Firewall Wizards mailing list archives

Re: mitigating the lack of a firewall

From: mholser () Adobe COM (Malcolm Holser)
Date: Wed, 16 Feb 2000 14:11:46 -0800 (PST)

...and DoS attacks are harder to stop than "noraml" firewall sort
of stuff, as you must distinguish between legitimate requests and
spurious ones.  It might not be possible to have an open door to
the public and not be susceptible to DoS "flood" attacks, even on
an otherwise very secure site.  To protect against flood DoS, you 
have to be able to ignore the bogus requests, generally by recognizing
a signature in it.  This latest flood was not able to be blocked
by looking at the source address, as the floods came from good
sites, although I think this one was blockable by looking at the 
contents of the packets (I think they may have been ICMP packets
in the recent case).

If this is all correct, you might answer the second part of the
original post, and say something about the differences in security
needs between "unauthorized access" and DoS.

Malcolm Holser
Adobe Systems, Inc.

On Sat, 12 Feb 2000, Bruce H. Nearon wrote:

Suppose an Internet site does not have a firewall.  Can a securely
configured IIS 4.0 server running under securely configured NT 4.0
protect the site from unauthorized access and denial of service attacks?


What do you mean "site"?

If you're talking about a bunch of machines, certainly not.  Not without
making the NT machine something that constitutes a firewall.

Assuming you're talking about a web "site", then yes, depending on your
requirements.  If the web server software is as locked down as it can be,
then a firewall doesn't matter.  I know of no firewall that can stop new
unknown attacks against web servers, if you're allowing web access.

The "depends" part has to do with how you administer the server.  If
you're willing to walk media up to the console of the NT box to update
content, then you can rip out the workstation and server services, and
feel pretty good.  If you're going to try to use an MS filesharing, RPC,
DB access, etc...  then, IMNSHO, you better have a firewall.

                                      Ryan

Current thread:

mitigating the lack of a firewall Bruce H. Nearon (Feb 14)
- Re: mitigating the lack of a firewall R. DuFresne (Feb 15)
  - RE: mitigating the lack of a firewall Phil Cox (Feb 15)
- Re: mitigating the lack of a firewall Aaron D. Turner (Feb 15)
- Re: mitigating the lack of a firewall Ryan Russell (Feb 15)
- Message not available
  - Re: mitigating the lack of a firewall Marcus J. Ranum (Feb 15)
- <Possible follow-ups>
- RE: mitigating the lack of a firewall Starkey, Kyle (Feb 15)
- RE: mitigating the lack of a firewall David LeBlanc (Feb 16)
- Re: mitigating the lack of a firewall Malcolm Holser (Feb 17)
- RE: mitigating the lack of a firewall Burden, James (Feb 24)