On Thursday 10 May 2001 01:46, Wayne Wilson wrote:
> I hate to throw in a negative tone, but I have stated the
> opinion of other authorities and added my own practical
> experience to it, that security is not a matter of buying or
> downloading and then installing a product.....it's a matter
> of understanding what you are trying to do, how the software
Of course. But look at it that way: an average practice wants to go "online".
Share Internet access from one central server. Of course, they can't afford a
security expert to set up a decent system (can they?)
They take an old box, put an e-smith CD in it, switch it on, answer a few
questions, and 15 minutes later their whole LAN is on the net, protected by a
decent out-of-the-box *audited* security.
(And they now have a samba server, print server, DHCP server, web server,
mail server, streaming MP3 server, remote GUI web administration,
preconfigured SSH, Appletalk server .... as well). Even VPN (choice of PPTP or
IPSEC). Now, if that isn't user-friendly I don't know, and I swear I (and YOU!)
can set it up in 15 minutes, starting from a blank unformatted hard disk.
Compare that to the horrors of Microsoft Internet sharing - e-smith is up &
running before you even have a chance to enter your serial number during
setup of Windows.
(On their web site they have a reference from a 70 bed hospital where the
sysadmin found it mindboggling how easy the setup was).
And no, I do not get any royalties. Reward enough to have the privilege of
using such a nicely crafted system.
Horst
> The folks who put these servers up did so because they
> wanted to provide web pages and because IIS was easy to use.
> IIS is also easy to patch, but they didn't do it (at least
> the ones broken into)!
They used IIS because they had no idea. Served them right ;-)
OK, I stop being cynical. But honestly, they are the laughter of the world
now. Like Mickysoft when they were broken into recently.
> Downloading a firewall and configuring it for these folks
> would have taken time, and most likely confused them over
> settings (I have used firewall software on both NT
They are already confused. Very much so. They were using IIS ;-)
> workstations, linux workstations and dedicated firewall
> machines) and taken hours worth of work. And all for
> nothing, because they would have allowed access to the
> internet on port 80! Why? Let me repeat, because that was
> their intention......
Nope. The attack did not exploit the fact that any HTTP server communicates
through port 80, they exploited a specific weakness of IIS. You are right
however that firewalls are not the appropriate defence here. Using a decent
HTTP server is.
Horst