Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: Timothy Shea <tim () tshea net>
Date: Wed, 28 Nov 2007 15:37:44 -0600
I ran into a situation at a client a year ago in which bots weren't infecting a client workstation - they were infecting a piece of manufacturing equipment making "Really Important and Delicate Stuff" that was installed by a vendor. The interface was built on top of Windows 2000. This machine managed to infect a nearby oscilloscope whose OS also happened to be Windows 2000. Combine that with their "default outbound policy", the company was DDoSing itself and whoever the intended target was for that day. These two machines out of the tens of thousands connected to this network would effectively take out the primary and the backup firewalls at random times during the day.

The mitigation had nothing to do with firewalls but involved changes in network architecture, increased monitoring, changes in process and bitch slapping a few people.

I would have found the whole situation amusing if I wasn't crying.

On Nov 27, 2007, at 11:07 PM, Darren Reed wrote:
Paul D. Robertson wrote:

On Tue, 27 Nov 2007, Paul Melson wrote:

in both directions. State tables allow your firewall to have a deny-all default inbound policy and an allow-all default outbound policy. They allow

With today's proliferation of Trojans and Spyware, anyone with a Windows user population above three who has an allow-all default outbound policy is an idiot and populations of one to three are likely candidates for the club if not associate members.

To give you an idea of how bad this problem is, I recently did a fresh install of Microsoft Windows XP + Service pack 2 (I hadn't caught up with all of the patches yet) and experimented with surfing the Internet like a normal user - default security settings for Internet Exploder.

Half a dozen web sites later - no more - and spyware had installed itself into winlogin. Removal? Safest bet will be a format.

How did it get there? I suspect some popup ad with nasty javascript/activex.

Now what percentage of the Internet population does this represent?

Port 80/443 restrictions mean nothing.

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards