[LINK] Security: from a different direction
Adam Todd
link at todd.inoz.com
Tue Dec 14 19:22:13 EST 2004
At 17:56 14/12/2004 +1100, rchirgwin at ozemail.com.au wrote:
>Craig Sanders wrote:
>>On Tue, Dec 14, 2004 at 07:17:28AM +1100, rchirgwin at ozemail.com.au wrote:
>>>>>What happens to an unprotected machine on the Internet after 20
>>>>>minutes is of no relevance to a protected machine.
>>>>>
>>
>>wrong.
No, not true at all. Totally incorrect.
>>1. even "protected" machines can be brought down by a DDoS attack from
>>unprotected machines. or be unable to reach a site because that site (or
>>one of the routers in the path) is under DDoS attack.
If a router or interface before the protected machine is brought down due
to DoS attack, that does not mean the protected machine is affected.
Further, if you have a machine that can't go "Oh wow, that IP address or
range of IP addresses or series of packets from 1-500 IP addresses seems to
be unusual, so I'll block their inbound traffic and sit and wait" then you
need to reconsider your configuration and protocols.
My web server throttles users who exceed certain limits, either accesses
within a time period, or volume of download or number of pages or number of
minutes.
My Firewall blocks anything that hits more than 4 times with the same
packets on the same ports, or consecutive ports - especially as it KNOWS
that I have very FEW consecutive ports active and in no case do I have four
consecutive ports active.
That does NOT bring any of my protected machines "down" due to DoS.
My workstations continue to operate irrespective of the status of the
Internet and any bandwidth attacks.
>OK. Amendment: someone else's infection doesn't change MY security status.
>It changes my accessibility status.
Or your ability to access the Internet which is not as important as being
able to send a fax or write a letter or update your invoicing program.
If your machine was rebooting every 5 minutes due to inbound attacks, then
you have an insecure unprotected system. (It does happen with lots of
windows systems.)
>>2. there is no such thing as a "protected machine". there is only a machine
>>that is protected against the security holes you currently know about.
>That's equally true of all OSs.
Totally agree. I'd already said that.
>>>>>So here's the security setup I have; pick holes.
Is it worth it? What, as a hacker, will I gain accessing your
system? Other than possibly a spoof address for some relay or bouncing of
packets, but then I have to go to the inordinate effort of cleaning logs
and ensuring I'm not being monitored on a promiscuous interface. Not to
mention that many Unix systems are "personalised" and have different
configurations and software on them.
I'd rather go for a Windows machine that has none of these concepts and lots of
easy to crack holes that take no more effort than a script. Few have
personalisation of paths and applications and most are common.
>>yes, it's a very good security setup. it's probably proof against most
>>known attacks and many currently-unknown ones too.
>>
>>now wait until there's a new worm or virus that can only be fixed with
>>Service Pack 10 from Microsoft. and SP10, like SP2 breaks some existing
>>applications....strangely, it only breaks mozilla firefox and
>>thunderbird. you will have a choice between closing the hole or running
>>mozilla (until the mozilla people work around it, of course).
I'd suspect the mozilla people will have a fix within a short period of
time, far less time than the inconvenience of waiting for a Service Pack
from Microsoft.
>I would only plead that in 17 years of owning computers, I have not
>suffered a virus attack.
Have to agree there too.
A few trojans of recent days, but only one was active; the rest were
dysfunctional due to system configuration, security and structure.
The good thing is, nothing got out. No permitted path.
>>>>Don't forget that _if_ you get compromised the virus will have its own
>>>>email server so won't need T'bird.
>>>However, the virus/worm's mail server won't be allowed to use (say) Port
>>>125, because that's only permitted to T'bird.
>>>
>>
>>unless the virus checks for and disables ZoneAlarm or reconfigures it for
>>wide-open access. many already check for and disable common anti-virus
>>programs. if there aren't any that also disable personal firewall
>>software yet, then it's only a matter of time.
But none check for port and IP routing paths and redirectors to work their
way through a DMZ to the border and out.
Plus, only one server is allowed SMTP on my network, and that's my outbound
SMTP server which is NOT my inbound SMTP server.
So good luck!
They can't even do an IRC connection because it's only allowed to internal
IRC servers.
>But you have to fail the IQ test to activate the virus. Here, I'm not
>talking about Joe Sixpack, who regularly fails the test. I'm saying that
>if I can secure Windows, then "it can be done".
Again I agree with this statement.
>>BTW, to make it worse, some *games* of all things will only run if you are
>>logged in as (or have the same privs as) Administrator. this encourages
>>users to just run as Administrator so that they can be sure they can run the
I don't run or install any games :)
>I entirely agree. To make any application dependent on (a) admin privilege
>and (b) unrestricted paths across the firewall is stupid. Culpable. It's
>deliberate bad behaviour on the part of the writer. Fortunately, there are
>things I can live without.
Me too :)
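The firewall rule described earlier in this message (drop a source after it hits the same port more than four times, or probes a run of consecutive ports) expressed as detection logic over log lines, as an added example that is not the poster's own configuration; the netfilter-style log format, the sample lines and the threshold value are assumptions made here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a netfilter-style format (not from the original post):
# one source hammers TCP/22 five times, one walks TCP/80-83, one is a normal visitor.
SAMPLE_LOG = """fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80
fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=81
fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=82
fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=83
fw kernel: IN=eth0 SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP DPT=80"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")


def parse_events(log):
    """Extract (src, proto, dport) tuples from netfilter-style log lines."""
    return [(m["src"], m["proto"], int(m["dpt"]))
            for m in map(LINE_RE.search, log.splitlines()) if m]


def longest_consecutive_run(ports):
    """Length of the longest run of consecutive port numbers in the set."""
    best = 0
    for p in ports:
        if p - 1 in ports:  # not the start of a run, skip
            continue
        n = 1
        while p + n in ports:
            n += 1
        best = max(best, n)
    return best


def sources_to_block(events, threshold=4):
    """Map each offending source to the reason it would be blocked (assumed rule)."""
    per_port = Counter()
    ports_by_src = defaultdict(set)
    for src, proto, dport in events:
        per_port[(src, proto, dport)] += 1
        ports_by_src[(src, proto)].add(dport)
    verdict = {}
    for (src, proto, dport), n in per_port.items():
        if n > threshold:  # "more than 4 times ... on the same ports"
            verdict[src] = f"{n} hits on {proto}/{dport}"
    for (src, proto), ports in ports_by_src.items():
        run = longest_consecutive_run(ports)
        if run >= threshold and src not in verdict:  # consecutive-port probe
            verdict[src] = f"{run} consecutive {proto} ports"
    return verdict
```

Running `sources_to_block(parse_events(SAMPLE_LOG))` flags the two probing sources and leaves the single-request visitor alone; the threshold is the only knob to tune for a host with more adjacent services open.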