Firewall Wizards mailing list archives

RE: terminal services


From: "Noonan, Wesley" <Wesley_Noonan () bmc com>
Date: Tue, 28 Jan 2003 16:23:58 -0600

I am not trying to pick on anyone here, but I have some
comments/observations inline.

Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan () bmc com
http://www.bmc.com


-----Original Message-----
From: Steven M. Bellovin [mailto:smb () research att com]
Sent: Tuesday, January 28, 2003 15:02
To: natfirewall () netscape net
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] terminal services
<snip>

Note -- I'm *not* saying that just because it's Microsoft.  Rather, I'm
pointing out the danger of opening extra holes in your firewall.  Ask
yourself this:  how did Microsoft (and others) get the infection on the
*inside* of its firewall?  

Through things like VPN connections in many cases. In others, you are
certainly correct that opened ports didn't help anything. My point is simply
that a VPN is a hole in the firewall, albeit generally a mitigated hole,
which carries many of the same risks as if someone was just punching holes
through the firewall anyway.
The issue isn't just that people inside
didn't patch their machines (though by my analysis, to a first
approximation virtually every machine they own was likely to be
vulnerable)

I actually disagree here. The issue with slammer/sapphire is precisely that
people didn't patch their machines. Let's review some of the recent history.

1) Code Red. IIRC the patch against code red had been released almost 2
months before Code Red hit, yet so many systems were still vulnerable.
2) Nimda. Same thing. The patch against Nimda had been out for quite some
time as well.
3) Slammer/sapphire. The patch against slammer/sapphire was released in July
of *last* year. We are talking about a patch that is well over 6 months old,
IOW, a mature patch. That it was not applied in so many places is just
embarrassing, especially after Code Red and Nimda.

; rather, it's that there was a hole.  Most likely, there
was more than one hole, but it only took one, given how virulent this
worm was.

No doubt, but the holes are secondary to what I believe the root problem is,
which is laziness on the part of users, admins and vendors to apply patches
in a timely fashion. I fully realize the costs of development, etc. but far
too many people seem to think that once they install something, their
responsibility is over. Patching systems is something that should be
reviewed in the weekly security meetings and the patches should be applied
on a regular and timely basis.

Now I also realize that people sometimes can't apply a patch because "vendor
A says that their software hasn't been tested against that patch", but this
is where the vendor culpabilities lie. Vendors need to stop sticking their
heads in the sand or waiting for months to years for platform testing
support (including spot checking for patches) which only leaves their
customers vulnerable. It is irresponsible computing on so many levels that I
think it takes away from the problem to simplify it as "don't open holes in
your firewall". 

Anyway, enough from me. Again, not trying to pick on anyone here, but this
has been a frequent conversation for me of late and I figured I would toss
it out to the list as food for thought. Thanks.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

