lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5E7DF5E2-8AE8-4A8B-AA23-B9C8DD80020F@arbor.net>
Date: Tue, 10 May 2011 05:07:39 +0000
From: "Dobbins, Roland" <rdobbins@...or.net>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Sony: No firewall and no patches

On May 10, 2011, at 6:03 AM, Thor (Hammer of God) wrote:

> Maybe they should call that "You don't have to patch" genius! 


Stateful firewalls have no place in front of servers, where every incoming request is unsolicited, and therefore there is no state to inspect in the first place.  Stateful firewalls in front of servers merely serve as DDoS chokepoints due to the large amount of unnecessary state they instantiate.

Instead, network access policies for servers should be implemented utilizing stateless ACLs on hardware-based routers and/or layer-3 switches capable of handling mpps of traffic.

Keeping OSes and apps/services up-to-date with patches and configured securely is extremely important, of course; and network access policies should be implemented per the above.  But blindly sticking stateful firewalls in places where there's no state to inspect and where they actually do more harm than good in terms of actual security posture isn't a solution.  Where stateful firewalls in front of Web servers are incorrectly mandated by various regulatory frameworks, making use of mod_security or its equivalent on the Web servers themselves ensures compliance without creating a DDoS chokepoint.

See <http://www.nanog.org/meetings/nanog48/presentations/Monday/Kaeo_FilterTrend_ISPSec_N48.pdf> and <http://www.eweek.com/index2.php?option=content&task=view&id=66503&pop=1&hide_ads=1&page=0&hide_js=1&catid=45> for more details on this particular sub-topic.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@...or.net> // <http://www.arbornetworks.com>

		The basis of optimism is sheer terror.

			  -- Oscar Wilde

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ