Robert Graham's SQL Slammer analysis (was Re: [linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!)

Rick Moen rick@linuxmafia.com
Fri Jan 31 22:59:15 PST 2003


Quoting Larry M. Augustin (lma@lmaugustin.com):

> Port 80 is turning into a big problem.  I've had this conversation with
> several chief security officers.  Everyone is now building software
> that pushes stuff through port 80, mostly because that port is
> generally open.  i.e. opening up a port has become such a big deal
> that everyone wants to use port 80.  But with multiple services now
> being offered through port 80, all people have done is make ports
> useless, and make the problem harder by hiding it under port 80.

This is why I lean towards the viewpoint articulated by (I believe) Nick
Moffitt:  Just don't expose to the network services whose security
you don't have reasonable confidence in.  "Locking down ports" becomes
superfluous:  A service is either reachable and thus presumed a
potential point of remote attack, or not accessible remotely at all.

When I run database engines, they _don't_ (a la MSDE) default to being
network-reachable from anywhere but localhost.  The only network-reachable
daemons I run are ones I'm willing to stay on top of.  Border filtering,
you guys say?  Why should my host trust _even_ nearby machines and the
local LAN?

Yes, I know that defence in depth from border filtering is theoretically
beneficial, but there's a reason all of those people are driven to use
things like httptunnel to get traffic past brainless firewall policies.
Better off without it, on the whole.

-- 
Cheers,           "I don't like country music, but I don't mean to denigrate
Rick Moen         those who do.  And, for the people who like country music,
rick@linuxmafia.com         denigrate means 'put down'."      -- Bob Newhart
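A quick audit of the principle in the post above (only loopback-bound services are not attack surface), as an added example that is my own code and not from the thread: it parses `ss -Hlnt` output and flags every TCP listener not bound to a loopback address. The sample output is constructed; port 1434 on a LAN address is the MSDE/SQL Server case the thread discusses.

```python
import ipaddress
import subprocess

# Constructed sample in `ss -Hlnt` format: State Recv-Q Send-Q Local:Port Peer:Port.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 [::1]:6379 [::]:*
LISTEN 0 4096 *:22 *:*
LISTEN 0 128 192.168.1.10:1434 0.0.0.0:*
"""

def split_local(addr):
    """Split ss's local-address column into (host, port); handles [v6]:port and *:port."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)

def is_loopback_only(host):
    """True only when the bind address is a loopback address (127.0.0.0/8 or ::1)."""
    if host in ("*", ""):
        return False  # wildcard bind: reachable on every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable host: treat as exposed rather than safe

def classify_listeners(ss_output):
    """Return (host, port, exposed) for each LISTEN line; header lines are skipped."""
    result = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        result.append((host, port, not is_loopback_only(host)))
    return result

def exposed_listeners(ss_output):
    """Only the listeners reachable from beyond localhost, i.e. remote attack surface."""
    return [(h, p) for h, p, exposed in classify_listeners(ss_output) if exposed]

if __name__ == "__main__":
    try:  # use the live socket table when ss is available, else the constructed sample
        output = subprocess.run(["ss", "-Hlnt"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_SS_OUTPUT
    for host, port in exposed_listeners(output):
        print(f"network-reachable listener: {host}:{port}")
```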