Firewall Wizards mailing list archives
RE: Code Red: What security specialist don't mention in warnings
From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Sat, 4 Aug 2001 15:20:44 -0500
-----Original Message-----
From: Nate Campi [mailto:nate () campi cc]
Sent: Saturday, August 04, 2001 2:55 PM

Not true in our shop. Our web front-ends on one of the two news sites I maintain have to connect outbound to several external services for different content. Of course this doesn't mean we allow all outbound connections. All outbound connections are denied by default, and when building out the architecture for a service such as this, we have the netops guys/gals set up ACLs to allow only the outbound connections we need.

My point is that even when outbound connections are necessary, you can still reduce your risk, as we have.
Nate, absolutely correct. Any service you need should be allowed, but the rest blocked. For payment processing systems, for example, you would allow outbound access only for that service and only to that (set of) destination(s). This limitation can be done by service, by destination address, and by time (which is often overlooked).

My web servers, for example, allow outbound connections to automatically update virus signatures every night. The outbound connection is allowed only for HTTP and FTP, only to the place where the signature files are, and only for about 15 minutes at 4am in the morning.

But at least you and I are putting some restrictions on it. I have seen web servers that were sitting naked right behind a router without router ACLs. Those are the boxes owned by exploits and used as stepping stones. If people would put restrictions on their network connections, they would enhance their security .... oh well, I'm preaching to the choir again.

The reason I had posted the Code Red rant was that none of the advisories even mentioned other countermeasures. They only focused on the patch. How will we be able to educate people and help them secure their systems when we don't show them the whole picture? Slapping a patch on is just a band-aid. It doesn't do anything to get them thinking proactively with the larger picture in front of them. I'm very disappointed in the authors of those advisories...

Regards,
Frank
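An added illustration (not part of Frank's post) of the egress policy he describes: deny all outbound by default, then permit one service to one destination inside a short time window, and render the same policy as iptables rules. The signature-mirror network 192.0.2.0/24, the ports and the 04:00-04:15 window are constructed placeholders.

```python
"""Default-deny egress policy evaluator with by-service, by-destination
and by-time restrictions, plus an iptables rendering of the same rules.
Addresses, ports and the time window are constructed example values."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class EgressRule:
    name: str
    dst: str            # destination network the host may reach (CIDR)
    ports: frozenset    # permitted destination TCP ports (the "service")
    start: time         # window start, inclusive (local time)
    end: time           # window end, exclusive

    def matches(self, dst_ip: str, port: int, when: time) -> bool:
        in_net = ip_address(dst_ip) in ip_network(self.dst)
        in_window = self.start <= when < self.end
        return in_net and port in self.ports and in_window


# Constructed rule: AV signature mirror over FTP/HTTP, 04:00-04:15 only.
RULES = [
    EgressRule("av-sig-update", "192.0.2.0/24", frozenset({21, 80}),
               time(4, 0), time(4, 15)),
]


def egress_allowed(dst_ip: str, port: int, hhmm: str, rules=RULES):
    """Return (allowed, rule_name). Nothing matching a rule is denied."""
    when = time.fromisoformat(hhmm)
    for rule in rules:
        if rule.matches(dst_ip, port, when):
            return True, rule.name
    return False, "default-deny"


def to_iptables(rules=RULES):
    """Render the policy as iptables OUTPUT rules with a DROP policy.
    Replies to inbound connections (the web service itself) stay allowed
    via the ESTABLISHED,RELATED match; xt_time supplies the window."""
    lines = ["iptables -P OUTPUT DROP",
             "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for rule in rules:
        for port in sorted(rule.ports):
            lines.append(
                f"iptables -A OUTPUT -p tcp -d {rule.dst} --dport {port} "
                f"-m time --timestart {rule.start:%H:%M} "
                f"--timestop {rule.end:%H:%M} -j ACCEPT  # {rule.name}")
    return lines
```

Passive-mode FTP data channels would additionally rely on the conntrack FTP helper to be classified as RELATED.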