Wednesday, April 14, 2010

firewall-wizards Digest, Vol 48, Issue 1

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. DNS Names for external services (Behm, Jeff)
2. Re: Blocking Teamviewer (John Morrison)
3. Re: Firewall best practices (R. DuFresne)
4. Re: Blocking Teamviewer (Flemming Laugaard)
5. Re: DNS Names for external services (Paul D. Robertson)
6. Re: DNS Names for external services (Paul Melson)
7. Re: Firewall best practices (Anton Chuvakin)
8. Re: DNS Names for external services (Carson Gaspar)


----------------------------------------------------------------------

Message: 1
Date: Tue, 13 Apr 2010 11:16:06 -0500
From: "Behm, Jeff" <jbehm@burnsmcd.com>
Subject: [fw-wiz] DNS Names for external services
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<7F611EB6D6C2064883F59190F87FFD620BF721A18B@BMCDMAIL01.burnsmcd.com>
Content-Type: text/plain; charset="us-ascii"

Just curious, what are your opinions of the security vs. ease of use trade-offs on putting DNS entries in (vs. making people know/use an IP address) for services you expose to the Internet?

For example,

webmail.companynamehere.com for your webmail service

www.companynamehere.com for your web site

The two above are typically common and don't cause me much concern. What about this next one?

vpn.companynamehere.com for your employees to access your company's VPN server

It's this last one that really begs the question. Should I just as well use the name "attackmehere.companynamehere.com" rather than vpn.companynamehere.com? I searched around on the Internet, but couldn't really find pros and cons...

Just looking for opinions. There are no "right" answers ;-)

Jeff


------------------------------

Message: 2
Date: Tue, 30 Mar 2010 16:24:59 +0100
From: John Morrison <john.morrison101@googlemail.com>
Subject: Re: [fw-wiz] Blocking Teamviewer
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<fd3b86ff1003300824o643a0cbcwee64239d1c1902ff@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Siju,

You will require a firewall with deep packet inspection or a
signature-based IDS/IPS. TeamViewer uses ports 80 and 443 (http and
https), but does not use the http protocol. To block it you can either
block any non-http traffic on port 80 (and non-https on 443) or use a
firewall/IDS/IPS that has a signature for TeamViewer.

An example of the latter is CheckPoint. On their site they give
examples for various revisions of their product using the SmartDefense
feature. The TeamViewer product is a specific item you can select. For
VPN-1 NGX R65 & R62 it says:

1. In the SmartDefense tab, click Application Intelligence > Remote
Control Applications > TeamViewer.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: TeamViewer
Attack Information: TeamViewer application connection attempt [over
HTTP] detected


I don't know if you could use something like snort instead to analyse
the traffic, build a custom signature and then block all traffic that
matches the signature.


On 19 March 2010 18:35, Siju George <sgeorge.ml@gmail.com> wrote:
> Hi,
>
> How Do you block this Trojan ;-)
>
> http://www.teamviewer.com/solutions/remoteaccess.aspx
>
> Thanks
>
> --Siju


------------------------------

Message: 3
Date: Wed, 31 Mar 2010 21:31:48 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
Subject: Re: [fw-wiz] Firewall best practices
To: Andre Lima <andreflima@gmail.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <Pine.LNX.4.64.1003312130330.7117@darkstar.sysinfo.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

That is all good, but, the current trend tends to be for
established/related from the inside to be allowed, thus there can be
reasons to have blocks in place, to close off problematic ports even from
the inside.

Thanks,


Ron DuFresne


On Sun, 21 Mar 2010, Andre Lima wrote:

> Hi jas,
>
> Actually, it's not about the ports to block, but the ports to allow. That's
> assuming you're using a drop/deny all policy, which frankly you should.
> But even with the deny all policy, there should be a few basic packets you
> should drop:
> 1. (if you're using iptables) drop invalid state packets
> 2. make sure you restrict ICMP traffic and never allow echo requests to get in
> (avoiding smurf attacks) or any broadcast traffic for that matter.
> 3. don't allow IP packets with options to get in. these are usually used by
> hackers to make spoofed packets go back to them (ip header length must be 5!)
> 4. mitigate spoofing or LAND DoS attacks by denying inside traffic with
> source IP addresses from private networks (192.168.0.0/16, etc)
> 5. (this is usually default modern OS behaviour but) make sure you mitigate
> TCP syn flood attacks with (usually OS supported) TCP cookies.
> This should be the least the firewall should do.
>
>

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame. --Charlie Wilson
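The five items in Andre's quoted list, worked as an added example in Python (not code from the thread): a small parser applies the stateless checks to constructed IPv4 packets arriving on the external interface. The sample addresses are constructed, and reading item 4's "inside traffic" as traffic arriving from outside with an inside-looking source is an assumption.

```python
import struct
import ipaddress

# RFC 1918 ranges plus loopback: sources that must never arrive on the external interface.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def build_ipv4(src, dst, proto, payload=b"", options=b""):
    """Assemble a constructed IPv4 packet for testing (checksum left at zero)."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + options + payload

def ingress_verdict(pkt, our_addr):
    """Apply the list's per-packet checks to a packet arriving on the external interface.

    Item 1 (iptables INVALID state) needs connection tracking, which is not modelled
    here; a malformed header is the closest stateless analogue.  Item 5 (SYN cookies)
    is a kernel setting (net.ipv4.tcp_syncookies), not a per-packet decision.
    """
    if len(pkt) < 20:
        return ("DROP", "truncated header")
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = ver_ihl & 0x0F
    if ver_ihl >> 4 != 4 or ihl < 5 or total > len(pkt):
        return ("DROP", "malformed")
    if ihl != 5:                                    # item 3: header length must be 5
        return ("DROP", "ip options present")
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip == ipaddress.ip_address(our_addr):    # item 4: LAND-style spoof
        return ("DROP", "spoofed own address (LAND)")
    if any(src_ip in net for net in PRIVATE_NETS):  # item 4: private source from outside
        return ("DROP", "private source on external interface")
    if dst_ip == ipaddress.ip_address("255.255.255.255") or dst_ip.is_multicast:
        return ("DROP", "broadcast/multicast destination")       # item 2
    if proto == 1 and len(pkt) > ihl * 4 and pkt[ihl * 4] == 8:  # item 2: ICMP echo request
        return ("DROP", "icmp echo request")
    return ("ACCEPT", "passed baseline checks")
```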


------------------------------

Message: 4
Date: Fri, 26 Mar 2010 21:43:17 +0100
From: Flemming Laugaard <flemming@laugaard.dk>
Subject: Re: [fw-wiz] Blocking Teamviewer
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4BAD1C65.4030504@laugaard.dk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I found this IDS rule for detection:

# depth:12 limits the "DynGate" content match to the first 12 payload bytes
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DynGate TeamViewer";
flow:to_server,established; content:"DynGate"; depth:12;
pcre:"/din\.aspx\?s=/"; pcre:"/&client=DynGate&p=/"; sid:6661; rev:1;)

If you use Active Directory, you could block teamviewer.exe through a
Group policy.

--
Kind regards
Flemming Laugaard
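As an added example (not code from the thread, CheckPoint or Snort), the two approaches John describes in message 2 and the rule Flemming posted above, modelled in Python over constructed sample payloads: classify the first bytes of a port-80/443 stream as the protocol the port is supposed to carry, and evaluate each test of the posted rule separately so that a signature that never fires shows up before it is deployed. The sample payloads, including the HTTP form of the din.aspx request, are constructed assumptions.

```python
import re

# Constructed stream openings (client -> server); not captures from the thread.
SAMPLES = {
    "plain_http": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "tls_hello": b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32,
    "dyngate_http": b"GET /din.aspx?s=12345&client=DynGate&p=1 HTTP/1.1\r\nHost: example.net\r\n\r\n",
    "binary_on_80": b"\x17\x24\x0a\x00DynGate\x00\x00",
}

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n")
RULE_PCRE = (re.compile(rb"din\.aspx\?s="), re.compile(rb"&client=DynGate&p="))

def classify(port, payload):
    """Does the stream start like the protocol the port is supposed to carry?"""
    if port == 80:
        return "http" if HTTP_REQUEST_LINE.match(payload) else "non-http"
    if port == 443:
        # A TLS record starts with content type 0x16 (handshake) and version major 3.
        return "tls" if len(payload) >= 2 and payload[0] == 0x16 and payload[1] == 3 else "non-tls"
    return "other"

def rule_checks(payload):
    """Each test of the posted rule, evaluated separately so misses are visible."""
    return {
        "content_dyngate_depth12": b"DynGate" in payload[:12],  # content + depth:12
        "pcre_din_aspx": RULE_PCRE[0].search(payload) is not None,
        "pcre_client_dyngate": RULE_PCRE[1].search(payload) is not None,
    }

def verdict(port, payload):
    """Policy from the thread: drop non-HTTP on 80 / non-TLS on 443, or a full signature hit."""
    kind = classify(port, payload)
    if kind in ("non-http", "non-tls"):
        return "DROP:protocol-mismatch"
    if all(rule_checks(payload).values()):
        return "DROP:signature"
    return "ACCEPT"

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(80, data), rule_checks(data), verdict(80, data))
```

The per-test results show that a plain HTTP request carrying both URL strings never satisfies the depth-limited content test, so the rule as posted would not fire on that form of traffic, while the protocol-mismatch check catches the binary stream on port 80 regardless of signature.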

------------------------------

Message: 5
Date: Tue, 13 Apr 2010 15:19:09 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] DNS Names for external services
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.1004131516310.11865-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 13 Apr 2010, Behm, Jeff wrote:

> Just curious, what are your opinions of the security vs. ease of use trade-offs on putting DNS entries in (vs. making people know/use an IP address) for services you expose to the Internet?

I've said this for years, but it bears repeating: Obscurity reduces the
incidence of attack, not the success rate.

>
> For example,
>
> webmail.companynamehere.com for your webmail service
>
> www.companynamehere.com for your web site
>
> The two above are typically common and don't cause me much concern. What about this next one?
>
> vpn.companynamehere.com for your employees to access your company's VPN server
>
> It's this last one that really begs the question. Should I just as well use the name "attackmehere.companynamehere.com" rather than vpn.companynamehere.com? I searched around on the Internet, but couldn't really find pros and cons...
>
> Just looking for opinions. There are no "right" answers ;-)
>

What's a bigger burden, your support costs or your security costs? If
your VPN is attackable, because of weak userid-passwords or other flaws,
it'll be attacked sooner or later- if you've done your job, then flaws
won't be exploitable and the name doesn't matter- if you've done a poor
implementation or selection job, then all you're doing by hiding is
postponing the inevitable.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

------------------------------

Message: 6
Date: Tue, 13 Apr 2010 22:27:32 -0400
From: Paul Melson <pmelson@gmail.com>
Subject: Re: [fw-wiz] DNS Names for external services
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<q2k40ecb01f1004131927ra908e506h79db8c75ce3f9a75@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Tue, Apr 13, 2010 at 12:16 PM, Behm, Jeff <jbehm@burnsmcd.com> wrote:
> Just curious, what are your opinions of the security vs. ease of use trade-offs on putting DNS entries in (vs. making people
> know/use an IP address) for services you expose to the Internet?

You mean the security trade-off whereby we protect ourselves from
hackers that are too lazy to scan with nmap -sV but not too lazy to
use scandns? It's a ridiculous corner case that's not worth
accounting for.

On the other hand, using DNS names instead of IP addresses for
Internet-facing services makes them more easily portable. For some
services it can make load balancing and failover very simple and
cheap. If any of your use cases is helped by naming Internet
services, then do so. It's that simple.


> Just looking for opinions. There are no "right" answers ;-)

Yeah, I'm going to respectfully disagree with you there. :-)

PaulM


------------------------------

Message: 7
Date: Tue, 13 Apr 2010 12:51:19 -0700
From: Anton Chuvakin <anton@chuvakin.org>
Subject: Re: [fw-wiz] Firewall best practices
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<v2ub2591e2e1004131251odcdee44fh198af6150c2d51c4@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

All,

> This is easy.....
> Block List:             ALL
> Allow List:             Only what you need and can trust

Can somebody dig into the list archives and see how many times this
question was asked for the last...mmm...10 years? God, this is 2010,
why do people still ask for a list of "baddy ports to block?"

Marcus, please come out of hibernation and rant!!! Or - better - copy
your rant from..mmm...1992? :-)

--
Dr. Anton Chuvakin
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
LinkedIn: http://www.linkedin.com/in/chuvakin
Consulting: http://www.securitywarriorconsulting.com
Twitter: @anton_chuvakin
Google Voice: +1-510-771-7106


------------------------------

Message: 8
Date: Tue, 13 Apr 2010 12:39:44 -0700
From: Carson Gaspar <carson@taltos.org>
Subject: Re: [fw-wiz] DNS Names for external services
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4BC4C880.1090805@taltos.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Paul D. Robertson wrote:
> On Tue, 13 Apr 2010, Behm, Jeff wrote:

>> vpn.companynamehere.com for your employees to access your company's
>> VPN server
>>
>> It's this last one that really begs the question. Should I just as
>> well use the name "attackmehere.companynamehere.com" rather than
>> vpn.companynamehere.com? I searched around on the Internet, but
>> couldn't really find pros and cons...
>
> What's a bigger burden, your support costs or your security costs?
> If your VPN is attackable, because of weak userid-passwords or other
> flaws, it'll be attacked sooner or later- if you've done your job,
> then flaws won't be exploitable and the name doesn't matter- if
> you've done a poor implementation or selection job, then all you're
> doing by hiding is postponing the inevitable.

The cost trade-off I'd look at is the cost of user support at an
"obscure" name (probably very low if you configure things for them) vs.
the cost of incident monitoring. You'll probably have fewer ankle biters
hitting the obscure name. Depending on how much effort you spend
investigating failed intrusion attempts, that may or may not be enough
of a cost savings to make an obscure name worthwhile.

I agree that there is near zero security difference.

--
Carson

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 48, Issue 1
***********************************************