Firewall Wizards mailing list archives

Re: NetBIOS over TCP/IP and Windows Sockets


From: Robert Graham <robert_david_graham () yahoo com>
Date: Mon, 26 Jul 1999 21:09:30 -0700 (PDT)

1) Are you asking about the dangers of exposing port 1521 to the Internet at
large? In that case the answer is "there exists no known exploit for which the
vendor doesn't have a patch, but there almost certainly exists an exploit that
hasn't been discovered yet." Moreover, it is likely that the system will be
misconfigured many times in such a way that a hacker can break into the system.
(The answer is the same for any particular port/application you want to
expose).

2) Are you asking about the dangers of exposing port 1521 on the server to only
the DMZ (in other words, the rule allows only traffic from machine A on the
DMZ to port 1521 on internal machine B)? This is a standard problem: exposed
web servers accessing internal databases. This means that the database is only
as secure as the server. Therefore, you should put the webserver behind a
firewall, and even then it is likely not secure. All I need is port 80 open on
your NT web servers and I could probably exploit the cfm, .htr, or RDO bugs in
order to break into the server, compromising your database. Note that most
firewalls will not protect against such exploits, but most IDS systems will at
least detect the attempts against them.

The short answer: it's dangerous. Do it only if absolutely necessary, and then
be very, very paranoid.

Rob.

--- "C. K. Lung" <cklung () ica net> wrote:
We have a few NT servers and a BDC in a DMZ and would like to manage them
from behind a firewall.  I am warned that I would create "vulnerabilities" myself
by opening up some ports (135, 137, 138, 139?) to allow NetBIOS over TCP/IP
traffic to go through.

How dangerous is it to open up port 1521 on a firewall to allow users to
access an Oracle database through a web browser in a DMZ?

Could someone point me in the right direction to find out more technical
information on these "dangers"?

Any info is greatly appreciated.

Thanks,

C.K.
clung () hotmail com



===
Robert Graham
"Anxiously awaiting the millennium so I can start programming
with 2-digits again."
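To make the two exposure scenarios in the reply concrete, here is a small first-match packet-filter model written for this archive page; it is an added illustration, not code from the post or from any firewall product, and the addresses, host names and rule syntax are constructed. Scenario 1 opens port 1521 on database B to everyone; scenario 2 allows only the DMZ web server A to reach B:1521. Evaluating a few probes shows the restricted policy blocking the Internet and other DMZ hosts, and also shows the point the reply makes: once A is compromised through port 80, A's allowed path to B:1521 is still allowed, so the database is only as secure as the web server.

```python
"""Model the two port-1521 exposure scenarios as first-match filter policies.

Added example for the Firewall Wizards thread; not code from the post.
Addressing (DMZ 192.0.2.0/24, internal 10.0.0.0/8, A and B) is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing: DMZ web server "A", internal Oracle server "B".
INTERNET = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.0.0.0/8")
WEB_A = ip_address("192.0.2.10")
DB_B = ip_address("10.0.0.5")
ORACLE_PORT = 1521


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: object            # ip_network() the source must fall in
    dst: object            # ip_network() the destination must fall in
    dport: Optional[int]   # None matches any destination port


def evaluate(policy, src, dst, dport):
    """Return the action of the first rule matching (src, dst, dport).

    Anything that matches no rule hits the implicit final deny, which is the
    default-deny stance a firewall should take.
    """
    src, dst = ip_address(src), ip_address(dst)
    for rule in policy:
        if src in rule.src and dst in rule.dst and rule.dport in (None, dport):
            return rule.action
    return "deny"


# Scenario 1 from the reply: port 1521 on B exposed to the Internet at large.
WIDE_OPEN = [
    Rule("allow", INTERNET, ip_network(f"{DB_B}/32"), ORACLE_PORT),
]

# Scenario 2: only the DMZ web server A may reach B:1521; everything else
# from the DMZ or the Internet into the internal network is denied.
DMZ_ONLY = [
    Rule("allow", ip_network(f"{WEB_A}/32"), ip_network(f"{DB_B}/32"), ORACLE_PORT),
    Rule("deny", DMZ, INTERNAL, None),
    Rule("deny", INTERNET, INTERNAL, None),
]

# Constructed probes: (source, destination, destination port).
PROBES = {
    "internet->B:1521": ("203.0.113.7", str(DB_B), ORACLE_PORT),
    "A->B:1521": (str(WEB_A), str(DB_B), ORACLE_PORT),
    "A->B:445": (str(WEB_A), str(DB_B), 445),
    "other DMZ host->B:1521": ("192.0.2.99", str(DB_B), ORACLE_PORT),
}


def exposure_report(policy, probes):
    """Evaluate every probe against a policy; returns {probe name: action}."""
    return {name: evaluate(policy, s, d, p) for name, (s, d, p) in probes.items()}


if __name__ == "__main__":
    for label, policy in (("WIDE_OPEN", WIDE_OPEN), ("DMZ_ONLY", DMZ_ONLY)):
        print(label)
        for name, action in exposure_report(policy, PROBES).items():
            print(f"  {name:<24} {action}")
```

The report for DMZ_ONLY denies the Internet source and the stray DMZ host, but "A->B:1521" is still "allow": the filter cannot tell a legitimate web-application query from the same connection made by an attacker who now owns A, which is why the reply recommends putting the web server itself behind a firewall and watching it with an IDS.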