From the Slashdot discussion: http://slashdot.org/article.pl?sid=01/10/03/1447255&mode=thread
G4 - Large number of open ports (Score:5, Insightful) by ink on Wednesday October 03, @05:04PM (#2383962) (User #4325 Info | http://www.isu.edu/~kellcrai)

It's very, very dangerous to keep on complaining about having a "large" number of open ports. Many system administrators will take this to mean "firewall all these ports at the border".

"Why is that dangerous?" I hear you ask? As we drive more and more traffic to a small number of ports (read: everything on port 80) because of draconian firewall and proxy servers, and even drive all traffic to one protocol (read: HTTP), a large number of services will still be running, but will now be undetectable without traffic analysis, which is mostly voodoo technology right now. The bugs and security holes are still there, but now they are hidden from us because we've conditioned everyone that non-80 is firewalled (see SOAP and Microsoft's dotNET -- in order to avoid firewalling, they are basically going to do RPC over port 80 using HTTP!).

I agree that unused services need to be shut down, but at the source of the problem and not at the firewall. We need to encourage new protocols to make use of new ports so that we can manage this stuff -- the more we drive traffic away, the harder our job will be.

Please, if you are in charge of a firewall, take time to think about what you are doing to everyone else when you institute strict policies that only make you safer in the very short term. Not only are you hurting yourself, but you're giving your users and network a false sense of security. Besides, the attacks du jour of late have all propagated over SMTP and HTTP, haven't they?

The wheel is turning but the hamster is dead.

Craig Kelley -- [EMAIL PROTECTED]
http://www.isu.edu/~kellcrai
finger [EMAIL PROTECTED] for PGP block

--
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
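The comment's point is that once everything is pushed through port 80, "open port" counting tells a defender nothing and only traffic analysis can show what is actually running there. The following is an added example, not code from the quoted Slashdot comment or from the PLUG list: a small first-packet classifier for TCP/80 flows that separates plain HTTP from HTTP carrying SOAP (RPC tunnelled over 80, as the comment describes) and from non-HTTP protocols squatting on the port. The labels, the function names and the sample payloads are this example's own constructions; the HTTP request-line shape follows RFC 2616 and the TLS/SSH checks use the first bytes those protocols send.

```python
import re
from collections import Counter

# Request-line shape from RFC 2616: METHOD SP Request-URI SP HTTP-Version CRLF.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) [^ \r\n]+ HTTP/1\.[01]\r\n"
)
# Headers that mark a SOAP/RPC request riding on HTTP (SOAP 1.1 conventions).
SOAP_HEADER = re.compile(rb"\r\n(SOAPAction:|Content-Type:[ \t]*text/xml)", re.IGNORECASE)


def classify_port80_payload(payload: bytes) -> str:
    """Label the first client-to-server bytes of a TCP/80 flow.

    Labels are this example's own, not a standard taxonomy:
      http           - ordinary HTTP request
      http-soap-rpc  - HTTP request carrying SOAP (RPC tunnelled over 80)
      tls-on-80      - TLS handshake record where cleartext HTTP was expected
      ssh-on-80      - SSH banner on port 80
      non-http       - anything else (unknown protocol squatting on 80)
    """
    if not payload:
        return "empty"
    if HTTP_REQUEST_LINE.match(payload):
        head = payload.split(b"\r\n\r\n", 1)[0]   # request line + headers only
        if SOAP_HEADER.search(head):
            return "http-soap-rpc"
        return "http"
    if payload[:2] == b"\x16\x03":                 # TLS record type 22 (handshake), version 3.x
        return "tls-on-80"
    if payload.startswith(b"SSH-"):                # SSH identification string
        return "ssh-on-80"
    return "non-http"


def audit_flows(flows):
    """Count labels and return the flows worth a second look (anything that is not plain HTTP)."""
    counts = Counter()
    flagged = []
    for idx, payload in enumerate(flows):
        label = classify_port80_payload(payload)
        counts[label] += 1
        if label != "http":
            flagged.append((idx, label))
    return counts, flagged


# Constructed sample payloads (not captured traffic), one per flow.
SAMPLE_FLOWS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /rpc HTTP/1.1\r\nHost: svc.example.com\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\nSOAPAction: \"urn:example:Lookup\"\r\n\r\n"
    b"<soap:Envelope/>",
    b"SSH-2.0-OpenSSH_5.3\r\n",
    b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x01" + b"\x00" * 16,
    b"\x00\x07\x00\x01binary-rpc",
]

if __name__ == "__main__":
    counts, flagged = audit_flows(SAMPLE_FLOWS)
    for label, n in sorted(counts.items()):
        print(f"{label:14s} {n}")
    for idx, label in flagged:
        print(f"flow {idx}: {label} -> review")
```

Run against the constructed flows, only the first is plain HTTP; the SOAP request, the SSH banner, the TLS handshake and the unknown binary protocol are all reported for review. A first-packet check like this is cheap to run at a proxy or sensor and answers the comment's question directly: the port number alone no longer says which service is listening, but the first few bytes still do.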
