Running exploitable code with a wide-open listener is bad, so if you
don't want chained attacks from one exploitable service to the other,
you're going to need a better protection baseline than subnet
segregation (which shouldn't be mistaken for a form of security
domain, certainly not if you're running on the same switch domain
without at least a packet filter, preferably stateful, between
domains), to deal with older attack patterns. Better yet would be to
disable or patch exploitable services or limit accessibility of the
service via firewalling and secured port forwarding (e.g. ssh for
protection against address spoofing and session hijacking).

On 29 Jan 2010 at 14:33, john g4lt wrote:
IIS with Solaris boxes in the same subnet is Bad. Ever hear of the
sadmind worm? It infected via an IIS host and ran the sadmind
exploit on all Solaris boxes in its subnet.
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org