ICMP is evil. To that I would add under... Security misconceptions
On Wed, Feb 15, 2012 at 4:52 PM, Rich Kulawiec <rsk@gsp.org> wrote:

0. Security is just common sense.
   a. More draconian/more complicated policies/practices automatically result in a good secure, usable environment.
      i. For secure results, require users to set a 25-character complex password with 1-day expire.
      ii. For best results, get a checklist containing every possible "security measure" that can be implemented, and implement them in no particular order.
      iii. For best results, ask a committee of accomplished bureaucrats....
   b. For best results, leave all settings at their default values.
      i. A security focused analysis is not required to design a secure system/network.
      ii. If each device is secure, the overall system is automatically secure.
   c. Just install Product $X, Product $Y. Everything will be fine.
   d. If that doesn't work, and we still get a security breach, adding Product $Z will definitely make it secure forever, without log checking and security reviews.
   e. A simple automated scan can detect all possible security issues.

1. Script kiddies don't want access to my router, because they can't run malware
   i. Routers always encrypt passwords in memory; the *s displayed when you look at the password field in the webui prove it; no worries throwing out old equipment.
   ii. It's okay to re-use the admin password for a POP3 account, no security risk there.

2. If your organization partitions its internal network from the internet with a firewall....
   a. The network will be invincible to attack. or
      i. Private addressing ensures a LAN secure against outside attack.
      ii. SSL certificates don't matter, just click Continue.
   b. Sources of possible abuse/intrusion will always be on the outside. [or]
      i. The perimeter firewall makes the LAN safe against packet sniffers
      ii. Use of Ethernet switches instead of hubs makes the LAN completely safe against packet sniffers.
      iii. Managing local LAN devices (such as routers) using telnet or plain HTTP is safe and secure (because of i or ii).
      iv. Plain e-mail is an excellent file transfer protocol -- it's also a secure way to transfer large files into or out of a Firewall-secured LAN, since e-mail is private.
      v. External USB drives are a safe, secure, convenient way to bring data into or out of the partitioned network. Antivirus will thwart any attempt to transfer malicious files of any type.
      vi. FTP is a safe way to bring data into or out of a secure network, and the data is safe against interception because a password is required to connect.
   c. The one perimeter firewall will protect the network against internal attacks, and even outsiders gaining access to open wifi.
      i. WEP or open access with MAC address filtering is pretty secure.
      ii. MAC address filtering on the core router will make sure unauthorized devices plugged in cannot possibly gain access to the LAN.
      iii. MAC address filtering on the DHCP server will make sure unauthorized devices plugged in cannot possibly gain access to the LAN.
   d. No need to worry about having a DMZ or separate network, for hosting internet services behind a firewall.
      i. If traffic is only allowed to port 80, shell access cannot be obtained by exploit, even if the PHP scripts have bugs, because port 23 is required for shell access.
      ii. If traffic from the internet is allowed to pass to one host through a firewall, any possible security risk is limited to exclusively that one host.

Firewalls will solve our security issues.
Antivirus will solve our security issues.
...
$MAGIC_PRODUCT will solve our security issues. For many different values of $MAGIC_PRODUCT

--
-JH