> -----Original Message-----
> From: Ron DuFresne [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, April 16, 2002 12:21
> To: Noonan, Wesley
> Cc: 'Schouten, Diederik (Diederik)'; 'Rink, Jesse';
> '[EMAIL PROTECTED]'
> Subject: RE: Replacing my old PIX Classic
>
> > IIS lockdown tool. This is kind of like the telnet exploit that you tried to
> > pass off as a VLAN issue isn't it?
> >
>
> as others mentioned there in that switches/VLAN thread, if the switch can
> be compromised, then yer VLANs are worth squat. Or are you reading
> replies selectively?

No, just noting how on two separate instances you have been completely off
base on your replies. First, in the VLAN instance, the problem affects ALL
switches (VLANs or not) and results in a DoS (no data passing). In this
second, you are pointing to a security tool for IIS that locks IIS web
services down as an "exploit" against ISA. You realize that ISA <> IIS?

>
> > > > --17 August 2001 Patch Available for ISA Server 2000 Flaws
> > > > Microsoft has issued a patch to repair three holes in its Internet
> > > > Security and Acceleration (ISA) Server 2000. Two of the flaws are
> > > > memory leaks: one in the voice-over-IP capability, and one in the
> > > > proxy service that could lead to denial of service. The third is an
> > > > error message-handling problem that could allow attackers to execute
> > > > malicious code and use cookies on the affected machines.
> > > >
> > > http://computerworld.com/nlt/1%2C3590%2CNAV65-663_STO63199_NLTSEC%2C00.html
> >
> > My bad, although this causes the box to fail closed, and is not on by
> > default according to the guy I talked to.
> >
>
> Three flaws though, in the one patch, old, patched, but, does discredit the
> statement that there have been *no* problems reported with their product.

Yes, it does as I have previously noted and attempted to clarify. I was
incorrectly informed, and incorrectly passed the information on.

> One has to take into account the history of the company, which has only
> recently taken to refocusing itself upon security being primary over toys
> and trinkets.

ISA is hardly recent.

> Now folks are watching to see how much of a refocusing is
> really implemented. some are even demanding this be effective:
>
> Air Force CIO Wants Better Security In Microsoft Products
> http://www.usatoday.com/life/cyber/tech/2002/03/11/gilligan.htm

I'm not sure what your point here is? People want secure products? This
isn't a uniquely MS issue. I get more Linux patches than I do MS right now.
This isn't a bad thing, it's a good thing. While yes, it means there are
problems, it also means they are being addressed.

> > Nah, I don't see it much different than the M$ crap that is so prevalent on
> > this list, or the "ISA isn't a real firewall" bullshit.
> >
>
> History, that's the key though. It's kinda like a kid that screws up
> badly in life, and then decides to go 'right' and be a decent little
> fellow, and does not understand why folks still look at him skeptically
> and question his commitments when he slides off the beaten path, he has
> developed a history, and it can take a long time to overcome such
> things...

It's selective history though. MS makes a prime target. They have more
market share, and justifiably so have more exploits. 7 years ago there were
exponentially more Novell exploits than MS exploits. Such is life. That, is
history. However, when a company releases a security lockdown tool, and
people claim that it is an exploit, there is some serious FUD being thrown
around to attempt to discredit said company. I have already addressed the
statements I was incorrect in, will you?

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
