Your best protection is knowledge of how things broke in the past to prevent future occurrences, not in whiz-bang hardware.

On Fri, Jan 29, 2010 at 9:01 AM, Bayard Bell <buffer.g.overf...@googlemail.com> wrote:

> Running exploitable code with a wide-open listener is bad, so if you don't
> want chained attacks from one exploitable service to the other, you're going
> to need a better protection baseline than subnet segregation (which
> shouldn't be mistaken for a form of security domain, certainly not if you're
> running on the same switch domain without at least a packet filter,
> preferably stateful, between domains), to deal with older attack patterns.
> Better yet would be to disable or patch exploitable services or limit
> accessibility of the service via firewalling and secured port forwarding
> (e.g. ssh for protection against address spoofing and session hijacking).
>
> On 29 Jan 2010 at 14:33, john g4lt wrote:
>
>> IIS with Solaris boxes in the same subnet is Bad. Ever hear of the
>> sadmind worm? It infected via an IIS host and ran the sadmind exploit on all
>> Solaris boxes in its subnet.
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org