Wednesday, April 14, 2010

firewall-wizards Digest, Vol 48, Issue 3

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. benevolent SSL MITM (ArkanoiD)
2. Re: DNS Names for external services (Behm, Jeff)
3. Re: Firewall best practices (Jason Lewis)
4. Re: DNS Names for external services (John Morrison)
5. Re: DNS Names for external services (Kent Crispin)
6. Re: DNS Names for external services (orca Puget)
7. Re: Firewall best practices (Marcus J. Ranum)
8. Re: DNS Names for external services (Marcus J. Ranum)


----------------------------------------------------------------------

Message: 1
Date: Thu, 15 Apr 2010 01:27:11 +0400
From: ArkanoiD <ark@eltex.net>
Subject: [fw-wiz] benevolent SSL MITM
To: firewall-wizards@listserv.cybertrust.com
Message-ID: <20100414212711.GA4276@eltex.net>
Content-Type: text/plain; charset=koi8-r

http://milliways.chance.ru/~ark/benevolent-ssl-mitm.pdf

I translated it to English finally (the original paper is almost half a year old :-( )


------------------------------

Message: 2
Date: Wed, 14 Apr 2010 10:30:15 -0500
From: "Behm, Jeff" <jbehm@burnsmcd.com>
Subject: Re: [fw-wiz] DNS Names for external services
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<7F611EB6D6C2064883F59190F87FFD620BF72A0130@BMCDMAIL01.burnsmcd.com>
Content-Type: text/plain; charset="us-ascii"

> Just curious, what are your opinions of the security vs. ease of use
> trade-offs on putting DNS entries in (vs. making people know/use an
> IP address) for services you expose to the Internet.

Thanks, group, for all the responses.

I'm glad this mailing list survives, even if in a lesser used capacity than in past years.

The insight here is invaluable.

Jeff


------------------------------

Message: 3
Date: Wed, 14 Apr 2010 09:10:36 -0400
From: Jason Lewis <jlewis@packetnexus.com>
Subject: Re: [fw-wiz] Firewall best practices
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<k2q554140e81004140610s30e957b2hba7b10a845a17d1a@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

While I believe "only allow what you need" is a good rule, it's
impossible to enforce in a lot of scenarios. How many small
businesses have no firewall admins and do the configuration
themselves? Do you think they are going to spend the time examining
what ports should be open based on what their users are using? No,
they will open ports until it works. Last time I checked every
Linksys router comes with allow all outbound by default. How many
people change that?

The point of my question was if you're forced into a position to open
everything, what ports *should* you always block and why. The
response below doesn't help that IT guy with no experience or time to
research everything.

For example, blocking SMB and NT RPC inbound and outbound should be a
high priority. Ports 135, 137-139, 445. A lot of worms are propagated
via these ports, and when you attempt to do DNS lookups, Windows will
also try to connect outbound via SMB. I had hoped someone had already
put this info on the web somewhere, but I have yet to find it.

Marcus's thoughts on default permit are here:
http://www.ranum.com/security/computer_security/editorials/dumb/index.html
Again, I agree with the thoughts, but for a hardware vendor selling
to a home user or an SMB, it's never going to happen. The user wants
to buy a device, plug it in and have it work. They don't want to
spend time configuring things. That's reality; default deny is a
dream.

jas

On Tue, Apr 13, 2010 at 3:51 PM, Anton Chuvakin <anton@chuvakin.org> wrote:
> All,
>
>> This is easy.....
>> Block List:             ALL
>> Allow List:             Only what you need and can trust
>
> Can somebody dig into the list archives and see how many times this
> question was asked for the last...mmm...10 years? God, this is 2010,
> why do people still ask for a list of "baddy ports to block?"
>
> Marcus, please come out of hibernation and rant!!! Or - better - copy
> your rant from..mmm...1992? :-)
>
> --
> Dr. Anton Chuvakin
> Site: http://www.chuvakin.org
> Blog: http://www.securitywarrior.org
> LinkedIn: http://www.linkedin.com/in/chuvakin
> Consulting: http://www.securitywarriorconsulting.com
> Twitter: @anton_chuvakin
> Google Voice: +1-510-771-7106

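The minimum block list Jason describes (SMB and NT RPC, ports 135, 137-139 and 445, in both directions, on a box that otherwise permits everything) as an added example that is not part of the original post: a small default-permit policy evaluator run over constructed flow-log lines. The RFC 1918 definition of "inside", the log format and the helper names are assumptions made for this illustration.

```python
import ipaddress
import re
# Ports from the message: TCP 135 (NT RPC endpoint mapper), 137-139 (NetBIOS)
# and 445 (SMB). NetBIOS name/datagram also use UDP 137/138, so the same set
# is applied to UDP flows.
BLOCKED_PORTS = {135, 137, 138, 139, 445}

# Assumption: RFC 1918 space is the protected side; anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow-log line: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def verdict(proto, src, dst, dport):
    """Default permit, except SMB/RPC ports on flows crossing the perimeter
    in either direction. LAN-to-LAN file sharing is left alone."""
    crosses_perimeter = is_internal(src) != is_internal(dst)
    if crosses_perimeter and dport in BLOCKED_PORTS:
        return "drop"
    return "allow"


def audit(log_text):
    """Apply the policy to every parseable line; return (line, verdict) pairs."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        _ts, proto, src, _sport, dst, dport = m.groups()
        results.append((line, verdict(proto, src, dst, int(dport))))
    return results


# Constructed sample: outbound SMB, outbound NetBIOS query, inbound RPC probe,
# ordinary HTTPS, and internal file sharing (only the first three are dropped).
SAMPLE_LOG = """\
2010-04-14T09:10:36 tcp 10.0.0.5:49152 -> 203.0.113.7:445
2010-04-14T09:10:37 udp 10.0.0.5:137 -> 203.0.113.7:137
2010-04-14T09:10:38 tcp 198.51.100.9:3322 -> 10.0.0.8:135
2010-04-14T09:10:39 tcp 10.0.0.5:49153 -> 203.0.113.7:443
2010-04-14T09:10:40 tcp 10.0.0.5:49154 -> 10.0.0.8:445
"""


def dropped_lines(log_text=SAMPLE_LOG):
    return [line for line, v in audit(log_text) if v == "drop"]
```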

------------------------------

Message: 4
Date: Wed, 14 Apr 2010 11:57:48 +0100
From: John Morrison <john.morrison101@googlemail.com>
Subject: Re: [fw-wiz] DNS Names for external services
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<o2nfd3b86ff1004140357s6393abd4t23ef7a62cbfcafba@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I have to agree with the view that obfuscation/obscurity is not the
way to go. It increases the difficulty of use and, in this case,
provides very little benefit.

See
"Why Security-Through-Obscurity Won't Work"
(http://slashdot.org/features/980720/0819202.shtml)
"What is 'security through obscurity'"
(http://users.softlab.ntua.gr/~taver/security/secur3.html)

For a wider discussion see
"Secrecy, Security, and Obscurity"
(http://www.schneier.com/crypto-gram-0205.html)


On 13 April 2010 21:22, Jim Seymour <jseymour@linxnet.com> wrote:
>> From: "Behm, Jeff" <jbehm@burnsmcd.com>
>> To: Firewall Wizards Security Mailing List
>>       <firewall-wizards@listserv.icsalabs.com>
>> Date: Tue, 13 Apr 2010 11:16:06 -0500
>> Subject: [fw-wiz] DNS Names for external services
>>
>> Just curious, what are your opinions of the security vs. ease of use
>> trade-offs on putting DNS entries in (vs. making people know/use an
>> IP address) for services you expose to the Internet.
> [snip]
>
> I believe there's nothing significant to be gained by such
> obfuscation.
>
> Regards,
> Jim
> --
> Note: My mail server employs *very* aggressive anti-spam
> filtering. If you reply to this email and your email is
> rejected, please accept my apologies and let me know via my
> web form at <http://jimsun.LinxNet.com/contact/scform.php>.


------------------------------

Message: 5
Date: Wed, 14 Apr 2010 08:38:14 -0700 (PDT)
From: "Kent Crispin" <kent@songbird.com>
Subject: Re: [fw-wiz] DNS Names for external services
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<57291.75.25.158.242.1271259494.squirrel@ancient-warrior.net>
Content-Type: text/plain;charset=iso-8859-1

On Tue, April 13, 2010 12:36, Henri Salo wrote:
> Please use domain example.com in your examples. Domain
> companynamehere.com is registered.


$ ping example.com
PING example.com (192.0.32.10) 56(84) bytes of data.
64 bytes from www.example.com (192.0.32.10): icmp_seq=1 ttl=242 time=33.7 ms
64 bytes from www.example.com (192.0.32.10): icmp_seq=2 ttl=242 time=33.8 ms

:-)


------------------------------

Message: 6
Date: Tue, 13 Apr 2010 13:17:51 -0700
From: orca Puget <klrorca@hotmail.com>
Subject: Re: [fw-wiz] DNS Names for external services
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <COL109-W53AFEF5DCD8EBD1B233A27A5110@phx.gbl>
Content-Type: text/plain; charset="iso-8859-1"


DNS entries really don't matter much when it comes to security. A port scan will reveal the ports you have open to the Internet, and unless you changed them from the standard ports, a good guess is that if 47,1723 (ptpp), 115 (l2tp), 500,4500,10000 (IPSEC) are open you are running the associated protocols. However, if I were attacking you, I would look for something easier to attack than VPN anyway, like an IIS vulnerability on port 80.

If I were to attack you via DNS I would much rather try to poison your DNS cache and send your users to a web page of my design and hopefully gain access through an I.E. vulnerability, get the user to download my Trojan, etc.

> From: jbehm@burnsmcd.com
> To: firewall-wizards@listserv.icsalabs.com
> Date: Tue, 13 Apr 2010 11:16:06 -0500
> Subject: [fw-wiz] DNS Names for external services
>
> Just curious, what are your opinions of the security vs. ease of use trade-offs on putting DNS entries in (vs. making people know/use an IP address) for services you expose to the Internet.
>
> For example,
>
> webmail.companynamehere.com for your webmail service
>
> www.companynamehere.com for your web site
>
> The two above are typically common and don't cause me much concern. What about this next one?
>
> vpn.companynamehere.com for your employees to access your company's VPN server
>
> It's this last one that really begs the question. Should I just as well use the name "attackmehere.companynamehere.com" rather than vpn.companynamehere.com? I searched around on the Internet, but couldn't really find pros and cons...
>
> Just looking for opinions. There are no "right" answers ;-)
>
> Jeff

------------------------------

Message: 7
Date: Wed, 14 Apr 2010 12:58:32 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewall best practices
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4BC60248.508@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Anton Chuvakin wrote:
> Marcus, please come out of hibernation and rant!!!

#include <mjr/theusual.h>

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com


------------------------------

Message: 8
Date: Wed, 14 Apr 2010 12:57:06 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] DNS Names for external services
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4BC601F2.50202@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

> Just curious, what are your opinions of the security vs. ease of use
> trade-offs on putting DNS entries in (vs. making people know/use an
> IP address) for services you expose to the Internet.

I guess the question is "what are you trying to accomplish?"
If the premise is that it'll slow down a skilled attacker, I
think it's false, because once a penetration has been
accomplished you can map a network using netstat and tcpdump,
and DNS names won't really make any difference in that
process.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 48, Issue 3
***********************************************
