i agree with danny on everything except i would have said "trust the competent people you hire to do the job right". i spent a lot more than 30 hours repairing the damage done after a local consultant put an allow any any rule on the outside interface of a pix firewall.
and as far as not interfering with my work. let them. they are the ones paying the bill and they "are" the customers. all you can do is give good advice and point out best practices. if they don't want to follow the advice, well, i have the name of a good pix firewall installation company. :-)

steve

-----Original Message-----
From: Cox, Danny H. [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 16, 2002 12:28 PM
To: Ted Bardusch
Cc: [EMAIL PROTECTED]
Subject: RE: AW: [gb-users] win2K security problems, the facts!

What everyone is forgetting:

1. Microsoft Windows "out of the box" installs tend to be wide open.
2. Services like ftp, telnet, www, Indexing, remote access, remote registry, routing & remote access, RPC, Windows Mgmt, Installer and Scheduler all have known hacks and all (mostly) are open to access/exploits "out of the box".
3. There is also a little known issue with the IP stack in NT that requires a "hot fix". It implements a new randomizer.
4. Even Linux systems are prey to attack.

After having a customer demand I open a couple of ports (against my stern warnings) to a Linux web server (20,21,23,25), their server was hacked in less than 29 hours. The net result - They learned a big lesson (trust the people you hire to do the job right - don't interfere). In the end it cost about 30 man hours to undo the damage caused.

Anyone that ignores the risks and walks headstrong into a lion's den deserves to get eaten. Systems are faster and perform tasks without judgment. They are only as smart as those using them. I would never put a system in front of a firewall - REGARDLESS. There are far too many tools available to get the job done right.

Oh, By The Way (BTW) Yes, you can nail down a Windows system - It's almost unusable, but you can. The same is true for almost every O.S. out there.

Danny H. Cox

-----Original Message-----
From: Ted Bardusch [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 16, 2002 8:47 AM
To: Marc Suxdorf
Cc: Mike Burden; [EMAIL PROTECTED]
Subject: Re: AW: [gb-users] win2K security problems, the facts!

One thing to be aware of in setting up your hypothetical outside the firewall, up to date patched box of whatever OS -- until it's fully patched, which in some cases takes multiple reboots, it is fully exposed and vulnerable while it's downloading the updates and patches. In that time frame, a scanning attack might well succeed. I saw an article a couple of years ago that an unpatched Red Hat install was rooted in under 30 minutes on average. Windows would not likely be too different.

Personally I suggest using the GB Light with default filters, that does a great job in the vast majority of cases.

Ted Bardusch
[EMAIL PROTECTED]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
To subscribe to the digest version first unsubscribe, then e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archive of the last 1000 messages: http://www.mail-archive.com/[email protected]
