On Tue, 16 Apr 2002, Noonan, Wesley wrote:

> > -----Original Message-----
> > From: Ron DuFresne [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, April 16, 2002 12:21
> > To: Noonan, Wesley
> > Cc: 'Schouten, Diederik (Diederik)'; 'Rink, Jesse'; '[EMAIL PROTECTED]'
> > Subject: RE: Replacing my old PIX Classic
> >
> > > IIS lockdown tool. This is kind of like the telnet exploit that you
> > > tried to pass off as a VLAN issue, isn't it?
> >
> > As others mentioned there in that switches/VLAN thread, if the switch can
> > be compromised, then yer VLANs are worth squat. Or are you reading
> > replies selectively?
>
> No, just noting how on two separate instances you have been completely
> off base in your replies. First, in the VLAN instance, the problem affects
> ALL switches (VLANs or not) and results in a DoS (no data passing). In this
>

And the problem as noted in the VLAN thread still affects them. You did also
read this part of the thread:

<quote>
Date: Sat, 13 Apr 2002 15:57:12 +0200
From: Bernd Eckenfels <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: VLANs and security... was RE: Cisco IDS

On Fri, Apr 12, 2002 at 06:51:46PM -0500, Noonan, Wesley wrote:
> > Cisco Security Advisory: Cisco CatOS Telnet Buffer Vulnerability
>
> There is nothing VLAN specific to this exploit. Once again, this looks like
> FUD to me.

Well, it is simple: switches are no security device. They have a long
history of being exploitable; their complete design is optimized for
communication, not separation. This is clearly a reason to be very careful
when you actually use a VLAN switch for separating communication. Every bug
in a switch is a possible argument against using VLANs and for using physical
separation. Still, an air gap is the best firewall.
</quote>

> Second, you are pointing to a security tool for IIS that locks IIS web
> services down as an "exploit" against ISA. You realize that ISA <> IIS?
>

<ROFL> Sure I do, see below:

> > > > > --17 August 2001 Patch Available for ISA Server 2000 Flaws
> > > > > Microsoft has issued a patch to repair three holes in its Internet
> > > > > Security and Acceleration (ISA) Server 2000. Two of the flaws are
> > > > > memory leaks: one in the voice-over-IP capability, and one in the
> > > > > proxy service that could lead to denial of service. The third is an
> > > > > error message-handling problem that could allow attackers to execute
> > > > > malicious code and use cookies on the affected machines.
> > > > >
> > > > http://computerworld.com/nlt/1%2C3590%2CNAV65-
> > > > 663_STO63199_NLTSEC%2C00.html
> > >
> > > My bad, although this causes the box to fail closed, and is not on by
> > > default according to the guy I talked to.
> > >
> >
> > Three flaws though, in the one patch, old, patched, but it does discredit
> > the statement that there have been *no* problems reported with their
> > product.
>
> Yes, it does, as I have previously noted and attempted to clarify. I was
> incorrectly informed, and incorrectly passed the information on.
>

Newsgroups tend to be slow; can I suggest bugtraq and ntbugtraq as better
places to keep informed and up to date?

> > One has to take into account the history of the company, which has only
> > recently taken to refocusing itself upon security being primary over toys
> > and trinkets.
>
> ISA is hardly recent.
>

I refer not to that, you misread. I refer to the M$ from-the-BIG-man-down
directive to make security the prime concern for all products. This is the
recent reference I make.

> > Now folks are watching to see how much of a refocusing is
> > really implemented. Some are even demanding this be effective:
> >
> > Air Force CIO Wants Better Security In Microsoft Products
> > http://www.usatoday.com/life/cyber/tech/2002/03/11/gilligan.htm
>
> I'm not sure what your point here is? People want secure products? This
> isn't a uniquely MS issue. I get more Linux patches than I do MS right now.
> This isn't a bad thing, it's a good thing. While yes, it means there are
> problems, it also means they are being addressed.
>

<smile> There are other issues of history to consider. First, most vendors
are much, or historically much, quicker not only to admit to a security
issue but to devise patches for it, Linux folks being one. M$ has a bad
record with producing patches in quick time, and also with producing patches
that are broken or break other areas when installed. Which sounds a lot like
an issue with QA... Of course, being fairly new to the list, you might well
be unaware of the history...

> > > Nah, I don't see it much different than the M$ crap that is so
> > > prevalent on this list, or the "ISA isn't a real firewall" bullshit.
> > >
> >
> > History, that's the key though. It's kinda like a kid that screws up
> > badly in life, and then decides to go 'right' and be a decent little
> > fellow, and does not understand why folks still look at him skeptically
> > and question his commitments when he slides off the beaten path. He has
> > developed a history, and it can take a long time to overcome such
> > things...
>
> It's selective history though. MS makes a prime target. They have more
> market share, and justifiably so have more exploits. 7 years ago there were
> exponentially more Novell exploits than MS exploits. Such is life. That is
> history.
>

Not at all. Do a search on bugtraq and some of the other vuln sites; it's a
lengthy history. I was here when Russ Cooper was first talking about what
later became NTbugtraq; talk to him seriously about the bad history he had
to battle back then, when he was an avid poster here and not devoted mostly
to that list and its concerns.

> However, when a company releases a security lockdown tool, and people claim
> that it is an exploit, there is some serious FUD being thrown around to
> attempt to discredit said company. I have already addressed the statements
> I was incorrect in; will you?
>

Ahh, yes, this is what I get for trying to quickly show how incorrect the
original statement was on ISA being bug clear. And it was perhaps not
related to this discussion, until your recent rants made it so. Now let it
demonstrate the poorly released tools that are propped up to deal with
issues folks need dealt with immediately, when there are sploits and
viri/worms damaging their abilities to function.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
