I would have to disagree: no OS that listens on ports is secure, and firewalls can defend against all threats. The only attack that you can pull on a non-open OS or well-firewalled connection is a DoS attack. Even with that, usually you don't break the OS (there was a case with Win95 and "nuke" attacks), but you can flood the connection.

A combination of a good firewall and a secure OS, one that doesn't run servers unless you tell it to, is the best way to go. Firewalls can block ICMP requests and DoS attacks to an extent, and log them when an OS can't. There are several OSs that can be configured to not run servers during install, and a lot don't run servers on the default install. The problem with Windows is that it runs several services that you cannot disable during install, and in a critical part of the OS. Then Microsoft wants you to hide their mistakes, which they probably won't fix themselves, by saying RPC was never meant to be on the internet in the first place, even though it has been since NT! In most services in Windows, you can't change ports or change access rules by IP, like restricting connections to only localhost or subnets. All Microsoft has to do is a "netstat -an" to see the 20 ports, or however many they have open, on a default install. They released a patch, but DCOM is still on, and RPC is still listening on port 135. More and more ISPs are blocking port 135 now, though, because of Microsoft. Each time my ISP has blocked a port it had something to do with Microsoft products: 80 (Code Red/Nimda), 136-139 (NetBIOS), 445 (SMB), 1433-1434 (Slammer), 135 (RPC). Because of Code Red I am no longer able to run a webserver from home. Sure, my ISP, as well as most ISPs, says no servers, but they really didn't care before Code Red.

--- "Jeffrey A.K. Dick" <[EMAIL PROTECTED]> wrote:

> I think that we need to stop looking for a single "solution" ... there is no
> silver bullet to be found ... all OS's are insecure and no firewall can
> defend against all threats. There are always going to be exploitable
> weaknesses. Anybody who says otherwise is either an idiot or is trying to
> sell something.
>
> Firewalls are an excellent means of defense -- everyone should have one and
> it should be separate from the desktop OS. However, just as "real" firewalls
> do not prevent fires, network firewalls do not prevent security breaches --
> they are designed to slow the spread.

_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
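As an added example (not part of the original post or thread), here is a small Python script that parses a constructed sample of Windows "netstat -an" output and flags listeners bound to a non-loopback address on the ports the post names; it assumes that a loopback-only bind is the "restricted to localhost" case the post wants, and that any UDP bind counts as a listener.

```python
import re
from typing import NamedTuple
# Ports the post names as ones ISPs blocked because of Windows services/worms.
PORTS_OF_CONCERN = {
    80: "HTTP (Code Red/Nimda)",
    135: "RPC/DCOM",
    136: "NetBIOS", 137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS",
    445: "SMB",
    1433: "MSSQL (Slammer)", 1434: "MSSQL (Slammer)",
}

# Constructed sample in the shape of Windows "netstat -an" output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      203.0.113.5:51234      ESTABLISHED
  UDP    0.0.0.0:1434           *:*
  UDP    127.0.0.1:123          *:*
"""
# proto, local addr, local port, foreign addr, optional state (UDP lines have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    exposed: bool   # bound to something other than loopback, so reachable remotely
    note: str       # why the post cares about this port, or "" if it does not

def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return sockets that accept inbound traffic: TCP in LISTENING, or any UDP bind."""
    found = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner/header lines
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not listeners
        exposed = addr not in ("127.0.0.1", "::1", "[::1]")
        found.append(Listener(proto, addr, int(port), exposed, PORTS_OF_CONCERN.get(int(port), "")))
    return found

def exposed_concerns(netstat_output: str) -> list[Listener]:
    """Listeners reachable from the network on a port the post calls out."""
    return [l for l in parse_listeners(netstat_output) if l.exposed and l.note]
```

On a real host, feed the script the captured output of "netstat -an" instead of the sample; anything it returns is a service that neither the OS configuration nor a host firewall has restricted to localhost.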
