Firewall Wizards mailing list archives

Re: IPv6 support in firewalls

From: jseymour () linxnet com (Jim Seymour)
Date: Wed, 29 Aug 2007 08:44:57 -0400 (EDT)


Darren.Reed () Sun COM wrote:

[snip]


disabling java, active-x and javascript goes a long way to defeating
most things that attack windows boxen.


And not running MSIE.


downside is you might as well be using lynx to browse the web!


Of the three: The only one of those the lack of which would *generally*
be fairly crippling is JavaScript, IME.  We have a few
business-partner/commercial sites that use Java.  We have a total of
two (I think) sites that require ActiveX.  (Interestingly: These two,
in particular, are financially-oriented sites, operated by major
financial institutions, and *require* that one basically defeat what
few protections there are, configuration-wise, in MSIE.  There is no
wonder in my mind how and why business' are routinely 0wn3d.)

We block ActiveX via HTTP at the web proxies.  The two sites we must
use that require it are HTTPS URLs.

To this day, it boggles my mind that business' routinely/regularly
allow ActiveTrojan through their firewalls.  Almost might as well not
*have* a firewall, if you're going to allow that kind of thing, IMO.

Paul mentioned not having seen a single residential MS-Win box that
wasn't compromised.  I can show you one, Paul.  And it's only SP1, to
boot.  Thing is: On arrival, the first thing to go was MSOE (replaced
by Pegasus, at the time).  MSIE was immediately defanged (for as much
good as that does--just because you tell MSIE "don't do this," doesn't
mean it won't, turns out), and installed Mozilla.  PeeCee is behind a
packet-filtering NAT'd router, w/both ingress and egress rules.  Wife
was instructed on safe computing.  I trust that 'doze box *almost* as
much as I do my Solaris box ;).

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: IPv6 support in firewalls Mike Barkett (Aug 23)
- Re: IPv6 support in firewalls Steven M. Bellovin (Aug 23)
  - Re: IPv6 support in firewalls Marcus J. Ranum (Aug 24)
    - Re: IPv6 support in firewalls Steven M. Bellovin (Aug 24)
- <Possible follow-ups>
- Re: IPv6 support in firewalls Roger Marquis (Aug 27)
- Re: IPv6 support in firewalls Jim Seymour (Aug 29)