks worked properly.
Nope. I want all unused ports closed. For inbound connections, there's no point blocking 80/tcp if you run a public webserver, right? However, permitting access to selected IP's, combined with stateful inspection, (provided you can trust all boxes behind your router) from connecting to certain ports (like DNS), may help. However I do not see any advantage for Annie's free/cheap PFW here.
> Windows, Linux, BSD all have services / ports listening by default...
I've never run BSD. Which way-back-when flavor of Linux are you using? With Trustix, out of the box only postfix listens (to 127.0.0.1).
> many of which do not need to be open to the world. It's no easier for a home user like Annie to edit the inetd.conf file to comment out services than it would be for her to stop Windows services.
Annie could *learn* how to edit inetd.conf. Or I, or someone like me, or you, could help her. However, we cannot disable RPC in XP, and I cannot configure it such that it doesn't listen to the Internet iface. You guys just don't seem to get the point.
> The point is the PFW makes it possible for the home user to limit their exposure without having a great deal of technical expertise. Is it perfect? No. But it is an improvement over having nothing between Annie and the Internet.
Maybe. But many people (and companies) have not patched DCOM because they thought they were safe behind their firewall. Also apparently they don't run AV; lots have been hit by Blaster or Nachi after someone plugged in an infected notebook. My fear is that PFW's will have people postpone patching, and not upgrade their AV license when it expires.

Probably it IS a good idea if all of you go help ordinary users to protect their PC's, and do whatever you think is right. I sure hope they take you more seriously than me. In my experience, their kids will immediately reinstall IM and KaZaA after you leave. They don't care about spyware. And they don't want to spend any money on software, music and movies, but they want to have it all because the guy next door does too.

Anyway, this is not a "Dear Annie, you're vulnerable! Buy x and sleep well" list. This is FD - it's about educating software manufacturers. They have been warned about potential flaws in their products. Now one of them is asking *US* to spend even more time (I have spent *a* *lot*) helping their customers to clean up the mess they could have prevented. They (not Annie) should close all listening ports by default, add wizards to guide Annie through opening SMB/RPC ports to her kid's PC (NOT to any other interface), make Admin accounts unattractive for day to day use (just for SW installs/updates) and improve security. Then we'll talk firewalls, because they DO serve a purpose.

Also I'd appreciate it if people would read what's being written, and not get upset that quickly. This is FD.

Cheers,
Erik van Straten
Sysadmin

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
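As an added, defender-side illustration of the "run netstat" check the mail refers to, the following Python script (written for this archive page, not code from the thread or any of its participants) parses `netstat -an` text and lists every socket bound to something other than the loopback interface, labelling the ports the mail names (135-139, 445, 1026-1030, RDP, UPnP). The sample netstat output is constructed, and the port-to-service labels are the standard XP-era Windows assignments.

```python
# Flag sockets listening beyond loopback in `netstat -an` text (Windows or Linux style).

# Ports named in the mail, labelled with the XP-era Windows service that owns them.
KNOWN_PORTS = {135: "RPC endpoint mapper", 137: "NetBIOS name service",
               138: "NetBIOS datagram", 139: "NetBIOS session",
               445: "SMB over TCP", 3389: "RDP", 1900: "UPnP (SSDP)"}
KNOWN_PORTS.update({p: "RPC dynamic endpoint" for p in range(1026, 1031)})

# Constructed sample output (not captured from a real host); last line is Linux style.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:25           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1031      10.0.0.5:80            ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:1900           *:*
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

def _split_endpoint(endpoint):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '[::]:3389' -> ('::', 3389)."""
    addr, port = endpoint.rsplit(":", 1)
    return addr.strip("[]"), int(port)

def _is_loopback(addr):
    return addr.startswith("127.") or addr == "::1"

def exposed_listeners(netstat_text):
    """Return (proto, addr, port, label) for each socket reachable beyond loopback."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0].lower()[:3] not in ("tcp", "udp"):
            continue  # header, blank or unrelated line
        proto = fields[0].lower()[:3]
        endpoints = [f for f in fields[1:] if ":" in f]
        if not endpoints or not endpoints[0].rsplit(":", 1)[1].isdigit():
            continue  # no numeric local port on this line
        addr, port = _split_endpoint(endpoints[0])  # local endpoint comes first
        # TCP counts only in LISTEN(ING) state; a bound UDP socket has no state.
        if proto == "tcp" and not any(f.upper().startswith("LISTEN") for f in fields):
            continue
        if not _is_loopback(addr):
            found.append((proto, addr, port, KNOWN_PORTS.get(port, "unknown: verify need")))
    return found
```

Anything the script prints for a home PC that is not a service the user deliberately opened is a candidate for stopping the service rather than for a firewall rule.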