Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-16 Thread Tracy Reed
On Sun, May 15, 2011 at 01:59:54AM +0200, Łukasz Bromirski spake thusly:
  Netgear? Or perhaps Linksys? That doesn't inspire much confidence. :)
 
 Five seconds spent with Google would actually provide you with
 both Roland's current and past work, how it relates to the thread,
 and save you from making a fool of yourself.

I am familiar with his background. I just don't believe that they are
legitimately the world's largest manufacturer of firewalls by units shipped
by the brand we know them as. It's a sort of disingenuous marketing game.

-- 
Tracy Reed   Digital signature attached for your safety.
CopilotcoProfessionally Managed PCI Compliant Secure Hosting
866-MY-COPILOT x101  http://copilotco.com


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-15 Thread Pavel Kankovsky
On Wed, 11 May 2011, Dobbins, Roland wrote:

 So the outbound stateful checking of server response traffic is moot,
 and simply constitutes a stateful DDoS chokepoint which makes it trivial
 for an attacker to take down the server in question by filling up the
 state-tables of said firewall with well-formed,
 programmatically-generated traffic.

<irony>
Yup. We all know servers handle traffic without any of those
pesky state-tables that can be filled up with well-formed,
programmatically-generated traffic.
</irony>

-- 
Pavel Kankovsky aka Peak  / Jeremiah 9:21\
For death is come up into our MS Windows(tm)... \ 21st century edition /




Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-14 Thread Łukasz Bromirski
On 2011-05-12 01:43, Tracy Reed wrote:
 On Wed, May 11, 2011 at 04:49:13PM +, Dobbins, Roland spake thusly:
 My operational experience, including that acquired during my tenure working
 for the world's largest manufacturer of firewalls by units shipped,
 contradicts this statement.

 Netgear? Or perhaps Linksys? That doesn't inspire much confidence. :)

Five seconds spent with Google would actually provide you with
both Roland's current and past work, how it relates to the thread,
and save you from making a fool of yourself.

-- 
There's no sense in being precise when |   Łukasz Bromirski
  you don't know what you're talking |  jid:lbromir...@jabber.org
  about.   John von Neumann |http://lukasz.bromirski.net



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-12 Thread Craig Miskell

On 11/05/11 23:05, phocean wrote:
  Also, if you filter (and you should) both inbound and outbound traffic, 
  how do you allow legitimate responses to the server?
I think Roland said earlier that outbound connections from these boxes
should be going out another interface, presumably (my presumption)
through a stateful firewall of some kind, because ACLs wouldn't be
sufficient.

This is perhaps the aspect that has been missed in this discussion
(mentioned once, not particularly picked up on, and not really noted
again).  It eliminates many of the concerns of using ACLs over stateful.

-- 
Craig Miskell
Systems Administrator, Catalyst IT
DDI: +64 4 8020427
==
Everything about the *nix culture points to not
walking anywhere except possibly to a pub :-P
- Jim Perrin on CentOS mailing list



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-12 Thread Thor (Hammer of God)
 On 11/05/11 23:05, phocean wrote:
   Also, if you filter (and you should) both inbound and outbound
  traffic,  how do you allow legitimate responses to the server?
 I think Roland said earlier that outbound connections from these boxes
 should be going out another interface, presumably (my presumption)
 through a stateful firewall of some kind, because ACLs wouldn't be sufficient.
 
 This is perhaps the aspect that has been missed in this discussion (mentioned
 once, not particularly picked up on, and not really noted again).  It 
 eliminates
 many of the concerns of using ACLs over stateful.

Actually, the stateless solution was to just ACL via known good source ports. 
 And this was a large part of my original response on the value of firewalls in 
front of a server. Limiting outbound traffic to responses to valid initiated 
traffic is an important security control, specifically because the ACLs 
wouldn't be sufficient.

The examples I was going to tally up for Roland were any number of SQL 
injection attacks where tftp and ftp command files were created (in this case, 
by some tool that I presume created .cmd files just like we all used to do with 
echo ) to get other toolsets.  These requests failed as the SQL box 
couldn't make outbound connections.  There was no capability for the attacker 
to initiate another remote connection to craft a response to.  

I was actually going to try to get detailed information from way back where 
Code Red propagation was avoided by outbound connection attempts as well, but I 
don't really see the value in doing that at this point.  I also had Slammer 
research where I tested ISA's resilience to blocking outbound UDP 1434 
connections, but I think it suffices to say that there are many, many valid 
examples of why stateful inspection of traffic is valuable and adds security in 
depth. 

I had some other responses as well, but I have to bolt.  I'll make sure to 
catch up on the rest of the responses before I do so as well.

t



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-12 Thread Bruno Cesar Moreira de Souza

--- On May 11, 2011, Dobbins, Roland rdobb...@arbor.net wrote:

 On May 11, 2011, at 12:52 AM, Bruno
 Cesar Moreira de Souza wrote:
 
  How would you block an ACK tunnel using only a packet
 filter? (http://ntsecurity.nu/papers/acktunneling/) You don't
 need to stop the httpd service to create this kind of
 tunnel, as the packets from the attacker would just be
 ignored by the httpd service, but could be intercepted by
 the malicious code executed on the compromised server (using
 the same approach employed by network sniffers). 
 
 See my previous response to Thor.  I don't intend to
 keep this thread going forever in the face of
 incomprehension, but this focus on corner-case exfiltration
 techniques which are easily obviated by OS and service/app
 BCPs and appropriate monitoring, 

I don't think it is incomprehension. Some people just don't agree with the 
incorrect and generic statement that stateful firewalls are useless to protect 
servers. 

I can agree that in some specific cases, when availability is the main 
concern for external servers, you may consider using ACLs instead of a 
stateful firewall. It's an option to be more resilient against DDoS attacks. 
However, I can't agree that it should be a rule for every DMZ and external 
network in the world, because there are other options to prevent DDoS attacks 
(including using clustered firewalls), and also the stateful firewalls have 
value to restrict the action of an attacker after a server compromise.

Also, you are underestimating the skill of some attackers. My experience as a 
penetration tester and security incident investigator shows that it is not 
always so easy (even for organizations with 24x7 monitoring) to detect the 
action of attackers. As said before, a stateful firewall can be a strong layer 
of defense to restrict the damage of an attack, and to avoid backdoors and 
covert channels.

 to the point of
 instantiating unnecessary and harmful state in front of
 servers which makes it trivial to take them down,

I'm not convinced that it is always significantly easier to take down a 
firewall than the web server. In many cases, it can be also trivial to take a 
web server down with a DoS attack (tool example: 
http://ha.ckers.org/slowloris/).

 demonstrates that in general, the infosec community pretty
 much completely ignores the availability leg of the
 confidentiality-integrity-availability triad.

No, the infosec community seeks to balance these three legs. However, to decide 
which leg you are going to give more protection to in each environment (for 
example, a DMZ) and in each organization, it's better to first conduct a risk 
analysis. 

For example, for a bank it can be worse to have an external penetration 
incident into critical database servers allowing modification of financial 
information than an unavailability incident on the Internet Banking web site.

 
 Which is disappointing, given that availability is in fact
 the most important leg of that triad.

This is a misleading statement. It depends on the information, environment, 
risks, organization etc. For many organizations, the confidentiality and 
integrity of the information stored in critical database servers can be much 
more important than the availability of the public web sites. This is why 
organizations with a minimum of information security maturity conduct a risk 
analysis before deciding which security mechanisms they will implement.


Bruno Cesar M. de Souza 
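The two filtering models this part of the thread argues over (Thor's outbound ACL on known-good source ports versus tracking the flows that outside clients actually opened, and Bruno's question about ACK-only traffic) side by side, as an added simulation that is not part of the thread and not any vendor's code. Everything in it is constructed: the documentation-range addresses, the service ports, the three packet sequences, and both filter classes are toy models written for this illustration.

```python
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges) and service ports.
SERVER = "203.0.113.10"
SERVICE_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK"}


def stateless_outbound(pkt: Packet) -> bool:
    """Stateless ACL in the 'known good source ports' style from the thread:
    a packet leaving the server passes only if it is sourced from a service
    port and does not open a connection (ACK set, SYN clear).  The filter
    remembers nothing between packets."""
    return (pkt.src == SERVER and pkt.sport in SERVICE_PORTS
            and "ACK" in pkt.flags and "SYN" not in pkt.flags)


class StatefulFilter:
    """Toy connection tracker (a hypothetical model, not any product): an
    inbound SYN to a service port creates a flow entry; an outbound packet
    passes only if it answers a flow that an outside client opened."""

    def __init__(self, max_entries: int = 1000):
        self.flows = set()              # (client, cport, server, sport)
        self.max_entries = max_entries  # finite table: the chokepoint Roland and Pavel argue over

    def inbound(self, pkt: Packet) -> bool:
        if pkt.dst != SERVER or pkt.dport not in SERVICE_PORTS:
            return False
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            if len(self.flows) >= self.max_entries:
                return False            # table exhausted: new clients are refused
            self.flows.add(key)
            return True
        return key in self.flows        # non-SYN inbound must belong to a tracked flow

    def outbound(self, pkt: Packet) -> bool:
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.flows


def run_scenarios() -> dict:
    """Replay three constructed packet sequences and return, per scenario,
    the pair (stateless verdict, stateful verdict)."""
    fw = StatefulFilter()
    client = "198.51.100.5"

    # 1. Ordinary client: SYN arrives, the server's response leaves.
    fw.inbound(Packet(client, 51000, SERVER, 80, frozenset({"SYN"})))
    reply = Packet(SERVER, 80, client, 51000, frozenset({"ACK"}))

    # 2. The server itself tries to open a connection outward, the pattern
    #    Thor describes (a compromised box asked to fetch tooling over ftp).
    new_conn = Packet(SERVER, 49152, "198.51.100.9", 21, frozenset({"SYN"}))

    # 3. An outbound ACK-only packet from a service port with no inbound flow
    #    behind it, the traffic the ACK-tunnel paper Bruno cites relies on.
    orphan = Packet(SERVER, 80, "198.51.100.9", 4444, frozenset({"ACK"}))

    return {
        "legit_response": (stateless_outbound(reply), fw.outbound(reply)),
        "server_initiated": (stateless_outbound(new_conn), fw.outbound(new_conn)),
        "orphan_ack": (stateless_outbound(orphan), fw.outbound(orphan)),
    }


if __name__ == "__main__":
    for name, (acl, stateful) in run_scenarios().items():
        print(f"{name:17s} stateless ACL: {'pass' if acl else 'drop'}   "
              f"stateful: {'pass' if stateful else 'drop'}")
```

Both filters stop the server from opening its own outbound connection (scenario 2), which is the control Thor credits with breaking the ftp/tftp fetches he saw. They differ on scenario 3: the stateless ACL has no way to tell a response from an orphan packet that merely looks like one, while the tracker drops it because no client-opened flow matches. The `max_entries` bound is the other side of the same coin, the availability cost that the rest of the thread debates: a full table refuses new legitimate clients, so a real deployment pairs tracking with aggressive timeouts and per-source limits rather than an unbounded table.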



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-12 Thread Thor (Hammer of God)
Good morning, Mr. Pot!!  :-p

From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Cal Leeming
Sent: Wednesday, May 11, 2011 10:04 AM
To: Dobbins, Roland
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Sony: No firewall and no patches

He says, 34 emails later. :|
On Wed, May 11, 2011 at 10:29 AM, Dobbins, Roland 
rdobb...@arbor.net wrote:
On May 11, 2011, at 4:22 PM, phocean wrote:

 So why going private?


Because full-disclosure isn't the best forum for a lengthy discussion of this 
type.

---
Roland Dobbins rdobb...@arbor.net // 
http://www.arbornetworks.com

   The basis of optimism is sheer terror.

 -- Oscar Wilde


Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread phocean
 It doesn't sound good to me and maybe other people here.
 I am interested too even if I have followed it passively so far.
 So why going private?

 On Wed, 11 May 2011 00:35:41 +, Dobbins, Roland wrote:
 On May 11, 2011, at 7:18 AM, Thor (Hammer of God) wrote:

  Let's take it offline - you can share back with the group if you 
 feel it valuable.


 Sounds good to me, thanks much!

 
 ---
 Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

   The basis of optimism is sheer terror.

 -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Dobbins, Roland
On May 11, 2011, at 4:22 PM, phocean wrote:

 So why going private?


Because full-disclosure isn't the best forum for a lengthy discussion of this 
type.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Christian Sciberras
Whereas hardcore pornography (@Cal) is?




On Wed, May 11, 2011 at 11:29 AM, Dobbins, Roland rdobb...@arbor.net wrote:

 On May 11, 2011, at 4:22 PM, phocean wrote:

  So why going private?


 Because full-disclosure isn't the best forum for a lengthy discussion of
 this type.

 ---
 Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde


Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread phocean
 Well, but this doesn't seem to be a problem when it comes to lunatic 
 errands of Andrew or Call's porn, so why would it bother to talk about 
 security?

 I want to read how you justify that stateful hardware is useless to 
 check sessions of TCP and upper protocols.
 Of course, it doesn't protect from all kind of attacks and you cited 
 some of these cases, but there are plenty of cases where it is useful.

 On Wed, 11 May 2011 09:29:24 +, Dobbins, Roland wrote:
 On May 11, 2011, at 4:22 PM, phocean wrote:

 So why going private?


 Because full-disclosure isn't the best forum for a lengthy discussion
 of this type.

 
 ---
 Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

   The basis of optimism is sheer terror.

 -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread phocean
 You were faster than me! :)

 On Wed, 11 May 2011 11:38:23 +0200, Christian Sciberras wrote:
 Whereas hardcore pornography (@Cal) is?




 On Wed, May 11, 2011 at 11:29 AM, Dobbins, Roland 
 rdobb...@arbor.net wrote:

 On May 11, 2011, at 4:22 PM, phocean wrote:

  So why going private?


 Because full-disclosure isn't the best forum for a lengthy 
 discussion of
 this type.

 
 ---
 Roland Dobbins rdobb...@arbor.net // 
 http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Dobbins, Roland
On May 11, 2011, at 4:52 PM, phocean wrote:

 I want to read how you justify that stateful hardware is useless to  check 
 sessions of TCP and upper protocols.


In front of servers, where there is no state to inspect.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Peter Osterberg
I would also love to follow the discussion

phocean wrote 2011-05-11 11:22:
  It doesn't sound good to me and maybe other people here.
  I am interested too even if I have followed it passively so far.
  So why going private?

  On Wed, 11 May 2011 00:35:41 +, Dobbins, Roland wrote:
 On May 11, 2011, at 7:18 AM, Thor (Hammer of God) wrote:

  Let's take it offline - you can share back with the group if you 
 feel it valuable.

 Sounds good to me, thanks much!


 ---
 Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  The basis of optimism is sheer terror.

-- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread phocean
 Wrong. Passive FTP is the first example that comes to my mind where 
 inspection (based on statefulness) is needed.
 Also, if you filter (and you should) both inbound and outbound traffic, 
 how do you allow legitimate responses to the server?
 In many cases and network designs, statefulness also allows you to build 
 slightly shorter and more efficient filtering rules.
 This way, a step toward simplicity is often a step toward security.

 On Wed, 11 May 2011 09:54:59 +, Dobbins, Roland wrote:
 On May 11, 2011, at 4:52 PM, phocean wrote:

 I want to read how you justify that stateful hardware is useless to  
 check sessions of TCP and upper protocols.


 In front of servers, where there is no state to inspect.

 
 ---
 Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

   The basis of optimism is sheer terror.

 -- Oscar Wilde

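What the "inspection" phocean asks for with passive FTP actually has to do, as an added example that is not part of the thread: read the server's 227 reply on the control connection and open a one-shot pinhole for the data port it advertises, where a static ACL would have to admit the whole ephemeral range. The session, the addresses, the 227 text and the helper class are all constructed for this illustration and model no particular firewall's FTP helper; the consistency checks (advertised host must be the control peer, no privileged ports) are the ones a defender would want such a helper to enforce.

```python
import re
from ipaddress import ip_address

# Matches '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' (RFC 959 reply format).
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str, control_peer: str):
    """Return the (host, port) a client will connect to after this 227 reply.
    Raises ValueError when the reply is malformed or advertises an endpoint
    the helper should refuse to open."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a PASV reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet or port byte out of range")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    # The advertised host must be the server that sent the reply; a 227 that
    # points somewhere else is never turned into a pinhole.
    if ip_address(host) != ip_address(control_peer):
        raise ValueError("PASV host does not match the control-connection peer")
    if port < 1024:
        raise ValueError("refusing to open a privileged data port")
    return host, port


def pasv_is_consistent(reply: str, control_peer: str) -> bool:
    """True when parse_pasv accepts the reply for this control peer."""
    try:
        parse_pasv(reply, control_peer)
        return True
    except ValueError:
        return False


class FtpDataPinholes:
    """Toy model (hypothetical, not a product) of the per-session pinholes an
    FTP helper opens: one entry per 227 reply, keyed by
    (client, server, data_port), consumed by the first matching inbound
    data connection."""

    def __init__(self):
        self.pinholes = set()

    def on_control_reply(self, client: str, server: str, reply: str) -> None:
        host, port = parse_pasv(reply, server)
        self.pinholes.add((client, host, port))

    def inbound_data_allowed(self, client: str, server: str, dport: int) -> bool:
        key = (client, server, dport)
        if key in self.pinholes:
            self.pinholes.remove(key)   # one data connection per PASV reply
            return True
        return False


def demo():
    """Constructed session: one 227 reply, then three inbound attempts."""
    helper = FtpDataPinholes()
    client, server = "198.51.100.5", "203.0.113.21"
    helper.on_control_reply(client, server,
                            "227 Entering Passive Mode (203,0,113,21,195,80)")
    first = helper.inbound_data_allowed(client, server, 50000)        # the advertised port
    second = helper.inbound_data_allowed(client, server, 50000)       # pinhole already used
    other = helper.inbound_data_allowed("198.51.100.77", server, 50000)  # another client
    return first, second, other


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The port is `p1 * 256 + p2`, so `(195,80)` is 50000. The stateless alternative for the same server is a rule admitting every inbound SYN to the server's whole passive port range from any source, which is the "shorter and more efficient rules" trade-off phocean mentions and the extra inspection code (and attack surface) Roland objects to; both sides of that argument are visible in how little the pinhole model has to remember and how much it has to parse.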


Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Dobbins, Roland
On May 11, 2011, at 6:05 PM, phocean wrote:

  Passive FTP is the first example that comes to my mind where inspection 
 (based on statefulness) is needed.


I really don't want to continue this on full-disclosure, but there's still no 
material security value to stateful inspection in front of servers, with either 
active or passive ftp.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread phocean
 If you say so, then it must be true.

 On Wed, 11 May 2011 11:33:37 +, Dobbins, Roland wrote:
 On May 11, 2011, at 6:05 PM, phocean wrote:

  Passive FTP is the first example that comes to my mind where 
 inspection (based on statefulness) is needed.


 I really don't want to continue this on full-disclosure, but there's
 still no material security value to stateful inspection in front of
 servers, with either active or passive ftp.

 
 ---
 Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

   The basis of optimism is sheer terror.

 -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Michael Krymson
I can't speak for everyone, but I certainly find this discussion far more
interesting and useful to security than quite a few others on here. So feel
free to keep it public.

I'm not about to wade in too deeply, but I thought I'd summarize and add a
few notes.

--
STATEFUL (session-based filter)
Pros
- can provide other filtering services during inspection (depends on device
feature set)
- won't have to constantly fight battles (against admins, vendors, clients,
auditors, managers, outsiders) to explain why you don't have a firewall
- handles ephemeral ports, dynamic connections, and matches returning
traffic well

Cons
- more DDoS susceptible
- another piece of hardware so another point of failure
- won't add much when you're already accepting * into IP x on port n

--
ACLs (packet-based filter)
Pros
- with pure ACLs, will always be faster
- as such it can scale with traffic better
- excellent when you're just blanket stopping all traffic except * to x on
port n

Cons
- poor filter for ephemeral port needs, or dynamic connections
- susceptible to protocol anomalies used in attacks (includes covert
channels)

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread phocean
 Thanks for this useful sum-up of the discussion.

 I have a few comments though:

  - DDoS : anyway, a firewall isn't more susceptible to DoS than the 
 server it protects. If you look at the hardware performance of modern 
 firewalls, if an attacker has the ability to DoS it, then only a 
 considerable server farm that very few companies can afford will be able 
 to sustain it. So I think this can't be counted as a negative point, 
 even if in theory it has less performance than stateless.
  - SPoF : there are clusters (active/active or active/passive) for 
 firewalls as well as for servers.
  - stateless scales badly on large networks, because it requires much 
 more complex and lengthy rules if you are serious about security.

 Another advantage of stateful is that there is a first sanity check of 
 the sessions on a specialized hardware rather than on a generic TCP/IP 
 stack of a bloated server OS.
 For instance, the network stack of Windows is probably much more prone 
 to bug/crash due to poor handling of crafted packets than a dedicated 
 firewall (Checkpoint, Cisco, Fortinet...) may be.


 On Wed, 11 May 2011 09:22:33 -0500, Michael Krymson wrote:
 I can't speak for everyone, but I certainly find this discussion far 
 more
 interesting and useful to security than quite a few others on here. 
 So feel
 free to keep it public.

 I'm not about to wade in too deeply, but I thought I'd summarize and 
 add a
 few notes.

 --
 STATEFUL (session-based filter)
 Pros
 - can provide other filtering services during inspection (depends on 
 device
 feature set)
 - won't have to constantly fight battles (against admins, vendors, 
 clients,
 auditors, managers, outsiders) to explain why you don't have a 
 firewall
 - handles ephemeral ports, dynamic connections, and matches returning
 traffic well

 Cons
 - more DDoS susceptible
 - another piece of hardware so another point of failure
 - won't add much when you're already accepting * into IP x on port n

 --
 ACLs (packet-based filter)
 Pros
 - with pure ACLs, will always be faster
 - as such it can scale with traffic better
 - excellent when you're just blanket stopping all traffic except * to 
 x on
 port n

 Cons
 - poor filter for ephemeral port needs, or dynamic connections
 - susceptible to protocol anomalies used in attacks (includes covert
 channels)



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Dobbins, Roland
On May 11, 2011, at 10:03 PM, phocean wrote:

  - DDoS : anyway, a firewall isn't more susceptible to DoS than the server it 
 protects. If you look at the hardware performance of modern 
 firewalls, if an attacker has the ability to DoS it, then only a considerable 
 server farm that very few companies can afford will be able to sustain it.

My operational experience, including that acquired during my tenure working for 
the world's largest manufacturer of firewalls by units shipped, contradicts 
this statement.

  - stateless scales badly on large networks, because it requires much more 
 complex and lengthy rules if you are serious with security.

This is a) untrue and b) a near non-sequitur.  In general state is much more 
harmful on larger networks than on smaller ones; and there's no correlation at 
all between the size of a network and the complexity of network access policies.

 Another advantage of stateful is that there is a first sanity check of the 
 sessions on a specialized hardware rather than on a generic TCP/IP 
 stack of a bloated server OS.

Marketing aside, those 'sanity checks' take place in software, not in hardware; 
and they actually constitute a greatly broadened attack surface (look at the 
multiple vulnerability notices/patch notices for any commercial stateful 
firewall you can name, as well as for open-source stateful firewall packages).

 For instance, the network stack of Windows is probably much more prone to 
 bug/crash due to poor handling of crafted packets than a dedicated 
 firewall (Checkpoint, Cisco, Fortinet...) may be.

Sadly, this is also not borne out by experience.  Quite the opposite, actually.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread phocean
On Wednesday, 11 May 2011 at 16:49 +, Dobbins, Roland wrote:
 On May 11, 2011, at 10:03 PM, phocean wrote:
 
   - DDoS : anyway, a firewall isn't more susceptible to DoS than the server 
  it protects. If you look at the hardware performance of modern 
  firewalls, if an attacker has the ability to DoS it, then only a 
  considerable server farm that very few companies can afford will be able to 
  sustain it.
 
 My operational experience, including that acquired during my tenure working 
 for the world's largest manufacturer of firewalls by units shipped, 
 contradicts this statement.

Can you develop? I still don't see how the hell the typical web server
will handle as much traffic as one of these Checkpoint, Cisco or
whatever monsters.

 
   - stateless scales badly on large networks, because it requires much more 
  complex and lengthy rules if you are serious with security.
 
 This is a) untrue and b) a near non-sequitur.  In general state is much more 
 harmful on larger networks than on smaller ones; and there's no correlation 
 at all between the size of a network and the complexity of network access 
 policies.

I was talking about complexity correlation between using stateful or
stateless. Maybe it does not make any difference on a frontal firewall
with a few servers behind. But on a large network with inter-vlan
filtering, it matters a lot. Believe me, this one is based on my
operational experience.

 
  Another advantage of stateful is that there is a first sanity check of the 
  sessions on a specialized hardware rather than on a generic TCP/IP 
  stack of a bloated server OS.
 
 Marketing aside, those 'sanity checks' take place in software, not in 
 hardware; and they actually constitute a greatly broadened attack surface 
 (look at the multiple vulnerability notices/patch notices for any commercial 
 stateful firewall you can name, as well as for open-source stateful firewall 
 packages).

I still trust the network stack of a Linux/BSD/IOS dedicated box more
than that of a Windows Server. And it means a crafted packet has to
go through mixed devices.

 
  For instance, the network stack of Windows is probably much more prone to 
  bug/crash due to poor handling of crafted packets than a dedicated 
  firewall (Checkpoint, Cisco, Fortinet...) may be.
 
 Sadly, this is also not borne out by experience.  Quite the opposite, 
 actually.

Well maybe. I have no certitude on this point, but if you have facts,
it's welcome.


Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Dobbins, Roland
On May 12, 2011, at 12:09 AM, phocean wrote:

 I still don't see how the hell the typical web server will handle as much 
 traffic as one of these Checkpoint, Cisco or whatever monsters.

That's the dread secret - they aren't really 'monsters'.

 But on a large network with inter-vlan filtering, it matters a lot. Believe 
 me, this one is based on my operational experience.

Size != complexity, complexity != size.  They are orthogonal concepts.  Small 
networks can be complex, large networks can be simple.

 I still trust more the network stack of a Linux/BSD/IOS dedicated box than 
 the one of a Windows Server.

Sure - but that has nothing to do with the 'sanity checks' and 'inspectors', 
which are custom-coded.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread phil
Quoting phocean 0...@phocean.net:


 Can you develop? I still don't see how the hell the typical web server
 will handle as much traffic as one of these Checkpoint, Cisco or
 whatever monsters.




I agree, it just leverages the load onto other dedicated hardware, thus  
your web server will work better without that role. (And I add that on  
a private IOS like on SonicWall, it makes it hard to hit with a 0day vuln.)



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread phocean
On Wednesday, 11 May 2011 at 17:15 +, Dobbins, Roland wrote:
 On May 12, 2011, at 12:09 AM, phocean wrote:
 
  I still don't see how the hell the typical web server will handle as much 
  traffic as one of these Checkpoint, Cisco or whatever monsters.
 
 That's the dread secret - they aren't really 'monsters'.

When I look at the specs of high end machines of most makers, they are,
and they outmatch most x64 servers. Do you mean they lie?
I don't mean to defend them, I really don't care, but can you develop?

 
  But on a large network with inter-vlan filtering, it matters a lot. Believe 
  me, this one is based on my operational experience.
 
 Size  complexity, complexity  size.  They are orthogonal concepts.  Small 
 networks can be complex, large networks can be simple.

Ok. First, English is not my mother tongue, so I try to be precise, but
that's not always easy :)
Second, I am talking about rule sizes, not network sizes, and by
complexity, I wanted to address the ease of administration. You will
certainly agree that the more rules there are, the more risk there is
of human mistake.
Reducing rules by something like 70% is an improvement and an advantage
that stateful can have.

 
  I still trust more the network stack of a Linux/BSD/IOS dedicated box than 
  the one of a Windows Server.
 
 Sure - but that has nothing to do with the 'sanity checks' and 'inspectors', 
 which are custom-coded.
 
 ---
 Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
 
   The basis of optimism is sheer terror.
 
 -- Oscar Wilde
 

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Dobbins, Roland
On May 12, 2011, at 12:20 AM, phil wrote:

 (and I add that on private IOS like on sonicwall, it make it hard to hit with 
 a 0day vuln)

Everyone/everything has vulnerabilities of one sort or another:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=8232

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Dobbins, Roland
On May 12, 2011, at 12:31 AM, phocean wrote:

 When I look at the specs of high end machines of most makers, they are and 
 they outmatch most of x64 servers.


http://urbanairship.com/blog/2010/09/29/linux-kernel-tuning-for-c500k/

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread phil
Quoting Dobbins, Roland rdobb...@arbor.net:

 On May 12, 2011, at 12:20 AM, phil wrote:

 (and I add that on private IOS like on sonicwall, it make it hard  
 to hit with a 0day vuln)

 Everyone/everything has vulnerabilities of one sort or another:

 https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=8232


I agree, but the rate of disclosure is much less than for Windows or Linux OS.

Secondly, if you read that vuln correctly, it only affects the web
interface; by default it's not open on the WAN side on any SonicWall
IOS...



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Cal Leeming
He says, 34 emails later. :|

On Wed, May 11, 2011 at 10:29 AM, Dobbins, Roland rdobb...@arbor.net wrote:

 On May 11, 2011, at 4:22 PM, phocean wrote:

  So why going private?


 Because full-disclosure isn't the best forum for a lengthy discussion of
 this type.

 ---
 Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde


Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Cal Leeming
God damn it. lol.

On Wed, May 11, 2011 at 10:53 AM, phocean 0...@phocean.net wrote:

  You were faster than me! :)

  On Wed, 11 May 2011 11:38:23 +0200, Christian Sciberras wrote:
  Whereas hardcore pornography (@Cal) is?
 
 
 
 
  On Wed, May 11, 2011 at 11:29 AM, Dobbins, Roland
  rdobb...@arbor.net wrote:
 
  On May 11, 2011, at 4:22 PM, phocean wrote:
 
   So why going private?
 
 
  Because full-disclosure isn't the best forum for a lengthy
  discussion of
  this type.
 
 
  ---
  Roland Dobbins rdobb...@arbor.net //
  http://www.arbornetworks.com
 
 The basis of optimism is sheer terror.
 
   -- Oscar Wilde
 

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Thor (Hammer of God)
I'm happy to make it public, I was just being respectful of the membership. 
This wouldn't be the first time that someone got pissed off at a technical 
discussion on FD while other crap goes un-noticed.

Sent from my Windows Phone

From: Cal Leeming
Sent: Wednesday, May 11, 2011 11:58 AM
To: phocean
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Sony: No firewall and no patches

God damn it. lol.

On Wed, May 11, 2011 at 10:53 AM, phocean 
0...@phocean.net wrote:
 You were faster than me! :)

 On Wed, 11 May 2011 11:38:23 +0200, Christian Sciberras wrote:
 Whereas hardcore pornography (@Cal) is?




 On Wed, May 11, 2011 at 11:29 AM, Dobbins, Roland
 rdobb...@arbor.net wrote:

 On May 11, 2011, at 4:22 PM, phocean wrote:

  So why going private?


 Because full-disclosure isn't the best forum for a lengthy
 discussion of
 this type.


 ---
 Roland Dobbins rdobb...@arbor.net //
 http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde


Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread phocean
Le mercredi 11 mai 2011 à 17:40 +, Dobbins, Roland a écrit :
 On May 12, 2011, at 12:31 AM, phocean wrote:
 
  When I look at the specs of high end machines of most makers, they are and 
  they outmatch most of x64 servers.
 
 
 http://urbanairship.com/blog/2010/09/29/linux-kernel-tuning-for-c500k/

Nice but not very precise: nature of packets, fragmentation, sessions,
bandwidth, etc.
Anyway, most appliances run a version of Linux or some BSD, so there is
potentially not much difference with an appliance.

To go back to my point: an application server (IIS, Apache) cannot
sustain as many connections as a firewall (of course in a sane and
standard environment).
So you cannot tell that a firewall will increase the risk of DoS.

From what I have seen so far as arguments, I think the discussion is
over.


Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Tracy Reed
On Wed, May 11, 2011 at 04:49:13PM +, Dobbins, Roland spake thusly:
 My operational experience, including that acquired during my tenure working
 for the world's largest manufacturer of firewalls by units shipped,
 contradicts this statement.

Netgear? Or perhaps Linksys? That doesn't inspire much confidence. :)

-- 
Tracy Reed



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Dobbins, Roland
On May 12, 2011, at 3:49 AM, phocean wrote:

 To go back to my point: an application server (IIS, Apache) cannot sustain as 
 many connections as a firewall (of course in a sane and standard environment).

Sorry, but my operational experience is quite the opposite.  And one generally 
deploys clusters of servers, in any kind of even semi-important site.

 So you cannot tell that a firewall will increase the risk of DoS.

I can and do tell you that.  I further tell you that enforcing network access 
policies for servers in stateless ACLs instantiated in ASIC-based routers and 
layer-3 switches is the way to go.  I tell you this based upon my direct 
experience working for the largest manufacturer of firewalls in the world, and 
on my day-to-day operational experience with people calling up and screaming 
that 'the data center is down' and the proximate cause being a stateful 
firewall which gave up the ghost to trivial amounts of traffic.

For example, I've seen 80kpps of SYN-flood take down a stateful firewall rated 
for 2.5gb/sec.

 From what I have seen so far as arguments, I think the discussion is over.

The folks cited on pp. 41 - 42 of the survey in question have reached a 
different conclusion:

http://www.eweek.com/index2.php?option=content&task=view&id=66503&pop=1&hide_ads=1&page=0&hide_js=1&catid=45

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread James Matthews
Most security certifications are a mockery of the entire industry.

On Mon, May 9, 2011 at 7:33 PM, Ivan . ivan...@gmail.com wrote:

 I guess that makes a mockery of the PCI DSS framework!

 On Tue, May 10, 2011 at 9:03 AM, Thor (Hammer of God) 
 t...@hammerofgod.com wrote:

  Maybe they should call that You don't have to patch genius!  Lol


 http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/


 Sent from my Windows Phone





-- 
http://www.goldwatches.com


Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Tracy Reed
On Tue, May 10, 2011 at 02:49:05AM +, Thor (Hammer of God) spake thusly:
 I agree - You can chalk that one up to the auditors.  There was mention of
 that in the article, and I too would be interested in what auditing firm
 signed off on that one.   

Things can change after the audit so don't be too fast to crucify the auditors.
What was running during the audit may not be what was running when the
intrusion happened. PCI Compliance is very much a point-in-time sort of thing.

Not only that, but there may have never been an audit. Sony is probably
comprised of a number of level 2 merchants. Not one giant Sony Corporation
Level 1 which would invoke an audit. It might even be smart for them to try to
arrange it that way as audits can be very expensive for an infrastructure as
large as theirs. We're talking hundreds of thousands of dollars.

If they are not a Level 1 merchant their system administrators and maybe
internal Sony auditors probably self-assessed and filled out SAQ-C or D on
their own. That works on the honor system. Although I hear the economic
consequences can be severe if you lie on the SAQ and it is found out after a
compromise. So there is no guarantee that there was ever an outside PCI audit.

Each payment card brand generally requires more than 6 million transactions of
their brand annually to be considered Level 1 and require on-site audits with
that brand. Visa has around 44%, MasterCard 31%, Amex 20%, and Discover 5% of
the payment card market. 

So if Sony's payment card market share follows the industry average they would
have to do at least 6M Visa, 4.2M MasterCard, 2.7M Amex, and .7M Discover. For
a grand total of 13.6M transactions annually to be likely to have hit Level 1
status with Visa. Sony says 77M user accounts have been compromised. It is hard
to extrapolate how many credit card transactions that might be though.

PSN has been operating for 4.5 years. 77M records over 4.5 years is 17M records
per year. And that is if everyone does one transaction per year and buys the
1year subscription for $4/month. A lot of people probably buy the 3 month or
maybe there is a month to month option in which case the number of transactions
would be a lot higher. And I have no data on subscribers who drop off and don't
renew which would make it less. So...it seems plausible that they could have
been a Level 1 merchant, especially by the fourth year when presumably their
user base is at its peak so far. We'll just have to wait for more details to
know for sure.

-- 
Tracy Reed



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Tracy Reed
On Tue, May 10, 2011 at 05:07:39AM +, Dobbins, Roland spake thusly:
 Stateful firewalls have no place in front of servers, where every incoming
 request is unsolicited, and therefore there is no state to inspect in the
 first place.

The PCI SSC requires a stateful firewall in front of servers processing credit
card data. Not only to block inbound access to any ports or services
accidentally exposed but the outbound policy must also be default deny to make
it more difficult to exfiltrate stolen data. If you have traffic going out to a
high numbered port and you are not keeping state how do you know if that is a
reply packet to an existing inbound connection or if it is an unauthorized
outbound connection?

Of course, the network should be properly segmented so that only the servers
processing payment data are in-scope. You may be right about not putting a
stateful firewall in front of the gaming servers (in Sony's case).

 Where stateful firewalls in front of Web servers are incorrectly mandated by
 various regulatory frameworks, making use of mod_security or its equivalent
 on the Web servers themselves ensures compliance without creating a DDoS
 chokepoint.

If you don't have a stateful firewall blocking outbound connections why would
the traffic even have to go through mod_security?

-- 
Tracy Reed



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Ivan .
Doesn't it also mandate the encryption of CC info? Requirement 4: Encrypting
and Storing Credit Card Data.

Plenty of reports that the data was not encrypted, and also plenty that say
it was.

On Tue, May 10, 2011 at 4:40 PM, Tracy Reed tr...@ultraviolet.org wrote:

 On Tue, May 10, 2011 at 05:07:39AM +, Dobbins, Roland spake thusly:
  Stateful firewalls have no place in front of servers, where every
 incoming
  request is unsolicited, and therefore there is no state to inspect in the
  first place.

 The PCI SSC requires a stateful firewall in front of servers processing
 credit
 card data. Not only to block inbound access to any ports or services
 accidentally exposed but the outbound policy must also be default deny to
 make
 it more difficult to exfiltrate stolen data. If you have traffic going out
 to a
 high numbered port and you are not keeping state how do you know if that is
 a
 reply packet to an existing inbound connection or if it is an unauthorized
 outbound connection?

 Of course, the network should be properly segmented so that only the
 servers
 processing payment data are in-scope. You may be right about not putting a
 stateful firewall in front of the gaming servers (in Sony's case).

  Where stateful firewalls in front of Web servers are incorrectly mandated
 by
  various regulatory frameworks, making use of mod_security or its
 equivalent
  on the Web servers themselves ensures compliance without creating a DDoS
  chokepoint.

 If you don't have a stateful firewall blocking outbound connections why
 would
 the traffic even have to go through mod_security?

 --
 Tracy Reed


Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Dobbins, Roland
On May 10, 2011, at 1:40 PM, Tracy Reed wrote:

 If you have traffic going out to a high numbered port and you are not keeping 
 state how do you know if that is a
 reply packet to an existing inbound connection or if it is an unauthorized 
 outbound connection?


You use stateless ACLs to filter outbound traffic as well, only allowing 
traffic originating from required well-known ports to ephemeral high ports.  
This is a basic network access policy Best Current Practice (BCP).  
'Client-side' traffic originating from the server, such as DNS lookups and so 
forth, should be channeled through a completely different NIC on a completely 
different, isolated segment with proxies and so forth.  And all management 
access should take place via an OOB/DCN management network, on yet another 
NIC/segment.

And mod_security will pass PCI DSS audits just fine.

As PayPal's head of opsec was quoted recently, PCI DSS is too vague in many 
places, and is overly-specific in others.  It should be re-factored to an 
outcomes-based model, IMHO.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Bruno Cesar Moreira de Souza
On May 10, 2011, Dobbins, Roland rdobb...@arbor.net wrote:
On May 10, 2011, at 1:40 PM, Tracy Reed wrote:

 If you have traffic going out to a high numbered port and you are not keeping 
 state how do you know if that is a
 reply packet to an existing inbound connection or if it is an unauthorized 
 outbound connection?


 You use stateless ACLs to filter outbound traffic as well, only allowing 
 traffic 
 originating from required well-known ports to ephemeral high ports.  



The stateless ACLs would not prevent ACK tunneling 
(http://ntsecurity.nu/papers/acktunneling/). 

Although your infrastructure would be stronger against DDoS attacks, your 
environment would be more susceptible to covert channels and backdoors. If the 
organization's security concern is mainly availability, I could agree to 
deploying a packet filter to protect external servers. However, if an external 
intrusion or sensitive data leakage would cause more damage to the 
organization's business or reputation, I would not recommend it. Additionally, 
the organization may have different DMZ's or external networks with different 
security levels. 


Regards,

Bruno Cesar M. de Souza




Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Pete Smith
On 10 May 2011 15:07, Dobbins, Roland rdobb...@arbor.net wrote:

 On May 10, 2011, at 6:03 AM, Thor (Hammer of God) wrote:

  Maybe they should call that You don't have to patch genius!


 Stateful firewalls have no place in front of servers, where every incoming
 request is unsolicited, and therefore there is no state to inspect in the
 first place.  Stateful firewalls in front of servers merely serve as DDoS
 chokepoints due to the large amount of unnecessary state they instantiate.


This statement is only true for unauthenticated services which are not
dealing with financial information. Would you suggest a bank not protect
their internet banking service with a firewall because a DDoS might take the
service off line? Or would you tell them to use a firewall
in conjunction with a specific upstream device which may even be installed
at the ISP end of the link to deal with DDoS?

As Tracy mentioned, having a stateful firewall is useful to block outgoing
traffic; using an ACL just doesn't cut it. If an attacker initiates a
connection with dest port higher than 2048 (to some other server the attacker
controls) and source port of 80, that will pass through an ACL without
issues; this would not be so on a stateful firewall.

mod_security might be good practice to use in a layered approach... but if
you're running old versions of Apache (like Sony were) then it's not hard
for an attacker to control the memory space used by mod_security and allow
all packets. If the webserver is owned, then it's owned; no controls
implemented on that server can be trusted or relied on.

Pete
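A constructed simulation of the two outbound-filtering models argued over in this subthread (the stateless ACL Roland describes, the connection tracking Tracy and Pete rely on, and the bare-ACK case Bruno raises), added here as an illustration and not taken from any poster's code or from any firewall product. The packet format, the port numbers, the assumption that TCP/80 is the server's only service and that ports from 1024 up count as ephemeral are all simplifications of my own:

```python
"""Constructed simulation of the outbound-filtering models debated above.

Not code from any poster or product. It models two policies and runs both
over the same constructed packet sequence so the divergences are visible:
  * stateless ACL: each packet is judged on its own header; outbound
    traffic is allowed only from the service port to an ephemeral port.
  * stateful tracker: outbound traffic is allowed only as a reply on a
    connection the filter itself saw opened by an inbound SYN.
Assumptions: the server's only service is TCP/80, and ports >= 1024 are
treated as ephemeral client ports (simplifications for the example).
"""
from dataclasses import dataclass, field

SERVICE_PORT = 80      # the one service the server is meant to expose
EPHEMERAL_MIN = 1024   # constructed threshold for "high" client ports


@dataclass(frozen=True)
class Packet:
    direction: str       # "in" = Internet -> server, "out" = server -> Internet
    src_port: int
    dst_port: int
    flags: frozenset     # subset of {"SYN", "ACK", "FIN"}


def stateless_acl(pkt: Packet) -> bool:
    """Per-packet decision with no memory of earlier packets."""
    if pkt.direction == "in":
        # Clients may reach the service port from an ephemeral port.
        return pkt.dst_port == SERVICE_PORT and pkt.src_port >= EPHEMERAL_MIN
    # Outbound: anything that *looks* like a reply (service port -> high
    # port) passes, whether or not a connection actually exists. This is
    # the gap Pete and Bruno point at.
    return pkt.src_port == SERVICE_PORT and pkt.dst_port >= EPHEMERAL_MIN


@dataclass
class StatefulFilter:
    """Minimal connection tracker keyed on (client_port, server_port)."""
    established: set = field(default_factory=set)

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "in":
            if pkt.dst_port != SERVICE_PORT:
                return False
            key = (pkt.src_port, pkt.dst_port)
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.established.add(key)        # new inbound connection
                return True
            # Non-SYN inbound packets need an existing entry, so a bare
            # ACK with no connection behind it is dropped here.
            return key in self.established
        # Outbound: only replies on a tracked connection are allowed, so a
        # server-initiated connection is dropped even when it uses source
        # port 80 to look like a reply.
        key = (pkt.dst_port, pkt.src_port)
        if key not in self.established:
            return False
        if "FIN" in pkt.flags:
            self.established.discard(key)        # connection closing
        return True


def evaluate(packets):
    """Return [(label, stateless_decision, stateful_decision), ...]."""
    tracker = StatefulFilter()
    return [(label, stateless_acl(p), tracker.allow(p)) for label, p in packets]


# Constructed traffic: one legitimate exchange, then three packets that
# have no inbound connection behind them.
SAMPLE = [
    ("client SYN to :80",        Packet("in",  50000, 80,    frozenset({"SYN"}))),
    ("server SYN/ACK reply",     Packet("out", 80,    50000, frozenset({"SYN", "ACK"}))),
    ("server data reply",        Packet("out", 80,    50000, frozenset({"ACK"}))),
    ("server-initiated, src 80", Packet("out", 80,    40000, frozenset({"SYN"}))),
    ("outbound bare ACK",        Packet("out", 80,    40001, frozenset({"ACK"}))),
    ("inbound bare ACK to :80",  Packet("in",  40002, 80,    frozenset({"ACK"}))),
]


def verdict(ok: bool) -> str:
    return "pass" if ok else "drop"


if __name__ == "__main__":
    for label, acl, stateful in evaluate(SAMPLE):
        print(f"{label:26s}  ACL={verdict(acl):4s}  stateful={verdict(stateful)}")
```

The first three packets pass both filters; the last three pass the stateless ACL and are dropped by the tracker, which is the difference Tracy's question about high-numbered outbound ports is getting at. Roland's counterpoint is also visible in the model: a connection that an outside host opens with an inbound SYN to :80 is tracked like any other, so a party controlling both ends still has a channel, and the tracker raises the cost of a covert channel rather than removing it.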

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Valdis . Kletnieks
On Tue, 10 May 2011 16:48:45 +1000, Ivan . said:

 plenty of reports that the data was not encrypted, and also plenty that say
 it was.

Probably double-rot-13 encrypted for added security.  Works especially well on
credit card numbers. ;)




Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread nix
 Maybe they should call that You don't have to patch genius!  Lol

 http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/



I could understand if this happened to a script kid without knowledge
of security, but it happened to Sony with 100M users. Pathetic.
Luckily I was not a user of their network.



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Dobbins, Roland
On May 10, 2011, at 4:42 PM, Pete Smith wrote:

  if an attacker initiates a connection dest port higher than 2048 (to some 
 other server the attacker controls) and source port of 80 that will pass 
 through an ACL without issues, this would not be so on a stateful firewall.


If the attacker's in a position to generate an outbound connection sourced from 
a well-known port (which presumably is supposed to have an httpd attached to 
it), there's nothing a stateful firewall can do to improve matters.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Dobbins, Roland
On May 10, 2011, at 8:53 PM, Bruno Cesar Moreira de Souza wrote:

 The stateless ACLs would not prevent ACK tunneling 
 (http://ntsecurity.nu/papers/acktunneling/). 

Again, if an attacker's already in a position to do that, the game is already 
over.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Thor (Hammer of God)
 On May 10, 2011, at 4:42 PM, Pete Smith wrote:
 
   if an attacker initiates a connection dest port higher than 2048 (to some
 other server the attacker controls) and source port of 80 that will pass
 through an ACL without issues, this would not be so on a stateful firewall.
 
 
 If the attacker's in a position to generate an outbound connection sourced
 from a well-known port (which presumably is supposed to have an httpd
 attached to it), there's nothing a stateful firewall can do to improve 
 matters.

You can if you require authentication, which I do even here at the HoG labs.  
Well, except for rules specifically created for other devices such as, 
ironically, my PS3. :)

Mike Kaeo's presentation is interesting, and certainly has merit where it 
applies - but saying stateful firewalls have no place in front of servers is 
far too generic of a statement.   There are any number of topological 
deployment scenarios where firewalls certainly provide security in depth and 
added security, irrespective of what Mr. Kaeo's opinion on the matter is.  If 
one can design a secure access model using router ACLs then right on, but that 
doesn't mean that other models don't work.

I'm unclear as what you mean by no state to inspect in the first place in 
regard to firewalls in front of servers - my TMG box most certainly inspects 
state when I access assets via the firewall.   I think I know what you really 
meant by that statement, but can you explain your point a bit more?  I want to 
make sure I'm not missing something.

t





Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Dobbins, Roland
On May 10, 2011, at 10:45 PM, Thor (Hammer of God) wrote:

 There are any number of topological deployment scenarios where firewalls 
 certainly provide security in depth and added security, irrespective of what 
 Mr. Kaeo's opinion on the matter is.

The only one I can think of is between a middleware server and a front-end 
server or a middleware server and a back-end server; and even then, if an 
attacker has successfully compromised the middleware server, the game's already 
over.  Certainly not in front of servers routinely connected to by client 
machines.

That isn't just Merike's opinion, btw - it's a well-known BCP in the global 
opsec community (as distinct from the infosec community).  Her preso simply 
codifies what folks who perform Internet opsec for a living already know.

  If one can design a secure access model using router ACLs then right on, but 
 that doesn't mean that other models don't work.

It means they're unnecessary, and instantiating an unnecessary stateful DDoS 
chokepoint in front of a server is a net security loss, not a gain.

 I'm unclear as what you mean by no state to inspect in the first place in 
 regard to firewalls in front of servers - my TMG box most certainly inspects 
 state when I access assets via the firewall.


How does inserting a stateful firewall in front of a Web server help, given the 
stateless nature of HTTP and the fact that all incoming connections to the 
server are unsolicited?  Same for a DNS server.  There is no state for the 
firewall to inspect in order to determine whether to pass/fail those packets, 
stateless ACLs in hardware-based routers/layer-3 switches are the way to go.

All the talk of exfiltration via a covert channel is irrelevant, given that a) 
when the httpd on the server stops responding, that's a big giveaway that 
there's a problem, and b) that if the attacker is in control of a remote host 
to which he wishes to exfiltrate data, he can simply initiate an inbound 
connection and then generate the appropriate outbound responses, since he's 
effectively in charge of both ends of the connection, and c) there're far 
easier and less visible/onerous ways to exfiltrate data, anyways.

There are no stateful firewalls emplaced in front of the extremely popular 
servers/services accessed by gazillions of Internet users on a daily basis - at 
least, the ones that stay up, heh.  And every time I get a call from someone 
screaming 'the IDC and everything in it is down', it's because there's an 
unnecessary stateful firewall fronting the whole thing, and it's trivially easy 
for an attacker with even a very small botnet to take down said stateful 
firewall with programmatically-generated attack traffic which will conform to 
all the firewall rules and 'inspectors' and whatnot, but which will fill up the 
firewall state-tables, crowd out legitimate traffic, and eventually cause said 
firewall to fall over.

Stateful firewalls make perfect sense in front of endpoint networks comprised 
of client machines which shouldn't receive unsolicited connections across some 
defined policy boundary.  They make no sense in front of servers, but folks 
have been conditioned to think that firewalls are some kind of universal 
security panacea.  Which is especially ironic in the context of this thread, 
given that Sony have publicly stated that their servers were in fact exploited 
by traffic which passed straight through their stateful firewalls.

;

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Bruno Cesar Moreira de Souza

--- On May 10, 2011, Dobbins, Roland rdobb...@arbor.net wrote:

 On May 10, 2011, at 8:53 PM, Bruno Cesar Moreira de Souza wrote:
 
  The stateless ACLs would not prevent ACK tunneling 
  (http://ntsecurity.nu/papers/acktunneling/). 
 
 Again, if an attacker's already in a position to do that,
 the game is already over.

The game is over for this compromised server. However, the attacker possibly 
wants to attack other servers in the network and then compromise sensitive 
database servers. If the compromised server is not behind a stateful firewall, 
it will be easier to create a tunnel to access unauthorised ports (such as 
database network services) and attack other servers. In the worst case, the 
attacker may be able to penetrate the internal network through this tunnel. 
Would it be possible to create a covert channel through a stateful firewall? 
Yes, but if the firewall is well configured, you increase the complexity of 
the attack and there is more chance the attack will be detected.

Additionally, using a covert channel, the attacker can create a backdoor to 
keep his access. Even if the exploited vulnerability is fixed in a short time, 
the attacker will still be able to easily control the compromised server. And 
perhaps his access will remain unnoticed for a long time.





Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Bruno Cesar Moreira de Souza

--- On May 10, 2011, Dobbins, Roland rdobb...@arbor.net escreveu:

 On May 10, 2011, at 10:56 PM, Bruno
 Cesar Moreira de Souza wrote:
 
  If the compromised server is not behind a stateful
 firewall, it will be easier to create a tunnel to access
 unauthorised ports (such as database network services) and
 attack other servers. 
 
 
 That's untrue if even the most basic BCPs for crafting and
 enforcing network access policies have been followed. 
 Plus, the moment the httpd stops working, that should ring
 alarm bells via even the most basic NMS/OSS monitoring.

How would you block an ACK tunnel using only a packet filter? 
(http://ntsecurity.nu/papers/acktunneling/) You don't need to stop the httpd 
service to create this kind of tunnel, as the packets from the attacker would 
just be ignored by the httpd service, but could be intercepted by the malicious 
code executed on the compromised server (using the same approach employed by 
network sniffers). 

 
  Even if the exploited vulnerability is fixed in a
 short time, the attacker will still be able to easily
 control the compromised server.
 
 Not if it's taken offline and scrubbed down to the bare
 metal, as should be routine after a compromise.
 

This is true IF the compromise was detected. I'm talking about the common case 
when the compromise is not detected, but after some time the vulnerability is 
fixed (for example, through patching).  If the attacker installed a backdoor in 
the compromised server, which uses a covert channel through your packet 
filter, then you may not detect the problem for a long time.
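Bruno's question above, as an added detection-side example that is not part of the thread: a stateless packet filter keeps no connection memory, so it cannot tell a data-bearing ACK on a real connection from one on a flow that never started, but a monitor alongside it can. Addresses, packet records and the threshold are constructed assumptions, not any real IDS's rules.

```python
"""
Added example, not from the thread: detection logic for the symptom Bruno
describes, payload-bearing ACK segments aimed at the Web port on a flow
whose handshake the monitor never saw. A stateless packet filter cannot
act on this because it keeps no connection memory; a monitor beside it can.
Packet records, addresses and the threshold are constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple

SERVER = "192.0.2.10"       # constructed documentation address
WEB_PORTS = {80, 443}


class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # subset of {"SYN", "ACK", "RST", "FIN"}
    payload_len: int


def orphan_ack_sources(pkts: Iterable[Pkt], threshold: int = 3) -> Dict[str, int]:
    """Return {src_ip: count} for sources that sent at least `threshold`
    data-carrying ACK segments to the Web ports on flows with no observed SYN.

    Caveat: a capture started mid-stream makes long-lived legitimate flows
    look orphaned too, which is why this aggregates per source and applies a
    threshold instead of alerting on a single segment. Flows are forgotten
    when either side sends RST, so a reused 4-tuple needs a fresh SYN.
    """
    seen_syn = set()                    # client-side 4-tuples whose SYN we saw
    orphans: Dict[str, int] = defaultdict(int)
    for p in pkts:
        to_server = p.dst == SERVER and p.dport in WEB_PORTS
        from_server = p.src == SERVER and p.sport in WEB_PORTS
        if not (to_server or from_server):
            continue
        # Normalise both directions to the client's 4-tuple.
        key = (p.src, p.sport, p.dst, p.dport) if to_server \
            else (p.dst, p.dport, p.src, p.sport)
        if "RST" in p.flags:
            seen_syn.discard(key)
            continue
        if not to_server:
            continue
        if "SYN" in p.flags:
            seen_syn.add(key)
        elif "ACK" in p.flags and p.payload_len > 0 and key not in seen_syn:
            orphans[p.src] += 1
    return {src: n for src, n in orphans.items() if n >= threshold}


# Constructed sample: one ordinary HTTP exchange, then four data-bearing ACKs
# from another host that never completed a handshake with the server.
F = frozenset
SAMPLE = [
    Pkt("198.51.100.7", 51000, SERVER, 80, F({"SYN"}), 0),
    Pkt(SERVER, 80, "198.51.100.7", 51000, F({"SYN", "ACK"}), 0),
    Pkt("198.51.100.7", 51000, SERVER, 80, F({"ACK"}), 0),
    Pkt("198.51.100.7", 51000, SERVER, 80, F({"ACK"}), 212),   # GET request
    Pkt(SERVER, 80, "198.51.100.7", 51000, F({"ACK"}), 1400),  # response
    Pkt("203.0.113.9", 40000, SERVER, 80, F({"ACK"}), 64),
    Pkt("203.0.113.9", 40001, SERVER, 80, F({"ACK"}), 64),
    Pkt(SERVER, 80, "203.0.113.9", 40001, F({"RST"}), 0),      # stack answers a stray ACK with RST
    Pkt("203.0.113.9", 40002, SERVER, 80, F({"ACK"}), 64),
    Pkt("203.0.113.9", 40003, SERVER, 80, F({"ACK"}), 64),
]

if __name__ == "__main__":
    print(orphan_ack_sources(SAMPLE))   # {'203.0.113.9': 4}
```

The server's own RSTs toward port-80 "clients" are a second, cheaper signal for the same thing and can be counted the same way.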




Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Thor (Hammer of God)
 How does inserting a stateful firewall in front of a Web server help, given 
 the
 stateless nature of HTTP and the fact that all incoming connections to the
 server are unsolicited?  Same for a DNS server.  There is no state for the
 firewall to inspect in order to determine whether to pass/fail those packets,
 stateless ACLs in hardware-based routers/layer-3 switches are the way to go.

HTTP may be stateless, but the TCP connection isn't.  The purpose for my 
firewall in front of my web server is that if you get on the box, or can 
somehow try to initiate an external connection (e.g. SQL injection), you will 
not be able to do so.  My web server will only respond with return HTTP traffic 
if the session has already been initiated.  You can't make any outbound 
connections from it no matter what your source port is.   How is a simple ACL 
allowing anything from 80 outbound secure?  

 All the talk of exfiltration via a covert channel is irrelevant, given that 
 a) when
 the httpd on the server stops responding, that's a big giveaway that there's a
 problem, and b) that if the attacker is in control of a remote host to which 
 he
 wishes to exfiltrate data, he can simply initiate an inbound connection and
 then generate the appropriate outbound responses, since he's effectively in
 charge of both ends of the connection, and c) there're far easier and less
 visible/onerous ways to exfiltrate data, anyways.

Which is why we have security in depth.  The old "there are 10 ways to do it 
anyway so why bother" argument just doesn't hold water for me.   My above 
response could easily obviate 5 of those ways, so there is value add.   Your 
stance of "irrelevant" and "unnecessary" and other superlative postures is far 
too heavy handed in my opinion - and just because ops likes something doesn't 
mean it has anything to do with security.  I'm not sure who you are talking to, 
but no one in my org ever considers a firewall a security panacea, nor any 
single technology for that matter. 

 
 There are no stateful firewalls emplaced in front of the extremely popular
 servers/services accessed by gazillions of Internet users on a daily basis - 
 at
 least, the ones that stay up, heh.  And every time I get a call from someone
 screaming 'the IDC and everything in it is down', it's because there's an
 unnecessary stateful firewall fronting the whole thing, and it's trivially 
 easy
 for an attacker with even a very small botnet to take down said stateful
 firewall with programmatically-generated attack traffic which will conform to
 all the firewall rules and 'inspectors' and whatnot, but which will fill up 
 the
 firewall state-tables, crowd out legitimate traffic, and eventually cause said
 firewall to fall over.

Of course there are firewalls in front of some of these services, and if it is 
trivial for someone with a small bot to take down the firewall, then someone is 
not doing their job.  

 Stateful firewalls make perfect sense in front of endpoint networks
 comprised of client machines which shouldn't receive unsolicited connections
 across some defined policy boundary.  They make no sense in front of
 servers, but folks have been conditioned to think that firewalls are some kind
 of universal security panacea.  Which is especially ironic in the context of 
 this
 thread, given that Sony have publicly stated that their servers were in fact
 exploited by traffic which passed straight through their stateful firewalls.

The fact that someone was able to navigate through firewalls speaks to the 
configuration, not the technology.  Sony actually said they didn't have 
firewalls, and only had ACLs, so your point is lost there, I think.  

t



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Dobbins, Roland
On May 11, 2011, at 4:01 AM, Thor (Hammer of God) wrote:

 HTTP may be stateless, but the TCP connection isn't.  The purpose for my 
 firewall in front of my web server is that if you get on the box, or can 
 somehow try to initiate an external connection (e.g. SQL injection), you will 
 not be able to do so.

Again, if I'm an attacker and I've already pwn3d your box, this is a trivial 
issue.

But let's pretend it isn't.  Since I've pwn3d your box, I can quite easily 
initiate an inbound connection to your box from some other outside box which is 
outside and is under my control, which will conform to your inverted 
state-check, and thus I have my connection, and can exfiltrate data.

  How is a simple ACL allowing anything from 80 outbound secure?

Given the above, the question is, how is it insecure?  Especially since it 
removes the DDoS state-table vector?

 The old "there are 10 ways to do it anyway so why bother" argument just doesn't 
 hold water for me.

It should in a scenario in which the cost/benefit ratio is so clearly weighted 
towards the cost side, with so little on the benefit side.

   My above response could easily obviate 5 of those ways, so there is value 
 add.

Look, if you have stateless ACLs only allowing access to your box via 
destination ports TCP/80 and TCP/443 and denying everything else, and stateless 
ACLs which only permit outbound traffic sourced from TCP/80 and TCP/443 to 
ephemeral ports, then the only way someone is going to be able to access your 
box from the outside in the first place is via those selfsame TCP/80 and 
TCP/443 ports.  Which means that your stateful outbound checking is for nought, 
since the attacker is going to be able to initiate a session which passes your 
firewall policy rules and the inverted state check, anyways, or he isn't going 
to be able to access your box at all.

As far as a sidewise compromise or a compromise from 'inside' (assuming there 
is an 'inside'; public-facing servers ought not to be conflated with 
workstation access LANs and the like at all), again, if you have appropriate 
functional separation and network access policies in place, plus you're 
monitoring all of it using appropriate visibility technologies, that isn't an 
issue, either.

So, all this stateful checking you're doing on outbound traffic from your Web 
server doesn't actually benefit you one iota, and it makes it trivially easy to 
exhaust the state-tables in your firewall.  If you don't believe me, take a 
tool like Siege or Tsung and set it up to hammer your server through the 
stateful firewall with lots and lots of unique connections.

 Of course there are firewalls in front of some of these services, and if it 
 is trivial for someone with a small bot to take down the firewall, then 
 someone is not doing their job.

It's because of the nature of stateful firewalls.  Yes, S/RTBH or flowspec or 
IDMS can and are used to protect said stateful firewalls and everything behind 
them from DDoS, but those stateful firewalls shouldn't be there in the first 
place.

 The fact that someone was able to navigate through firewalls speaks to the 
 configuration, not the technology.  Sony actually said they didn't have 
 firewalls, and only had ACLs, so your point is lost there, I think. 


http://gamer.blorge.com/2011/05/01/sony-press-conference-compensation-details-and-psn-to-resume-this-week/

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde
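
The ACL pair Roland lays out above (inbound only to TCP/80 and TCP/443, outbound only sourced from those ports toward ephemeral ports), as an added example that is not part of the thread: a small stateless model that evaluates the flows both sides argue about. The Cisco-style 'established' qualifier on the outbound rule, which matches only segments carrying ACK or RST, is an assumed extra, and all addresses and packets are constructed.

```python
"""
Added example, not part of the thread: a minimal model of the stateless ACL
pair described for a public Web server. No connection memory is kept, which
is exactly what a stateless filter has to work with. The 'established'
qualifier (permit only if ACK or RST is set) is an assumed addition that
shows what such a filter can and cannot do about a compromised host's traffic.
"""
from typing import NamedTuple

SERVER = "192.0.2.10"               # constructed (RFC 5737 documentation range)
SERVICE_PORTS = {80, 443}
EPHEMERAL = range(1024, 65536)      # conventional client source-port range


class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset                # subset of {"SYN", "ACK", "RST", "FIN"}


def inbound_permitted(p: Pkt) -> bool:
    """Inbound ACL: permit only packets to the server's service ports."""
    return p.dst == SERVER and p.dport in SERVICE_PORTS


def outbound_permitted(p: Pkt, established_only: bool = True) -> bool:
    """Outbound ACL: permit only packets sourced from a service port toward an
    ephemeral port. With established_only the segment must also carry ACK or
    RST, so a bare SYN the host originates from port 80 is still dropped."""
    if p.src != SERVER or p.sport not in SERVICE_PORTS or p.dport not in EPHEMERAL:
        return False
    if established_only and not (p.flags & {"ACK", "RST"}):
        return False
    return True


def verdicts(established_only: bool = True) -> dict:
    """Evaluate constructed flows and return {label: permitted} for each."""
    f = frozenset
    return {
        # Ordinary client: handshake in, reply out.
        "client_syn_in": inbound_permitted(
            Pkt("198.51.100.7", 51000, SERVER, 80, f({"SYN"}))),
        "server_synack_out": outbound_permitted(
            Pkt(SERVER, 80, "198.51.100.7", 51000, f({"SYN", "ACK"})), established_only),
        # Thor's concern: the host itself tries to open a connection to a database elsewhere.
        "host_syn_to_db": outbound_permitted(
            Pkt(SERVER, 45123, "203.0.113.5", 3306, f({"SYN"})), established_only),
        # The "no matter what your source port is" case: a fresh SYN sourced from port 80.
        # Without 'established' the plain port-based rule lets it through.
        "host_syn_from_80": outbound_permitted(
            Pkt(SERVER, 80, "203.0.113.5", 4444, f({"SYN"})), established_only),
        # Roland's point: a peer under the attacker's control connects *in* to port 80,
        # so the host's replies (ACK + data) satisfy the outbound rule either way.
        "peer_syn_in": inbound_permitted(
            Pkt("203.0.113.5", 40000, SERVER, 80, f({"SYN"}))),
        "host_data_to_peer": outbound_permitted(
            Pkt(SERVER, 80, "203.0.113.5", 40000, f({"ACK"})), established_only),
        # Anything to a non-service port is dropped inbound regardless of flags.
        "probe_to_3306_in": inbound_permitted(
            Pkt("203.0.113.5", 40001, SERVER, 3306, f({"ACK"}))),
    }


if __name__ == "__main__":
    for label, ok in verdicts().items():
        print(f"{label:20s} {'permit' if ok else 'deny'}")
```

The model shows both halves of the argument at once: the stateless rules stop the host from originating connections (and, with 'established', even ones sourced from port 80), while a peer that connects in to port 80 gets a two-way path that no per-packet rule can distinguish from a real client.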



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Dobbins, Roland
On May 11, 2011, at 12:52 AM, Bruno Cesar Moreira de Souza wrote:

 How would you block an ACK tunnel using only a packet filter? 
 (http://ntsecurity.nu/papers/acktunneling/) You don't need to stop the httpd 
 service to create this kind of tunnel, as the packets from the attacker would 
 just be ignored by the httpd service, but could be intercepted by the 
 malicious code executed on the compromised server (using the same approach 
 employed by network sniffers). 

See my previous response to Thor.  I don't intend to keep this thread going 
forever in the face of incomprehension, but this focus on corner-case 
exfiltration techniques which are easily obviated by OS and service/app BCPs 
and appropriate monitoring, to the point of instantiating unnecessary and 
harmful state in front of servers which makes it trivial to take them down, 
demonstrates that in general, the infosec community pretty much completely 
ignores the availability leg of the confidentiality-integrity-availability 
triad.

Which is disappointing, given that availability is in fact the most important 
leg of that triad.

But, I guess if availability is nil, one has achieved perfect confidentiality 
and integrity, since the applications and services and data are completely 
inaccessible, so perhaps that's a big win for confidentiality and integrity, 
after all.

;

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Thor (Hammer of God)
I'll reply in kind combining threads, but sans insulting statements like "in 
the face of incomprehension".  You make grand assumptions about what you can 
do, and what is "trivial" as if you think all vulnerabilities automatically 
give you administrative access or something.   You thinking that just because 
you owned my web server, it is trivial to bypass outbound rule enforcement - 
this is not only assumptive, but incorrect.   Most attacks or breaches do not, 
in fact, result in that level of access.  

You apparently live and work in a world of absolutes where you assume you can 
send traffic to my web server and just alter the response as you see fit.  
You've also apparently had a *very* different incident response history than I 
have.   But, at Arbor, I would also expect that you live in a world very different 
than most and interact with a much different traffic model.  My experience is 
quite different, and I have personally seen too many instances to count where 
the use of firewalls has, without question, been what has saved a company.  But 
I'm glad it works for you, which is really what this conversation is about: 
what actually works for people. 

Feel free to argue all you wish about how firewalls are ineffective and a 
waste, but I have empirical evidence that shows otherwise.  I'm glad your ops 
experience serves you, but I would never count on ACLs alone to secure my 
infrastructure, particularly when it requires one to have wide open outbound 
ACLs.  And actually, I would do both (and normally do in production networks).  

So, to wrap up my input in this regard, people should use what works for them 
assuming they know what problems they are trying to solve and how they are 
solving them.   But just because people don't automatically embrace your ops 
processes doesn't mean we can't comprehend it.  It's really not rocket 
science you know...

 -Original Message-
 From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-
 boun...@lists.grok.org.uk] On Behalf Of Dobbins, Roland
 Sent: Tuesday, May 10, 2011 4:33 PM
 To: full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] Sony: No firewall and no patches
 
 On May 11, 2011, at 12:52 AM, Bruno Cesar Moreira de Souza wrote:
 
  How would you block an ACK tunnel using only a packet filter?
 (http://ntsecurity.nu/papers/acktunneling/) You don't need to stop the
 httpd service to create this kind of tunnel, as the packets from the attacker
 would just be ignored by the httpd service, but could be intercepted by the
 malicious code executed on the compromised server (using the same
 approach employed by network sniffers).
 
 See my previous response to Thor.  I don't intend to keep this thread going
 forever in the face of incomprehension, but this focus on corner-case
 exfiltration techniques which are easily obviated by OS and service/app BCPs
 and appropriate monitoring, to the point of instantiating unnecessary and
 harmful state in front of servers which makes it trivial to take them down,
 demonstrates that in general, the infosec community pretty much
 completely ignores the availability leg of the confidentiality-integrity-
 availability triad.
 
 Which is disappointing, given that availability is in fact the most important 
 leg
 of that triad.
 
 But, I guess if availability is nil, one has achieved perfect confidentiality 
 and
 integrity, since the applications and services and data are completely
 inaccessible, so perhaps that's a big win for confidentiality and integrity, 
 after
 all.
 
 ;
 
 ---
 Roland Dobbins rdobb...@arbor.net //
 http://www.arbornetworks.com
 
   The basis of optimism is sheer terror.
 
 -- Oscar Wilde
 



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Dobbins, Roland
On May 11, 2011, at 6:51 AM, Thor (Hammer of God) wrote:

My experience is quite different, and I have personally seen too many instances 
to count where the use of firewalls has, without question, been what has saved 
a company.

I would be extremely interested to learn details of how a stateful firewall in 
front of a server saved a company, when stateless ACLs in hardware-based 
network infrastructure devices would've led to failure.  Seriously, if you 
don't mind outlining the scenario, I think it would be very instructive.

 So, to wrap up my input in this regard, people should use what works for them 
 assuming they know what problems they are trying to solve and how they are 
 solving them.


If an attacker is already in a position to issue commands and induce your box 
to do things, he *already has his covert channel over which he can exfiltrate 
data*.  So the outbound stateful checking of server response traffic is moot, 
and simply constitutes a stateful DDoS chokepoint which makes it trivial for an 
attacker to take down the server in question by filling up the state-tables of 
said firewall with well-formed, programmatically-generated traffic.

That's my point, in a nutshell.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Ivan .
I'll throw this into the mixer while on the topic of FWs

The TCP Split Handshake: Practical Effects on Modern Network Equipment
http://nmap.org/misc/split-handshake.pdf


On Wed, May 11, 2011 at 10:18 AM, Thor (Hammer of God)
t...@hammerofgod.com wrote:

  I would be extremely interested to learn details of how a stateful firewall 
  in
  front of a server saved a company, when stateless ACLs in hardware-based
  network infrastructure devices would've led to failure.  Seriously, if you 
  don't
  mind outlining the scenario, I think it would be very instructive.

 I'd be happy to - I too would like to dive a bit deeper into what your points 
 are as I find them interesting as well.  Let's take it offline - you can 
 share back with the group if you feel it valuable.

 t




Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Dobbins, Roland
On May 11, 2011, at 7:18 AM, Thor (Hammer of God) wrote:

  Let's take it offline - you can share back with the group if you feel it 
 valuable.


Sounds good to me, thanks much!

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-09 Thread Christian Sciberras
I congratulate all those that made a good pawn (pwn?) out of Anonymous,
urging the group into a vendetta attack in the name of George Hotz; while
the upper echelon collected the bounty; loads of user information.

Must be the social engineering effort of the century considering the size of
the outcome as well as suckering a different kind of victim into it.

Of course, on the other side of the Fail scale there is Sony, but the media
will do the job of an appropriate critique - so I won't even bother.



On Tue, May 10, 2011 at 1:33 AM, Ivan . ivan...@gmail.com wrote:

 I guess that makes a mockery of the PCI DSS framework!

 On Tue, May 10, 2011 at 9:03 AM, Thor (Hammer of God) 
 t...@hammerofgod.com wrote:

  Maybe they should call that "You don't have to patch" genius!  Lol


 http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/


 Sent from my Windows Phone






Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-09 Thread The Security Community
On Mon, May 9, 2011 at 7:03 PM, Thor (Hammer of God)
t...@hammerofgod.com wrote:
 Maybe they should call that "You don't have to patch" genius!  Lol

 http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/



Maybe they *DID* call him.

https://www.infosecisland.com/blogview/10813-Getting-Off-the-Patch.html


Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-09 Thread Tracy Reed
On Tue, May 10, 2011 at 09:33:23AM +1000, Ivan . spake thusly:
 I guess that makes a mockery of the PCI DSS framework!

Not at all. PCI DSS does not guarantee security. And if they didn't have a
firewall and were running outdated software they weren't compliant anyway.

-- 
Tracy Reed



Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-09 Thread Nick FitzGerald
Thor (Hammer of God) wrote:

 Maybe they should call that "You don't have to patch" genius!  Lol
 
 http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/

Or, to paraphrase Sony BMG's (then) Global Digital Business President 
Thomas Hesse*:

   Most people, I think, don't even know what patch management, threat
   assessment or a firewall is, so why should _we_ care about them?

This group of companies clearly has DNA to prevent them from learning. 
Maybe a good reaming by the legal system this time will finally 
penetrate their corporately-ignorant ways?  (And yes, somewhat 
ironically, I am sending this from a Sony laptop...)



* http://www.npr.org/templates/story/story.php?storyId=4989260 -- the 
quote is from around 1:56 in the audio.





Regards,

Nick FitzGerald




Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-09 Thread Dobbins, Roland
On May 10, 2011, at 6:03 AM, Thor (Hammer of God) wrote:

 Maybe they should call that "You don't have to patch" genius! 


Stateful firewalls have no place in front of servers, where every incoming 
request is unsolicited, and therefore there is no state to inspect in the first 
place.  Stateful firewalls in front of servers merely serve as DDoS chokepoints 
due to the large amount of unnecessary state they instantiate.

Instead, network access policies for servers should be implemented utilizing 
stateless ACLs on hardware-based routers and/or layer-3 switches capable of 
handling mpps of traffic.

Keeping OSes and apps/services up-to-date with patches and configured securely 
is extremely important, of course; and network access policies should be 
implemented per the above.  But blindly sticking stateful firewalls in places 
where there's no state to inspect and where they actually do more harm than 
good in terms of actual security posture isn't a solution.  Where stateful 
firewalls in front of Web servers are incorrectly mandated by various 
regulatory frameworks, making use of mod_security or its equivalent on the Web 
servers themselves ensures compliance without creating a DDoS chokepoint.

See 
http://www.nanog.org/meetings/nanog48/presentations/Monday/Kaeo_FilterTrend_ISPSec_N48.pdf
and 
http://www.eweek.com/index2.php?option=content&task=view&id=66503&pop=1&hide_ads=1&page=0&hide_js=1&catid=45
for more details on this particular sub-topic.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

The basis of optimism is sheer terror.

  -- Oscar Wilde
