Full Disclosure mailing list archives
Re: Sony: No firewall and no patches
From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Tue, 10 May 2011 05:07:39 +0000
On May 10, 2011, at 6:03 AM, Thor (Hammer of God) wrote:

> Maybe they should call that "You don't have to patch" genius!

Stateful firewalls have no place in front of servers, where every incoming request is unsolicited, and therefore there is no state to inspect in the first place. Stateful firewalls in front of servers merely serve as DDoS chokepoints due to the large amount of unnecessary state they instantiate. Instead, network access policies for servers should be implemented utilizing stateless ACLs on hardware-based routers and/or layer-3 switches capable of handling mpps of traffic.

Keeping OSes and apps/services up-to-date with patches and configured securely is extremely important, of course; and network access policies should be implemented per the above. But blindly sticking stateful firewalls in places where there's no state to inspect and where they actually do more harm than good in terms of actual security posture isn't a solution.

Where stateful firewalls in front of Web servers are incorrectly mandated by various regulatory frameworks, making use of mod_security or its equivalent on the Web servers themselves ensures compliance without creating a DDoS chokepoint.

See <http://www.nanog.org/meetings/nanog48/presentations/Monday/Kaeo_FilterTrend_ISPSec_N48.pdf> and <http://www.eweek.com/index2.php?option=content&task=view&id=66503&pop=1&hide_ads=1&page=0&hide_js=1&catid=45> for more details on this particular sub-topic.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

The basis of optimism is sheer terror.

-- Oscar Wilde
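The state-table argument above, as an added model that is not part of the original post or of any product Roland references. It contrasts a per-packet stateless ACL for a web server (including the classic router "established" match on ACK/RST bits) with a minimal stateful device whose connection table has a hard capacity, then feeds a constructed burst of unsolicited SYNs through both. All addresses are constructed from the RFC 5737 documentation ranges; the rule set, table capacity and packet counts are assumptions chosen for illustration.

```python
"""Added model: stateless ACL versus a bounded stateful connection table in
front of a web server.  All addresses are constructed (RFC 5737 ranges)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SERVER = "198.51.100.10"    # the protected web server (constructed)
RESOLVER = "198.51.100.53"  # the recursive resolver the server may query (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flag names present, e.g. frozenset({"SYN"})


def _established(p: Packet) -> bool:
    # The classic router ACL "established" match: ACK or RST bit set.  It lets
    # replies to connections the server itself opened come back without any
    # state table; the trade-off is that it trusts the flag bits on the wire.
    return p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})


# Inbound ACL for the server, first match wins.  Nothing here remembers flows.
Rule = Tuple[str, Callable[[Packet], bool]]
INBOUND_ACL: List[Rule] = [
    ("permit", lambda p: p.dst == SERVER and p.proto == "tcp" and p.dport in (80, 443)),
    ("permit", lambda p: p.dst == SERVER and _established(p)),
    ("permit", lambda p: p.dst == SERVER and p.proto == "udp"
                         and p.src == RESOLVER and p.sport == 53),
    ("deny",   lambda p: True),
]


def stateless_decision(acl: List[Rule], p: Packet) -> str:
    """Per-packet lookup: cost is bounded by the rule count, independent of load."""
    for action, match in acl:
        if match(p):
            return action
    return "deny"


class StatefulFirewall:
    """Minimal model of a stateful device: every permitted new flow allocates a
    table entry, and the table has a hard capacity (an assumed figure)."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.table: Dict[tuple, str] = {}

    def _is_new_web_flow(self, p: Packet) -> bool:
        return (p.dst == SERVER and p.proto == "tcp" and p.dport in (80, 443)
                and "SYN" in p.flags and "ACK" not in p.flags)

    def decision(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        if key in self.table:
            return "permit"                  # mid-flow packet of a known connection
        if not self._is_new_web_flow(p):
            return "deny"                    # unsolicited and not a permitted opener
        if len(self.table) >= self.capacity:
            return "drop-table-full"         # the chokepoint: legitimate openers lost too
        self.table[key] = "SYN_RECEIVED"     # held until a timeout the burst never lets expire
        return "permit"


def run_scenario(capacity: int = 1000, flood_packets: int = 2000) -> dict:
    """Feed a constructed burst of unsolicited SYNs (unique source ports, so each
    packet is a distinct 5-tuple) through both models, then try one legitimate
    client SYN and report what each model does with it."""
    flood = [Packet(f"203.0.113.{i % 250 + 1}", SERVER, "tcp", 1024 + i, 80,
                    frozenset({"SYN"})) for i in range(flood_packets)]
    legit = Packet("192.0.2.7", SERVER, "tcp", 51515, 443, frozenset({"SYN"}))

    fw = StatefulFirewall(capacity)
    for p in flood:
        fw.decision(p)
    stateless_flood = [stateless_decision(INBOUND_ACL, p) for p in flood]
    return {
        "stateful_entries": len(fw.table),
        "stateful_legit": fw.decision(legit),
        "stateless_legit": stateless_decision(INBOUND_ACL, legit),
        "stateless_state_held": 0,          # the ACL has no table to fill
        "stateless_flood_permitted": stateless_flood.count("permit"),
    }


if __name__ == "__main__":
    print(run_scenario())
```

With the default figures the stateful model fills its 1000-entry table on the first half of the burst and then refuses the legitimate client's SYN, while the stateless ACL returns the same permit decision for that packet regardless of how many packets preceded it. The model also makes the limit of the argument visible: the ACL passes every port-80 SYN to the server, so it removes a second chokepoint rather than absorbing the load, and the server's own TCP stack (SYN cookies, backlog tuning) and the patched, hardened application remain where the burst is actually handled. The `_established` rule shows the known trade-off of stateless filtering: a bare ACK to any port is accepted on the strength of its flag bits, which is why the server still needs its own listening-port hygiene.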