From: emvs.fd.3FB4D11C at cpo.tn.tudelft.nl (Erik van Straten)
Subject: UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause]

"Chris Harrington" <cmh@....net>:
> So do you expect Annie to fix these broken locks or doors??

Nope. Annie is not reading this list. Microsoft probably does.

> What you are saying is that you would not need a wall if the locks
> worked properly??

Nope. What I'm saying is that the doors to the Internet shouldn't have 
been there by default (135-139, 445, 1026-1030, RDP, UPnP etc. - run 
netstat)

> This translates to not needing a firewall if the OS flaws are fixed.

Nope. It translates to not needing simple PFW's -for ingress traffic-
if there are no listening ports. Flaws shouldn't have been there in the
first place, and any found should be fixed ASAP%001.

If someone needs to open a certain port for some purpose, that's fine
(but then it makes no sense to block it with a firewall). When a vuln
is published the user can disable the specific service until it is
patched (ex: DameWare). It doesn't make sense to NOT stop a vulnerable
service, and trust that a (closed source) PFW blocks access to it.
Note: testing firewals is an art, and for example XP-ICF is hardly
documented. Do you know which ports it blocks? BTW, XP+SP1 builtin ICF
may start some time AFTER network I/O is accepted (confirmed by MS,
that is, they say SP2 will improve this).

> I always believed that some protection was better than none.

Yep. But flaws have been found in PFW's, and they do provide a false
sense of security. With ABS you can drive much closer to the car in
front of you. With AV and a PFW people tend to believe it is safe to
run any exe (or hta). Marketing helps making people believe this.

> If I had to guess I would say your home machine is Linux or BSD and

Nope. It's running Microsoft.

> most likely properly patched with no vulnerabilities.

Haven't you? I can't believe my eyes. Are you guys really suggesting
that PFW's are a replacement for critical patches? I *know* that's what
some Annies think, but I didn't expect it from people on this list.
Regarding patches and Blaster, in another post I read "if they would
have been running a PFW..." - nonsense. They should have patched.
People that do not apply critical patches are not security aware.
People who cannot judge which patches are critical should apply them
all. Note: *if* you get security unaware people to run a PFW, they'll
likely disable it after the first app that fails, and they'll probably
forget to turn it back on afterwards.

> Do you still use iptables? I bet you would if your PC was directly
> connected to the Internet without a Hardware FW in front of it.

No firewall on this box. A few ports are blocked at the network
perimeter, but hey, this is a university net, so if I run
netcat -l <any blocked port> I'll usually see some scans.

> But according to your logic it would be un-necessary to put a
> firewall in front of an OS whose locks worked properly.

Nope. I want all unused ports closed. For inbound connections, there's
no point blocking 80/tcp if you run a public webserver, right? However,
permitting access to selected IP's, combined with stateful inspection,
(provided you can trust all boxes behind your router) from connecting
to certain ports (like DNS), may help. However I do not see any
advantage for Annie's free/cheap PFW here.

> Windows, Linux, BSD all have services / ports listening by default...

I've never ran BSD. Which way-back-when flavor of Linux are you using?
With Trustix, out of the box only postfix listens (to 127.0.0.1).

> many of which do not need to be open to the world. It's no easier for
> a home user like Annie to edit the inetd.conf file to comment out
> services than it would be for her to stop Windows services.

Annie could *learn* how to edit inetd.conf. Or I, or someone like me, 
or you, could help her. However, we cannot disable RPC in XP, and I 
cannot configure it such that it doesn't listen to the Internet iface. 
You guys just don't seem to get the point.

> The point is the PFW makes it possible for the home user to limit
> their exposure without having a great deal of technical expertise. Is
> it perfect? No. But it is an improvement over having nothing between
> Annie and the Internet.

Maybe. But many people (and companies) have not patched DCOM because
they thought to be safe behind their firewall. Also apparently they
don't run AV; lots have been hit by blaster or nachi after someone
plugged in an infected notebook. My fear is that PFW's will have people
postone patching, and not upgrade their AV license when it expires.

Probably it IS a good idea if all of you go help ordinary users to 
protect their PC's, and do whatever you think is right. I sure hope 
they take you more serious than me. In my experience, their kids will 
immediately reinstall IM and KaZaA after you leave. They don't care 
about spyware. And they don't want to spend any money on software, 
music and movies, but they want to have it all because the guy next 
door does too.

Anyway, this is not a "Dear Annie, you're vulnerable! Buy x and sleep
well" list. This is FD - it's about educating software manufacturers.
They have been warned about potential flaws in their products. Now one
of them is asking *US* to spend even more time (I have spent *a* *lot*)
helping their customers to clean up the mess they could have prevented.

They (not Annie) should close all listening ports by default, add
wizards to guide Annie through opening SMB/RPC ports to her kid's PC
(NOT to any other interface), make Admin accounts unattractive for day
to day use (just for SW installs/updates) and improve security. Then
we'll talk firewalls, because they DO serve a purpose. Also I'd
appreciate it if people would read what's being written, and not get
upset that quickly. This is FD.

Cheers,
Erik van Straten
Sysadmin

Powered by blists - more mailing lists