Firewall Wizards mailing list archives

Re: nmap fun


From: Magosányi Árpád <mag () bunuel tii matav hu>
Date: Fri, 27 Oct 2000 11:06:59 +0200

My mail client thinks that Bret Watson wrote the following:

> Truly this is so - but the interesting bit is that nmap was finding
> xwindows, SNMP and other 'nice' services that would certainly attract a
> hacker.. but no proxy on the firewall was set for them..
>
> But you're right - run a netbios probe across a NT Gauntlet and you'll see
> some interesting info - even if the packet filters are supposed to be set
> to bar netbios traffic...
>
> Yep Marcus was right - by getting transparent proxies we traded a definite
> level of security and one should always remember that the standard textbook
> firewall config always includes a screening router (aka packet filter) in
> front - it's there for a reason guys!...

The packet filter is still logically in front. But on the same machine.


> Still it makes one truly uncomfortable trying to defend APs against packet
> filters when they become transparent to nmap..

We are talking about a reasonably good application proxy firewall which
is defended by a poor packet filter configured in a braindead manner.
This is what NAI did with Gauntlet.

But still; if you install a Gauntlet, rip off its various GUIs,
harden the underlying OS, use the native packet filter instead of
the one they have given to you,
configure it locally or through ssh using vi, you can get the
3rd or 4th best firewall on the market. It is magnitudes more
secure than any of the "market leader firewall"s
(which are not even firewalls).

-- 
GNU GPL: only from a pure source
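The check Bret describes doing by hand (ports nmap reports open on the firewall that no configured proxy accounts for) can be automated; this is an added example, not code from the thread or from Gauntlet. It parses constructed nmap grepable (-oG) output for a hypothetical firewall at 192.0.2.1 and diffs it against an assumed proxy list; host, sample output and proxy set are all constructed.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample of nmap grepable (-oG) output for a hypothetical
# proxy firewall (192.0.2.1 is a documentation address, not a real host).
SAMPLE_NMAP_OG = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.1 (fw.example.test)\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 161/open/udp//snmp///, 6000/open/tcp//X11///\tIgnored State: closed (65530)
"""

# Services the firewall is assumed to proxy (constructed for the example).
CONFIGURED_PROXIES: Set[Tuple[int, str]] = {(21, "tcp"), (23, "tcp"), (80, "tcp")}

# One -oG port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)/[^/]*/([^/]*)/")


def parse_grepable(text: str) -> Dict[Tuple[int, str], str]:
    """Return {(port, proto): service} for every port nmap reports as open."""
    found: Dict[Tuple[int, str], str] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # The Ports: field ends at the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                found[(int(port), proto)] = service or "unknown"
    return found


def unexplained_open_ports(scan: Dict[Tuple[int, str], str],
                           proxies: Set[Tuple[int, str]]) -> Dict[Tuple[int, str], str]:
    """Open ports with no proxy behind them: either the firewall host itself is
    answering (the transparent-proxy artefact discussed above) or the packet
    filter in front of it is more permissive than intended."""
    return {k: v for k, v in scan.items() if k not in proxies}


if __name__ == "__main__":
    for (port, proto), svc in sorted(
            unexplained_open_ports(parse_grepable(SAMPLE_NMAP_OG),
                                   CONFIGURED_PROXIES).items()):
        print(f"no proxy configured for {port}/{proto} ({svc})")
```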

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards