Full Disclosure mailing list archives

RE: Flawed arguments (Was all that other crap about PFW day)


From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 15 Jan 2004 22:38:49 -0600

--On Friday, January 16, 2004 4:14 AM +0100 Erik van Straten <emvs.fd.3FB4D11C () cpo tn tudelft nl> wrote:

"Chris Harrington" <cmh () nmi net>:
So do you expect Annie to fix these broken locks or doors??

Nope. Annie is not reading this list. Microsoft probably does.

I had to laugh at this. Do you seriously think Microsoft has employees reading this list? I doubt it. In fact I issue a challenge right now. If *anyone* who works at MS is reading this list, respond when you read this. If you don't want to do so publicly, you can email me and I will notify the list. (David, are you there?)

What you are saying is that you would not need a wall if the locks
worked properly??

Nope. What I'm saying is that the doors to the Internet shouldn't have
been there by default (135-139, 445, 1026-1030, RDP, UPnP etc. - run
netstat)

Oh, I get it. You mean like NFS, X Windows, RPC, portmap, finger, chargen, rlogin, rsh, ftp, like those sorts of things? The things that Unix had almost 20 years to disable in the default install before they finally did? That sort of stuff?

This translates to not needing a firewall if the OS flaws are fixed.

Nope. It translates to not needing simple PFW's -for ingress traffic-
if there are no listening ports. Flaws shouldn't have been there in the
first place, and any found should be fixed ASAP.

Well, hell, let's ban iptables, ipfw, pf, ipchains, et al. from "workstation" installs of *nix. After all, *nix is secure out of the box, right? And PFW's just give people a false sense of security anyway, right?

Yep. But flaws have been found in PFW's, and they do provide a false
sense of security.

You mean like this?
<http://www.shmoo.com/mail/bugtraq/apr01/msg00028.shtml>
or this?
<http://www.blu.org/pipermail/discuss/1999-July/030040.html>
or this?
<http://www.ciac.org/ciac/bulletins/l-029.shtml>
or this?
<http://www.openbsd.org/errata28.html#ipf_frag>

Of course, I'm absolutely *certain* that there isn't a single *nix user who thinks they're more secure with a firewall enabled. Oh wait, Dan, who doesn't even use AV because he uses Unix, pointed out that *nix firewalls are now enabled by default (obviously making the OS more secure, right?).

The irony is overwhelming me.

With ABS you can drive much closer to the car in
front of you. With AV and a PFW people tend to believe it is safe to
run any exe (or hta). Marketing helps make people believe this.

I have to agree with you here. It's been made obvious to me by the posts today in this thread.

Nope. I want all unused ports closed. For inbound connections, there's
no point blocking 80/tcp if you run a public webserver, right? However,
permitting access to selected IP's, combined with stateful inspection,
(provided you can trust all boxes behind your router)

Here's the only hint I'm going to give you. YOU CAN'T.

from connecting
to certain ports (like DNS), may help. However I do not see any
advantage for Annie's free/cheap PFW here.

You must run a network of one.

Windows, Linux, BSD all have services / ports listening by default...

I've never run BSD. Which way-back-when flavor of Linux are you using?
With Trustix, out of the box only postfix listens (to 127.0.0.1).

Annie could *learn* how to edit inetd.conf. Or I, or someone like me,
or you, could help her. However, we cannot disable RPC in XP, and I
cannot configure it such that it doesn't listen to the Internet iface.
You guys just don't seem to get the point.

Annie can learn inetd.conf but not Windows PFWs? What planet is Annie from? What planet are you from? You can't disable RPC? Please! Search the FD archives.

The point is the PFW makes it possible for the home user to limit
their exposure without having a great deal of technical expertise. Is
it perfect? No. But it is an improvement over having nothing between
Annie and the Internet.

Maybe. But many people (and companies) have not patched DCOM because
they thought they were safe behind their firewall. Also apparently they
don't run AV; lots have been hit by blaster or nachi after someone
plugged in an infected notebook. My fear is that PFW's will have people
postpone patching, and not upgrade their AV license when it expires.

Which would change things how? Exactly?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
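The exchange above turns on what `netstat` shows: Erik's position is that a box with no listeners on a non-loopback address needs no ingress PFW, and Paul's counter is that every OS has shipped with such listeners. The check both are arguing about is easy to automate. The following is an added example, not code from either poster: it parses netstat-style text from both Linux (`netstat -tuln` layout, with Recv-Q/Send-Q columns) and Windows (`netstat -an` layout, state reads LISTENING) and classifies each listener by the address it is bound to. Both samples are constructed for the example and are not output from any host in the thread; the ports are chosen to mirror the ones Erik lists. On a current Linux box one would feed it `ss -tuln` output, whose columns differ slightly, so treat the column handling as an assumption about netstat's format only.

```python
"""Classify netstat-style listeners by the address they are bound to."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in Linux `netstat -tuln` layout (not real output from
# any host in the thread); ports chosen to mirror the ones Erik lists.
LINUX_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3389            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:1900            0.0.0.0:*
"""

# Constructed sample in Windows `netstat -an` layout: no queue columns, the
# state column reads LISTENING, and UDP rows carry no state at all.
WINDOWS_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1031      64.4.12.5:80           ESTABLISHED
  UDP    0.0.0.0:1900           *:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"
    addr: str    # local address exactly as netstat printed it
    port: int
    scope: str   # "loopback", "wildcard" or "specific"


# "addr:port"; addr itself may contain ':' for IPv6 (e.g. ":::22"), so the
# address part is greedy and the port is the trailing digit run.
_ENDPOINT_RE = re.compile(r"^(.*):(\d+)$")


def _scope(addr: str) -> str:
    """Wildcard binds reach every interface; loopback binds are local-only."""
    if addr in ("0.0.0.0", "::", "*", ""):
        return "wildcard"
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return "specific"  # a hostname or something else we cannot parse
    return "loopback" if ip.is_loopback else "specific"


def parse_listeners(text: str) -> List[Listener]:
    """Parse Linux or Windows netstat text; keep TCP listening rows and all UDP rows."""
    found: List[Listener] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].lower().startswith(("tcp", "udp")):
            continue  # banner, header or blank line
        proto = parts[0].lower()[:3]  # tcp6/udp6 collapse to tcp/udp
        # An established TCP connection is not a listener and is not exposure.
        if proto == "tcp" and parts[-1].upper() not in ("LISTEN", "LISTENING"):
            continue
        # The local endpoint is the first "addr:port" token after the protocol;
        # this skips the Recv-Q/Send-Q counters Linux prints and Windows omits.
        local = next((p for p in parts[1:] if _ENDPOINT_RE.match(p)), None)
        if local is None:
            continue
        addr, port = _ENDPOINT_RE.match(local).groups()
        found.append(Listener(proto, addr, int(port), _scope(addr)))
    return found


def exposed_ports(listeners: List[Listener]) -> List[Tuple[str, int]]:
    """(proto, port) pairs reachable from off-host, i.e. anything not bound to loopback."""
    return sorted({(l.proto, l.port) for l in listeners if l.scope != "loopback"})


if __name__ == "__main__":
    for name, sample in (("linux", LINUX_SAMPLE), ("windows", WINDOWS_SAMPLE)):
        ls = parse_listeners(sample)
        print(f"{name}: {len(ls)} listeners, exposed: {exposed_ports(ls)}")
```

Only the loopback-bound rows (25 on the Linux sample, 1026 on the Windows one) drop out of `exposed_ports`; a bind to a specific interface address such as 192.168.1.10:139 still counts as exposed, since whether that interface faces the Internet is exactly what the netstat line cannot tell you.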