Re: Why you have hardware firewalls
From: Charles Newman <charlesnewman1@comcast.nospam.net>
Date: Mon Aug 29 2005 - 09:33:40 CEST

X-No-Archive: Yes

"Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message
news:slrnd5rar6.eei.ibuprofin@compton.phx.az.us...
> In article <xyZ6e.1468$BS.807@tornado.ohiordc.rr.com>, Leythos wrote:
>>On Tue, 12 Apr 2005 19:03:12 -0500, Moe Trin wrote:
>
>>> I found the owner, and mentioned his little problem. Sure enough, his
>>> windoze toy server had been 0wn3d again.
>>
>>The problem doesn't have anything to do with a firewall or lack of one,
>>it's got everything to do with properly setting up the OS/Services to
>>handle a public connection.
>
> I know that - you know that - perhaps every competent professional knows
> this - but these aren't professionals. The site is operated and maintained
> (yeah, right) by a 17 year old.
>
>>We've had a number of IIS servers directly on the public network for 6+
>>months without a single compromise, but we also know what services to
>>stop,
>
> Bingo. You can actually run the typical windoze server with all the
> extraneous crap in its default wide open state (not that I'd recommend
> windoze, much less running the defaults) behind a very restrictive
> firewall without as much risk - but the better combination is the stripped
> system running behind the firewall if you insist on a microsoft solution.
> Netcraft suggests there are better ways.
>
>>Then there is that ability of Windows to filter connections itself....
>
> I just used a passive tool to ID the system - it looks like the idiot is
> running 98, but I can't tell which patch level.
>
>>I do agree, there is no reason for the US Based Pizza place, even Pizza
>>Hut, to offer online ordering to people outside their country (even if PH
>>did offer pizza in Russia, they would not do it from a US based server).
>
> I know that smarter individuals have set up systems where the first page
> wants your postal (ZIP) code, and uses that to try to identify the nearest
> retailer. Trying to use IP addresses to identify a location is difficult.
> The local cable/DSL is provided by Cox and QWorst, and there are about 50
> local ISPs. But what about the "local" businesses? Looking up $WORK says
> New York, but a traceroute enters a blackhole in San Jose California, and
> we have subnets in Europe, Asia, and where I am in Arizona. One local site
> does indeed block $WORK as non-local, and the only way I can reach them is
> from a tunnel, or over the phone. So they lose our business.

   Well, blocking by IP addy can be circumvented
with the huge number of open relays out there. I
know this, because when Eurosport and the BBC
both restricted their audio streams of the Olympics,
last year, circumventing that was child's play. All
I had to do was look up on sites like StayInvisible,
or Proxy4Free, and find an open relay in the area
where Eurosport and the BBC allowed connections
from, configure RealPlayer(Eurosport), or Windows
Media(BBC) to use that relay, and then connect.
It would look to BBC and Eurosport servers like
I was in Europe, and they never knew the difference.
Before the IOC would let them transmit any audio
or video they had to do this, but the IOC is
obviously clueless on how easily such filters can
be circumvented. The rules only apply to audio
and video, however. They do not apply to
web-pages updated every minute or so that
provided live results/commentary, or IRC chat
rooms that do the same.
    This is why I would not recommend blocking by
IP addy, because someone who can use Google,
or any search engine, can find lists of open relays,
and find a relay that will bypass your filtering by
IP addy.
Received on Thu Sep 29 20:05:08 2005