Re: my isp is being told *i* am broadcasting spam?

On Sun, Apr 21, 2002 at 02:11:05AM -0400, Shawn McMahon wrote:
> A DMZ is still behind the firewall.  A DMZ is its own little isolated
> corner where all traffic to the Internet goes through the firewall, and
> all traffic to the LAN goes through the firewall.  That way, if the
> server is cracked, it still can't get to anything except on the ports
> that are "trusted".

I just don't see how that gets you anything at all if only the "trusted"
ports have any services listening on them.  I have seen personally a
WinNT box, behind a firewall, with only port 80 visible to the world get
cracked.  Not only was it cracked, but it was then used as a launch pad
for an attack on another box that was also in the DMZ.  All that was
with only port 80 open.

Besides that, this has strayed very far from the statement that
originally started the conversation.  The original claim by David Smead
was that putting a host on the network is a recipe for certain disaster,
which I claim is utter nonsense.

Basically, my approach is to assume that all ports on all hosts are
visible to the world.  To me, this is a fundamental fact of networking.
With this in mind, construct a secure network infrastructure.  It can
certainly be done; I live in that world every day and have never felt a
desire to have a firewall in front of my network.

I realize there are other philosophies on network security, I just
happen to disagree with them.  8^)
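As an added illustration, not part of the thread, here is a small model of the three-zone policy Shawn describes (Internet, DMZ, LAN with a few "trusted" ports between zones) that computes what each zone, or a cracked DMZ host, can reach. Every zone name, host, port and rule is a constructed assumption for the example.

```python
# Added example: model a three-zone firewall policy and compute exposure.
# All hosts, ports and rules below are constructed for illustration.
from collections import namedtuple

Rule = namedtuple("Rule", "src_zone dst_zone dport")

# Constructed policy: Internet reaches the DMZ only on 80; the DMZ reaches the
# LAN only on the "trusted" database port; the LAN may administer DMZ hosts on 22.
POLICY = [
    Rule("internet", "dmz", 80),
    Rule("dmz", "lan", 5432),
    Rule("lan", "dmz", 22),
    Rule("lan", "internet", 443),
]

# Constructed inventory of listening services: host -> (zone, {port: service})
HOSTS = {
    "www1": ("dmz", {80: "httpd", 22: "sshd", 3389: "rdp"}),
    "www2": ("dmz", {80: "httpd", 22: "sshd"}),
    "db1": ("lan", {5432: "postgres", 22: "sshd"}),
    "ws1": ("lan", {445: "smb"}),
}


def allowed(src_zone, dst_zone, dport):
    """True if the firewall lets traffic from src_zone reach dst_zone:dport.
    Traffic that stays inside one zone never crosses the firewall."""
    if src_zone == dst_zone:
        return True
    return any(r == Rule(src_zone, dst_zone, dport) for r in POLICY)


def exposure(src_zone, exclude=None):
    """Sorted (host, port, service) tuples reachable from src_zone.
    Pass exclude=<host> to ask what a cracked host in that zone can reach."""
    seen = set()
    for host, (zone, services) in HOSTS.items():
        if host == exclude:
            continue
        for port, svc in services.items():
            if allowed(src_zone, zone, port):
                seen.add((host, port, svc))
    return sorted(seen)


if __name__ == "__main__":
    print("Internet can reach:", exposure("internet"))
    print("A cracked www1 can reach:", exposure("dmz", exclude="www1"))
```

The second line of output shows the point both sides are making: the firewall limits the cracked server to the one trusted LAN port, but every port on the other DMZ host is fair game because intra-zone traffic is never filtered, so those hosts must be hardened as if fully exposed.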
