lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.43.0301311401230.7309-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: The worm author finally revealed!

On 31 Jan 2003, Paul Schmehl wrote:

	[SNIP]

>
> Your $40 personal firewall won't do shit for a class B network with two
> DS3s, must less an OC3.  Enterprise firewalls are a lot more than $40,
> and they need a full time *skilled* technician to make them worth
> using.  Now you're in the range of $100,000+ for first year costs
> (equipment and licensing costs, installation costs, hiring costs and
> salary.)

if deployed on all commisioned servers, then yer protected at host
level...


>
> A DMZ requires *two* of those babies.  Now you're up to a quarter of a
> million dollars.  And people in high places sit up and take notice when
> you start asking for that kind of money.
>

Depends, in many cases yer only needing one firewall with two or more
interfaces.


> Redundancy requires *four* of them.  Now you're at a half a mil.  And
> the routers to handle that kind of traffic are close to six figures as
> well.  But you don't want to put too many ACLs on that router or it'll
> be CPU bound and traffic will start congesting at the ingress and egress
> of the network.
>

again, in most cases, depending upon the HW/SW choices made, two boxes and
the proper number of interfaces.


> It gets expensive in a hurry.  Now do you still need to wonder why some
> networks have no firewall and no DMZ?

The real expense is in maint of the equipment, and testing/auditing
periodically...


> >
> > > How 'bout
> > > an even more esoteric question?  Why do the tier 1 providers (like
> > > UUNET) allow traffic on port 1434???
> > because there is no reason to block it.
>
> Really?  Well people here are talking about suing the "admins" who are
> "too lazy" to patch.  How about if I sue the ISPs who don't block port
> 1434/UDP and consequently take down the Internet from all their single
> users who were running SQL with no clue?
>

I never mentioned suing the admins, but, lost jobs for those admins and
security folks not doing the work they were hired to do is certainly
feasable.


But, what does interest me here, is that if utdallas has no real security
policy, and no perimiter defences, what does the Adjunct Information
Security Officer really do?  Tis a real question and not meant as a slam.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ