Full Disclosure mailing list archives

Re: Sony: No firewall and no patches

From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Thu, 12 May 2011 14:10:23 +0000

On 11/05/11 23:05, phocean wrote:

 Also, if you filter (and you should) both inbound and outbound
traffic,  how do you allow legitimate responses to the server?

I think Roland said earlier that outbound connections from these boxes
should be going out another interface, presumably (my presumption)
through a stateful firewall of some kind, because ACLs wouldn't be sufficient.

This is perhaps the aspect that has been missed in this discussion (mentioned
once, not particularly picked up on, and not really noted again).  It eliminates
many of the concerns of using ACLs over stateful.


Actually, the stateless solution was to just ACL via "known good" source ports.  And this was a large part of my 
original response of the value of firewalls in front of a server. Limiting outbound traffic to responses to valid 
initiated traffic is an important security control, specifically because the "ACL's wouldn't be sufficient."

The examples I was going to tally up for Roland were any number of SQL injection attacks where tftp and ftp command 
files were created (in this case, by some tool that I presume created .cmd files just like we all used to do with "echo

") to get other toolsets.  These requests failed as the SQL box couldn't make outbound connections.  There was no

capability for the attacker to initiate another remote connection to craft a response to.  

I was actually going to try to get detailed information from way back where Code Red propagation was avoided by 
outbound connection attempts as well, but I don't really see the value in doing that at this point.  I also had Slammer 
research where I tested ISA's resilience to blocking outbound UDP 1434 connections, but I think it suffices to say that 
there are many, many valid examples of why stateful inspection of traffic is valuable and adds security in depth. 

I had some other responses as well, but I have to bolt.  I'll make sure to catch up on the rest of the responses before 
I do so as well.

t

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Sony: No firewall and no patches, (continued)
- - - Re: Sony: No firewall and no patches Christian Sciberras (May 11)
    - Re: Sony: No firewall and no patches phocean (May 11)
    - Re: Sony: No firewall and no patches Cal Leeming (May 11)
    - Re: Sony: No firewall and no patches Thor (Hammer of God) (May 11)
    - Re: Sony: No firewall and no patches phocean (May 11)
    - Re: Sony: No firewall and no patches Dobbins, Roland (May 11)
    - Re: Sony: No firewall and no patches phocean (May 11)
    - Re: Sony: No firewall and no patches Dobbins, Roland (May 11)
    - Re: Sony: No firewall and no patches phocean (May 11)
    - Re: Sony: No firewall and no patches Craig Miskell (May 11)
    - Re: Sony: No firewall and no patches Thor (Hammer of God) (May 12)
    - Re: Sony: No firewall and no patches Cal Leeming (May 11)
    - Re: Sony: No firewall and no patches Thor (Hammer of God) (May 12)
    - Re: Sony: No firewall and no patches Peter Osterberg (May 11)
    - Re: Sony: No firewall and no patches Pavel Kankovsky (May 15)
    - Re: Sony: No firewall and no patches Bruno Cesar Moreira de Souza (May 12)
- Re: Sony: No firewall and no patches Michael Krymson (May 11)
  - Re: Sony: No firewall and no patches phocean (May 11)
    - Re: Sony: No firewall and no patches Dobbins, Roland (May 11)
    - Re: Sony: No firewall and no patches phocean (May 11)
    - Re: Sony: No firewall and no patches Dobbins, Roland (May 11)

(Thread continues...)