| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: DaveHowe at cmn.sharp-uk.co.uk (David Howe) Subject: The worm author finally revealed! at Friday, January 31, 2003 7:00 PM, Paul Schmehl <pauls@...allas.edu> was seen to say: > On Fri, 2003-01-31 at 11:31, David Howe wrote: >> at Friday, January 31, 2003 3:55 PM, Paul Schmehl >> <pauls@...allas.edu> >>> Firewall? DMZ? What makes you think everybody has those? >> Its about $40 for a personal firewall; Windows 2K and above come as >> standard with one installed anyhow. Even if this won't give you a >> DMZ, it at least gives you local port filtering. Why allow access to >> anything other than the required ports? Its your server and if it >> gets compromised its your problem. Use the available tools to expose >> just the ports you use and no others (unix admins seem to have no >> problems with this concept - why do windows admins seem to go for >> "do a full install and give it whatever access it wants"?) > Your $40 personal firewall won't do shit for a class B network with > two DS3s, must less an OC3. And what has this got to do with protecting an individual webserver that doesn't have a "real" firewall with DMZ capability? Do you honestly believe a company that can afford 2xDS3 *and* has a web-addressable Class B won't have a real firewall? Take the quote in context - you can't have it both ways. first you point out that not all companies are big enough to have a full firewall, then *bitch* because I point out that for a company that small, a personal firewall on the webserver itself is just fine. In addition, I could probably make a good case for protecting individual webservers with a personal firewall *in addition* to the main DMZing firewall - because personal firewalls can be a lot more precise and process-specific. however, in a installation the size of which you are describing, it would be an unacceptable extra load on probably already overstrained webservers. > Enterprise firewalls are a lot more than > $40, and they need a full time *skilled* technician to make them worth > using. Now you're in the range of $100,000+ for first year costs > (equipment and licensing costs, installation costs, hiring costs and > salary.) > A DMZ requires *two* of those babies. Depends on how you structure it. You can usually get along quite happily with a single firewall handling both lan and dmz; if load is an issue, then you are probably better off putting two servers "in the front line" anyhow as the majority of your traffic will be web-->webserver anyhow. if a large proportion is inbound to the real lan, you have problems. The only people I know who *ever* recommend a two-server setup with one between dmz and web, and then one between dmz and lan are people being paid on commission for how many firewall appliances they sell. Outside of particularly wierd traffic patterns, would never dream of fitting a second firewall into that position; a *third*, possibly, but not a second. > Really? Well people here are talking about suing the "admins" who are > "too lazy" to patch. How about if I sue the ISPs who don't block port > 1434/UDP and consequently take down the Internet from all their single > users who were running SQL with no clue? Feel free to try. I already gave reasons why blocking *any* port above 1024 could cause extra work for the ISP. you also overlook the wonderful legal situation in the USA, where if you begin filtering *for any reason* you *make* yourself legally responsible for any failures in the filtering > Wanna bet a lawyer will take that case some day? I wouldn't expect one to take it on a no-fee basis - but a lawyer will help you sue anyone for anything if you pay him.
Powered by blists - more mailing lists