


Regarding MSblast and other things of that ilk, they can also get on the
network through a home PC/laptop that acquired the infection while at
home and spread it to the corp. network once it was connected by either
bringing it to the office or by VPN.  Basically bypassing the firewall.
In a corporate office, the VPN gateway may have another firewall layer
to go through and still provide some protection but branch offices
rarely go to that expense.

I would add that some of the Microsoft buffer overflow faults only need
port 80 to work.  The trojan is passed through a port 80 request and the
unprotected/flawed IIS box ends up executing the code.  The executed
code uses port 80 to talk to the mother ship.  As such, an IIS install
that is not properly patched is still more 'dangerous' than most other
web servers.

-----Original Message-----
From: Adam Lang [mailto:aalang@xxxxxxxxxxxxxxxxxxxx] 
Sent: Monday, November 10, 2003 1:59 PM
To: Midrange Systems Technical Discussion
Subject: Re: how we will program in the future


Ok, here is a short tutorial on internet security.

The servers that need to be accessed directly by the public are NEVER
directly on the public line.  You have the public ip line go into a
firewall that blocks all incoming traffic.  You have your server behind
the firewall. Then, depending on the services you are offering, you only
open those specific ports on the firewall to that specific server.  This
way you can specifically compensate for the traffic you expect.

When MSblast brought down everyone a couple months ago, it is because a
lot of boneheaded network admins had port 135 either open on their
firewall or no firewall at all.  There is never a legitimate reason for
that traffic to come in from the public.

As David said, if you are just offering web pages, only port 80 should
be allowed, because there is no reason for something else.  That way, if
there is something insecure, you eliminate the method to attack it.
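
An added example, not part of either message above: a small Python audit of the policy the quoted tutorial describes (inbound blocked by default, only each server's published ports opened). The rule format, the address 192.0.2.10 and both rule sets are constructed for illustration.

```python
# Constructed inventory: which ports each public-facing server is meant to offer.
PUBLISHED = {"192.0.2.10": {80}}   # web server, HTTP only (documentation address)

# Constructed rule sets in a made-up "action source destination port" format.
WEAK = """
default allow
allow any 192.0.2.10 80
allow any 192.0.2.10 135
allow any any *
"""
HARDENED = """
default deny
allow any 192.0.2.10 80
"""

def parse(text):
    """Split a rule set into (default_action, [(action, src, dst, port), ...])."""
    default, rules = None, []
    for line in text.strip().splitlines():
        fields = line.split()
        if fields[0] == "default":
            default = fields[1]
        else:
            action, src, dst, port = fields
            rules.append((action, src, dst, None if port == "*" else int(port)))
    return default, rules

def audit(text, published=PUBLISHED):
    """List every way the rule set exposes more than the published services."""
    default, rules = parse(text)
    findings = []
    if default != "deny":
        findings.append("default inbound action is not deny")
    for n, (action, src, dst, port) in enumerate(rules, 1):
        if action != "allow" or src != "any":
            continue                      # only rules reachable from the public side
        if dst == "any" or port is None:
            findings.append(f"rule {n}: wildcard exposure to {dst}")
        elif port not in published.get(dst, set()):
            findings.append(f"rule {n}: port {port} on {dst} is not a published service")
    return findings

if __name__ == "__main__":
    for name, ruleset in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(ruleset) or "no findings")
```

A clean result covers the perimeter rules only; the infected laptop or VPN path and the port 80 case raised in the reply are outside what it checks.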



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
