From: Jared Mauch <jared@puck.nether.net> Date: Tue, 5 Jan 2010 16:20:56 -0500
On Jan 5, 2010, at 3:58 PM, Brielle Bruns wrote:
> It's all how you configure and tweak the firewall. Recommending people run servers without a firewall is bad advice - do you really want your Win2k3 server exposed, SMB, RPC, and all to the world?
Some people think that exposing any functionality by default such as that is a poor security practice :)
My biggest issue is that people think that Firewalls, AV, etc are a catch-all for any network/user/security badness. The real world is more complex than that.
Most people make poor security choices and this creates much larger issues.
"I thought the firewall would protect me." "I thought my IPS would protect me." "I thought my AV would protect me."
Most of these technologies create a truly false sense of security.
I'm once again reminded of many people who do technically "silly" things like block TCP/53, packets over 512 bytes, port 587, ssl imap ports, etc.
It's frustrating and sad because it's not an effective security strategy, and it frustrates grumpy old-school users such as myself who used ODI drivers w/ KA9Q to multitask over our CSLIP networks.
I suspect at least part of this will soon get fixed due to DNSSEC. Blocking tcp/53 and packets over 512 bytes will cause user complaints and, after enough education, the problem will get fixed.

I had a problem with a large US government site due to tcp/53 blocking and had no luck getting it fixed. The "Security Officer" informed me that tcp/53 was only ever needed for zone transfer and any other use was clear evidence of abuse. RFCs meant nothing to him. (I don't know if he knew what an RFC was.) Now that gov domains are mandated to be signed, seems like he learned that tcp/53 could be used for normal operations.

"You can get more with a kind word and a two-by-four than you can with just a kind word."
J. Michael Straczynski, from "Ceremonies of Light and Dark", Babylon 5
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net  Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
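The thread's complaint is that a firewall which drops TCP/53 and any DNS datagram over 512 bytes breaks normal resolution as soon as EDNS0 and DNSSEC-sized answers appear: the server truncates (TC=1) or the large UDP reply never arrives, and the mandated TCP retry is also blocked. The following is an added example, not code from any poster in this thread. It builds a query carrying an EDNS0 OPT record (RFC 6891), reads the TC bit out of a constructed reply, and walks the resolver's UDP-then-TCP path against a toy model of the firewall policy being criticised. The domain name, transaction ID, payload sizes and the `firewall_passes` policy are all assumptions made for illustration.

```python
"""Added example (not part of the thread): why dropping TCP/53 and DNS datagrams
over 512 bytes breaks resolution once EDNS0/DNSSEC answers are in play.
Only the standard library is used; the firewall model and sizes are assumptions."""
import struct

HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
FLAG_QR = 0x8000
FLAG_TC = 0x0200                    # truncated: client must retry over TCP (RFC 1035 4.2.1)
FLAG_RD = 0x0100
TYPE_OPT = 41
DO_BIT = 0x8000                     # DNSSEC OK flag, high bit of the OPT "TTL" field (RFC 6891)


def encode_name(qname):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, edns=True, udp_payload=4096, dnssec_ok=True, txid=0x1234):
    """Standard recursive query; with edns=True an OPT RR advertises udp_payload bytes."""
    hdr = HEADER.pack(txid, FLAG_RD, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    if not edns:
        return hdr + question
    # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size,
    # TTL = ext-rcode(8) | version(8) | flags(16) with DO in the top flag bit, RDLEN=0
    ttl = DO_BIT if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, ttl, 0)
    return hdr + question + opt


def parse_header(msg):
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def _question_end(msg, qdcount):
    """Offset just past the question section (names here are never compressed)."""
    off = HEADER.size
    for _ in range(qdcount):
        while msg[off] != 0:
            off += 1 + msg[off]
        off += 1 + 4            # root label + qtype/qclass
    return off


def advertised_udp_size(query):
    """UDP payload size from the query's OPT RR, or 512 (RFC 1035 default) without EDNS0."""
    h = parse_header(query)
    off = _question_end(query, h["qdcount"])
    if h["arcount"] and query[off] == 0:
        rtype, rclass = struct.unpack_from("!HH", query, off + 1)
        if rtype == TYPE_OPT:
            return rclass
    return 512


def make_response(query, tc=False, filler=0):
    """Constructed reply echoing id and question; 'filler' zero bytes stand in for
    the answer section so len() models the wire size of a large (signed) answer."""
    h = parse_header(query)
    flags = FLAG_QR | FLAG_RD | (FLAG_TC if tc else 0)
    hdr = HEADER.pack(h["id"], flags, h["qdcount"], 0, 0, 0)
    return hdr + query[HEADER.size:_question_end(query, h["qdcount"])] + b"\x00" * filler


def needs_tcp(response):
    """TC=1 on a UDP answer is the normal, RFC-mandated trigger for a TCP/53 retry."""
    return parse_header(response)["tc"]


def firewall_passes(proto, port, length, allow_tcp53=False, max_udp=512):
    """Toy model (assumption) of the policy complained about: no TCP/53, no big UDP DNS."""
    if proto == "tcp" and port == 53:
        return allow_tcp53
    if proto == "udp" and port == 53:
        return length <= max_udp
    return True


def resolve_outcome(answer_len, allow_tcp53=False, max_udp=512, advertised=4096):
    """Walk a resolver's path for an answer of answer_len bytes: UDP first, and if the
    server has to truncate to the advertised EDNS0 size, a retry over TCP/53.
    Returns 'udp', 'tcp', 'timeout' (datagram dropped) or 'fail' (TC but TCP blocked)."""
    query = build_query("example.gov", qtype=48, udp_payload=advertised)   # DNSKEY, assumed name
    wire = min(answer_len, advertised)
    base = len(make_response(query))
    reply = make_response(query, tc=answer_len > advertised, filler=max(wire - base, 0))
    if not firewall_passes("udp", 53, len(reply), allow_tcp53, max_udp):
        return "timeout"            # silently dropped: the client only sees a timeout
    if not needs_tcp(reply):
        return "udp"
    if firewall_passes("tcp", 53, answer_len, allow_tcp53, max_udp):
        return "tcp"
    return "fail"


if __name__ == "__main__":
    for size in (300, 1500, 5000):
        print(size, "bytes:",
              "blocked firewall ->", resolve_outcome(size),
              "| sane firewall ->", resolve_outcome(size, allow_tcp53=True, max_udp=4096))
```

Run stand-alone it prints, for each answer size, the outcome under the criticised policy beside the outcome when TCP/53 and large UDP are allowed; a 1500-byte DNSKEY answer already dies under the 512-byte rule, and anything beyond the advertised EDNS0 size can only be fetched over TCP.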