I manage a national enterprise and we block port 135 on all external firewall
interfaces.  There is scant reason why this port needs to be open from external IPs.
If an application requires open access to port 135 over the Internet, it's a piss-poor
application written by a programmer who should know better.  When our company started
out, we had one vendor who thought it would be cool to allow all of its Exchange
customers to use the full Outlook client from anywhere, including from home, without
using a VPN tunnel.  Needless to say, they are nearly out of business now.  The
real solution to the real problem is to stop working with crappy vendors, stop treating
the security policy like toilet paper, and create network environments that can be
secured against known threats and set to monitor for the unknown threats.  If your
political environment at work is such that creating such an environment is impossible,
then it is up to you whether you want to continue working there.  The only thing that
you can do is advise the executive staff of the risk that they take when implementing
poor security and hope that they take your advice seriously.  If they don't give you
the money to implement the necessary security, implement the best security that you
can and DOCUMENT your actions and the risks associated with it.  If the environment is
so bad that you cannot even do that, then you should be surfing Monster.com for a new
job rather than ranting at people on this forum for offering sound suggestions to
combat the problem.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Brad Bemis
Sent: Thursday, August 14, 2003 12:22 PM
To: Ed Carp; Anjan Dave; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] "MS Blast" Win2000 Patch Download


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> It's probably worth mentioning even more that if you have
> port 135 blocked on your firewall, you wouldn't have to worry
> about it :(

Personally I am getting tired of people making these kinds of comments.  It
is obvious that these people have never had responsibility for a
large-scale, multi-national enterprise environment that touches so many
different organizations world-wide that it is nearly impossible to account
for every single Internet access point (not to mention remote access and
mobile computers).  While it may be true that blocking port 135 at the
firewall would work in an ideal environment, very few of us that deal with
security matters in the real world have anything that even begins to
approach an ideal environment.  We need to be discussing real solutions to
real problems, not verbalizing a continued ignorance of reality.  Sorry for
the rant, but this topic is getting old quickly!     

Thank you for your time and attention,

========================
Brad Bemis
========================





-----BEGIN PGP SIGNATURE-----

iQA/AwUBPzu3JJDnOfS48mrdEQJ1GACg984qft3Pbr5v2SXbG2Yi72T65rYAoMeH
N6LbpR3GXG27Dx19DEthJP0N
=GRs4
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

This e-mail is the property of Oxygen Media, LLC.  It is intended only for the person 
or entity to which it is addressed and may contain information that is privileged, 
confidential, or otherwise protected from disclosure. Distribution or copying of this 
e-mail or the information contained herein by anyone other than the intended recipient 
is prohibited. If you have received this e-mail in error, please immediately notify us 
by sending an e-mail to [EMAIL PROTECTED] and destroy all electronic and paper copies 
of this e-mail.
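Both posters agree on the technical point (inbound TCP/135, the DCE/RPC endpoint mapper that Blaster targets, should not be reachable from the Internet) and disagree on whether a large enterprise can verify that on every access point. As an added example, not code from either poster or from the Full-Disclosure list, here is a small Python audit that evaluates per-interface firewall policies with first-match semantics and reports which interfaces let a probe source reach TCP/135. The rule format, interface names, policies and probe addresses are all constructed for illustration (the addresses come from the RFC 5737 documentation ranges); a real deployment would feed it rule sets exported from the actual firewalls.

```python
"""Audit firewall policies for inbound exposure of the DCE/RPC endpoint mapper (TCP 135).

Added example, not from the original thread. The Rule format, the policies and the
probe addresses below are constructed; substitute exported rule sets in practice.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RPC_EPMAP_PORT = 135  # DCE/RPC endpoint mapper, the port the MS03-026 worm spreads over


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # source CIDR, or "any"
    dports: str   # destination port "135", range "135-139", or "any"


def _port_ok(spec: str, port: int) -> bool:
    """True if `port` falls inside a single-port or lo-hi range spec."""
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _src_ok(spec: str, src: str) -> bool:
    """True if the source address is covered by the rule's source CIDR."""
    return spec == "any" or ip_address(src) in ip_network(spec, strict=False)


def decide(rules, proto: str, src: str, port: int):
    """First matching rule wins; no match is an implicit deny (index None)."""
    for idx, r in enumerate(rules):
        if r.proto in ("any", proto) and _src_ok(r.src, src) and _port_ok(r.dports, port):
            return r.action, idx
    return "deny", None


def audit_epmap_exposure(policies, probes, port: int = RPC_EPMAP_PORT):
    """Return {interface: [(probe_src, rule_index), ...]} for every probe that reaches `port`.

    Interfaces that block the port for every probe are omitted from the result.
    """
    findings = {}
    for iface, rules in policies.items():
        hits = []
        for src in probes:
            action, idx = decide(rules, "tcp", src, port)
            if action == "allow":
                hits.append((src, idx))
        if hits:
            findings[iface] = hits
    return findings


# Constructed sample policies, one per external interface.
POLICIES = {
    # Explicit drops for the Windows RPC/SMB ports before the allows.
    "hq-ext": [
        Rule("deny", "tcp", "any", "135"),
        Rule("deny", "tcp", "any", "137-139"),
        Rule("deny", "tcp", "any", "445"),
        Rule("allow", "tcp", "any", "443"),
    ],
    # The "full Outlook client from anywhere, no VPN" style of policy.
    "branch-ext": [Rule("allow", "tcp", "any", "any")],
    # RPC permitted only from a partner network, everything else denied.
    "partner-ext": [
        Rule("allow", "tcp", "203.0.113.0/24", "135-139"),
        Rule("deny", "any", "any", "any"),
    ],
    # A sloppy "web" range that silently includes 135.
    "web-ext": [Rule("allow", "tcp", "any", "80-443")],
}

# Constructed probe sources: an arbitrary Internet host and a partner host.
PROBES = ["198.51.100.7", "203.0.113.42"]


if __name__ == "__main__":
    for iface, hits in audit_epmap_exposure(POLICIES, PROBES).items():
        for src, idx in hits:
            print(f"{iface}: TCP/{RPC_EPMAP_PORT} reachable from {src} via rule #{idx}: {POLICIES[iface][idx]}")
```

The `web-ext` finding is the one worth noting: nothing in that policy mentions 135, yet the port is exposed because a destination range was written too broadly. Checking reachability per interface against a fixed set of probe sources, rather than grepping rule sets for the string "135", is what catches that class of mistake across many access points.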
