Full Disclosure mailing list archives

Re: Sony: No firewall and no patches


From: Pete Smith <seclists () decapitate us>
Date: Tue, 10 May 2011 19:42:19 +1000

On 10 May 2011 15:07, Dobbins, Roland <rdobbins () arbor net> wrote:

> On May 10, 2011, at 6:03 AM, Thor (Hammer of God) wrote:
>
>> Maybe they should call that "You don't have to patch" genius!
>
>
> Stateful firewalls have no place in front of servers, where every incoming
> request is unsolicited, and therefore there is no state to inspect in the
> first place.  Stateful firewalls in front of servers merely serve as DDoS
> chokepoints due to the large amount of unnecessary state they instantiate.


This statement is only true for unauthenticated services which are not
dealing with financial information. Would you suggest a bank not protect
their internet banking service with a firewall because a DDoS might take the
service offline? Or would you tell them to use a firewall in conjunction
with a specific upstream device, which may even be installed at the ISP end
of the link, to deal with DDoS?

As Tracy mentioned, having a stateful firewall is useful to block outgoing
traffic; using an ACL just doesn't cut it. If an attacker initiates a
connection with a destination port higher than 2048 (to some other server the
attacker controls) and a source port of 80, that will pass through an ACL
without issues; this would not be so on a stateful firewall.

mod_security might be good practice to use in a layered approach... but if
you're running old versions of Apache (like Sony were) then it's not hard
for an attacker to control the memory space used by mod_security and allow
all packets. If the webserver is owned, then it's owned; no controls
implemented on that server can be trusted or relied on.

Pete
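The ACL-versus-stateful point made in the post above, as an added illustration that is not part of the original message or the thread: a stateless ACL judges each packet on its headers alone, so a rule written to let "return traffic" out of port 80 also lets a compromised server open brand-new connections outbound from source port 80. A connection tracker only permits outbound packets that belong to a flow a client opened from the outside. The addresses, port 4444, and the single-table flow tracker are constructed for this example; a real stateful firewall also checks TCP flags, sequence numbers and timeouts.

```python
from dataclasses import dataclass

# Constructed addresses from the documentation ranges (RFC 5737).
SERVER_IP = "192.0.2.10"
WEB_PORT = 80


@dataclass(frozen=True)
class Packet:
    direction: str    # "in": Internet -> server, "out": server -> Internet
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True for a flow-opening SYN (no ACK)


def stateless_acl(pkt: Packet) -> bool:
    """Router-style ACL: decides on each packet's header fields alone.

    Inbound:  permit tcp any host SERVER eq 80
    Outbound: permit tcp host SERVER eq 80 any gt 1023   (the 'return traffic' rule)
    Nothing here remembers whether a client ever opened a connection.
    """
    if pkt.direction == "in":
        return pkt.dst_ip == SERVER_IP and pkt.dst_port == WEB_PORT
    return (pkt.src_ip == SERVER_IP and pkt.src_port == WEB_PORT
            and pkt.dst_port > 1023)


class StatefulFirewall:
    """Minimal connection tracker: outbound traffic is allowed only as the
    reply half of a flow that an outside client opened to the web port."""

    def __init__(self) -> None:
        # (client_ip, client_port, server_ip, server_port) for each tracked flow
        self.flows: set[tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> bool:
        if pkt.direction == "in":
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if pkt.dst_ip == SERVER_IP and pkt.dst_port == WEB_PORT and pkt.syn:
                self.flows.add(key)      # new client connection: create state
                return True
            return key in self.flows     # later packets must match that state
        # Outbound: look the packet up as the reverse of a tracked inbound flow.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return key in self.flows


def run_scenario() -> dict[str, bool]:
    """Replay three constructed packets through both filters and return the verdicts."""
    fw = StatefulFirewall()
    client_syn = Packet("in", "198.51.100.7", 51000, SERVER_IP, WEB_PORT, syn=True)
    server_reply = Packet("out", SERVER_IP, WEB_PORT, "198.51.100.7", 51000)
    # A compromised server opening its own connection outward, source port 80,
    # to a host nobody on the inside ever talked to.
    server_initiated = Packet("out", SERVER_IP, WEB_PORT, "203.0.113.5", 4444, syn=True)

    return {
        "client_syn_acl": stateless_acl(client_syn),
        "client_syn_stateful": fw.check(client_syn),
        "server_reply_acl": stateless_acl(server_reply),
        "server_reply_stateful": fw.check(server_reply),
        "server_initiated_acl": stateless_acl(server_initiated),
        "server_initiated_stateful": fw.check(server_initiated),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:28s} {'PERMIT' if verdict else 'DENY'}")
```

Both filters pass the legitimate client connection and the server's reply to it; only the stateless ACL also passes the server-initiated packet, because the ACL cannot tell a reply on port 80 from a fresh connection that merely uses port 80 as its source. In practice, a deny on unexpected outbound flows, combined with logging of those denies, is also a useful detection signal for a host that has already been compromised.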
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/