RE: [FW1] Code Red: What security specialist don't mention in warnings

I do not agree.

      A correctly configured firewall is as compromisable as a router.

      Dropping outbound connections from your servers in your firewall is
      enough.

      Raul




"McCammon, Keith" <[email protected]>@lists.us.checkpoint.com
on 02/08/2001 15:19:55

      Sent by: [email protected]

      From:     "McCammon, Keith" <[email protected]>@lists.us.checkpoint.com
      Date:     02/08/2001 15:19
      Subject:  RE: [FW1] Code Red: What security specialist don't mention in warnings

      Actually, to add to this discussion...

      With the exception of servers providing UDP-based services, any outbound
      connection that is not established should be dropped at the router level.
      This includes the relevant IPs bound to your firewall, which is still a
      host, and could still be compromised.

      ! only reply traffic from the server's own service ports passes;
      ! anything else (a new outbound connection) falls to the implicit deny
      access-list 113 permit tcp host X.X.X.X eq 80 any established
      access-list 113 permit tcp host X.X.X.X eq 443 any established

      Better still:

      ! CBAC stateful inspection of TCP, 360-second idle timeout
      ip inspect name watch_tcp tcp 360
      ! entered under the relevant interface (interface configuration mode)
      ip inspect watch_tcp in

      Keith

      >-----Original Message-----
      >From: Avishai Wool [mailto:[email protected]]
      >Sent: Tuesday, July 31, 2001 10:58 PM
      >To: Frank Knobbe
      >Cc: [email protected]
      >Subject: Re: [FW1] Code Red: What security specialist don't mention in
      >warnings
      >
      >Frank,
      >
      >> Web servers should only respond to incoming web requests.
      >> Web servers do not need to establish connections to the Internet.
      >> So if a web server is behind a stateful firewall, and the firewall
      >> rules allow incoming web requests to the web server, but deny
      >> outgoing connections from the web server to the Internet, then the
      >> Code Red worm can be contained.
      >
      >This is absolutely right on. Furthermore, assuming that the
      >web server is in a DMZ, the firewall rules should also block
      >http access originating from the web server to any internal machine;
      >that will block the worm from infecting any internal web servers.
      >
      >I would recommend that a web server:
      >(*) should be in a DMZ (off a separate interface on the firewall),
      >(*) should not be allowed to initiate ANY traffic to ANYWHERE
      >   (except maybe ping for troubleshooting)
      >This should not affect its ability to serve pages, will help contain
      >the Code Red worm, and will help protect your net.
      >And this stance holds even if you are using
      >a non-Microsoft web server: you may be vulnerable to the next worm or
      >hack that shows up.
      >
      >Avishai
      >
      >
      >=====
      >Avishai Wool, Ph.D.,  Chief Scientist & Co-Founder, Lumeta Corp.
      >220 Davidson Ave, 4th Floor, Somerset, NJ 08873, USA
      >Email: [email protected]        Web: http://research.lumeta.com/yash/
      >Phone:   Cell:   Fax:
      >    ** Want to audit or debug your firewall's policy? **
      >Lumeta Firewall Analyzer: http://www.lumeta.com/firewall.html
      >
      >================================================================================
      >     To unsubscribe from this mailing list, please see the instructions at
      >               http://www.checkpoint.com/services/mailing.html
      >================================================================================
      >



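As an added illustration (not code from any post in the thread), here is a small Python evaluator for the two `established` access-list lines Keith quotes, applying IOS semantics (the keyword matches only TCP segments with ACK or RST set, and an access list ends in an implicit deny). The web-server address stands in for his X.X.X.X and every packet is constructed sample data.

```python
"""Added example, not code from the thread: the two 'established' access-list
lines Keith posted under IOS semantics (ACK or RST set matches; anything else
falls to the implicit deny). WEB_SERVER and all packets are constructed."""
from dataclasses import dataclass

WEB_SERVER = "192.0.2.10"   # constructed stand-in for X.X.X.X
ACL_TEXT = (f"access-list 113 permit tcp host {WEB_SERVER} eq 80 any established\n"
            f"access-list 113 permit tcp host {WEB_SERVER} eq 443 any established")

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"}

def parse_acl(text):
    """Parse 'access-list N permit tcp host A eq P any [established]' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if (t[0], t[3], t[4], t[6], t[8]) != ("access-list", "tcp", "host", "eq", "any"):
            raise ValueError("unsupported ACL form: " + line)
        entries.append({"action": t[2], "src": t[5], "sport": int(t[7]),
                        "established": "established" in t[9:]})
    return entries

def evaluate(entries, pkt):
    for e in entries:   # first matching entry wins
        hit = pkt.proto == "tcp" and pkt.src == e["src"] and pkt.sport == e["sport"]
        if hit and (not e["established"] or pkt.flags & {"ACK", "RST"}):
            return e["action"]   # a bare SYN (new outbound connection) never matches
    return "deny"               # implicit deny at the end of every IOS access list

def sample_verdicts():
    """Verdicts for constructed packets leaving the web server."""
    acl = parse_acl(ACL_TEXT)
    pkts = {  # reply to an inbound request: permitted
        "http_reply": Packet("tcp", WEB_SERVER, 80, "198.51.100.7", 54321, frozenset({"ACK", "PSH"})),
        # worm opening port 80 on another host: implicit deny
        "worm_syn": Packet("tcp", WEB_SERVER, 3412, "198.51.100.9", 80, frozenset({"SYN"})),
        # UDP carries no ACK/RST, so a UDP service needs its own entry
        "dns_udp": Packet("udp", WEB_SERVER, 53, "198.51.100.9", 53),
        # stateless gap: an ACK-only segment from port 80 passes; CBAC closes it
        "ack_from_80": Packet("tcp", WEB_SERVER, 80, "198.51.100.9", 80, frozenset({"ACK"})),
    }
    return {name: evaluate(acl, p) for name, p in pkts.items()}
```

The last sample is why Keith adds "better still": `established` inspects flag bits only, whereas the `ip inspect` (CBAC) lines track actual connection state.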