Firewall Wizards: RE: Vulnerability Response (was: BGP TCP RST Attacks)

RE: Vulnerability Response (was: BGP TCP RST Attacks)

From: Ames, Neil <NAmes_at_anteon.com>
Date: Wed, 2 Jun 2004 12:24:20 -0400

Ron,
   You hit one of my peeves. Some very large organizations have this mindset--that you can't have host-based firewalls or low-end appliances doing firewalling of islands of servers--because they want to be able to scan everything and control everything from their desktops. ("Red is grey and yellow white, and *they* decide which is right and which is an illusion..."--if I may [mis-]quote Moody Blues lyrics) I don't beat my head against the wall anymore. I just watch them scramble every once in a while when the chewy middle goes bad for obvious and preventable reasons.
 
 
--Fritz

        -----Original Message-----
        From: R. DuFresne [mailto:dufresne_at_sysinfo.com]
        Sent: Tue 6/1/2004 8:05 PM
        To: M. Dodge Mumford
        Cc: Paul D. Robertson; Ben Nagy; 'Marcus J. Ranum'; firewall-wizards_at_honor.icsalabs.com
        Subject: Re: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)
        
        

        On Tue, 1 Jun 2004, M. Dodge Mumford wrote:
        
> Paul D. Robertson said:
> > If it can't be attacked, then arguably, it doesn't need to be fixed.
>
> That sentiment surprises me a bit. It appears to me to violate the concept
> of defense in depth. Blocking the exploit path to a vulnerability may
> mitigate the risk greatly, but the vulnerability still remains. In your
> instance, the exploit path would involve attacking your host operating
> system that's performing the firewalling.
>
> I would think the point of mitigating the risk is to buy you time to fix the
> vulnerability. That "time to fix" may be "until Longhorn is released." Which
> assumes that Longhorn (or, broadly, version++) will fix the vulnerability.
>
        
        Blocking the exploit path should be viewed in the context of "defense in
        depth", and a person has to avoid tunnel vision.
        
        At my present place of employment one of the CISSPs had tunnel vision to
        the effect that in scanning systems for potential sploitable services, he
        had the impression that if he could not touch a service with his scanner
        that in and of itself was an issue; never mind that our unix toolsets used
        a number of apps to provide "defense in depth" and thus his scanner was
        'running' into them and they were doing their job, blocking his scans to
        those services. Was this a problem? Only in his eyes....
        
        
        Thanks,
        
        Ron DuFresne
        --
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                admin & senior security consultant: sysinfo.com
                                http://sysinfo.com
        
        "Cutting the space budget really restores my faith in humanity. It
        eliminates dreams, goals, and ideals and lets us get straight to the
        business of hate, debauchery, and self-annihilation."
                        -- Johnny Hart
        
        testing, only testing, and damn good at it too!
        
        _______________________________________________
        firewall-wizards mailing list
        firewall-wizards_at_honor.icsalabs.com
        http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
        

Received on Jun 02 2004
