Security Incidents mailing list archives

Re: TCP port 5000 syn increasing


From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 19 May 2004 07:21:08 -0700 (PDT)

Andreas,

> I'm waiting for the first worm that tunnels over HTTP port 80, as a number
> of protocols already do, to get around firewalls that only pass 25 and 80. ;)
>
> It would have to be "de-tunneled" on the inside to do something useful.
> Either the network is already compromised, or it exploits something on that
> specific service.

Excellent point!  It's about time something more lucid
passed through this list.  To be honest, there's way
too much hand-waving and too much of a
smoke-and-mirrors approach to infosec.  It's so easy
to say "worm that tunnels into the network over port
80" and get the media (and following the domino
effect, the general public) all hyped and spinning out
of control.  But you're right...it has to be
"de-tunnelled" to something, unless it's an exploit
against the web server itself - at which point it
isn't tunnelling, then, is it?

And you know, even this kind of thing is relatively
easy to protect against.  If you're going to configure
your router or firewall in a default deny status, and
then allow only specific traffic, why not then just
restrict that traffic to specific hosts or ranges? 
Why allow port 25 into your entire infrastructure,
when you've got only one email server?  Why not just
allow port 25 to the specific host, or to ranges
depending upon the size of your infrastructure?
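The policy point in the message above (default deny, then allow a port only to the host that actually serves it) can be made concrete with a small rule evaluator. This is an added example, not code from the thread or from any firewall product: the addresses and ranges are constructed for illustration, and the evaluator is a simplified stateless first-match filter, not a model of any specific router or firewall.

```python
"""Added example (not from the thread): contrast "allow 25 and 80 into the
whole range" with "allow 25 and 80 only to the hosts that serve them" under a
default-deny policy. Addresses, ranges and the rule format are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "accept" or "drop"
    proto: str              # "tcp" or "any"
    dst_net: str            # destination network in CIDR notation
    dst_port: Optional[int]  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def evaluate(rules: list[Rule], pkt: Packet, default: str = "drop") -> str:
    """First-match evaluation; anything unmatched falls to the default (deny)."""
    for r in rules:
        if r.proto not in ("any", pkt.proto):
            continue
        if ip_address(pkt.dst) not in ip_network(r.dst_net):
            continue
        if r.dst_port is not None and r.dst_port != pkt.dport:
            continue
        return r.action
    return default


def exposed_addresses(rules: list[Rule], port: int, proto: str = "tcp") -> int:
    """Count destination addresses reachable from outside on `port`.
    Ignores overlapping accept rules, which is adequate for these policies."""
    return sum(
        ip_network(r.dst_net).num_addresses
        for r in rules
        if r.action == "accept"
        and r.proto in ("any", proto)
        and r.dst_port in (None, port)
    )


# Constructed addressing (RFC 5737 documentation ranges).
INTERNAL = "192.0.2.0/24"       # the whole internal range
MAIL_SERVER = "192.0.2.25/32"   # the only SMTP host
WEB_SERVER = "192.0.2.80/32"    # the only web server

# Policy the message argues against: 25 and 80 open to every internal host.
BROAD = [
    Rule("accept", "tcp", INTERNAL, 25),
    Rule("accept", "tcp", INTERNAL, 80),
]

# Policy the message recommends: the same ports, only to the serving hosts.
RESTRICTED = [
    Rule("accept", "tcp", MAIL_SERVER, 25),
    Rule("accept", "tcp", WEB_SERVER, 80),
]


def compare(pkt: Packet) -> tuple[str, str]:
    """Verdict under the broad policy and under the restricted policy."""
    return evaluate(BROAD, pkt), evaluate(RESTRICTED, pkt)


if __name__ == "__main__":
    outside = "198.51.100.7"  # constructed external source
    samples = [
        Packet("tcp", outside, "192.0.2.25", 25),    # SMTP to the mail server
        Packet("tcp", outside, "192.0.2.77", 25),    # SMTP to a workstation
        Packet("tcp", outside, "192.0.2.80", 80),    # HTTP to the web server
        Packet("tcp", outside, "192.0.2.77", 5000),  # the port in the thread subject
    ]
    for p in samples:
        print(f"{p.dst}:{p.dport}  broad={compare(p)[0]}  restricted={compare(p)[1]}")
    print("hosts reachable on 25:", exposed_addresses(BROAD, 25), "vs",
          exposed_addresses(RESTRICTED, 25))
```

The difference shows up in the second sample: a SYN to port 25 on an ordinary workstation is accepted by the broad policy and dropped by the restricted one, and the exposed-address count for port 25 falls from the whole /24 to a single host. Port 5000 is dropped under both, since neither policy has an allow rule for it.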


