Firewall Wizards mailing list archives
RE: mitigating the lack of a firewall
From: "Starkey, Kyle" <Kyle.Starkey () msdw com>
Date: Tue, 15 Feb 2000 09:35:33 -0800
Danger Will Robinson.... Warning! Danger!

OK so it isn't that bad, but I would be frightened putting an NT IIS server out on the internet standing alone. This type of a machine, while it can be locked down, is still pretty vulnerable to stack attacks due to the weak stack that MS threw together as an afterthought. If you are going to put this box out on the Internet all by itself and it was only serving static content then I would say this might be OK, but at least block inbound ports with some router ACLs to give you that warm cozy feeling. If this box is serving up dynamic content that requires you to reach into the enterprise and get some data from your internal DB server, then NO, you should definitely put it behind a firewall (and ACLs just to be safe).

At the very least, Bruce, turn off the netbios connections on all interfaces so that someone doesn't walk into your box and suck out the SAM (passwords kept here). Also run a vulnerability scanner (ISS, Cybercop, etc.) against it to make sure you haven't missed anything. Remember to not load the sample files on IIS. I think also Lance Spitzner wrote a paper on armoring NT; check out http://www.enteract.com/~lspitz/pubs.html, there should be something there that is in PLAIN english that can help you.

just my paranoid .02

-Kyle
Information Security
MSDW Online

-----Original Message-----
From: Bruce H. Nearon [mailto:bhn () simlab net]
Sent: Saturday, February 12, 2000 8:03 AM
To: firewall-wizards () nfr net
Subject: mitigating the lack of a firewall

Suppose an Internet site does not have a firewall. Can a securely configured IIS 4.0 server running under securely configured NT 4.0 protect the site from unauthorized access and denial of service attacks?

Bruce Nearon, CPA
The Cohn Consulting Group
Roseland, New Jersey