Message-ID: <3316945956.1074206329@[192.168.2.119]>
From: pauls at utdallas.edu (Paul Schmehl)
Subject: Flawed arguments (Was all that other crap about PFW day)

--On Friday, January 16, 2004 4:14 AM +0100 Erik van Straten <emvs.fd.3FB4D11C@....tn.tudelft.nl> wrote:

> "Chris Harrington" <cmh@....net>:
>> So do you expect Annie to fix these broken locks or doors??
>
> Nope. Annie is not reading this list. Microsoft probably does.
>

I had to laugh at this. Do you seriously think Microsoft has employees reading this list? I doubt it. In fact I issue a challenge right now. If *anyone* who works at MS is reading this list, respond when you read this. If you don't want to do so publicly, you can email me and I will notify the list. (David, are you there?)

>> What you are saying is that you would not need a wall if the locks
>> worked properly??
>
> Nope. What I'm saying is that the doors to the Internet shouldn't have
> been there by default (135-139, 445, 1026-1030, RDP, UPnP etc. - run
> netstat)

Oh, I get it. You mean like NFS, X Windows, RPC, portmap, finger, chargen, rlogin, rsh, ftp, like those sorts of things? The things that Unix had almost 20 years to disable in the default install before they finally did? That sort of stuff?

>
>> This translates to not needing a firewall if the OS flaws are fixed.
>
> Nope. It translates to not needing simple PFW's -for ingress traffic-
> if there are no listening ports. Flaws shouldn't have been there in the
> first place, and any found should be fixed ASAP%001.
>

Well, hell, let's ban iptables, ipfw, pf, ipchains, et al. from "workstation" installs of *nix. After all, *nix is secure out of the box, right? And PFW's just give people a false sense of security anyway, right?

>
> Yep. But flaws have been found in PFW's, and they do provide a false
> sense of security.

You mean like this? <http://www.shmoo.com/mail/bugtraq/apr01/msg00028.shtml> or this? <http://www.blu.org/pipermail/discuss/1999-July/030040.html> or this? <http://www.ciac.org/ciac/bulletins/l-029.shtml> or this? <http://www.openbsd.org/errata28.html#ipf_frag>

Of course, I'm absolutely *certain* that there isn't a single *nix user who thinks they're more secure with a firewall enabled. Oh wait, Dan, who doesn't even use AV because he uses Unix, pointed out that *nix firewalls are now enabled by default (obviously making the OS more secure, right?) The irony is overwhelming me.

> With ABS you can drive much closer to the car in
> front of you. With AV and a PFW people tend to believe it is safe to
> run any exe (or hta). Marketing helps making people believe this.
>

I have to agree with you here. It's been made obvious to me by the posts today in this thread.

>
> Nope. I want all unused ports closed. For inbound connections, there's
> no point blocking 80/tcp if you run a public webserver, right? However,
> permitting access to selected IP's, combined with stateful inspection,
> (provided you can trust all boxes behind your router)

Here's the only hint I'm going to give you. YOU CAN'T.

> from connecting
> to certain ports (like DNS), may help. However I do not see any
> advantage for Annie's free/cheap PFW here.
>

You must run a network of one.

>> Windows, Linux, BSD all have services / ports listening by default...
>
> I've never run BSD. Which way-back-when flavor of Linux are you using?
> With Trustix, out of the box only postfix listens (to 127.0.0.1).
>
> Annie could *learn* how to edit inetd.conf. Or I, or someone like me,
> or you, could help her. However, we cannot disable RPC in XP, and I
> cannot configure it such that it doesn't listen to the Internet iface.
> You guys just don't seem to get the point.
>

Annie can learn inetd.conf but not Windows PFWs? What planet is Annie from? What planet are you from? You can't disable RPC? Please! Search the FD archives.

>> The point is the PFW makes it possible for the home user to limit
>> their exposure without having a great deal of technical expertise. Is
>> it perfect? No. But it is an improvement over having nothing between
>> Annie and the Internet.
>
> Maybe. But many people (and companies) have not patched DCOM because
> they thought to be safe behind their firewall. Also apparently they
> don't run AV; lots have been hit by blaster or nachi after someone
> plugged in an infected notebook. My fear is that PFW's will have people
> postpone patching, and not upgrade their AV license when it expires.
>

Which would change things how? Exactly?

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
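The disagreement above turns on which services actually listen on the Internet-facing interface (the XP ports Erik lists versus Trustix's loopback-only postfix). As an added illustration, not code from the thread or either poster, the following Python reads netstat-style output, drops loopback-only listeners, and flags the ports named in the post; the netstat lines, addresses and the RDP/UPnP port mapping are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Ports the post calls "doors to the Internet" on a default XP box; RDP and
# UPnP are mapped to their usual port numbers (constructed mapping).
EXPOSED_PORT_LABELS: Dict[int, str] = {
    **{p: "RPC/NetBIOS" for p in range(135, 140)}, 445: "SMB",
    **{p: "RPC dynamic" for p in range(1026, 1031)}, 3389: "RDP", 5000: "UPnP",
}
LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")

# Accepts Linux ("tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN") and Windows
# ("TCP 0.0.0.0:445 0.0.0.0:0 LISTENING") netstat line layouts.
_LINE_RE = re.compile(
    r"^\s*tcp6?\s+(?:\d+\s+\d+\s+)?(\S+):(\d+)\s+\S+\s+LISTEN(?:ING)?\b", re.I)

def parse_listeners(netstat_output: str) -> List[Tuple[str, int]]:
    """Return (bind_address, port) for every listening TCP socket."""
    found = []
    for line in netstat_output.splitlines():
        m = _LINE_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found

def report(netstat_output: str) -> Dict[str, List[str]]:
    """Split non-loopback listeners into flagged ports and everything else."""
    # Loopback-only services (the Trustix postfix case) are not reachable
    # from the Internet interface, so they are dropped rather than reported.
    result: Dict[str, List[str]] = {"flagged": [], "other": []}
    for addr, port in parse_listeners(netstat_output):
        if addr.startswith(LOOPBACK_PREFIXES):
            continue
        label = EXPOSED_PORT_LABELS.get(port)
        entry = f"{addr}:{port}" + (f" ({label})" if label else "")
        result["flagged" if label else "other"].append(entry)
    return result

# Constructed sample (Windows `netstat -an` layout), not a real capture.
SAMPLE_XP = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1026        0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
# Constructed sample (Linux `netstat -an` layout): only postfix, on loopback.
SAMPLE_TRUSTIX = """\
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.20:40012        192.0.2.20:25           ESTABLISHED
"""
```

`report(SAMPLE_XP)` flags 135, 445 and 1026 as Internet-facing, while `report(SAMPLE_TRUSTIX)` reports nothing because the only listener is bound to 127.0.0.1.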