Re: Cisco vulnerability and dangerous filtering techniques
That is a bit paranoid, but it could happen. I have not seen anybody do anything that intelligent in the past couple of years. Not to say that there arent people out there that couldn't do that but I think many have thought of using one exploit to expose another, DDoS is the closest I have seen on any of my honeypots. I have learned many things about what most people will try to get into a box from the honeypots, but that is a good point. Filtering or patching should take place on the edge and on the most critical spots on your network. Good Luck
I had a passing thought over the weekend regarding Thursday's cisco vulnerability and the recent Microsoft holes.
The next worm taking advantage of the latest Windows' vulnerabilities is more or less inevitable. Someone somewhere has to be writing it. So why not include the cisco exploit in the worm payload?
Based on past history, there will be plenty of vulnerable Windows hosts to infect with the worm. I would also guess that there are lots of organizations and end-users that have cisco devices that haven't patched their IOS. Furthermore, I wonder how many people have applied filtering only at their border? But packets from an infected host inside the network wouldn't be stopped by filtering applied only to the external side.
Basically, if you're filtering access to your interface IP's rather than upgrading IOS, remember that the internet isn't the only source of danger to your network.
Adam Maloney Systems Administrator Sihope Communications
On Tue, 22 Jul 2003 14:58:22 -0000, jgraun@comcast.net said:
That is a bit paranoid, but it could happen. I have not seen anybody do anything that intelligent in the past couple of years. Not to say that there arent people out there that couldn't do that but I think many have thought of using one exploit to expose another, DDoS is the closest I have seen on any of my honeypots.
Not paranoid enough. :) Not only *could* it happen, it almost certainly *is* happening. Remember that in general, only the ankle-biter black hats get caught, just like the police catch mostly the stupid crooks. My co-worker Randy Marchany has been doing talks for *years* saying why firewalls by themselves don't work - he'll ask the audience how many run firewalls, and a lot will raise their hands... then he'll ask if they pass port 25 and/or 80, and a lot of hands remain raised.. then he'll ask if *anybody* behind the firewall is running an unpatched Outlook or IE... and a lot of hands remain raised, with very worried looks as the implications sink in....
participants (2)
-
jgraun@comcast.net
-
Valdis.Kletnieks@vt.edu