
Re: My machine was hacked - possibly via sshd?



On Mon, 28 Mar 2005, Noah Meyerhans wrote:

> It should be noted that it is entirely possible, even on today's
> internet, to run a large network completely exposed to the internet.  It
> always makes me sad when I hear people talking as though you simply
> *must* have a firewall, or else you're endangering yourself, your users,

I would say this is true up to a point but it does have some caveats:

- It presumes an admin is diligently keeping up to date with patches.  In 
  a perfect world this would always be true.

- It presumes the vendor(s) are providing patches in a timely manner.

- It presumes that no misconfigurations exist.  Plenty of 
  misconfigurations occur when they should not and the firewall may be the 
  only thing that stops an intrusion in this case.

- It tends to violate the principle of "Security in depth".  Stay fully 
  patched and have a firewall (and IDS) as well.

- It ignores the advantages of rate limiting capabilities built into many 
  firewalls (such as iptables).

- It ignores the fact that being able to probe a network may be useful for 
  a future attack.

I do agree that admins should always consider why they are doing 
something, like putting in a firewall, rather than just blindly doing it.

> and the internet community as a whole.  You can run with "default allow"
> policy, and do it safely.  Firewalls cause two major problems.  First of
> all, they lead to a false sense of security.  They create a "soft

IMHO user/admin education is the key here.

> underbelly" with a hard shell.  If you can get through the shell, who

I do agree.  Internal firewalls may be needed, or other measures.  I won't 
go into this topic, as it is quite open ended.

> due to strict firewall policies.  These users, or the developers of

The work of a modern admin is very much a balance between functionality 
and security.

> their software, invariably will find some way to get their traffic
> through.  Witness all the stuff that gets tunneled over HTTP or ssh

Yep, that annoys me, and I do recognise the core problem.  Very often they 
are just trying to do their job when they tunnel data like that too. 
Wonderful isn't it.

IMHO it comes down to intelligently assessing the needs of the 
organisation.  Too few admins are doing that today (IMHO).

Cheers,
	Rob

-- 
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Phone: 416-669-3073 Email: rbrockway@opentrend.net http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest (http://www.spi-inc.org)
