Full Disclosure mailing list archives
RE: Flawed arguments (Was all that other crap about PFW day)
From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 15 Jan 2004 22:38:49 -0600
--On Friday, January 16, 2004 4:14 AM +0100 Erik van Straten <emvs.fd.3FB4D11C () cpo tn tudelft nl> wrote:
> "Chris Harrington" <cmh () nmi net>:
>> So do you expect Annie to fix these broken locks or doors??
> Nope. Annie is not reading this list. Microsoft probably does.

I had to laugh at this. Do you seriously think Microsoft has employees reading this list? I doubt it. In fact I issue a challenge right now. If *anyone* who works at MS is reading this list, respond when you read this. If you don't want to do so publicly, you can email me and I will notify the list. (David, are you there?)

>> What you are saying is that you would not need a wall if the locks worked properly??
> Nope. What I'm saying is that the doors to the Internet shouldn't have been there by default (135-139, 445, 1026-1030, RDP, UPnP etc. - run netstat)

Oh, I get it. You mean like NFS, X Windows, RPC, portmap, finger, chargen, rlogin, rsh, ftp, like those sorts of things? The things that Unix had almost 20 years to disable in the default install before they finally did? That sort of stuff?

>> This translates to not needing a firewall if the OS flaws are fixed.
> Nope. It translates to not needing simple PFW's -for ingress traffic- if there are no listening ports. Flaws shouldn't have been there in the first place, and any found should be fixed ASAP%001.

Well, hell, let's ban iptables, ipfw, pf, ipchains, et al. from "workstation" installs of *nix. After all, *nix is secure out of the box, right? And PFW's just give people a false sense of security anyway, right?

> Yep. But flaws have been found in PFW's, and they do provide a false sense of security.

You mean like this? <http://www.shmoo.com/mail/bugtraq/apr01/msg00028.shtml> or this? <http://www.blu.org/pipermail/discuss/1999-July/030040.html> or this? <http://www.ciac.org/ciac/bulletins/l-029.shtml> or this? <http://www.openbsd.org/errata28.html#ipf_frag>

Of course, I'm absolutely *certain* that there isn't a single *nix user who thinks they're more secure with a firewall enabled. Oh wait, Dan, who doesn't even use AV because he uses Unix, pointed out that *nix firewalls are now enabled by default (obviously making the OS more secure, right?)

The irony is overwhelming me.

> With ABS you can drive much closer to the car in front of you. With AV and a PFW people tend to believe it is safe to run any exe (or hta). Marketing helps make people believe this.

I have to agree with you here. It's been made obvious to me by the posts today in this thread.

> Nope. I want all unused ports closed. For inbound connections, there's no point blocking 80/tcp if you run a public webserver, right? However, permitting access to selected IP's, combined with stateful inspection, (provided you can trust all boxes behind your router)

Here's the only hint I'm going to give you. YOU CAN'T.

> from connecting to certain ports (like DNS), may help. However I do not see any advantage for Annie's free/cheap PFW here.

You must run a network of one.

>> Windows, Linux, BSD all have services / ports listening by default...
> I've never run BSD. Which way-back-when flavor of Linux are you using? With Trustix, out of the box only postfix listens (to 127.0.0.1). Annie could *learn* how to edit inetd.conf. Or I, or someone like me, or you, could help her. However, we cannot disable RPC in XP, and I cannot configure it such that it doesn't listen to the Internet iface. You guys just don't seem to get the point.

Annie can learn inetd.conf but not Windows PFWs? What planet is Annie from? What planet are you from? You can't disable RPC? Please! Search the FD archives.

>> The point is the PFW makes it possible for the home user to limit their exposure without having a great deal of technical expertise. Is it perfect? No. But it is an improvement over having nothing between Annie and the Internet.
> Maybe. But many people (and companies) have not patched DCOM because they thought they were safe behind their firewall. Also apparently they don't run AV; lots have been hit by blaster or nachi after someone plugged in an infected notebook. My fear is that PFW's will have people postpone patching, and not upgrade their AV license when it expires.

Which would change things how? Exactly?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
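The argument above (no externally reachable listeners means no need for an ingress-filtering PFW; Trustix's postfix bound only to 127.0.0.1 versus XP's 135/445 on every interface) can only be checked by looking at what actually listens. As an added example that is not part of the thread, this Python parses `netstat` output in both the Linux (`netstat -tuln`) and Windows (`netstat -an`) layouts the posters were comparing and separates loopback-only binds from externally reachable ones; the sample output and its addresses are constructed.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample (RFC 5737 addresses, not real hosts): Linux 'netstat -tuln'
# lines followed by Windows 'netstat -an' lines, so both layouts are exercised.
SAMPLE_NETSTAT = """\
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           0.0.0.0:*               LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
udp        0      0 0.0.0.0:5353            0.0.0.0:*
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    192.0.2.20:3389        198.51.100.9:1055      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One pattern covers both layouts: Linux has Recv-Q/Send-Q columns, Windows does not.
_LINE = re.compile(
    r"^\s*(?P<proto>tcp|udp)6?\s+(?:\d+\s+\d+\s+)?"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+(?:\s+(?P<state>\S+))?\s*$",
    re.IGNORECASE,
)

Listener = namedtuple("Listener", "proto addr port exposed")

def _is_exposed(addr: str) -> bool:
    """Wildcard binds and non-loopback addresses are reachable from the network."""
    if addr in ("*", "0.0.0.0", "::"):
        return True
    return not ipaddress.ip_address(addr).is_loopback

def parse_listeners(text: str) -> list:
    """Return every listening socket; UDP has no state, so every UDP bind counts."""
    found = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # headers and unparseable lines
        proto, state = m["proto"].lower(), (m["state"] or "").upper()
        if proto == "tcp" and state not in ("LISTEN", "LISTENING"):
            continue  # ESTABLISHED, TIME_WAIT, ... are connections, not doors
        found.append(Listener(proto, m["addr"], int(m["port"]), _is_exposed(m["addr"])))
    return found

def exposed_ports(text: str) -> list:
    """Sorted (proto, port) pairs an ingress filter would actually have to cover."""
    return sorted({(l.proto, l.port) for l in parse_listeners(text) if l.exposed})
```

On a real host, feed it the live output (`netstat -tuln` or `netstat -an`) instead of `SAMPLE_NETSTAT`; an empty result from `exposed_ports` is the "no listening ports" state the thread describes.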
Current thread:
- UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause] http-equiv () excite com (Jan 14)
- Re: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause] Erik van Straten (Jan 15)
- Re: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause] Mary Landesman (Jan 15)
- Re: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause] Ron DuFresne (Jan 15)
- Re: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause] Ron DuFresne (Jan 15)
- Re: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause] Kenton Smith (Jan 15)
- RE: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause] Chris Harrington (Jan 15)
- RE: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause] Erik van Straten (Jan 15)
- RE: Flawed arguments (Was all that other crap about PFW day) Paul Schmehl (Jan 15)
- RE: Flawed arguments (Was all that other crap about PFW day) Erik van Straten (Jan 16)
- Re: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause] Mary Landesman (Jan 15)
- Re: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause] Erik van Straten (Jan 15)
- Re: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause] Mary Landesman (Jan 15)
- Re: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause] Ron DuFresne (Jan 15)
- Re: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause] Kenton Smith (Jan 15)
- Re: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause] Ron DuFresne (Jan 16)
- Re: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause] Mary Landesman (Jan 15)
- <Possible follow-ups>
- Re: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause] Mike Shaw (Jan 15)
- netlux.org down? :-( Exibar (Jan 15)