Firewall Wizards mailing list archives

RE: MSBlast circumventing host firewall


From: Paul Robertson <proberts () patriot net>
Date: Mon, 18 Aug 2003 08:14:41 -0400 (EDT)

On Mon, 18 Aug 2003, Paul Matuszewski wrote:

> Aye,
> The reason you're seeing this is because of the actual use of winproxy.
> 
> It'll do the job at firewalling (per se) things to the inside interfaces,
> but it still hasn't taken care of the actual ports on the machine itself.
> You'll have to patch those bad boys up right away.  Fixing the issue with

Let's not forget that there's an alternative to patching in this case (as 
there was with Slammer for a lot of systems...)

Turning off DCOM on a host that doesn't need it is a good idea, and likely 
more protective than patching.  Now, obviously that means that the 
software on the box can't require DCOM, and I don't know what Winproxy 
uses, its name puts it right out of the universe of things I'd use ;)

> the open ports can be taken care of by removing windows networking and the
> related services to the port.  However, you might run into trouble with
> WinProxy failing because of it, not too familiar with the software here.

> That's why people use inline firewalls/filtering routers... just so you
> know.

[Ah ha!  One of my favorite soapboxes...]

At this stage in the game, I'd go so far as to say that every border 
router an organization owns should have filtering on it.  Anti-spoofing 
for sure, per-protocol allows for necessary protocols, and then per-port 
or stateful rules if you can get away with it.

Back when I had to secure a large enterprise for a living, and didn't want 
to try to put Firewall Feature Set[1] on my borders, I put two stateful 
packet filters between the firewalls and the routers, just to add an 
additional layer of protection; two relatively quick dual-NIC PCs in 
parallel cost about USD $1200 each at that point in time, now you could do 
it for half that for both.  Any of the free *nix OSes with their default 
packet filtering software would work (OpenBSD/pf, FreeBSD/ipfw or 
ipfilter, NetBSD/ipfilter, Linux/ipchains or iptables).  If you're really 
stuck for strangeness, some of the combinations will also do bridge-mode 
filtering.

Obviously, there are a multitude of commercial products that would also 
fit the bill here, but the firewall itself is likely to be one of those, 
and I'm a big fan of heterogeneous networking.
 
Paul
[1] I've got nothing against FFS (in fact, I like it), but back then it 
was new, and new doesn't go into my security infrastructure very often.  I 
also had an issue with rate of change on the borders, which were taking 
the load for the largest node of our biggest Web site, so adding filters 
to the corporate side of that equation made the most sense.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
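The layered border filter described in the post above (anti-spoofing first, then per-protocol allows, then stateful per-port rules) written out as an OpenBSD pf ruleset for one of the dual-NIC boxes sitting between the border router and the firewall. This is an added illustration, not configuration from the thread; the interface names, the 192.0.2.0/24 prefix and the three server addresses are assumptions for the example.

```pf
# Assumed interface names and addresses (example only).
ext_if  = "fxp0"          # faces the border router
int_if  = "fxp1"          # faces the firewall / corporate side
int_net = "192.0.2.0/24"  # assumed public prefix behind this filter
web_srv  = "192.0.2.10"
mail_srv = "192.0.2.25"
dns_srv  = "192.0.2.53"

# Sources that must never arrive from the Internet side.
table <bogons> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
                       172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }

set block-policy drop
set skip on lo0

# 1. Anti-spoofing: drop packets whose source does not belong on the
#    interface they arrived on, reserved/private sources from outside,
#    and anything claiming our own prefix as its source from outside.
antispoof quick for { $ext_if, $int_if }
block in  quick on $ext_if from <bogons> to any
block out quick on $ext_if from any to <bogons>
block in  quick on $ext_if from $int_net to any

# 2. Default deny in both directions; every rule below is an explicit allow.
block all

# 3. Per-protocol allow: only ICMP types the site actually needs.
pass in on $ext_if proto icmp icmp-type { echoreq, unreach } keep state

# 4. Per-port, stateful allows for the published services only.  DCOM/RPC
#    and Windows networking ports never appear here, so they fall under
#    the default deny regardless of what hosts behind the filter expose.
pass in on $ext_if proto tcp from any to $web_srv  port { 80, 443 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail_srv port 25 flags S/SA keep state
pass in on $ext_if proto { tcp, udp } from any to $dns_srv port 53 keep state

# Sessions initiated from inside are tracked by state, so replies are
# matched to an existing state entry rather than to an open return port.
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if proto { tcp, udp, icmp } from $int_net to any keep state
pass out on $int_if to $int_net keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the state table that the stateful rules populate.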