Full Disclosure mailing list archives
Re: Sony: No firewall and no patches
From: Pete Smith <seclists () decapitate us>
Date: Tue, 10 May 2011 19:42:19 +1000
On 10 May 2011 15:07, Dobbins, Roland <rdobbins () arbor net> wrote:

> On May 10, 2011, at 6:03 AM, Thor (Hammer of God) wrote:
>> Maybe they should call that "You don't have to patch" genius!
>
> Stateful firewalls have no place in front of servers, where every incoming request is unsolicited, and therefore there is no state to inspect in the first place. Stateful firewalls in front of servers merely serve as DDoS chokepoints due to the large amount of unnecessary state they instantiate.
This statement is only true for unauthenticated services which are not dealing with financial information. Would you suggest a bank not protect their internet banking service with a firewall because a DDoS might take the service offline? Or would you tell them to use a firewall in conjunction with a specific upstream device, which may even be installed at the ISP end of the link, to deal with DDoS?

As Tracy mentioned, having a stateful firewall is useful to block outgoing traffic; using an ACL just doesn't cut it. If an attacker initiates a connection with a destination port higher than 2048 (to some other server the attacker controls) and a source port of 80, that will pass through an ACL without issues; this would not be so on a stateful firewall.

mod_security might be good practice to use in a layered approach... but if you're running old versions of Apache (like Sony were) then it's not hard for an attacker to control the memory space used by mod_security and allow all packets. If the webserver is owned, then it's owned; no controls implemented on that server can be trusted or relied on.

Pete
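The egress case Pete describes, worked through as an added example that is not part of the thread: a toy stateless ACL beside a toy stateful filter, both evaluated on constructed packets. The addresses, ports and rule shapes are assumptions chosen for illustration; the point is that a server-originated connection using source port 80 satisfies a port-based ACL but has no connection-table entry for a stateful filter to match.

```python
# Added example (not from the thread): stateless ACL vs stateful filter on
# the server-egress case. Hosts, ports and rules are constructed values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward the web server) or "out" (from it)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool        # True on a connection-initiating SYN or a SYN/ACK
    ack: bool

WEB_SERVER = "192.0.2.10"   # constructed address (TEST-NET-1)

def stateless_acl(pkt: Packet) -> bool:
    """Classic router ACL: permit inbound to tcp/80 and outbound from tcp/80
    to high ports. It cannot tell a reply apart from a new connection."""
    if pkt.direction == "in":
        return pkt.dst_ip == WEB_SERVER and pkt.dst_port == 80
    return pkt.src_ip == WEB_SERVER and pkt.src_port == 80 and pkt.dst_port > 1023

class StatefulFirewall:
    """Records connections opened by inbound SYNs; outbound packets must
    belong to a recorded connection, so the server cannot originate one."""
    def __init__(self):
        self.table = set()   # (client_ip, client_port, server_ip, server_port)

    def check(self, pkt: Packet) -> bool:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.direction == "in":
            if pkt.dst_ip != WEB_SERVER or pkt.dst_port != 80:
                return False
            if pkt.syn and not pkt.ack:      # new client connection
                self.table.add(key)
                return True
            return key in self.table          # later packets of a known flow
        # outbound: allowed only as the reverse of a tracked inbound flow
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.table

def compare(pkts):
    """Return [(acl_verdict, stateful_verdict)] for a packet sequence."""
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.check(p)) for p in pkts]

# Constructed traffic: a client request and the server's reply, then a
# server-originated connection from source port 80 to a remote high port.
LEGIT_REQUEST = Packet("in", "198.51.100.7", 51234, WEB_SERVER, 80, syn=True, ack=False)
LEGIT_REPLY = Packet("out", WEB_SERVER, 80, "198.51.100.7", 51234, syn=True, ack=True)
SERVER_ORIGINATED = Packet("out", WEB_SERVER, 80, "203.0.113.9", 4444, syn=True, ack=False)
```

Running `compare([LEGIT_REQUEST, LEGIT_REPLY, SERVER_ORIGINATED])` passes the first two packets under both models and rejects the third only under the stateful filter, which is the difference Pete is pointing at.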
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/