Firewall Wizards mailing list archives
RE: MSBlast circumventing host firewall
From: Paul Robertson <proberts () patriot net>
Date: Mon, 18 Aug 2003 08:14:41 -0400 (EDT)
On Mon, 18 Aug 2003, Paul Matuszewski wrote:
> Aye, the reason you're seeing this is because of the actual use of WinProxy. It'll do the job at firewalling (per se) things to the inside interfaces, but it still hasn't taken care of the actual ports on the machine itself. You'll have to patch those bad boys up right away. Fixing the issue with
Let's not forget that there's an alternative to patching in this case (as there was with Slammer for a lot of systems...) Turning off DCOM on a host that doesn't need it is a good idea, and likely more protective than patching. Now, obviously that means that the software on the box can't require DCOM, and I don't know what WinProxy uses; its name puts it right out of the universe of things I'd use ;)
> the open ports can be taken care of by removing Windows networking and the related services to the port. However, you might run into trouble with WinProxy failing because of it; not too familiar with the software here. That's why people use inline firewalls/filtering routers... just so you know.
[Ah ha! One of my favorite soapboxes...]

At this stage in the game, I'd go so far as to say that every border router an organization owns should have filtering on it. Anti-spoofing for sure, per-protocol allows for necessary protocols, and then per-port or stateful rules if you can get away with it.

Back when I had to secure a large enterprise for a living, and didn't want to try to put Firewall Feature Set[1] on my borders, I put two stateful packet filters between the firewalls and the routers, just to add an additional layer of protection. Two relatively quick dual-NIC PCs in parallel cost about USD $1200 each at that point in time; now you could do it for half that for both. Any of the free *nix OSes with their default packet filtering software would work (OpenBSD/pf, FreeBSD/ipfw or ipfilter, NetBSD/ipfilter, Linux/ipchains or iptables). If you're really stuck for strangeness, some of the combinations will also do bridge-mode filtering.

Obviously, there are a multitude of commercial products that would also fit the bill here, but the firewall itself is likely to be one of those, and I'm a big fan of heterogeneous networking.

Paul

[1] I've got nothing against FFS (in fact, I like it,) but back then it was new, and new doesn't go into my security infrastructure very often. I also had an issue with rate of change on the borders, which were taking the load for the largest node of our biggest Web site, so adding filters to the corporate side of that equation made the most sense.

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment
TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
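The layered border filter Paul describes above (anti-spoofing first, then per-protocol allows, then per-port stateful rules) written out as an OpenBSD pf ruleset. This is an added example, not from the original post or from any product named in the thread; the interface names, the 192.0.2.0/24 internal block and the two published servers are assumptions chosen for illustration. The explicit drop of the Microsoft RPC/NetBIOS/SMB ports reflects standard border practice; TCP 135 is the DCOM endpoint mapper the worm in this thread attacks.

```pf
# Added example: border packet filter in pf syntax (assumed topology).
# Three layers, in order: anti-spoofing, per-protocol allows, stateful
# per-port allows. Everything not explicitly passed is dropped and logged.

ext_if  = "em0"              # assumed: faces the border router / ISP
int_if  = "em1"              # assumed: faces the firewall / corporate side
int_net = "192.0.2.0/24"     # assumed internal block (documentation range)
www_srv = "192.0.2.10"       # assumed public web server
mail_srv = "192.0.2.25"      # assumed inbound SMTP relay

# Source addresses that can never legitimately arrive from the outside.
table <bogons> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                       172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 }

# Windows RPC/DCOM endpoint mapper, NetBIOS and SMB: never cross a border.
ms_ports = "{ 135, 137, 138, 139, 445 }"

# Only the external interface is filtered; state is created there for
# traffic leaving the inside, so the internal interface needs no rules.
set skip on { lo0 $int_if }

# Layer 0: default deny in both directions, logged.
block log all

# Layer 1: anti-spoofing. antispoof generates drops for packets that
# claim an interface's own network on the wrong interface; the bogon
# table catches private/reserved sources from the Internet side.
antispoof quick for { $ext_if $int_if }
block in  quick on $ext_if from <bogons> to any
block out quick on $ext_if from any to <bogons>

# Explicit per-port drop ahead of any allow, so a later, broader pass
# rule can never reopen these by accident.
block quick on $ext_if proto { tcp udp } from any to any port $ms_ports

# Layer 2: per-protocol allows. ICMP is restricted to the types that
# diagnostics and path MTU discovery actually need.
pass in on $ext_if inet proto icmp icmp-type { echoreq, unreach } keep state

# Layer 3: stateful per-port allows for the services published outside.
# Only a SYN may create state (flags S/SA), so stray mid-stream packets
# that match no existing state are dropped by the default deny.
pass in on $ext_if proto tcp from any to $www_srv  port { 80, 443 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail_srv port 25          flags S/SA keep state

# Outbound: the inside may initiate connections; replies ride the state.
pass out on $ext_if proto { tcp udp } from $int_net to any keep state
pass out on $ext_if inet proto icmp   from $int_net to any keep state
```

Syntax-check before loading with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. The same file serves the bridge-mode deployment mentioned above: put the two NICs in a bridge(4) and keep the rules on the member interface facing the router, since pf filters bridged packets on the interface they arrive on. For the Linux/iptables or FreeBSD/ipfw boxes Paul lists, the rule order (anti-spoof and bogon drops first, explicit port drops next, narrow stateful allows last, default deny throughout) carries over unchanged even though the syntax does not.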
Current thread:
- MSBlast circumventing host firewall Josh Welch (Aug 17)
- RE: MSBlast circumventing host firewall Paul Matuszewski (Aug 18)
- RE: MSBlast circumventing host firewall Paul Robertson (Aug 18)
- RE: MSBlast circumventing host firewall Paul Matuszewski (Aug 18)