On Fri, Feb 28, 2003 at 09:13:06AM +1300, Jeremy Brooking wrote:
> On Fri, 2003-02-28 at 08:27, Blaine Kahle wrote:
> > Oh come on. Let's assume you're paranoid and are filtering outbound
> > traffic as well, a somewhat rare practice. I manage to get my software
>
> rare? well yes I suppose it is when you install a 'Packetfilter' like
> zonealarm and call it a 'Firewall'

Are you addressing this to me, or to the public in general? I am not Joe
Home User; I thought I made that clear already.

> But every firewall I've ever administered has either used stateful
> inspection and/or filtered outgoing traffic.

Stateful inspection is not outbound filtering.

> > installed on one of your "inside" machines. It connects to port 80 of a
> > computer I control on the "outside". Your firewall allows inside
> > computers to connect to port 80 on remote machines, because preventing
> > your boss from surfing the web doesn't fly well with him. However, I'm
> > not running a web server on port 80, I'm running one end of a simple TCP
> > tunnel program, the inside computer acting as the other end. I now have
> > the ability to execute arbitrary commands/software inside your network.
> > And that's just one of the obvious attack methods.
> >
>
> And then we are back to a dmz again. Throw in a cache, problem solved.

Again? A DMZ was not mentioned at all, nor was a proxy or a cache.
Please stop introducing new elements into the debate. The situation was
machine->firewall->world. There are lots of ways to improve this, yes,
but I'm not going to iterate through all of them in an attempt to make
myself look knowledgeable. We were discussing "why having a range of
open ports with no listeners is bad when you have malicious software
running behind your firewall."


> > > Just because you've got one compromised system doesn't mean the cracker
> > > owns everything. Secure in layers and catch them before they get too far.
> >
> > Of course not. I didn't think I needed to explain all the details to
> > the experts.
> >
> > > Allowing incoming ports that don't always have listeners is bad practice.
> >
> > I didn't say it was a good thing. I said it was a moot point in the case
> > of malicious software already installed, and I've further explained
> > that.
>
> Then we have another issue... An admin that doesn't have his machine
> tripwired?

Tripwire is a specific product, or rather a line of products. How does
the trojaning of a file apply to what we're discussing? New code can be
introduced without replacing existing files, or are you proposing that
an alarm should be thrown up every time a new file is created on a
system? Nancy better not save that word document, lest she get a visit
from the Friendly Admin! :)

A better product to detect the attack I described would be a network IDS.
Hopefully, it'd recognize executable code, or match some other
"malicious" signature on the packets passing through. If all the insider
program needs is instructions on what attack to perform, then things get
tougher, as it's hard for an IDS to detect something like "function 01"
on the wire as being malicious.

> > This discussion is now rather off-topic for the hlds_linux list, so I
> > encourage anyone wishing to discuss firewall best-practices to email
> > off-list.
>
> Oh you mean like 99% of the traffic on this list?

Just because others do it, doesn't make it right. With that, I end my
participation in this thread, which is rapidly deteriorating into masked
flames.

--
Blaine Kahle
[EMAIL PROTECTED]
0x178AA0E0
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux
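The IDS point above (recognising executable code on the wire is feasible; recognising a terse instruction such as "function 01" is not) can be made concrete with a small classifier. This is an added example, not code from the thread or from any product named in it, and every packet in it is constructed. It runs two checks a network IDS might apply to the first data segment of an outbound flow: a signature match for executable headers, and a protocol-conformance check that flags a port-80 flow whose first bytes are not an HTTP request line. The second check goes slightly beyond the thread: it is the same property an HTTP proxy or cache enforces, which is why inserting one in front of port 80 breaks a raw TCP tunnel. The names `Segment`, `inspect` and the signature table are this example's own.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Byte patterns standing in for "executable code" signatures. Constructed for
# this example; a real rule set is larger and anchors matches more carefully
# (searching for a bare "MZ" anywhere in a stream is noisy).
EXEC_SIGNATURES = {
    b"\x7fELF": "ELF header",
    b"MZ": "PE/DOS header",
    b"#!/": "script shebang",
}

# Request-line prefixes a genuine HTTP client sends first on a port-80 flow.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


@dataclass
class Segment:
    """First data segment of an outbound TCP flow (constructed, not captured)."""
    src: str
    dst: str
    dport: int
    payload: bytes


def signature_hits(payload: bytes) -> List[str]:
    """Names of executable-code signatures found anywhere in the payload."""
    return [name for magic, name in EXEC_SIGNATURES.items() if magic in payload]


def is_http_anomaly(seg: Segment) -> bool:
    """True when a flow to port 80 opens with something other than an HTTP request."""
    if seg.dport != 80 or not seg.payload:
        return False
    return not seg.payload.startswith(HTTP_METHODS)


def inspect(segments: List[Segment]) -> List[Tuple[str, List[str]]]:
    """Classify each flow as 'signature', 'anomaly' or 'clean' with supporting detail."""
    verdicts = []
    for seg in segments:
        hits = signature_hits(seg.payload)
        if hits:
            verdicts.append(("signature", hits))
        elif is_http_anomaly(seg):
            verdicts.append(("anomaly", ["non-HTTP data on port 80"]))
        else:
            verdicts.append(("clean", []))
    return verdicts


# Constructed flows from an inside host to a single outside address:
#   1. ordinary web request          -> clean
#   2. an ELF image pushed over 80   -> caught by signature
#   3. a one-line tunnel instruction -> no signature; only the conformance check fires
#   4. a TLS ClientHello on 443      -> clean (no HTTP expectation on that port)
SAMPLE_FLOWS = [
    Segment("10.0.0.5", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Segment("10.0.0.5", "203.0.113.10", 80, b"\x7fELF\x02\x01\x01" + b"\x00" * 9),
    Segment("10.0.0.5", "203.0.113.10", 80, b"function 01\n"),
    Segment("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\x40"),
]

if __name__ == "__main__":
    for seg, (verdict, detail) in zip(SAMPLE_FLOWS, inspect(SAMPLE_FLOWS)):
        print(f"{seg.src}->{seg.dst}:{seg.dport}  {verdict}  {detail}")
```

The third flow is the hard case from the thread: nothing in "function 01" looks malicious, and it is only caught because the flow does not speak HTTP at all. A tunnel that wraps its instructions in well-formed HTTP requests passes both checks, which is the limit of signature and protocol inspection that the message describes.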
