Educause Security Discussion mailing list archives

Re: Correction: XP SP2 ports open to local subnet


From: Brian Eckman <eckman () UMN EDU>
Date: Fri, 11 Jun 2004 13:48:06 -0500

John Kristoff wrote:
> I agree with some who are concerned that not filtering packets from the
> local subnet is potentially going to be a problem.  In my experience,
> where I've put similar filters on router interfaces at subnet edges,
> hosts within the unfiltered subnet(s) would eventually get compromised
> by a host that came into the shielded network with something bad.


Agreed. However, those who have NetReg or a similar scanning solution
can likely make the scanner appear to be coming from the local subnet,
so it can find vulnerable computers that would not have otherwise been
found due to the firewall. Some security-admin type people will perceive
that as a benefit. I personally do not like the exception either, or at
least wish you would be prompted upon the first bootup of SP2 to help it
decide.

Also, remember that the local subnet filtering exception is only for the
file and print sharing ports 137/udp, 138/udp, 139/tcp and 445/tcp.
Ports like 135/tcp, 5000/tcp, 1025/tcp and all others are filtered from
everyone by default. However, as an example, hosts vulnerable to the
LSASS vulnerability in MS04-011 can be compromised by a computer on the
local subnet. Same with machines with weak/blank passwords.

Changing the default behavior is pretty easy, but people will have to
know to do so, plus be motivated to do so. That is tough as we all know.
We can still try...


> I haven't played with XP SP2 so someone please fill me in on the
> details.
>
> If an XP SP2 host becomes compromised, will the default firewall config
> also block packets on egress from the compromised host to hosts not on
> the local subnet or are the filters only applied on ingress to itself?

The default firewall config would allow the compromised host to try to
spread itself. It seems that something like Sasser (Blaster, Agobot and
Polybot too) would be thwarted, as the remote host would try to
establish a new connection to the Sasser FTP server to get the worm, and
would not be able to because the firewall blocks the new ingress
connection. However, worms will probably eventually figure out how to
tell the firewall to allow access to them, or will just find ways to
spread over the initial connection. And, some worms don't require that
connect-back and therefore will spread uninhibited by the local firewall.

The default firewall config won't stop most spyware and keyboard loggers
from phoning home. The proliferation of such threats is sure to continue
increasing for the foreseeable future. Especially as long as the
ADODB.Stream ActiveX control continues to be accessible by Internet
Explorer, and continues to have unpatched vulnerabilities.

Finally, we all need to remember that SP2 is still likely two months
away from being released, and that what we see today isn't necessarily
what will be in the service pack itself. Granted, not much is going to
change at this point, but nothing is guaranteed to stay the same either.

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
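To make the exposure discussed in this message concrete, here is an added example (not part of the thread and not Microsoft's code): a small Python model of the SP2 default inbound policy exactly as stated above, using constructed addresses. It assumes the host has no further exceptions enabled and that egress is unfiltered, as the reply describes.

```python
# Added example: model of the XP SP2 default firewall policy as described
# in the thread (local-subnet exception for file/print ports only, every
# other inbound port filtered, no egress filtering). Constructed sample
# addresses; the model assumes no additional exceptions are configured.
import ipaddress

# Ports the default policy opens to the local subnet only.
LOCAL_SUBNET_EXCEPTION = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


def inbound_allowed(host_if, src_ip, proto, port, exception=LOCAL_SUBNET_EXCEPTION):
    """True if a new inbound connection from src_ip to (proto, port) would be
    accepted. host_if is the host's own address with prefix, e.g.
    "10.20.30.40/24" (a constructed value, not a real host)."""
    iface = ipaddress.ip_interface(host_if)
    src = ipaddress.ip_address(src_ip)
    if (proto.lower(), port) in exception:
        # File/print ports: reachable only from peers on the same subnet.
        return src in iface.network
    # 135/tcp, 1025/tcp, 5000/tcp and everything else: filtered from everyone.
    return False


def outbound_allowed(dst_ip, proto, port):
    """The default policy does not filter egress, so a compromised host can
    still open connections outward (worm propagation, spyware phoning home)."""
    return True


def reachable_ports(host_if, src_ip, probes):
    """Return the sorted list of (proto, port) from `probes` that src_ip can
    reach on the host. Useful for reasoning about what a scanner placed on
    the local subnet (as the NetReg remark suggests) would see versus what an
    off-subnet scanner would see."""
    return sorted(p for p in probes if inbound_allowed(host_if, src_ip, *p))


if __name__ == "__main__":
    probes = [("tcp", 135), ("tcp", 139), ("tcp", 445), ("udp", 137), ("tcp", 5000)]
    print("local peer :", reachable_ports("10.20.30.40/24", "10.20.30.99", probes))
    print("remote peer:", reachable_ports("10.20.30.40/24", "192.0.2.10", probes))
```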

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.