Re: Sony: No firewall and no patches

["Dobbins, Roland" <rdobbins () arbor net>]

On May 11, 2011, at 6:51 AM, Thor (Hammer of God) wrote:

My experience is quite different, and I have personally seen too many instances to count where the use of firewalls 
has, without question, been what has saved a company.

I would be extremely interested to learn details of how a stateful firewall in front of a server saved a company, when 
stateless ACLs in hardware-based network infrastructure devices would've led to failure.  Seriously, if you don't mind 
outlining the scenario, I think it would be very instructive.

> So, to wrap up my input in this regard, people should use what works for them assuming they know what problems they 
> are trying to solve and how they are solving them.


If an attacker is already in a position to issue commands and induce your box to do things, he *already has his covert 
channel over which he can exfiltrate data*.  So the outbound stateful checking of server response traffic is moot, and 
simply constitutes a stateful DDoS chokepoint which makes it trivial for an attacker to take down the server in 
question by filling up the state-tables of said firewall with well-formed, programatically-generated traffic.

That's my point, in a nutshell.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

                The basis of optimism is sheer terror.

                          -- Oscar Wilde

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/