begin Noah Meyerhans quotation:

> > I just don't see how that gets you anything at all if only the "trusted"
> > ports have any services listening on them.
>
> I have seen personally a WinNT box, behind a firewall, with only port 80
> visible to the world get cracked. Not only was it cracked, but it was then
> used as a launch pad for an attack on another box that was also in the DMZ.
> All that was with only port 80 open.

Ok, I don't see why "this has not been sufficient in some circumstances"
translates to not getting you anything at all. Every security tool ever used
fails this test you seem to be using.

> Basically, my approach is to assume that all ports on all hosts are
> visible to the world. To me, this is a fundamental fact of networking.

That probably works on a small network. Try it with several thousand servers
and 200,000 users, not counting internet customers. Or try it with an ISP,
where you can't control the configuration on ANY of the users' computers.

I've worked in both situations. Firewalls are a godsend.

-- 
Shawn McMahon                    | McMahon's Laws of Linux support:
http://www.eiv.com               | 1) There's more than one way to do it
AIM: spmcmahonfedex, smcmahoneiv | 2) Somebody thinks your way is wrong