Firewall Wizards mailing list archives
RE: terminal services
From: "Noonan, Wesley" <Wesley_Noonan () bmc com>
Date: Tue, 28 Jan 2003 16:23:58 -0600
I am not trying to pick on anyone here, but I have some comments/observations inline. Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+ Senior QA Rep. BMC Software, Inc. (713) 918-2412 wnoonan () bmc com http://www.bmc.com
-----Original Message----- From: Steven M. Bellovin [mailto:smb () research att com] Sent: Tuesday, January 28, 2003 15:02 To: natfirewall () netscape net Cc: firewall-wizards () honor icsalabs com Subject: Re: [fw-wiz] terminal services
<snip>
Note -- I'm *not* saying that just because it's Microsoft. Rather, I'm pointing out the danger of opening extra holes in your firewall. Ask yourself this: how did Microsoft (and others) get the infection on the *inside* of its firewall?
Through things like VPN connections in many cases. In others, you are certainly correct that opened ports didn't help anything. My point is simply that a VPN is a hole in the firewall, albeit generally a mitigated hole, which carries many of the same risks as if someone was just punching holes through the firewall anyway.
The issue isn't just that people inside didn't patch their machines (though by my analysis, to a first approximation virtually every machine they own was likely to be vulnerable)
I actually disagree here. The issue with slammer/sapphire is precisely that people didn't patch their machines. Let's review some of the recent history. 1) Code Red. IIRC the patch against code red had been released almost 2 months before Code Red hit, yet so many systems were still vulnerable. 2) Nimda. Same thing. The patch against Nimda had been out for quite some time as well. 3) Slammer/sapphire. The patch against slammer/sapphire was released in July of *last* year. We are talking about a patch that is well over 6 months old, IOW, a mature patch. That it was not applied in so many places is just embarrassing, especially after Code Red and Nimda.
; rather, it's that there was a hole. Mostly likely, there was more than one hole, but it only took one, given how virulent this worm was.
No doubt, but the holes are secondary to what I believe the root problem is, which is laziness on the part of users, admins and vendors to apply patches in a timely fashion. I fully realize the costs of development, etc. but far too many people seem to think that once they install something, their responsibility is over. Patching systems is something that should be reviewed in the weekly security meetings and the patches should be applied on a regular and timely basis. Now I also realize that people sometimes can't apply a patch because "vendor A says that their software hasn't been tested against that patch", but this is where the vendor culpabilities lie. Vendors need to stop sticking their heads in the sand or waiting for months to years for platform testing support (including spot checking for patches) which only leaves their customers vulnerable. It is irresponsible computing on so many levels that I think it takes away from the problem to simplify it as "don't open holes in your firewall". Anyway, enough from me. Again, not trying to pick on anyone here, but this has been a frequent conversation for me of late and I figured I would toss it out to the list as food for thought. Thanks. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- terminal services natfirewall (Jan 28)
- Re: terminal services R. DuFresne (Jan 28)
- Re: terminal services Don Kendrick (Jan 28)
- Re: terminal services Paul D. Robertson (Jan 28)
- Re: terminal services David Lang (Jan 28)
- Re: terminal services Duncan Sharp (Jan 28)
- Re: terminal services Paul D. Robertson (Jan 28)
- <Possible follow-ups>
- RE: terminal services Noonan, Wesley (Jan 28)
- Re: terminal services Steven M. Bellovin (Jan 28)
- RE: terminal services Noonan, Wesley (Jan 28)
- RE: terminal services R. DuFresne (Jan 28)
- RE: terminal services Paul D. Robertson (Jan 28)
- Re: terminal services Barney Wolff (Jan 28)
- RE: firewall design (was: RE: terminal services ) m p (Jan 29)
- RE: terminal services R. DuFresne (Jan 28)
- RE: terminal services Paul D. Robertson (Jan 28)
- RE: terminal services R. DuFresne (Jan 28)
- Message not available
- RE: terminal services Marcus J. Ranum (Jan 28)
- Re: terminal services Barney Wolff (Jan 29)