Re: mitigating the lack of a firewall

From: Malcolm Holser (mholserat_private)
Date: Wed Feb 16 2000 - 14:11:46 PST


    ...and DoS attacks are harder to stop than "normal" firewall sort
    of stuff, as you must distinguish between legitimate requests and
    spurious ones.  It might not be possible to have an open door to
    the public and not be susceptible to DoS "flood" attacks, even on
    an otherwise very secure site.  To protect against flood DoS, you 
    have to be able to ignore the bogus requests, generally by recognizing
    a signature in it.  This latest flood was not able to be blocked
    by looking at the source address, as the floods came from good
    sites, although I think this one was blockable by looking at the 
    contents of the packets (I think they may have been ICMP packets
    in the recent case).
    
    If this is all correct, you might answer the second part of the
    original post, and say something about the differences in security
    needs between "unauthorized access" and DoS.
    
    Malcolm Holser
    Adobe Systems, Inc.
    
    > On Sat, 12 Feb 2000, Bruce H. Nearon wrote:
    > 
    > > Suppose an Internet site does not have a firewall.  Can a securely
    > > configured IIS 4.0 server running under securely configured NT 4.0
    > > protect the site from unauthorized access and denial of service attacks?
    > > 
    > 
    > What do you mean "site"?
    > 
    > If you're talking about a bunch of machines, certainly not.  Not without
    > making the NT machine something that constitutes a firewall.
    > 
    > Assuming you're talking about a web "site", then yes, depending on your
    > requirements.  If the web server software is as locked down as it can be,
    > then a firewall doesn't matter.  I know of no firewall that can stop new
    > unknown attacks against web servers, if you're allowing web access.
    > 
    > The "depends" part has to do with how you administer the server.  If
    > you're willing to walk media up to the console of the NT box to update
    > content, then you can rip out the workstation and server services, and
    > feel pretty good.  If you're going to try to use an MS filesharing, RPC,
    > DB access, etc...  then, IMNSHO, you better have a firewall.
    > 
    > 					Ryan
    > 
    > 
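The point made above, that a flood from otherwise good sites cannot be stopped by looking at source addresses but can be by looking at packet contents, as an added Python example that is not part of the original thread. It assumes the flood consists of unsolicited ICMP echo replies (the post says only "ICMP packets"), and all addresses and traffic are constructed.

```python
"""Source-address versus content-signature filtering of an ICMP flood.

Added example on constructed traffic. Each event is (direction, address,
proto, icmp_type, legit); `legit` is ground truth for the sample only and
is hidden from both filters.
"""

ECHO_REQUEST, ECHO_REPLY = 8, 0
DENYLIST = {"203.0.113.66"}  # constructed: a hostile host that sends nothing here

# Constructed traffic in arrival order: one ping we sent and its reply, one
# web hit, then a flood of unsolicited echo replies from reputable hosts.
EVENTS = [
    ("out", "198.51.100.7", "icmp", ECHO_REQUEST, True),
    ("in", "198.51.100.7", "icmp", ECHO_REPLY, True),
    ("in", "192.0.2.10", "tcp", None, True),
] + [
    ("in", src, "icmp", ECHO_REPLY, False)
    for src in ("192.0.2.21", "192.0.2.22", "192.0.2.23")
    for _ in range(4)
]

def drop_by_source(events, denylist=DENYLIST):
    """Source-address rule: drop inbound packets from denylisted hosts."""
    return [e for e in events if e[0] == "in" and e[1] in denylist]

def drop_by_signature(events):
    """Content rule: an inbound echo reply is bogus unless an echo request
    to that host is outstanding; each reply consumes one request."""
    pending, dropped = {}, []
    for event in events:
        direction, addr, proto, icmp_type, _legit = event
        if proto != "icmp":
            continue
        if direction == "out" and icmp_type == ECHO_REQUEST:
            pending[addr] = pending.get(addr, 0) + 1
        elif direction == "in" and icmp_type == ECHO_REPLY:
            if pending.get(addr, 0) > 0:
                pending[addr] -= 1
            else:
                dropped.append(event)
    return dropped

def evaluate(events=EVENTS):
    """Return (flood_size, caught_by_source, caught_by_signature, false_positives)."""
    flood = sum(1 for e in events if e[0] == "in" and not e[4])
    by_src, by_sig = drop_by_source(events), drop_by_signature(events)
    return flood, len(by_src), len(by_sig), sum(1 for e in by_sig if e[4])
```

On this sample the source rule drops nothing and the content rule drops all twelve flood packets while passing the genuine reply and the web request.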
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:04:19 PDT