Re: SANS Top Ten and Commercial Firewalls

[Devdas Bhagat <dvb () users sourceforge net>]

On 02/10/02 14:27 -0400, Gary Flynn wrote:
> Being efficient (as opposed to being lazy :) I thought
> I'd pose a question here to a body of folks familiar with
> the firewall marketplace rather than scour individual 
> commercial web sites where details are often rare.
>
> Of the SANS "Twenty Most Critical Internet Security 
> Vulnerabilities" ( http://www.sans.org/top20 )
> how many are addressed by the majority of commercial 
> firewalls without resorting to blocking the associated 
> port and service entirely?
Well, rather than use a firewall, I would prefer a better software in
the first place. Fix the problem at the root.
 
> In other words, how many of them can detect and block
> things like:
>
> W1. IIS malicious requests for cmd.exe and sample files
>     and buffer overflows.
> W2. Requests for MDAC access
(Don't use IIS, or put Apache/Squid in front of it as a proxy).

> W3. Malicious SQL Server requests based on patched defects or
>     sa access without a password.
Change the default settings, apply patches, use another SQL server.

> W5. Null netbios access (as opposed to all netbios access)
> W6. Netbios sessions based on LM Hash.
> W7. Netbios sessions to accounts with no passwords.
This deserves a straight firewall block on ports if you need netbios
enabled on externally accessible boxen. Recommendation is don't use
netbios externally at all.

> W8. Malicious HTTP responses exploiting IE defects.
Don't use IE? Patch.

> W9. Remote Registry Access
> U1. Malicious RPC calls
Windows? Block the ports. Not much choice.

> U2. Malicious HTTP calls to Apache web servers exploiting the
>     OpenSSL or Apache chunk handling defects.
Use a proxy like zorp in front, or just stay up to date on patches.

> U3. Malicious SSH requests exploiting SSH defects.
Patch.

> U4. Malicious SNMP requests or requests with the community
>     name blank or equal to "public".
So don't use those settings, or move to SNMP v3 where possible.

> U5. Malicious requests to FTP servers exploiting wu-ftp defects.
proftpd, vsftpd, pureftpd

> U7. Malicious requests to the line printer daemon.
patch, cups

> U8. Malicious requests to sendmail.
Postfix/Qmail

> U9. Malicious requests to bind.
DJBDNS
 
> I know there will be variances and subsets but I was hoping
> to get some kind of general feeling for the overall coverage.
> If you know of a better place to pose the question, please
> let me know.
How about looking for relatively more bugfree software in the first
place? Make security a higher priority when deciding what to run? 
Talk to vendors about it?

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards