Full Disclosure mailing list archives
Re: Sony: No firewall and no patches
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Thu, 12 May 2011 14:10:23 +0000
On 11/05/11 23:05, phocean wrote:

> Also, if you filter (and you should) both inbound and outbound traffic, how do you allow legitimate responses to the server?
>
> I think Roland said earlier that outbound connections from these boxes should be going out another interface, presumably (my presumption) through a stateful firewall of some kind, because ACLs wouldn't be sufficient. This is perhaps the aspect that has been missed in this discussion (mentioned once, not particularly picked up on, and not really noted again). It eliminates many of the concerns of using ACLs over stateful.
Actually, the stateless solution was to just ACL via "known good" source ports. And this was a large part of my original response of the value of firewalls in front of a server. Limiting outbound traffic to responses to valid initiated traffic is an important security control, specifically because the "ACL's wouldn't be sufficient." The examples I was going to tally up for Roland were any number of SQL injection attacks where tftp and ftp command files were created (in this case, by some tool that I presume created .cmd files just like we all used to do with "echo") to get other toolsets. These requests failed as the SQL box couldn't make outbound connections. There was no capability for the attacker to initiate another remote connection to craft a response to.

I was actually going to try to get detailed information from way back where Code Red propagation was avoided by outbound connection attempts as well, but I don't really see the value in doing that at this point. I also had Slammer research where I tested ISA's resilience to blocking outbound UDP 1434 connections, but I think it suffices to say that there are many, many valid examples of why stateful inspection of traffic is valuable and adds security in depth.

I had some other responses as well, but I have to bolt. I'll make sure to catch up on the rest of the responses before I do so as well.

t

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
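As an added illustration of the point made in this message (not code from the thread or its participants), the following Python models the two egress policies being compared: a stateless ACL that permits outbound packets whose source port is a "known good" service port, and a stateful filter that permits outbound packets only when they belong to a flow an accepted inbound connection already created. The server address, client addresses and port set are constructed for the example.

```python
# Added example: stateless source-port ACL vs. stateful egress filtering.
# Addresses and the "known good" port set below are constructed, not real.
from dataclasses import dataclass

SERVER = "10.0.0.5"            # the SQL/web box behind the filter
KNOWN_GOOD_PORTS = {80, 1433}  # services the box legitimately answers on

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"

def stateless_allows(pkt):
    """Port-based ACL: outbound is fine if it merely looks like a service reply."""
    if pkt.src != SERVER:  # inbound: only to the published service ports
        return pkt.dst == SERVER and pkt.dport in KNOWN_GOOD_PORTS
    return pkt.sport in KNOWN_GOOD_PORTS  # outbound: trusts the source port alone

class StatefulFilter:
    """Remembers accepted inbound flows; outbound must answer one of them."""
    def __init__(self):
        self.flows = set()  # (proto, server, sport, peer, pport)

    def allows(self, pkt):
        if pkt.src != SERVER:
            if pkt.dst == SERVER and pkt.dport in KNOWN_GOOD_PORTS:
                self.flows.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return True
            return False
        # Outbound: allowed only as a reply inside a tracked flow.  A connection
        # the box initiates itself (e.g. a tftp fetch) never matches anything.
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows

def evaluate(packets):
    """Return (stateless_verdict, stateful_verdict) for each packet in order."""
    sf = StatefulFilter()
    return [(stateless_allows(p), sf.allows(p)) for p in packets]

# Constructed trace: a client query and its reply, then the box trying to
# fetch a tool over tftp (udp/69), the case described in the message above.
TRACE = [
    Packet("198.51.100.7", 51000, SERVER, 1433, "tcp"),  # client -> SQL
    Packet(SERVER, 1433, "198.51.100.7", 51000, "tcp"),  # legitimate reply
    Packet(SERVER, 1025, "203.0.113.9", 69, "udp"),      # box-initiated tftp
    Packet(SERVER, 1433, "203.0.113.9", 69, "udp"),      # same, but source port looks like a reply
]

if __name__ == "__main__":
    for p, (sl, st) in zip(TRACE, evaluate(TRACE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto}  stateless={sl}  stateful={st}")
```

The last packet is the one that separates the two policies: the port-based ACL passes it because it cannot tell a reply from a box-initiated packet that reuses a service port, while the stateful filter drops it because no inbound flow ever created that 5-tuple.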