> -----Original Message-----
> From: Jochem van Dieten [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 27, 2003 5:20 AM
> To: CF-Talk
> Subject: Re: SQL Worm
> 
> Paris Lundis wrote:
> > A good summary Jochem would be for folks to tune the firewall and 
> > ensure permissions/allowable IP list...
> 
> Since when can you even buy a 10 Gbps firewall?
> 
> > In your environment you point out the user base... 8000... agreeable... 
> > large base for things...
> > 
> > Tune the firewall and restrict traffic there ... allowing like port 80 
> > in and out, disabling all other services and ports, except those in a 
> > defined list of authorized servers...
> 
> All 8000 systems are authorized servers. About 65525 of 65536 ports are 
> authorized ports. You can't firewall a production network where the 
> product is (supposed to be) innovation.

Yes you can, and you have to.  The problem is that it is a pain in the ass
to maintain your rule sets as they change frequently, but that is the cost
of security.  Pessimistic security is a pain to maintain, which is why so
many people choose not to.

Every network should be firewalled and you should have specific ingress and
egress rules for each host based on the needs of that host.  If a host does
not need outbound http, block it, then it cannot be the source of a DDOS
even if it gets compromised.  I have a very hard time believing that
innovation means that every port on every box has to be open to the public.
If the servers need to be accessible to users, they should be tunneling into
the LAN to get behind the firewall.

> I think we have had this discussion last week already, but firewalls are 
> not the answer to all problems. Sure, properly secured firewalls on 
> machines running MS SQL Server would have prevented this issue (at 
> least, nobody has convinced me that UDP should be allowed to a 
> production server at all). But there are always other 

DNS uses UDP.  If you run DNS internally, you need to allow UDP port 53.
PCAnywhere also uses UDP.


> scenarios where a firewall would not help. In the end, vigilance on all 
> the aspects of security is the only way to make sure problems like this 
> worm don't cause a total meltdown of the internet.
> 
> Jochem
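The per-host, default-deny ingress/egress policy argued for in the reply above, as an added worked example (not code from the list post). The host role, the rule set, the 10.0.0.0/8 LAN, the 10.0.0.53 resolver and the peer addresses are constructed sample values; UDP 1434 is the port MS SQL Server's resolution service listens on, which the 2003 worm probed.

```python
"""Model of per-host default-deny ingress/egress rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out", relative to the host
    proto: str      # "tcp" or "udp"
    port: int       # destination port
    peer: str       # CIDR the remote side must fall inside


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    dport: int
    peer: str       # remote address (source for "in", destination for "out")


def allowed(rules, pkt):
    """Default deny: a packet passes only if some rule matches every field."""
    for r in rules:
        if (r.direction == pkt.direction and r.proto == pkt.proto
                and r.port == pkt.dport
                and ip_address(pkt.peer) in ip_network(r.peer)):
            return True
    return False


# Constructed sample host: a public web server that only serves HTTP and
# resolves names via an internal resolver.  Outbound HTTP is simply not
# listed, so even a compromised box cannot flood outside web servers.
WEB_SERVER_RULES = (
    Rule("in", "tcp", 80, "0.0.0.0/0"),      # serve the public
    Rule("out", "udp", 53, "10.0.0.53/32"),  # DNS needs UDP 53 (internal only)
    Rule("in", "tcp", 22, "10.0.0.0/8"),     # admin access from the LAN only
)


def worm_scenarios(rules=WEB_SERVER_RULES):
    """Verdicts for the traffic the thread is worried about."""
    return {
        # compromised host trying to take part in a DDoS over HTTP
        "ddos_out_http": allowed(rules, Packet("out", "tcp", 80, "203.0.113.10")),
        # inbound UDP probe to the SQL Server resolution port (1434)
        "worm_in_udp": allowed(rules, Packet("in", "udp", 1434, "198.51.100.7")),
        "dns_out": allowed(rules, Packet("out", "udp", 53, "10.0.0.53")),
        "http_in": allowed(rules, Packet("in", "tcp", 80, "198.51.100.7")),
    }
```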