Security Basics mailing list archives
RE: win2k firewall
From: H C <keydet89 () yahoo com>
Date: Tue, 7 Jan 2003 12:55:30 -0800 (PST)
> Perhaps you are not familiar with what BlackIce does. BlackIce knows what Code Red is, and it can stop it from hurting an UNPATCHED W2K machine.
Perhaps you're not familiar with what Code Red does. First off, it doesn't attack the operating system, it attacks the web server. Second, all that is required to protect yourself against CR is to disable the ida/idq script mapping. In fact, disabling unused script mappings (ie, unnecessary or unused services/functionality) is not only common sense, but it's also all over every site that talks about information security.
> And it can afford this kind of protection vs. hundreds of other exploits as well.
But disabling the script mappings is free, and it also protects against other attacks, as well.
> Basically, you can have it watching every single packet going to ALLOWED services (those that are open due to it being a webserver), and making sure that there is nothing malicious being attempted. Is that a good reason?
But you'd have to define what "malicious" is, or hope that someone has added it to BlackICE. That being the case, I'd opt for using snort instead...it's free, and it runs on Win2K. Not only that, it gives me greater control, b/c I can write my own rules, and block packets based on whether an arbitrary bit in the packet is a 1 or a 0. That's control...and that's control I would have.
> There is something to attack - it's a webserver. There are numerous attacks that are done with nothing more than mangled http requests. BlackIce can stop many of them. How can I be more clear?
That's very clear. But it's also very vague, in a way. Yes, some web servers will respond poorly to mangled http requests...but the OP never did mention what web server he was using, as far as I can remember. He said he was using Win2K, but he didn't specify the web server. Vulnerabilities that work on IIS don't necessarily work on Apache. Not every web server fails to handle mangled HTTP requests properly.
> Ok, fair enough. I just didn't want to get into the Steve Gibson thing here.
Sure, I understand. Another way of handling it is to simply not respond to it. However, telling someone via the list to NOT talk about SG is *talking* about SG...so you're actually doing what you're trying to avoid.
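The reply above makes two defensive points: remove the unused ida/idq script mappings, and watch the traffic that still reaches the allowed web service for requests that target functionality the server does not need. The following Python script is an added example (not code from the thread or from any poster): it parses constructed IIS-style W3C log lines and flags requests whose URI extension belongs to a script mapping that should have been disabled. The field layout, the extension list and the sample lines are assumptions for the example; the one thing a .ida/.idq hit tells you either way is that somebody is probing for that mapping, which is worth seeing whether or not the mapping is still present.

```python
"""Flag web requests aimed at unused ISAPI script mappings (.ida/.idq etc.).

Added example for the thread above; not from the original post.
Assumes IIS-style W3C extended log lines with exactly these fields:
date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
"""
import re
from collections import Counter
from typing import Dict, Iterator, List

# Extensions served by script mappings a plain web site rarely needs.
# Assumption for the example: the administrator has already decided these
# are unneeded, so any request for them is a probe, not legitimate traffic.
UNNEEDED_SCRIPT_EXTENSIONS = {".ida", ".idq", ".htr", ".printer"}

# Constructed sample log (not real traffic). The query on the .ida line is a
# placeholder that stands in for the long query such probes carry.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-01-07 12:50:01 192.0.2.10 GET /default.htm - 200
2003-01-07 12:50:02 192.0.2.11 GET /default.ida XXXXXXXXXXXX 404
2003-01-07 12:50:03 192.0.2.12 GET /scripts/query.IDQ - 403
2003-01-07 12:50:04 192.0.2.13 POST /forms/submit.asp - 200
2003-01-07 12:50:05 192.0.2.11 GET /default.ida XXXXXXXXXXXX 404
"""

# One record: seven whitespace-separated fields, status is numeric.
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line; directives (#...) and blanks are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LOG_LINE.match(line)
        if not m:
            # Malformed line: skip rather than crash on a truncated log.
            continue
        date, time, client, method, stem, query, status = m.groups()
        yield {
            "date": date, "time": time, "client": client, "method": method,
            "stem": stem, "query": query, "status": int(status),
        }


def uri_extension(stem: str) -> str:
    """Lower-cased extension of the last path segment ('' if none).

    Script mappings are matched case-insensitively by the server, so the
    check must be too: /query.IDQ hits the same mapping as /query.idq.
    """
    name = stem.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def find_script_mapping_probes(text: str,
                               unneeded=UNNEEDED_SCRIPT_EXTENSIONS) -> List[Dict[str, str]]:
    """Return the log records whose URI targets an unneeded script mapping."""
    return [r for r in parse_w3c(text) if uri_extension(r["stem"]) in unneeded]


def probes_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count probe requests per source address (what you would alert on)."""
    return dict(Counter(r["client"] for r in hits))


if __name__ == "__main__":
    hits = find_script_mapping_probes(SAMPLE_LOG)
    for r in hits:
        print(f'{r["date"]} {r["time"]} {r["client"]} {r["method"]} '
              f'{r["stem"]} -> {r["status"]}')
    print("probes per client:", probes_by_client(hits))
```

The same match (the `.ida` / `.idq` extension in the request line) is what a packet-level rule in snort would carry in its `content:` option; the log-based version is shown here because it runs offline against any W3C log, and because once the mapping is removed the request reaches the log as a harmless 404 rather than the ISAPI filter.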