[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <019501c2cb7f$31ab7300$c71121c2@sharpuk.co.uk>
From: DaveHowe at cmn.sharp-uk.co.uk (David Howe)
Subject: The worm author finally revealed!
at Friday, January 31, 2003 7:00 PM, Paul Schmehl <pauls@...allas.edu>
was seen to say:
> On Fri, 2003-01-31 at 11:31, David Howe wrote:
>> at Friday, January 31, 2003 3:55 PM, Paul Schmehl
>> <pauls@...allas.edu>
>>> Firewall? DMZ? What makes you think everybody has those?
>> Its about $40 for a personal firewall; Windows 2K and above come as
>> standard with one installed anyhow. Even if this won't give you a
>> DMZ, it at least gives you local port filtering. Why allow access to
>> anything other than the required ports? Its your server and if it
>> gets compromised its your problem. Use the available tools to expose
>> just the ports you use and no others (unix admins seem to have no
>> problems with this concept - why do windows admins seem to go for
>> "do a full install and give it whatever access it wants"?)
> Your $40 personal firewall won't do shit for a class B network with
> two DS3s, must less an OC3.
And what has this got to do with protecting an individual webserver that
doesn't have a "real" firewall with DMZ capability?
Do you honestly believe a company that can afford 2xDS3 *and* has a
web-addressable Class B won't have a real firewall?
Take the quote in context - you can't have it both ways. first you point
out that not all companies are big enough to have a full firewall, then
*bitch* because I point out that for a company that small, a personal
firewall on the webserver itself is just fine.
In addition, I could probably make a good case for protecting individual
webservers with a personal firewall *in addition* to the main DMZing
firewall - because personal firewalls can be a lot more precise and
process-specific. however, in a installation the size of which you are
describing, it would be an unacceptable extra load on probably already
overstrained webservers.
> Enterprise firewalls are a lot more than
> $40, and they need a full time *skilled* technician to make them worth
> using. Now you're in the range of $100,000+ for first year costs
> (equipment and licensing costs, installation costs, hiring costs and
> salary.)
> A DMZ requires *two* of those babies.
Depends on how you structure it. You can usually get along quite happily
with a single firewall handling both lan and dmz; if load is an issue,
then you are probably better off putting two servers "in the front line"
anyhow as the majority of your traffic will be web-->webserver anyhow.
if a large proportion is inbound to the real lan, you have problems.
The only people I know who *ever* recommend a two-server setup with one
between dmz and web, and then one between dmz and lan are people being
paid on commission for how many firewall appliances they sell. Outside
of particularly wierd traffic patterns, would never dream of fitting a
second firewall into that position; a *third*, possibly, but not a
second.
> Really? Well people here are talking about suing the "admins" who are
> "too lazy" to patch. How about if I sue the ISPs who don't block port
> 1434/UDP and consequently take down the Internet from all their single
> users who were running SQL with no clue?
Feel free to try.
I already gave reasons why blocking *any* port above 1024 could cause
extra work for the ISP. you also overlook the wonderful legal situation
in the USA, where if you begin filtering *for any reason* you *make*
yourself legally responsible for any failures in the filtering
> Wanna bet a lawyer will take that case some day?
I wouldn't expect one to take it on a no-fee basis - but a lawyer will
help you sue anyone for anything if you pay him.
Powered by blists - more mailing lists