Sun Microsystems Solaris hole opening way for hackers

CNet News.com ^ | January 15, 2002, 5:30 p.m. PT | Robert Lemos

[Bush2000]

1. Any kind of firewall will protect you from all hacks.

I didn't say all hacks. You did. Neither are your precious Linux boxes invulnerable to all attacks. What I said was that you're welcome to try. But be prepared to be frustrated.

2. Any kind of firewall is itself completely secure.

I didn't say that, either.

3. Any kind of firewall stops virus or worm-bearing email.

Well, seeing as I don't even open that port, that's not even an issue.

4. Any kind of firewall will stop a man-in-the-middle attack against your data session.

That's a moot point. Nobody can prevent that kind of attack.

[Knitebane]

But be prepared to be frustrated.

And the average script kiddly likely will be frustrated. It's not like your running Windows on it.

Well, seeing as I don't even open that port, that's not even an issue.

Gee, your online life must be very dull if you don't ever use email. In case you hadn't been keeping up with world events, most people who got ILOVEYOU didn't have that port open either. A firewall also won't stop a rogue website from trying to execute dangerous code on your computer. I think that I can safely presume that you visit websites, no?

For what it's worth, I don't use Linux for a firewall. I use OpenBSD. And for the past four years, it has indeed been invulnerable to attacks.

I also secure all of my externally accessible boxen, turn off all uneccesary services, use and monitor an intrusion detection system, keep off-line backups of all of my configurations and logs, and do regular audits to ensure that no one has snuck in without me knowing about it. I refer you to my previous post about the difference between feeling secure because you have X and Y ports closed and actually being secure because you treat security as an ongoing process.

You still haven't answered the question as to why you aren't using your vaunted, "most secure Windows ever," Windows XP as your firewall.

And now we not only wonder about that, we wonder about why you won't answer the question as well.

[Bush2000]

Gee, your online life must be very dull if you don't ever use email. In case you hadn't been keeping up with world events, most people who got ILOVEYOU didn't have that port open either.

I don't allow my servers to host or retrieve POP/SMTP email -- only Web mail.

A firewall also won't stop a rogue website from trying to execute dangerous code on your computer. I think that I can safely presume that you visit websites, no?

Besides using packet filtering, I've written a number of custom ISAPI filters to deal with incoming port 80 requests (the only outward facing port). I sniff HTTP content and throw away dangerous stuff.

For what it's worth, I don't use Linux for a firewall. I use OpenBSD. And for the past four years, it has indeed been invulnerable to attacks.

I've heard good things about OpenBSD.

I also secure all of my externally accessible boxen, turn off all uneccesary services, use and monitor an intrusion detection system, keep off-line backups of all of my configurations and logs, and do regular audits to ensure that no one has snuck in without me knowing about it. I refer you to my previous post about the difference between feeling secure because you have X and Y ports closed and actually being secure because you treat security as an ongoing process.

Those are all good things. But there's no need to be testy. I do take security seriously. And I'm paranoid about it.

You still haven't answered the question as to why you aren't using your vaunted, "most secure Windows ever," Windows XP as your firewall.

First, XP Server hasn't been released. Second, even if it were, I haven't had time to evaluate it.

[Knitebane]

As long as you only use web mail and you can entirely trust the webmail servers that you access, you should be ok. But the part about throwing away dangerous HTTP traffic is naive. New attacks come out daily. You'll spend half your life making filters. And how, exactly, do you filter HTTPS traffic? How about DNS?

The blatant inability of content filters to keep up with "inappropriate" sites show that that path is a dead end. It's much better to stop using web browsers, email clients and operating systems that have repeatedly shown to be untrustworthy, default to doing dangerous things and can't be fixed by the end user or purchasing company.

I'm not picking on you in particular. Your attitude (and many other people) toward security is what keeps my paychecks rolling in.

I get regular calls from people who have been hacked needing someone to help them clean up the mess. Invariably they demand to know how they can be hacked when they've bought $30,000 worth of firewall. They point out the fact that only absolutely necessary traffic is allowed in.

I just shrug. They probably didn't consider that the really good hackers know that certain services like HTTP and DNS are necessary. And they plan their attacks accordingly.

They refuse to encrypt their B2B connections because of the cost, they allow users inside to use telnet and allow them to contact webmail servers over HTTP instead of HTTPS. They refuse to set up internal DNS servers that can't be hijacked. And it ends up costing them.

When I give preventative advice, it is almost never followed. I make sure to list the possible dangers of not implementing my advice.

When they get the bill for my clean-up services I gently point out that it would have been a lot cheaper to secure themselves than clean up the mess. And then I get paid again when I secure their network.

And then when I come back six months later and no one has been even looking at the log files, I point it out, go home and wait for them to get hacked again.

Microsoft has recently announced that they are going to take security seriously. No, really. They mean it this time. *snicker*

I sure hope not. I need the business.

Knitebane