lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: pauls at utdallas.edu (Paul Schmehl)
Subject: The worm author finally revealed!

On Fri, 2003-01-31 at 11:31, David Howe wrote:
> at Friday, January 31, 2003 3:55 PM, Paul Schmehl <pauls@...allas.edu>
> > Firewall?  DMZ?  What makes you think everybody has those?
> Its about $40 for a personal firewall; Windows 2K and above come as
> standard with one installed anyhow. Even if this won't give you a DMZ,
> it at least gives you local port filtering. Why allow access to anything
> other than the required ports?  Its your server and if it gets
> compromised its your problem. Use the available tools to expose just the
> ports you use and no others (unix admins seem to have no problems with
> this concept - why do windows admins seem to go for "do a full install
> and give it whatever access it wants"?)

Your $40 personal firewall won't do shit for a class B network with two
DS3s, must less an OC3.  Enterprise firewalls are a lot more than $40,
and they need a full time *skilled* technician to make them worth
using.  Now you're in the range of $100,000+ for first year costs
(equipment and licensing costs, installation costs, hiring costs and
salary.)

A DMZ requires *two* of those babies.  Now you're up to a quarter of a
million dollars.  And people in high places sit up and take notice when
you start asking for that kind of money.

Redundancy requires *four* of them.  Now you're at a half a mil.  And
the routers to handle that kind of traffic are close to six figures as
well.  But you don't want to put too many ACLs on that router or it'll
be CPU bound and traffic will start congesting at the ingress and egress
of the network.

It gets expensive in a hurry.  Now do you still need to wonder why some
networks have no firewall and no DMZ?
> 
> > How 'bout
> > an even more esoteric question?  Why do the tier 1 providers (like
> > UUNET) allow traffic on port 1434???
> because there is no reason to block it.

Really?  Well people here are talking about suing the "admins" who are
"too lazy" to patch.  How about if I sue the ISPs who don't block port
1434/UDP and consequently take down the Internet from all their single
users who were running SQL with no clue?

Wanna bet a lawyer will take that case some day?

-- 
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ