Message-ID: <20030207143856.GR3656@trance.org>
From: niels=netsys at bakker.net (Niels Bakker)
Subject: SQL Slammer - lessons learned
* John.Airey@...b.org.uk [Fri 07 Feb 2003, 11:46 CET]:
[..]
> Which brings me full circle back to stateful inspection. I can see no
> business reason why any organisation would need the outside world to
> initiate sessions to ports other than allowed privileged ports. (I leave the
> definition of allowed privileged ports undefined as it is an issue between
> the ISP and its customers. One or two people have digressed onto this issue)
The concept of UDP having a session worth speaking of that firewalls can
use to distinguish packets belonging to a conversation from packets not
belonging to one is so deeply flawed I won't even get into it.
I'm not sure why this issue keeps getting rehashed. It's been well
established that a policy of denying all that isn't needed is prudent.
Also, it's been established that it's not up to connectivity providers
to force their ideas of proper filters on everyone.
> -
> John Airey, BSc (Jt Hons), CNA, RHCE
> Internet systems support officer, ITCSD, Royal National Institute of the
> Blind,
Please use a real signature separator; software can then automatically
recognise signatures and skip them when quoting, for example. Also, I'd
appreciate it if you would upgrade to a real mail user agent that
generated proper In-Reply-To: and References: headers so threading would
work for those who prefer to use it, e.g. me.
I also won't get started on your stupid legal disclaimer - whose only
value is to pinpoint your company's legal team as a bunch of
knuckle-dragging morons. (So thanks for the heads-up in showing who you
hang out with; it's a valuable aid in determining one's worth.)
Have a Nice Day,
-- Niels.
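The two technical points above (UDP "sessions" are at best a timer on a 4-tuple, and default deny is what actually protects you) are easier to see in code. What follows is an added illustration, not something Niels posted or any real firewall's implementation: a toy default-deny filter with UDP pseudo-state, run over a handful of constructed datagrams using documentation address ranges. The class name, the 30-second idle timeout and the sample traffic are all assumptions made for the example; the only page-backed fact is that Slammer arrived as a single unsolicited datagram to 1434/udp.

```python
"""Toy default-deny firewall with UDP 'pseudo-sessions' (added example, not real firewall code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


class DefaultDenyUdpFirewall:
    """Hypothetical perimeter filter: deny everything inbound unless explicitly
    allowed or matching a recently seen outbound 4-tuple (the 'pseudo-session')."""

    def __init__(self, inside, allowed_inbound_ports, timeout=30):
        self.inside = ip_network(inside)
        self.allowed_inbound_ports = set(allowed_inbound_ports)
        self.timeout = timeout          # assumed idle timeout, seconds
        self.flows = {}                 # (in_ip, in_port, out_ip, out_port) -> expiry time

    def _is_inside(self, ip):
        return ip_address(ip) in self.inside

    def _expire(self, now):
        self.flows = {k: exp for k, exp in self.flows.items() if exp > now}

    def filter(self, pkt, now):
        """Return (verdict, reason) for a datagram seen at time `now`."""
        self._expire(now)
        outbound = self._is_inside(pkt.src) and not self._is_inside(pkt.dst)
        inbound = not self._is_inside(pkt.src) and self._is_inside(pkt.dst)
        if outbound:
            # There is no UDP handshake: the firewall just remembers the 4-tuple.
            self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.timeout
            return "ACCEPT", "outbound; pseudo-session recorded"
        if inbound:
            if pkt.dport in self.allowed_inbound_ports:
                return "ACCEPT", "explicitly allowed inbound port"
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.flows:
                # Any datagram matching the tuple inside the window passes; the
                # firewall cannot tell a genuine reply from a forged one.
                self.flows[key] = now + self.timeout
                return "ACCEPT", "matches live pseudo-session"
            return "DROP", "default deny"
        return "DROP", "does not cross the perimeter"


def run_demo():
    """Constructed traffic (documentation ranges); returns the verdict list."""
    fw = DefaultDenyUdpFirewall("10.0.0.0/24", allowed_inbound_ports={53}, timeout=30)
    events = [
        # t, datagram
        (0, Datagram("10.0.0.5", 40000, "198.51.100.53", 53, b"dns query")),
        (1, Datagram("198.51.100.53", 53, "10.0.0.5", 40000, b"dns reply")),
        # single unsolicited datagram to 1434/udp, the Slammer vector: nothing to match
        (2, Datagram("203.0.113.7", 40000, "10.0.0.9", 1434, b"\x04" + b"\x01" * 96)),
        # forged source matching the remembered 4-tuple: indistinguishable from a reply
        (3, Datagram("198.51.100.53", 53, "10.0.0.5", 40000, b"anything at all")),
        # inbound query to an explicitly allowed service port
        (4, Datagram("203.0.113.7", 5555, "10.0.0.2", 53, b"query to our ns")),
        # same 4-tuple after the idle timer has run out
        (100, Datagram("198.51.100.53", 53, "10.0.0.5", 40000, b"late reply")),
    ]
    return [fw.filter(pkt, t)[0] for t, pkt in events]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The unsolicited datagram to 1434/udp is stopped by the default-deny rule alone; the pseudo-session adds nothing there. What the pseudo-session does do is let any datagram that copies a live 4-tuple through, which is the "state" Niels declines to dignify with a discussion.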