Open Source and information security mailing list archives
Date: Tue, 10 May 2011 19:42:19 +1000
From: Pete Smith <seclists@...apitate.us>
To: "Dobbins, Roland" <rdobbins@...or.net>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Sony: No firewall and no patches

On 10 May 2011 15:07, Dobbins, Roland <rdobbins@...or.net> wrote:

> On May 10, 2011, at 6:03 AM, Thor (Hammer of God) wrote:
>
> > Maybe they should call that "You don't have to patch" genius!
>
>
> Stateful firewalls have no place in front of servers, where every incoming
> request is unsolicited, and therefore there is no state to inspect in the
> first place.  Stateful firewalls in front of servers merely serve as DDoS
> chokepoints due to the large amount of unnecessary state they instantiate.
>
>
This statement is only true for unauthenticated services which are not
dealing with financial information. Would you suggest a bank not protect
their internet banking service with a firewall because a DDoS might take the
service offline? Or would you tell them to use a firewall
in conjunction with a specific upstream device, which may even be
installed at the ISP end of the link, to deal with DDoS?

As Tracy mentioned, having a stateful firewall is useful to block outgoing
traffic; using an ACL just doesn't cut it. If an attacker initiates a
connection with a destination port higher than 2048 (to some other server the
attacker controls) and a source port of 80, that will pass through an ACL
without issues; this would not be so on a stateful firewall.

mod_security might be good practice to use in a layered approach... but if
you're running old versions of Apache (like Sony were), then it's not hard
for an attacker to control the memory space used by mod_security and allow
all packets. If the webserver is owned, then it's owned; no controls
implemented on that server can be trusted or relied on.

Pete
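A small simulation of the ACL-versus-stateful-firewall point made in the message above (an added example, not part of the original thread): a stateless, port-based ACL passes a connection the server itself originates from source port 80 because it looks like an HTTP reply, whereas a connection tracker that only knows about sessions clients opened inbound drops it. The addresses, ports and packet layout are constructed for the illustration.

```python
from dataclasses import dataclass

SERVER = "10.0.0.5"  # constructed: the protected web server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # set on the first packet of a TCP connection
    ack: bool


def stateless_acl(pkt: Packet) -> bool:
    """Port-based ACL: permit inbound HTTP, and any outbound packet that
    merely looks like an HTTP reply (source port 80, high destination port)."""
    if pkt.dst == SERVER and pkt.dport == 80:
        return True
    return pkt.src == SERVER and pkt.sport == 80 and pkt.dport > 2048


class StatefulFilter:
    """Outbound packets are allowed only as the reverse half of a session
    that a client opened inbound; the server cannot originate connections."""

    def __init__(self) -> None:
        self.sessions = set()

    def allow(self, pkt: Packet) -> bool:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.dst == SERVER and pkt.dport == 80:
            if pkt.syn and not pkt.ack:  # a client opening a new connection
                self.sessions.add(flow)
            return flow in self.sessions
        # Outbound direction: must match a tracked inbound session, reversed
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def run_scenario() -> dict:
    """Replay constructed traffic through both filters; returns (acl, stateful)
    decisions per packet so the difference can be compared directly."""
    client, attacker = "198.51.100.7", "203.0.113.9"  # constructed addresses
    traffic = {
        "client_syn": Packet(client, 50000, SERVER, 80, syn=True, ack=False),
        "server_reply": Packet(SERVER, 80, client, 50000, syn=True, ack=True),
        # A compromised server opening its own connection from source port 80
        "reverse_conn": Packet(SERVER, 80, attacker, 4444, syn=True, ack=False),
    }
    stateful = StatefulFilter()
    return {n: (stateless_acl(p), stateful.allow(p)) for n, p in traffic.items()}
```

The legitimate request and its reply pass both filters; only the stateful filter rejects the server-originated connection, which is the case a port-only ACL cannot distinguish from a reply.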

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/