Firewall Wizards mailing list archives
Re: NetBIOS over TCP/IP and Windows Sockets
From: Robert Graham <robert_david_graham () yahoo com>
Date: Mon, 26 Jul 1999 21:09:30 -0700 (PDT)
1) Are you asking about the dangers of exposing port 1521 to the Internet at large? In that case the answer is "there exists no known exploit for which the vendor doesn't have a patch, but there almost certainly exists an exploit that hasn't been discovered yet." Moreover, it is likely that the system will be misconfigured many times in such a way that a hacker can break into the system. (The answer is the same for any particular port/application you want to expose).

2) Are you asking about the dangers of exposing port 1521 on the server to only the DMZ (in other words, the rule allows only traffic between machine A on the DMZ to port 1521 on machine B internal)? This is a standard problem: exposed web servers accessing internal databases. This means that the database is only as secure as the server. Therefore, you should put the webserver behind a firewall, and even then it is likely not secure. All I need is port 80 open on your NT web servers and I could probably exploit the cfm, .htr, or RDO bugs in order to break into the server, compromising your database. Note that most firewalls will not protect against such exploits, but most IDS systems will at least detect the attempts against them.

The short answer: it's dangerous. Do it only if absolutely necessary, and then be very very paranoid.

Rob.

--- "C. K. Lung" <cklung () ica net> wrote:
We have a few NT servers and a BDC in a DMZ and would like to manage them behind a firewall. I am warned that I would create "vulnerabilities" myself by opening up some ports (135, 137, 138, 139?) to allow NetBIOS over TCP/IP traffic going through.

How dangerous is it to open up the port 1521 on a firewall to allow users to access an Oracle database through a web browser in a DMZ?

Could someone point me in the right direction to find out more technical information on these "dangers"? Any info is greatly appreciated.

Thanks,
C.K.
clung () hotmail com
===
Robert Graham
"Anxiously awaiting the millennium so I can start programming with 2-digits again."
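An added example, not part of the original post: a small rule-set audit that separates the two cases in the reply (port open to the Internet at large versus pinned from machine A in the DMZ to machine B inside) for the ports named in the thread. The rule syntax, the zone ranges and the sample addresses are constructed assumptions, not any firewall product's format.

```python
import ipaddress

# Ports named in the thread; service labels are the commonly assigned ones.
PORTS = {135: "MS RPC", 137: "NetBIOS-NS", 138: "NetBIOS-DGM",
         139: "NetBIOS-SSN", 1521: "Oracle listener"}

def net(spec):
    """Turn 'any', a host address, or a CIDR into an ip_network."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

def audit(rules_text, dmz, internal):
    """Return (line_no, level, message) for each permit rule touching PORTS."""
    dmz, internal = net(dmz), net(internal)
    findings = []
    for no, line in enumerate(rules_text.strip().splitlines(), 1):
        fields = line.split("#")[0].split()  # hypothetical syntax: permit proto src dst port
        if len(fields) != 5 or fields[0] != "permit":
            continue
        _, proto, src, dst, port = fields
        if not port.isdigit() or int(port) not in PORTS:
            continue
        src, dst, svc = net(src), net(dst), PORTS[int(port)]
        if not (src.subnet_of(dmz) or src.subnet_of(internal)):
            # Case 1 in the reply: exposed to the Internet at large.
            findings.append((no, "HIGH", f"{svc} reachable from outside the DMZ/internal ranges"))
        elif src.subnet_of(dmz) and dst.subnet_of(internal):
            # Case 2 in the reply: DMZ host talking to an internal server.
            if src.num_addresses == 1 and dst.num_addresses == 1:
                findings.append((no, "NOTE", f"{svc} pinned host-to-host; {dst[0]} is only as secure as {src[0]}"))
            else:
                findings.append((no, "WARN", f"{svc} DMZ-to-internal rule is wider than one host pair"))
        else:
            findings.append((no, "NOTE", f"{svc} permitted between trusted zones; confirm it is needed"))
    return findings

# Constructed sample rule set (documentation/private addresses, not from the thread).
SAMPLE = """
permit tcp any 192.0.2.10 80            # public web server
permit tcp any 10.1.1.20 1521           # case 1: database open to everyone
permit tcp 192.0.2.10 10.1.1.20 1521    # case 2: machine A -> machine B
permit tcp 192.0.2.0/24 10.0.0.0/8 139  # whole DMZ -> whole internal net
permit udp 10.1.1.5 192.0.2.0/24 137    # admin host managing DMZ servers
"""

if __name__ == "__main__":
    for no, level, msg in audit(SAMPLE, "192.0.2.0/24", "10.0.0.0/8"):
        print(f"rule {no}: {level}: {msg}")
```

Even the pinned host-to-host rule is reported, because it leaves the database depending on the security of the web server in front of it.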