Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


how about the basics? [was: Re: Blocking port 53]

  • From: Gadi Evron
  • Date: Mon Mar 28 07:59:06 2005

John Levine wrote:
> I thought everyone ran an ssh server on port 443 by now.  It's
> the easiest way to get through these overbearing firewalls.
Inbound:
--------
Agreed. As we all know, applications running on web servers are the easiest way to get into an organization. Run as many routers and firewalls as you like, people will just cut through them.

Some easy questions are:
- How easy is it to break in, applicatively? [secure code &
architecture, pen-test, etc. and not just when the site goes
live]
- What do you do to protect the application? [application filtering on
some level - not many good solutions, sniffer/resets,
inline/drop, reverse proxies, etc.]
- Once through the application, what do you do to protect the server?
[hardening, ports, services, FW]
- DB security? What's that?
- Once on the server, what do you do to make sure the machine cannot get to the rest of your network? Is your solution local or network based?
[PFW? VLAN?]

That's an ancient beaten to death issue that people just piss all over. Web applications today are simply the door into your organization and your network.

This is all costly, but you could do some of these things without any additional costs above an hour or two of your time.

I state the obvious again: protect your web servers!

Outbound:
---------
Try and make sure only HTTP/SSL communication goes through ports 80/443, respectively. Most worthwhile corporate firewalls today support this type of application filtering.

It won't help you with spyware like (imo) Kazaa (or legit software) that goes over HTTP, but you get my point.

Aside from being a nice way to circumvent firewalls to go and IRC or use private mail servers, we also lately see many botnet C&Cs using these ports.

It may only be half relevant to nanog, and for that I apologize, but I take the chance to remind people of how important this all is on *ANY* opportunity.

Gadi.
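The outbound point above (only HTTP on 80, only SSL/TLS on 443) is what application-aware filtering checks. As an added example that is not part of Gadi Evron's post, here is a minimal classifier that looks at the first bytes a client sends on a flow and flags a mismatch such as an SSH banner on 443; it assumes a firewall already has the stream, inspects only the opening bytes, and the sample flows are constructed.

```python
# Added example (not from the original post): classify the opening bytes of a
# TCP stream and compare against what the destination port should carry.
# Real application filters keep per-flow state and inspect far more than the
# first bytes; this shows only the core idea. Sample flows are constructed.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

def classify(first_bytes: bytes) -> str:
    """Return 'ssh', 'tls', 'http' or 'unknown' for the first bytes of a stream."""
    if first_bytes.startswith(b"SSH-"):
        # RFC 4253: an SSH session opens with an identification string "SSH-x.y-...".
        return "ssh"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        # TLS record header: content type 0x16 (handshake), version major byte 0x03.
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

def expected_for_port(port: int) -> str:
    """Protocol a policy of 'only HTTP on 80, only SSL on 443' expects."""
    return {80: "http", 443: "tls"}.get(port, "unknown")

def check_flow(port: int, first_bytes: bytes) -> tuple:
    """Return (observed protocol, True if it matches the policy for that port)."""
    seen = classify(first_bytes)
    return seen, seen == expected_for_port(port)

# Constructed sample flows: (destination port, first bytes sent by the client).
SAMPLE_FLOWS = [
    (443, bytes.fromhex("160301002f") + b"\x01\x00\x00\x2b"),   # start of a TLS ClientHello
    (443, b"SSH-2.0-OpenSSH_6.9\r\n"),                          # SSH pushed through 443
    (80,  b"GET / HTTP/1.1\r\nHost: example.test\r\n"),         # ordinary HTTP
    (80,  b"NICK abc\r\nUSER abc 0 * :abc\r\n"),                # IRC-style chatter on 80
]

def audit(flows=SAMPLE_FLOWS) -> list:
    """Apply check_flow to every sample; a False flag means drop or alert."""
    return [(port, *check_flow(port, data)) for port, data in flows]

if __name__ == "__main__":
    for port, seen, ok in audit():
        print(f"port {port}: looks like {seen:<7} {'ok' if ok else 'MISMATCH -> drop/alert'}")
```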
