
Re: Re: [Full-Disclosure] Microsoft urging users to buy Hardware Firewalls



I would have to disagree; no OS that listens on ports
is secure, and firewalls can defend against all
threats. The only attack that you can pull on a
non-open OS or well-firewalled connection is a DoS
attack. Even with that, you usually don't break the
OS (there was a case with Win95 and "nuke" attacks), but
you can flood the connection.

A combination of a good firewall and a secure OS, one
that doesn't run servers unless you tell it to, is the
best way to go. Firewalls can block ICMP requests and
DoS attacks to an extent, and log them when an OS
can't. There are several OSes that can be configured to
not run servers during install, and a lot don't run
servers on the default install. The problem with
Windows is that it runs several services that you
cannot disable during install, and in a critical part
of the OS. Then Microsoft wants you to hide their
mistakes, which they probably won't fix themselves, by
saying RPC was never meant to be on the internet in
the first place, even though it has been since NT!

In most services in Windows, you can't change ports or
change access rules by IP, like restricting connections
to only localhost or subnets. All Microsoft has to do
is a "netstat -an" to see the 20 ports, or however many
they have open on a default install. They released a
patch, but DCOM is still on and RPC is still listening
on port 135. More and more ISPs are blocking port 135
now, though, because of Microsoft.

Each time my ISP has blocked a port it had something
to do with Microsoft products: 80 (Code Red/Nimda),
136-139 (NetBIOS), 445 (SMB), 1433-1434 (Slammer),
135 (RPC). Because of Code Red I am no longer able to
run a webserver from home. Sure, my ISP as well as
most ISPs say no servers, but they really didn't care
before Code Red.

--- "Jeffrey A.K. Dick" <jeffdick@covirt.com> wrote:
> I think that we need to stop looking for a single
> "solution" ... there is no
> silver bullet to be found ... all OSes are insecure
> and no firewall can
> defend against all threats. There are always going
> to be exploitable
> weaknesses. Anybody who says otherwise is either an
> idiot or is trying to
> sell something.
> 
> Firewalls are an excellent means of defense --
> everyone should have one and
> it should be separate from the desktop OS. However,
> just as "real" firewalls
> do not prevent fires, network firewalls do not
> prevent security breaches -- 
> they are designed to slow the spread.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
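Added example, not code from the post or its author: the "netstat -an" check the post describes, written as a small Python audit. It parses Windows-style `netstat -an` output, keeps only sockets bound to a non-loopback address (so a service bound to 127.0.0.1, the localhost-only configuration the post says Windows services did not allow, is not reported), and marks the ports the post names as ISP-blocked (80, 135, 136-139, 445, 1433-1434). The netstat listing and the port 8080 entry are constructed sample data, not output from a real host.

```python
"""Audit a `netstat -an` listing for services exposed beyond localhost.

Added example (not part of the original mailing-list post). The netstat
text below is constructed to resemble Windows `netstat -an` output; the
watched-port table mirrors the ports the post names.
"""
import re

# Ports the post says ISPs blocked because of Windows services and worms.
WATCHED_PORTS = {
    80: "HTTP (Code Red / Nimda)",
    135: "RPC endpoint mapper",
    136: "NetBIOS", 137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS",
    445: "SMB",
    1433: "MS SQL (Slammer)", 1434: "MS SQL (Slammer)",
}

# Constructed sample: Windows-style `netstat -an` output (TCP and UDP).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      10.0.0.5:51234         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:1434         *:*
"""

# One socket line: proto, local address:port, foreign address, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local_ip, local_port, state) for each socket line.

    UDP lines carry no state column; a bound UDP socket accepts datagrams
    from any source, so it is recorded as LISTENING.
    """
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or otherwise non-socket line
        proto, ip, port, _foreign, state = m.groups()
        if proto == "UDP":
            state = "LISTENING"
        sockets.append((proto, ip, int(port), state))
    return sockets


def is_loopback(ip):
    """True for addresses reachable only from the local host."""
    return ip.startswith("127.") or ip in ("::1", "[::1]")


def exposed_listeners(text):
    """Return listeners bound to a non-loopback address, with a risk note.

    0.0.0.0 or a LAN address means the service is reachable from the
    network and must be filtered by a firewall; 127.0.0.1 means it is not.
    """
    findings = []
    for proto, ip, port, state in parse_netstat(text):
        if state != "LISTENING" or is_loopback(ip):
            continue
        findings.append({
            "proto": proto,
            "bind": ip,
            "port": port,
            "watched": port in WATCHED_PORTS,
            "note": WATCHED_PORTS.get(port, "not in the post's list"),
        })
    return findings


if __name__ == "__main__":
    for f in exposed_listeners(SAMPLE_NETSTAT):
        flag = "!!" if f["watched"] else "  "
        print(f'{flag} {f["proto"]} {f["bind"]}:{f["port"]}  {f["note"]}')
```

Run it against saved `netstat -an` output instead of the sample to get the same report for a real host; anything flagged with `!!` is a service on one of the post's ports that a host firewall or the ISP, not the service's own configuration, is keeping off the network.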