Re: Browser Vulns
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa pacbell.net)
Date: Fri Jul 23 2004 - 11:51:59 CDT
Honestly, most folks in SBS land use the Standard version, which is a
RRAS firewall [think Linksys]. Those of us in "paranoid" SBSland use ISA
server ;-)
Thor wrote:
>SBS 2k3 "premium" comes with ISA2k, right? You can block whatever you want
>outbound with that guy! I'm just wondering what you mean by "In SBS Land
>... given that person is an authenticated user, the connection would go out
>the firewall just fine" in that context-- I'm guessing you don't mean ISA
>firewall?
>
>T
>----- Original Message -----
>From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa pacbell.net>
>To: <larobins bellatlantic.net>
>Cc: "'Kirk Foutts'" <kfoutts orenickcompanies.com>; "'James Riden'" <j.riden massey.ac.nz>; <focus-ms securityfocus.com>
>Sent: Thursday, July 22, 2004 6:56 PM
>Subject: Re: Browser Vulns
>
>>Not all firewalls are alike and not all do "outbound" egress filtering.
>>.... 'course one could argue it shouldn't be called a firewall... but
>>nevertheless not all are packet inspecting firewalls.
>>
>>Granted I think we can assume that one is talking about a true "business
>>class" firewall and not the Fry's specials, but even in SBSland we get
>>requests for blocking external webemail, and the notorious IM which,
>>given that person is an authenticated user, the connection would go out
>>the firewall just fine.
>>
>>Susan
>>
>>Laura A. Robinson wrote:
>>
>>>>...
>>>>
>>>>>>>If you can, block by default and allow what you want.
>>>>
>>>>How? This sounds like a great plan but...
>>>>
>>>It is standard for nearly any firewall. Block all, open what you need
>>>opened.
>>>
>>>>>>>That goes for outbound ports as well; if you have a DNS server and you
>>>>>>>know it only needs to connect/send to dest port 53, why
>>>>>>>not ban it from connecting to any other ports?
>>>>
>>>>How can this be done?
>>>>
>>>With a firewall.
>>>
>>>(I'm guessing y'all don't have a firewall?)
>>>
>>>Laura
>>>
>>--
>>http://www.sbslinks.com/really.htm
--
http://www.sbslinks.com/really.htm