Firewall Wizards mailing list archives
Re: IPv6 support in firewalls
From: jseymour () linxnet com (Jim Seymour)
Date: Wed, 29 Aug 2007 08:44:57 -0400 (EDT)
Darren.Reed () Sun COM wrote:
[snip]
disabling java, active-x and javascript goes a long way to defeating most things that attack windows boxen.
And not running MSIE.
downside is you might as well be using lynx to browse the web!
Of the three: The only one of those the lack of which would *generally* be fairly crippling is JavaScript, IME. We have a few business-partner/commercial sites that use Java. We have a total of two (I think) sites that require ActiveX. (Interestingly: These two, in particular, are financially-oriented sites, operated by major financial institutions, and *require* that one basically defeat what few protections there are, configuration-wise, in MSIE. There is no wonder in my mind how and why businesses are routinely 0wn3d.)

We block ActiveX via HTTP at the web proxies. The two sites we must use that require it are HTTPS URLs.

To this day, it boggles my mind that businesses routinely/regularly allow ActiveTrojan through their firewalls. Almost might as well not *have* a firewall, if you're going to allow that kind of thing, IMO.

Paul mentioned not having seen a single residential MS-Win box that wasn't compromised. I can show you one, Paul. And it's only SP1, to boot. Thing is: On arrival, the first thing to go was MSOE (replaced by Pegasus, at the time). MSIE was immediately defanged (for as much good as that does--just because you tell MSIE "don't do this," doesn't mean it won't, turns out), and installed Mozilla. PeeCee is behind a packet-filtering NAT'd router, w/both ingress and egress rules. Wife was instructed on safe computing.

I trust that 'doze box *almost* as much as I do my Solaris box ;).

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.linxnet.com/contact/scform.php>.