Message-ID: <40071328.6060806@jmu.edu>
Date: Thu, 15 Jan 2004 17:24:40 -0500
From: Gary Flynn <flynngn@....edu>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: Re: January 15 is Personal Firewall Day, help the cause


Folks,

Argue the technical merits of firewalls all you want
but keep reality in mind:

1) There are millions of vulnerable computers out
    there on the net operated by people you have
    little or no chance of training as a system
    administrator.

2) Fixing tomorrow's software (whether by not shipping
    it with open ports or by somehow magically shipping
    it with no flaws) will not do anything to help the
    vulnerabilities, exploits, and criminal behavior that
    are out there TODAY.

3) A firewall is going to make the immediate situation
    better, not worse. (Except perhaps for the support
    folks who have to put up with all the silly, worthless,
    and alarming popups some commercial offerers choose to
    include in their default installation settings.)

Simply put, we are currently in a bad situation. Affixing
blame and crying because the solution isn't perfect or
doesn't magically and retroactively solve all the problems
isn't going to do anything to improve the situation. A
firewall will help rectify bad business decisions that led
to shipping consumer devices with ports open by default,
and shield all the defective software running on those
machines. The environment changed under us in the last
decade. There is plenty of blame to go around.

That said, I wonder if it's necessary to push third party
products. Windows XP and 2003 ship with ICF...a nice quiet
firewall. Windows 2000 has IPSEC policies which, although
complicated, can be used to provide a functional incoming
communications firewall. Wrap it up with some scripts and
an HTA web interface to make it user friendly. 9x has fewer
open ports and is slowly going away.

While the outbound application filtering is useful,
when firewalls become common, then malicious code will
incorporate firewall disabling software just as often
as they now include SMTP software. Shoot, AV vendors
might do us all a favor if code inspection detects
firewall API calls or process kills to firewall
or AV processes and pops up a warning. :)


-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University
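As an added illustration of the detection idea in the last paragraph of the post (this is not code from the post, from the list, or from any AV vendor): a small Python checker that flags, in constructed sample process-event lines, a process terminating a known firewall/AV process or stopping a firewall/AV service. The one-line log format, the process names, and the service names other than SharedAccess are assumptions made for the example.

```python
import re

# Constructed sample log in a simplified one-line-per-event format assumed for this
# example (not any real product's format): "<ts> <event> src=<image> <fields...>".
SAMPLE_LOG = """\
2004-01-15T17:20:01 ProcessTerminate src=C:\\Temp\\update.exe target=zonealarm.exe
2004-01-15T17:20:02 ProcessTerminate src=C:\\Windows\\explorer.exe target=notepad.exe
2004-01-15T17:20:05 ProcessCreate src=C:\\Temp\\update.exe cmd="net stop SharedAccess"
2004-01-15T17:20:07 ProcessCreate src=C:\\Windows\\explorer.exe cmd="notepad.exe readme.txt"
2004-01-15T17:20:09 ProcessTerminate src=C:\\Temp\\update.exe target=avp.exe
"""

# Illustrative (assumed) lists of firewall/AV process images and services to watch.
PROTECTED_PROCESSES = {"zonealarm.exe", "avp.exe", "ccapp.exe"}
# SharedAccess is the service behind ICF/ICS on Windows XP; the other is a placeholder.
PROTECTED_SERVICES = {"sharedaccess", "navapsvc"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) src=(?P<src>\S+) ?(?P<rest>.*)$")
TARGET_RE = re.compile(r"target=(\S+)")
CMD_RE = re.compile(r'cmd="([^"]*)"')
STOP_RE = re.compile(r"^(?:net|sc)\s+stop\s+(\S+)")


def detect_tampering(log_text):
    """Return (timestamp, source image, reason) for each suspicious event.

    Two heuristics from the post above: a process terminating a known
    firewall/AV process, and a process stopping a firewall/AV service.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, event, src, rest = m.group("ts", "event", "src", "rest")
        if event == "ProcessTerminate":
            t = TARGET_RE.search(rest)
            if t and t.group(1).lower() in PROTECTED_PROCESSES:
                alerts.append((ts, src, f"terminated protected process {t.group(1)}"))
        elif event == "ProcessCreate":
            c = CMD_RE.search(rest)
            s = STOP_RE.match(c.group(1).strip().lower()) if c else None
            if s and s.group(1) in PROTECTED_SERVICES:
                alerts.append((ts, src, f"stopped protected service {s.group(1)}"))
    return alerts


def offending_images(log_text):
    """Distinct source images that triggered at least one alert."""
    return sorted({src for _, src, _ in detect_tampering(log_text)})


if __name__ == "__main__":
    for ts, src, why in detect_tampering(SAMPLE_LOG):
        print(f"{ts} ALERT {src}: {why}")
```

On the constructed sample the checker reports three alerts, all from the same source image, while the benign notepad events pass untouched.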


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
