Re: Why you have hardware firewalls

"Charles Newman" <charlesnewman1@comcast.nospam.net> wrote in message
news:UbadnV2lbPO_J4_eRVn-sA@comcast.com...
> X-No-Archive: Yes
>
> "Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message
> news:slrnd5rar6.eei.ibuprofin@compton.phx.az.us...
> > In article <xyZ6e.1468$BS.807@tornado.ohiordc.rr.com>, Leythos wrote:
> >>On Tue, 12 Apr 2005 19:03:12 -0500, Moe Trin wrote:
> >
> >>> I found the owner, and mentioned his little problem. Sure enough, his
> >>> windoze toy server had been 0wn3d again.
> >>
> >>The problem doesn't have anything to do with a firewall or lack of one,
> >>it's got everything to do with properly setting up the OS/Services to
> >>handle a public connection.
> >
> > I know that - you know that - perhaps every competent professional knows
> > this - but these aren't professionals. The site is operated and
maintained
> > (yeah, right) by a 17 year old.
> >
> >>We've had a number of IIS servers directly on the public network for 6+
> >>months without a single compromise, but we also know what services to
> >>stop,
> >
> > Bingo. You can actually run the typical windoze server with all the
> > extraneous crap in it's default wide open state (not that I'd recommend
> > windoze, much less running the defaults) behind a very restrictive
> > firewall
> > without as much risk - but the better combination is the stripped system
> > running behind the firewall if you insist on a microsoft solution.
> > Netcraft
> > suggests there are better ways.
> >
> >>Then there is that ability of Windows to filter connections itself....
> >
> > I just used a passive tool to ID the system - it looks like the idiot is
> > running 98, but I can't tell which patch level.
> >
> >>I do agree, there is no reason for the US Based Pizza place, even Pizza
> >>Hut, to offer online ordering to people outside their country (even if
PH
> >>did offer pizza in Russia, they would not do it from a US based server).
> >
> > I know that smarter individuals have set up systems where the first page
> > wants your postal (ZIP) code, and uses that to try to identify the
nearest
> > retailer. Trying to use IP addresses to identify a location is
difficult.
> > The local cable/DSL is provided by Cox and QWorst, and there are about
50
> > local ISPs. But what about the "local" businesses? Looking up $WORK
says
> > New York, but a traceroute enters a blackhole in San Jose California,
and
> > we have subnets in Europe, Asia, and where I am in Arizona. One local
site
> > does indeed block $WORK as non-local, and the only way I can reach them
is
> > from a tunnel, or over the phone. So they loose our business.
>
>
> Well, blocking by IP addy can be circumvented
> with the huge number of open relays out there. I
> know this, becuase when Eurosport and the BBC
> both restricted their audio streams of the Olympics,
> last year, circumventing that was child's play. All

   One other note. Eurosport was a lot easier to
circumvent, becuase they only blocked users in
the United States, unlike the BBC, which restricted
their streams to certains ISPs in England. As long
as I echoed off any open relay outside the United
States, I was able to get the Eurosport audio
streams.
    Contary to what some people might think,. you
do NOT have to be a "script kiddie" to use an
open relay. There are websites where they have
done all the work for you in finding them. You
just pick one off the list, configure your browser,
media player, or whatever, and you are good to
go.
Received on Thu Sep 29 20:05:09 2005