On Tue, 12 Mar 2002, Steve Siegel wrote:

> Hi,
>
> I'd appreciate some input on the safest LAN protocol to use behind a
> firewall/router (e.g. Sonic Wall, Zywall). I've read, on Steve Gibson's

It really doesn't matter all that much, either you've done the firewalling right, and everything is good to go, or you haven't and you've got a way for someone to get in. Hoping for some obfuscation because a particular protocol isn't trivially routable (all protocols are routable via encapsulation[1]) may lower your risk to common automated attacks, but won't foil a determined attacker. Take Gibson with a grain of salt and a shot of Tequila.

> site, that netbeui is "safe" because it's not routed. Others have said
> nothing's safe, and they disconnect Internet access before enabling any
> LAN communication. Still others say that if you're behind a hardware
> firewall, anything's safe -- excluding an intentional sophisticated
> attack, in which case nothing's safe.

"Hardware firewall" is a misnomer. All firewalls run software, all non-trivial software has bugs. Sometimes it's stored in flash or ROM, sometimes on a disk.

Cars aren't safe from meteorite attacks, but that doesn't stop most of us from driving. Firewalls don't protect from all attacks either, but then again, probably 1/3 of firewalls aren't configured to protect against all of the set of attacks that they ARE capable of protecting from.

Safety is relative, and so is ability to handle threat and ability to accept risk. Some things shouldn't be connected to public networks at all, some people think "leased lines" are "private." That's why people connecting networks together need to figure out what they're trying to protect, write a security policy that says how they're going to protect it, then find the correct tools to implement that policy. Missing out on those steps doesn't help, because you can't decide if something is worth protecting from a particular class of attack until you decide what your security stance is going to be.

For example, you can increase your safety significantly by blocking e-mail attachments. There are something like 86 different executable attachment types in the MS world; obviously stopping that attack vector is relatively easy to do, but *lots* of people can't demand that documents are sent in RTF instead of DOC format, some can't block EXE or COM files... Start by looking at what you absolutely must allow, block everything else and call it halfway done.

> Additionally, using MS OS's, one can enable/disable file sharing, and
> even if enabled, can limit access to specific folders. I wonder how
> "safe" manipulating these OS options are.

As safe as the color blue. Firewalling is about restricting access, preferably at multiple levels (defense in depth) to account for the failure mode of any particular control. Some malicious code messes with file sharing restrictions, some people mess up those controls. Others prefer to use centralized file servers instead of peer-to-peer sharing to ensure recoverability (central backups), decreased susceptibility to attack (servers tend to be administered better than desktops,) compartmentalization (keeping different levels of information on different drives can make compromise of a softer target less damaging,) etc.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
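The "allow what you must, block everything else" attachment policy described in the reply, as an added example that is not part of the original post. The allow-list, the handful of executable suffixes, and the attachment names are constructed assumptions; a real deployment would load its lists from the organisation's own policy.

```python
"""Default-deny e-mail attachment filter (added example, not from the list).

Policy: only the attachment types the organisation has decided it must
accept are allowed through; everything else is blocked. Filenames below
are constructed samples.
"""
import os

# Assumed allow-list: what the business must accept (RTF rather than DOC,
# as the post suggests). Anything not listed here is denied by default.
ALLOWED_EXTENSIONS = frozenset({".rtf", ".txt", ".pdf", ".csv"})

# A few well-known Windows executable suffixes; the post speaks of roughly
# 86 such types, this handful is only illustrative.
EXECUTABLE_EXTENSIONS = frozenset(
    {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}
)


def _extensions(filename):
    """All dotted suffixes of a filename, lower-cased, so that
    'photo.JPG.exe' yields ['.jpg', '.exe'] and a double extension is not
    hidden by looking only at the first suffix. Trailing dots and
    surrounding whitespace are dropped, as Windows itself drops them."""
    name = os.path.basename(filename.strip())
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def classify_attachment(filename):
    """Return (decision, reason); decision is 'allow' or 'block'.
    An executable suffix anywhere in the name blocks; otherwise the final
    suffix must be on the allow-list; otherwise deny by default."""
    exts = _extensions(filename)
    if not exts:
        return "block", "no extension"
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return "block", "executable type"
    if exts[-1] in ALLOWED_EXTENSIONS:
        return "allow", "on allow-list"
    return "block", "default deny"


def filter_message(attachments):
    """Apply the policy to a message's attachment names. Returns the names
    to deliver and a list of (name, reason) pairs for blocked ones."""
    allowed, blocked = [], []
    for name in attachments:
        decision, reason = classify_attachment(name)
        if decision == "allow":
            allowed.append(name)
        else:
            blocked.append((name, reason))
    return allowed, blocked
```

Running `filter_message(["minutes.rtf", "budget.xls", "photo.JPG.exe", "README"])` delivers only `minutes.rtf`; the spreadsheet is blocked by default deny, the double-extension file as executable, and the suffix-less file for having no type to allow.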
