Robert Graham's SQL Slammer analysis (was Re: [linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!)
Karsten M. Self
Fri Jan 31 19:28:56 PST 2003
on Fri, Jan 31, 2003 at 06:14:47PM -0800, Larry M. Augustin (firstname.lastname@example.org) wrote:
> > Quoting Karsten M. Self (email@example.com):
> > > Makes many of the same points as I do. Though he doesn't address the
> > > "what if it happens on :80, :22, :25" problem.
> Port 80 is turning into a big problem. I've had this conversation with
> several chief security officers. Everyone is now building software
> that pushes stuff through port 80, mostly because that port is
> generally open. i.e. opening up a port has become such a big deal
> that everyone wants to use port 80. But with multiple services now
> being offered through port 80, all people have done is make ports
> useless, and make the problem harder by hiding it under port 80. When
> one of these applications makes any attempt at security, they do
> something inside XML so you need an XML parser to enforce security.
> There are a lot of companies out there now trying to build "port 80
> firewalls" - boxes that parse everything going past port 80, and
> attempt to do something intelligent, including add security.
> It's strange to think that the practice of being judicious in locking
> down ports has created an even worse problem because developers are
> now using port 80 to go around the firewall.
This is a situation that some of us have foreseen for quite some time. I
first became aware of it a couple of years ago interviewing with a
security firm who was having trouble doing vulnerability assessments,
and phoning home, from within corporate networks, due to firewall
policies blocking useful ports.
There's an apocryphal story of a consultant who created an
implementation of NFS over SMTP to demonstrate that regardless of
arbitrary restrictions, if data were allowed in and out of the system,
a given protocol could be implemented. Latency was high, but on
sufficiently large transfers, throughput was pretty good. This is
supposed to have been done by Marcus Ranum.
I can't find the source of this, but a reference:
There's some oblique discussion here:
It's a typical case of grade inflation or indicator abuse. As more and
more ports are blocked based on the context they represent, the context
itself is warped.
Security remains a moving target. Future schemes will have to adapt to
Karsten M. Self <firstname.lastname@example.org> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Moderator, Free Software Law Discussion mailing list:
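As an added illustration of the "port 80 firewall" point above (this is not code from the thread or from any product it mentions): a classic port-based verdict placed beside the content-aware check such a box would make on the same first bytes of a connection. All payloads, hostnames and function names are constructed for the example.

```python
import re

# Constructed sample payloads: the first bytes a gateway sees on a TCP
# connection to port 80. They illustrate that "port 80" says nothing
# about what the connection actually carries.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "xml_api": (b"POST /RPC2 HTTP/1.1\r\nHost: api.example.com\r\n"
                b"Content-Type: text/xml\r\n\r\n"
                b"<?xml version=\"1.0\"?><methodCall/>"),
    "smtp":    b"EHLO relay.example.com\r\nMAIL FROM:<x@example.com>\r\n",
    "ssh":     b"SSH-2.0-OpenSSH_9.0\r\n",
}

# A well-formed HTTP/1.x request line: method, request-target, version.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def port_verdict(dst_port: int) -> str:
    """Port-based filtering as the thread describes it: 80 is open, the rest is not."""
    return "allow" if dst_port == 80 else "drop"


def content_verdict(payload: bytes) -> str:
    """Content-aware check a 'port 80 firewall' would make on the same bytes.

    Returns one of:
      'http'     - a well-formed HTTP/1.x request line
      'http+xml' - HTTP whose body is XML; the box must hand the body to
                   an XML parser before it can enforce anything on it
      'not-http' - some other protocol riding on port 80
    """
    if not REQUEST_LINE.match(payload):
        return "not-http"
    head, _, _body = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # header lines only
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type" and b"xml" in value.lower():
            return "http+xml"
    return "http"


def inspect(dst_port: int, payload: bytes) -> tuple:
    """Pair the two verdicts so the gap between them is visible."""
    return port_verdict(dst_port), content_verdict(payload)


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        port, content = inspect(80, data)
        print(f"{name:8s} port-filter: {port:5s} content-filter: {content}")
```

Every sample is "allow" to the port filter; only the content check separates the browser from the SMTP and SSH traffic, and flags the XML body as needing a further parser.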