RE: [logs] Re: Reliably detecting things like the SQL worm....

From: Rainer Gerhards (rgerhardsat_private)
Date: Tue Jan 28 2003 - 12:18:47 PST

  • Next message: Ogle Ron (Rennes): "RE: [logs] Re: Reliably detecting things like the SQL worm.... (p rotection for those "other" networks)"

    > Architecturally, I would contend that the ideal design of a 
    > network that connects to the Internet will not have random 
    > individual hosts making DNS requests to a public server on 
    > the opposide side of a firewall.  DNS requests should go 
    > through one's own forwarder/proxy/local DNS server/whatever 
    > so that only one or a limited number of entities are sending 
    > queries thru a firewall to the public Internet.
    > Those hosts allowed to make such queries should be limited in 
    > function to just that function, if possible.  We know 
    > historically that the code for many common DNS servers has 
    > had their share of security bugs, so said hosts should 
    > themselves be firewalled off, down to just the connections + 
    > directions required.  Again, might not be possible, but in 
    > any case said host should not be running services like SQL 
    > Server which have high bug potential and tend to be used for 
    > end-user data handling, and don't typically need connectivity 
    > to the public world.  It just doesn't make sense to put an 
    > app like that on the same system as a DNS server/proxy/whatever.
    I fully agree and this might be an additional cause of the problem. Look
    at Microsofts Small Business Server package - it is exactly promoting
    this. Put everthing on a single machine (even the firewall, I think ;))
    and be happy with it... 
    Rainer Gerhards
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Tue Jan 28 2003 - 12:26:27 PST