A firewall won't stop this one

Discussion in 'Computer Security' started by NetUser, Nov 1, 2003.

  1. True. But restricting access only to systems that require access is
    better than leaving it open to all systems, correct?

    No argument there, but a system with Tiny restricting access to mem,
    disk, and processes is more secure than a system without any
    restrictions to mem, disk, and processes.

    How familiar are you with Tiny?

    Yeah, I wasn't thinking of making the designs open but was stuck on
    thinking about the finished product.

    By restricting access to the NFS server. If my file server and a
    secretary's system are on the same net and he/she should not have access
    to the file server, there is no need to allow her machine to even see the
    open ports.

    The port restriction changes it. Take this example: two systems on the
    same hub, one is the NFS server and one is a general box that does not
    need access to that NFS server. Portmapper has a new exploit and the
    NFS box has not yet been patched. In your model, if I'm in control of
    that system that doesn't need access, because it can access that NFS
    port I can compromise the NFS server from that box. In my design, I
    don't allow that box to even see the open NFS ports, so you cannot
    compromise the NFS server from that box. That is more secure than your
    design.

    My point is not unwanted services; my point is wanted services, but not
    wanting every single host on that network segment to have access to
    those wanted services. It's another layer of security and it is better
    than without it for the example I gave above. I'm not arguing that it
    is the end-all of security, nor even that it is totally 100% secure,
    just that it is a level of access control that does not exist without
    that port filtering, and as such it's better to restrict running services
    only to machines that need it than to leave it open to every unsecured
    machine on the Net.

    /steve
     
    Stephen K. Gielda, Nov 7, 2003
    #61

  2. Volker Birk Guest

    Every NFS server I have seen has that feature. You do not need filtering
    software for that.

    But authentication by network address is a very bad idea in any case.
    Spoofing is very easy.

    I cannot see how Tiny restricts that - I can only see snake oil.
    Can you help?

    Not very. Could you help? But I'm familiar with shatter attacks ;-)

    How does Tiny help against shatter attacks? Does it change the code
    for handling WM_TIMER and all the other messages with callbacks?
    Does it change the scheduler code and memory management code in the
    kernel for controlling processes and memory? How does it do that?

    By testing what? Hint: NFS servers check IP addresses already.

    You mean close the ports for her, or what do you mean by "see the
    open ports"?

    I do not understand what you mean by "cannot see". Do you mean
    that when I scan the NFS server and find the NFS port closed, I
    perhaps will not try to attack the NFS service on that machine because
    I don't know whether there is one for other machines?

    But if I'm the attacker, sorry, I will of course sniff all traffic on
    that hub. And I will detect NFS traffic, and also which machines that
    traffic is for, and that will be my method to open that box.

    Why port scan if you can sniff all traffic?

    OK, for services which do not have those features, host-based filtering
    can be a good idea, as I stated already. But then it is better to use
    filtering in your kernel (for Windows: "IPsec"), and better to forget
    "Personal Firewall" software. I cannot see any reason why I should use it.

    VB.
     
    Volker Birk, Nov 7, 2003
    #62
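The two layers the two posts above argue about, as an added example that is not code from either poster: the NFS server's own per-host check in /etc/exports (the point that NFS servers check IP addresses already) and a kernel packet filter that keeps portmapper and nfsd unreachable from hosts that do not need them (the "cannot even see the open ports" design). It assumes Linux with iptables, the standard ports 111 and 2049, and constructed addresses; both layers key on the source IP address, which is why the spoofing objection above applies to both.

```shell
#!/bin/sh
# Added example, not from the thread. Two layers in front of an NFS export:
#   layer 1: the NFS server's own per-host check (an /etc/exports line);
#   layer 2: a kernel packet filter so portmapper (111) and nfsd (2049) are
#            unreachable from every host except the listed clients, so a box
#            that does not need NFS cannot complete a connection to them even
#            while the service itself is unpatched.
# Both layers key on the source IP address, so spoofing defeats both alike.
# Assumptions: Linux with iptables, the standard ports, constructed addresses.
# DRY_RUN=1 (the default) prints the commands instead of running them.

EXPORT_DIR=/srv/nfs/share              # constructed export path
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Layer 1: build the exports line listing only the permitted clients.
exports_line() {
    line="$EXPORT_DIR"
    for host in "$@"; do
        line="$line $host(rw,sync,root_squash)"
    done
    echo "$line"
}

# Layer 2: accept 111/2049 only from the listed clients, then drop those
# ports for everyone else (TCP and UDP, since portmapper and NFS use both).
nfs_filter_rules() {
    for host in "$@"; do
        for proto in tcp udp; do
            run iptables -A INPUT -p "$proto" -s "$host" \
                -m multiport --dports 111,2049 -j ACCEPT
        done
    done
    for proto in tcp udp; do
        run iptables -A INPUT -p "$proto" -m multiport --dports 111,2049 -j DROP
    done
}

# Constructed allow list: the two hosts that actually need the share.
ALLOWED="192.168.1.10 192.168.1.11"
exports_line $ALLOWED          # layer 1: the /etc/exports entry
nfs_filter_rules $ALLOWED      # layer 2: the iptables rules
```

Run with DRY_RUN=0 as root to apply the filter rules for real; the exports line is only printed and must still be placed in /etc/exports by hand.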

  3. This is exactly what I've been saying; if you agree, then why the hell
    are you arguing it? It adds a layer of security that did not exist
    without it. Argue away again, claim it's less secure with it than
    without it again, circle around again; I'm done.

    /steve
     
    Stephen K. Gielda, Nov 7, 2003
    #63
  4. Volker Birk Guest

    I did not argue that point.

    VB.
     
    Volker Birk, Nov 7, 2003
    #64
  5. Volker Birk Guest

    BTW: I stated that in <bofq5n$l13$01$-online.com> already.

    VB.
     
    Volker Birk, Nov 7, 2003
    #65