Security Basics mailing list archives

RE: win2k firewall


From: H C <keydet89 () yahoo com>
Date: Tue, 7 Jan 2003 12:55:30 -0800 (PST)


> Perhaps you are not familiar with what BlackIce does.  BlackIce knows
> what Code Red is, and it can stop it from hurting an UNPATCHED W2K
> machine.

Perhaps you're not familiar with what Code Red does. 
First off, it doesn't attack the operating system, it
attacks the web server.  Second, all that is required
to protect yourself against CR is to disable the
ida/idq script mapping.  In fact, disabling unused
script mappings (i.e., unnecessary or unused
services/functionality) is not only common sense, but
it's also all over every site that talks about
information security.

> And it can afford this kind of protection vs. hundreds of other
> exploits as well.

But disabling the script mappings is free, and it also
protects against other attacks, as well.

> Basically, you can have it watching every single packet going to
> ALLOWED services (those that are open due to it being a webserver),
> and making sure that there is nothing malicious being attempted.  Is
> that a good reason?

But you'd have to define what "malicious" is, or hope
that someone has added it to BlackICE.  That being the
case, I'd opt for using snort instead...it's free, and
it runs on Win2K.  Not only that, it gives me greater
control, b/c I can write my own rules, and block
packets based on whether an arbitrary bit in the
packet is a 1 or a 0.  That's control...and that's
control I would have.  
  
> There is something to attack - it's a webserver.  There are numerous
> attacks that are done with nothing more than mangled http requests.
> BlackIce can stop many of them.  How can I be more clear?

That's very clear.  But it's also very vague, in a
way.  Yes, some web servers will respond poorly to
mangled http requests...but the OP never did mention
which web server he was using, as far as I can
remember.  He said he was using Win2K, but he didn't
specify the web server.  Vulnerabilities that work on
IIS don't necessarily work on Apache.  Not every web
server fails to handle mangled HTTP requests properly.
  
> Ok, fair enough.  I just didn't want to get into the Steve Gibson
> thing here.

Sure, I understand.  Another way of handling it is to
simply not respond to it.  However, telling someone
via the list to NOT talk about SG is *talking* about
SG...so you're actually doing what you're trying to
avoid.
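As an added example (not from this thread or from either poster), a small Python rule check over HTTP request lines that illustrates the two positions argued above: a home-grown rule that flags a Code Red-shaped request to the .ida/.idq mapping, and the effect of simply removing that mapping so the request never reaches the indexing ISAPI. The sample requests, the mapping sets and the length threshold are constructed for the example.

```python
# Added example: rule-based inspection of HTTP request lines versus
# removing the ida/idq script mapping.  Nothing here is IIS, BlackICE
# or snort code; the mapping sets and threshold are constructed values.
import re
from urllib.parse import urlsplit

# Script mappings an IIS admin might leave enabled (constructed), and
# the same set with ida/idq removed as the thread advises.
DEFAULT_MAPPINGS = {".asp", ".ida", ".idq"}
HARDENED_MAPPINGS = {".asp"}

MAX_QUERY_LEN = 200  # constructed threshold for "oversized" queries
INDEXING_EXTS = {".ida", ".idq"}


def parse_request_line(line):
    """Return (method, path, query), or None for a malformed line."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    u = urlsplit(target)
    return method, u.path, u.query


def extension(path):
    """Lower-cased file extension of the request path, or ''."""
    m = re.search(r"(\.[A-Za-z0-9]+)$", path)
    return m.group(1).lower() if m else ""


def classify(line, mappings):
    """Findings for one request line given the enabled script mappings."""
    parsed = parse_request_line(line)
    if parsed is None:
        return ["malformed-request-line"]
    _method, path, query = parsed
    ext = extension(path)
    findings = []
    if ext in INDEXING_EXTS:
        findings.append("ida-idq-request")
        # Code Red's request was a GET for a .ida resource carrying a
        # very long query string; a plain rule on length catches it.
        if len(query) > MAX_QUERY_LEN:
            findings.append("oversized-query")
        # Only with the mapping enabled does IIS hand the request to
        # the indexing ISAPI at all; removing it is the free fix.
        if ext in mappings:
            findings.append("reaches-indexing-isapi")
    return findings
```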

