Educause Security Discussion mailing list archives
Re: Correction: XP SP2 ports open to local subnet
From: Brian Eckman <eckman () UMN EDU>
Date: Fri, 11 Jun 2004 13:48:06 -0500
John Kristoff wrote:
I agree with some who are concerned that not filtering packets from the local subnet is potentially going to be a problem. In my experience, where I've put similar filters on router interfaces at subnet edges, hosts within the unfiltered subnet(s) would eventually get compromised by a host that came into the shielded network with something bad.
Agreed. However, those who have NetReg or a similar scanning solution can likely make the scanner appear to be coming from the local subnet, so it can find vulnerable computers that would not have otherwise been found due to the firewall. Some security-admin type people will perceive that as a benefit. I personally do not like the exception either, or at least wish you would be prompted upon the first bootup of SP2 to help it decide. Also, remember that the local subnet filtering exception is only for the file and print sharing ports 137/udp, 138/udp, 139/tcp and 445/tcp. Ports like 135/tcp, 5000/tcp, 1025/tcp and all others are filtered from everyone by default. However, as an example, hosts vulnerable to the LSASS vulnerability in MS04-011 can be compromised by a computer on the local subnet. Same with machines with weak/blank passwords. Changing the default behavior is pretty easy, but people will have to know to do so, plus be motivated to do so. That is tough as we all know. We can still try...
I haven't played with XP SP2 so someone please fill me in on the details. If a XP SP2 host becomes compromised, will the default firewall config also block packets on egress from the compromised host to hosts not on the local subnet or are the filters only applied on ingress to itself?
The default firewall config would allow the compromised host to try to spread itself. It seems that something like Sasser (Blaster, Agobot and Polybot too) would be thwarted, as the remote host would try to establish a new connection to the Sasser FTP server to get the worm, and would not be able to because the firewall blocks the new ingress connection. However, worms will probably eventually figure out how to tell the firewall to allow access to them, or will just find ways to spread over the initial connection. And, some worms don't require that connect-back and therefore will spread uninhibited by the local firewall. The default firewall config won't stop most spyware and keyboard loggers from phoning home. The proliferation of such threats is sure to continue increasing for the foreseeable future. Especially as long as the ADODB.Stream ActiveX control continues to be accessible by Internet Explorer, and continues to have unpatched vulnerabilities. Finally, we all need to remember that SP2 is still likely two months away from being released, and that what we see today isn't necessarily what will be in the service pack itself. Granted, not much is going to change at this point, but nothing is guaranteed to stay the same either.

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
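The inbound policy described in this message (file and print sharing ports 137/udp, 138/udp, 139/tcp and 445/tcp reachable from the local subnet only, every other inbound port dropped regardless of source, and no egress filtering) can be modelled so an admin can check which flows a host with the default config would accept. The script below is an added example written for this archive page; it is not part of the thread and not Microsoft's rule set. The subnet 192.168.1.0/24, the addresses and the flow list are constructed sample values, and the "connect-back" flow uses 1025/tcp only as a stand-in port for a worm's file server.

```python
"""Model of the XP SP2 default inbound firewall policy as described in the thread.

Assumptions (added example, not Microsoft's rule set): the local-subnet
exception covers exactly 137/udp, 138/udp, 139/tcp and 445/tcp; all other
inbound ports are dropped from every source; outbound traffic is not filtered.
"""
import ipaddress
from dataclasses import dataclass

# File and print sharing ports the SP2 default allows from the local subnet.
LOCAL_SUBNET_EXCEPTION = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src: str        # remote address for "in"; this host's address for "out"
    dport: int      # destination port of the new connection or datagram
    direction: str  # "in": a remote host opens a connection to us; "out": we open one


def inbound_allowed(flow: Flow, host_subnet: str) -> bool:
    """Return True if the default SP2 config lets this new flow through."""
    if flow.direction == "out":
        # Egress is not filtered, so a compromised host can still scan and
        # connect outward (the point made in the message above).
        return True
    if (flow.proto, flow.dport) in LOCAL_SUBNET_EXCEPTION:
        # Only the local-subnet exception ports depend on the source address.
        return ipaddress.ip_address(flow.src) in ipaddress.ip_network(host_subnet)
    # Every other inbound port (135/tcp, 5000/tcp, 1025/tcp, ...) is dropped.
    return False


def audit(flows, host_subnet: str):
    """Classify each flow; returns a list of (flow, allowed) pairs."""
    return [(f, inbound_allowed(f, host_subnet)) for f in flows]


def exposed_ports(host_subnet: str, src: str):
    """Ports that a given source address can still reach on this host."""
    return sorted(
        f"{port}/{proto}"
        for proto, port in LOCAL_SUBNET_EXCEPTION
        if inbound_allowed(Flow(proto, src, port, "in"), host_subnet)
    )


# Constructed sample flows (not captured traffic); HOST_SUBNET is an assumption.
HOST_SUBNET = "192.168.1.0/24"
SAMPLE_FLOWS = [
    Flow("tcp", "192.168.1.20", 445, "in"),   # SMB from a neighbour: allowed
    Flow("tcp", "10.9.8.7", 445, "in"),       # SMB from off-subnet: dropped
    Flow("tcp", "192.168.1.20", 135, "in"),   # RPC from a neighbour: dropped
    Flow("udp", "192.168.1.30", 137, "in"),   # NetBIOS name service, local: allowed
    Flow("tcp", "192.168.1.10", 21, "out"),   # this host connecting outward: unfiltered
    Flow("tcp", "203.0.113.5", 1025, "in"),   # connect-back to a worm's file server here: dropped
]

if __name__ == "__main__":
    for flow, ok in audit(SAMPLE_FLOWS, HOST_SUBNET):
        verdict = "ALLOW" if ok else "DROP"
        print(f"{flow.direction:>3} {flow.proto}/{flow.dport:<5} from {flow.src:<14} -> {verdict}")
    print("reachable from local subnet:", exposed_ports(HOST_SUBNET, "192.168.1.20"))
    print("reachable from elsewhere:   ", exposed_ports(HOST_SUBNET, "10.9.8.7"))
```

The audit makes the two sides of the discussion visible in one run: a neighbour on the subnet still reaches all four sharing ports (so a weak password or an unpatched LSASS is exposed to it), while the connect-back a worm like Sasser needs is dropped because it arrives as a new inbound connection on a non-exception port.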
Current thread:
- Correction: XP SP2 ports open to local subnet Phil Rodrigues (Jun 09)
- <Possible follow-ups>
- Re: Correction: XP SP2 ports open to local subnet Niedens, Travis (Jun 09)
- Re: Correction: XP SP2 ports open to local subnet John Kristoff (Jun 11)
- Re: Correction: XP SP2 ports open to local subnet Brian Eckman (Jun 11)
- Re: Correction: XP SP2 ports open to local subnet Niedens, Travis (Jun 11)
- Re: Correction: XP SP2 ports open to local subnet Brian Eckman (Jun 11)
- Re: Correction: XP SP2 ports open to local subnet Niedens, Travis (Jun 11)
- Re: Correction: XP SP2 ports open to local subnet Jeff Bollinger (Jun 13)