Firewall Wizards mailing list archives
Re: SANS Top Ten and Commercial Firewalls
From: Devdas Bhagat <dvb () users sourceforge net>
Date: Thu, 3 Oct 2002 04:07:47 +0530
On 02/10/02 14:27 -0400, Gary Flynn wrote:
> Being efficient (as opposed to being lazy :) I thought I'd pose a question here to a body of folks familiar with the firewall marketplace rather than scour individual commercial web sites where details are often rare. Of the SANS "Twenty Most Critical Internet Security Vulnerabilities" ( http://www.sans.org/top20 ) how many are addressed by the majority of commercial firewalls without resorting to blocking the associated port and service entirely?
Well, rather than use a firewall, I would prefer better software in the first place. Fix the problem at the root.
> In other words, how many of them can detect and block things like:
>
> W1. IIS malicious requests for cmd.exe and sample files and buffer overflows.
> W2. Requests for MDAC access
(Don't use IIS, or put Apache/Squid in front of it as a proxy).
> W3. Malicious SQL Server requests based on patched defects or sa access without a password.
Change the default settings, apply patches, use another SQL server.
> W5. Null netbios access (as opposed to all netbios access)
> W6. Netbios sessions based on LM Hash.
> W7. Netbios sessions to accounts with no passwords.
This deserves a straight firewall block on ports if you need netbios enabled on externally accessible boxen. Recommendation is don't use netbios externally at all.
> W8. Malicious HTTP responses exploiting IE defects.
Don't use IE? Patch.
> W9. Remote Registry Access
> U1. Malicious RPC calls
Windows? Block the ports. Not much choice.
> U2. Malicious HTTP calls to Apache web servers exploiting the OpenSSL or Apache chunk handling defects.
Use a proxy like zorp in front, or just stay up to date on patches.
> U3. Malicious SSH requests exploiting SSH defects.
Patch.
> U4. Malicious SNMP requests or requests with the community name blank or equal to "public".
So don't use those settings, or move to SNMP v3 where possible.
> U5. Malicious requests to FTP servers exploiting wu-ftp defects.
proftpd, vsftpd, pureftpd
> U7. Malicious requests to the line printer daemon.
Patch, CUPS.
> U8. Malicious requests to sendmail.
Postfix/Qmail
> U9. Malicious requests to bind.
DJBDNS
> I know there will be variances and subsets but I was hoping to get some kind of general feeling for the overall coverage. If you know of a better place to pose the question, please let me know.
How about looking for relatively more bug-free software in the first place? Make security a higher priority when deciding what to run? Talk to vendors about it?

Devdas Bhagat