NFR Wizards Archive: Re: Firewall RISKS

Re: Firewall RISKS


Andrew Gilbert (agilbert@axent.com)
Thu, 3 Jun 1999 11:45:07 -0400


Let's outlaw brakes in cars and any type of device, application or policy
which limits access in any way to computer systems connected to public
networks.

What a cool place that would be....

-----Original Message-----
From: Robert Graham <robert_david_graham@yahoo.com>
To: firewall-wizards@nfr.net <firewall-wizards@nfr.net>
Date: Thursday, June 03, 1999 10:19 AM
Subject: Firewall RISKS

>I just posted this e-mail to the RISKS list, but I thought I'd copy it
>here, too.
>-------
>
>In the past couple months, hundreds (if not thousands) of web sites
>using Allaire's ColdFusion have been hacked (their web pages have been
>defaced). When interviewed by the press, one site administrator said,
>"We are installing a firewall so that this won't happen again".
>
>However, firewalls do not protect against this particular hack.
>
>Explanation: Firewall technology is based on "port filters". The
>average web server has many ports open for a variety of reasons, but
>needs only port 80 in order to serve web pages. However, ColdFusion
>runs as part of the web server reachable at port 80. QED, placing a
>firewall in front of a web server provides no protection against the
>ColdFusion hack.
>
>Firewalls do not "prevent" hacks, as most people believe. They simply
>reduce RISKS by reducing the number of ports or IP addresses that may
>be exposed inadvertently on the Internet. The remaining ports (such as
>e-mail, web, and FTP servers) can often be hacked.
>
>In practice, firewalls probably increase RISKS overall. Consider a
>study of Berlin taxi drivers who were given anti-lock brakes: the taxi
>drivers started driving more aggressively, and had more accidents.
>Therefore, the study concluded that anti-lock actually INCREASES RISKS.
>What is really going on is that firewalls/ABS only decrease RISKS if
>behavior is left unchanged, but the added security encourages RISKy
>behavior.
>
>The ColdFusion bug was not really Allaire's fault -- the bug was in a
>sample script that Allaire recommends be removed from a production web
>server. Almost every web-site creation package like ColdFusion has the
>same problem, including Microsoft's ASP scripting, FrontPage web
>hosting, and sample CGI programs. Administrators feel safe behind
>firewalls and do not diligently check their web servers for these
>problems. For the most part, crackers who intend to deface web pages or
>steal credit card information from web servers do not care about
>firewalls that might protect the target servers.
>
>Robert Graham
>http://www.networkice.com/advice
>
>
>



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT