Defeating Firewalls: Sneaking Into Office Computers From Home

Wolfgang, you sound pretty stupid to me. I don't give a damn. If somebody is stupid enough to use it just because I say so, I can't do anything.

My idea is not to encourage somebody. It's just a piece of information. I am a sysadmin myself and I know the implications of using this. That's why I have the disclaimer in the paper.

Reply to
manu

I agree that the majority of compromised systems and spam relays have Dynamic IPs. However, that is not the same thing as saying the majority of Dynamic IP systems send spam, or are open relays. Two different statements. That's why I don't agree with blanket blocking of Dynamic IPs. As a side note, this is the first time you mentioned Dynamic IPs. Up to now we were talking about "residential" IPs. Do you consider the terms synonymous?

Disagree. But that's okay.

You could stop even more if you blocked even more. I don't see that as surprising. You do this after making a conscious decision to accept more "false positive" losses. Again, your choice, but not for everyone.

Well, not saying that you don't have a clue, only that this analogy doesn't prove that you do. After all, it's easy to avoid having a compromised customer, just block everything. Doesn't mean it was a smart solution for that particular customer just because he wasn't hacked.

I have had this responsibility as an admin and eventually as a manager of an IT group in a major Aerospace Corp. But, as a manager, I had much more responsibility than this. I also had responsibility to ensure company business could be successfully conducted and that my engineers had the tools and connectivity they needed to be successful and make our company successful. I had to do risk analysis on most every major configuration decision. And that is the KEY. Risk analysis. You have to weigh the potential risk (including potential loss if something goes wrong) with the potential impact on operations (often spelled reduced income). There are some cases where this kind of security is necessary, I know. And if it means throwing some of the babies out with the bathwater, it can be justified, sometimes. I used to see this all the time in the realm of "National Security". However, to think that all (or most) systems would benefit by using security measures this tight is ludicrous to me.

Not to be argumentative. I understand that different folks have different philosophies. I think we are both entitled to our own, no problem :)

-Frank

Reply to
Frankster

Only if you're not capable of looking.

Reply to
Leythos

What a dufus answer - all you have to do is find the maintainer of the RBL and ask them.

Reply to
Leythos

Seems to me you've just described the folks who *use* it...

Just another of the blanket assumptions you make that are total nonsense in a real world filled with people who are *not* all from the same cookie cutter.

"Without a single false reject"... that you notice (with your eyes closed and your ears plugged).

There *is* a need and a market for the service you are providing. But suggesting that is appropriate for all markets is a bit much.

Reply to
Floyd L. Davidson

Strictly speaking, you are correct, a Dynamic IP does not mean the host is a spammer, but, in general, the overwhelming majority of compromised systems and spam relays are systems on Dynamic IPs and that comprises the majority of residential users of ISPs.

You only hear people say it's "pissing in the wind" if they don't know how easy it is to do, if they don't really care, if they don't understand security and the world.

As a simple example, I have 4 companies that do no business outside the USA; being that, we include more than 100 foreign subnets in a permanent block list (some are /24, some are /16, some are /8), but you would be amazed at how much chatter and how many probes for exploits it stops dead.

We also block access to anything that probes 445 for 20 minutes and several other ports. Since we've not had a compromised customer in all these years I'm reasonably sure that we have more than just a clue about how to do this. It's only as hard as you want to make it, and it's very easy to implement.

You missed the intent - you block SMTP and other types of connections, like SSH and HTTP, to the residential networks (outbound, not inbound) so that people can't reach their HOME networks from the office. There have yet to be any valid business reasons for someone to check their personal web server at their house, or their personal email at their home or ISP during business hours....

As for spam, we have more than a dozen filters on most of the clients' email servers, match lists, RBLs, etc... We catch over 85% and reject it before the client sees it, without a single false reject. Of the remaining 15%, 73% is spam and we catch about 80% of that with match lists and other methods, and the rest is good email. Since we record all rejects and markings as spam, we've not seen one false positive in more than 2 years.

When you start having the responsibility for protecting networks and systems, "Blanket IP block blocking seems insane to me" will start making sense to you too.

Reply to
Leythos
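
The "block anything that probes 445 for 20 minutes" rule from the post above, modelled as an added example (not code from the thread or from any product mentioned in it): a source seen probing a watched port goes on an auto-block list for 20 minutes, and each further probe re-arms the timer. The reading of "for 20 minutes" as the block lifetime, the log line format and every address are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WATCHED_PORTS = {445}               # the port named in the post; add others as needed
BLOCK_FOR = timedelta(minutes=20)   # block lifetime, refreshed by each new probe

# Constructed log format: "<date> <time> DROP <src> -> <dst>:<port>/<proto>"
LOG_RE = re.compile(r"^(\S+ \S+) DROP (\S+) -> \S+:(\d+)/(?:tcp|udp)$")

SAMPLE_LOG = """\
2004-03-01 09:00:00 DROP 198.51.100.7 -> 203.0.113.5:445/tcp
2004-03-01 09:00:02 DROP 198.51.100.7 -> 203.0.113.6:445/tcp
2004-03-01 09:05:00 DROP 198.51.100.9 -> 203.0.113.5:80/tcp
2004-03-01 09:15:00 DROP 198.51.100.7 -> 203.0.113.7:445/tcp
2004-03-01 09:40:00 DROP 198.51.100.9 -> 203.0.113.5:445/tcp
"""

def at(hhmmss: str) -> datetime:
    """Timestamp helper for the constructed log day."""
    return datetime.strptime("2004-03-01 " + hhmmss, "%Y-%m-%d %H:%M:%S")

class ProbeBlocker:
    """Sources that probed a watched port stay blocked until last_probe + BLOCK_FOR."""

    def __init__(self) -> None:
        self.blocked_until: Dict[str, datetime] = {}

    def expire(self, now: datetime) -> None:
        """Drop entries whose 20-minute window has elapsed."""
        self.blocked_until = {s: u for s, u in self.blocked_until.items() if u > now}

    def is_blocked(self, src: str, now: datetime) -> bool:
        self.expire(now)
        return src in self.blocked_until

    def observe(self, line: str) -> Tuple[datetime, str, bool]:
        """Feed one log line; returns (time, src, whether src is now on the block list)."""
        m = LOG_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed log line: " + line)
        now = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        src, port = m.group(2), int(m.group(3))
        self.expire(now)
        if port in WATCHED_PORTS:
            self.blocked_until[src] = now + BLOCK_FOR   # (re)arm the block window
        return now, src, src in self.blocked_until

def replay(log: str) -> List[Tuple[str, str, bool]]:
    """Run the constructed log through a fresh blocker, one decision per line."""
    blocker = ProbeBlocker()
    out = []
    for line in log.splitlines():
        now, src, blocked = blocker.observe(line)
        out.append((now.strftime("%H:%M:%S"), src, blocked))
    return out

if __name__ == "__main__":
    for row in replay(SAMPLE_LOG):
        print(*row)
```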

Leythos, you must be kidding yourself by repeating this 'improperly setup firewall' thing. If it's that uncommon, then why the hell are you worried about people using this technique to break something? Just forget it dude. Let others worry about it.

Saying that it will work doesn't mean encouraging :) My disclaimer says it all clearly.

Reply to
manu

Well, this can be one we disagree on. To me, there is a lot of middle ground between secure and not secure.

-Frank

Reply to
Frankster

Leythos, tell you something. I didn't want to waste my time by replying to your nonsense, but for your enlightenment, I have to say it. I don't agree with your sense of security at all. You are talking crap in the whole thread. You are one of them who can run a company by just allowing your employees to access google.com and having your employees request you for access to every other site. Obviously, it's a more secure setup but a highly inefficient one.

This is not what security is about. I would have appreciated if you would have come out with an option to use an intelligent proxy which will detect sessions lasting longer than a certain period of time. Or, a firewall between proxy and your network to send alarm if some connection to proxy is lasting too long.

But you are talking about the crap ideas like blocking the ip ranges and etc. It may work for your company but doesn't work for most of them. Some companies believe in freedom to their employees and let them 'browse' internet after blocking some offending websites. It doesn't work other way.

Ok, so you mean to say that "I know there is a hole in my boat, but don't tell me. It scares, you know". I know, this information can create problems for some companies, but that's true for all security advisories. I don't know what you think about them.

Reply to
manu

Man! All in all, bickering aside, this has been a very good thread. In it you will find a lot of good info, some technical, some philosophical, some efficiency oriented, but lots of good info. This thread is a very good example, IMHO, about how there is no such thing as a "one-size-fits-all" solution and it underscores the need to do a careful analysis of business and customer requirements, before blindly applying a cookie-cutter generic solution.

Additionally, by observing the controversy in this thread amongst IT professionals, it will give you some idea about why it can be so difficult to interface with other networks. Each network "owner" has their own ideas about security and network policies. I have spent a good portion of my time in IT negotiating a consensus amongst network owners to allow some form of connectivity.

Anyway, interesting stuff I think :)

-Frank

Reply to
Frankster

I hate to say this, but your statement doesn't make any sense - you say you are "not to encourage", but you provide the instructions on how to do it on improperly setup firewalls, and you defend it saying it will work, but you are not 'encouraging' anyone to do it.

If you don't want people to do it, then take down the document and let your actions show that you don't want to encourage it - if you are just playing around and really want people to do it, then leave the document available for all.

If I leave a loaded cannon out in front of my house, I'm not "encouraging" anyone, but the law sees it as an "attractive" type thing where I'm actually encouraging someone to use it.

Reply to
Leythos

For the most part, residential and dynamic are the same. Even if you've had the same Dynamic IP for 2 years, it's still dynamic. There are, and I know, some business services that some of the lamer ISPs provide to businesses where they don't get a static IP, but, they also don't expect those same businesses to have inbound traffic - or the business doesn't understand enough to get a static IP. So, in general, unless it's a static IP, I consider it to be residential in nature.

No, we block a lot more, just not that I've posted here. We start with the approach of allow nothing in or out and then permit only that which is needed for business purposes - and there are different rules/permissions for different types/sets of users.

But why would you allow everything until it causes a problem and then take action to block it - the best protection is to block everything that isn't needed. You can't possibly believe that allow all until compromised and then create rule makes any sense.

I was responsible for the security of 23 offices in two countries with more than 2000 employees and many road warriors before I started this company, we never had a single compromise and yet were able to do all our work, everyone that was selected could work remotely, etc... If you don't see security as helping 99% of the installations out there, then you don't belong in the field/business.

I've never seen a properly designed solution degrade business functions, and in most cases it only improves business functions/productivity. I have seen many zealous CIOs lock things down to the point of people not being able to do their work, but those CIOs are usually the ones that don't understand security, don't understand human nature, don't understand the business units' needs.

There is really only one true way to look at security, anything less is a compromise and places the network(s) at risk. It doesn't take a lot to secure a large company or a small office, the methods and ideals are the same, there is no compromise, the only difference is the size/capacity.

You keep having your "opinion" and I will too, I'm fine with it, I was just hoping to see you understand that there are no grey areas in security, only secure and not-secure, and we get a lot of new customers because of the companies/techs/designers/architects that don't understand that idea.

Reply to
Leythos

Big difference between people that understand/know and people that don't.

Not really, if it's company business then it doesn't belong on the personal email system of some ISP. Sure, you can suggest that you might have had a reason, but the simple fact is that your business contacts should not be emailing you at home about business and if your company email server is working there is no business reason to allow employees to access home email directly. In all the companies I've worked for, setup, designed, we never found a valid reason to allow employees access to non-business email/ftp/ssh/video/etc...

I already said we see the reject list and check it. Why do you have such a hard time with the idea that someone can actually make things work - is it because you can't?

I never suggested that it was for all markets, but, if a business really looked at what it "needs" to provide in Internet access to employees, many that don't have any restrictions would find that they don't need to provide ANY access to most of their employees - and when you do take it away, within about 4 weeks you start seeing the productivity numbers increase by a very measurable level.

I don't think you're lame enough to suggest that I think that ALL business can do that, but, in my experience all over the US with all types of businesses, there is little need to offer FULL/Unfiltered access to the Internet, and I've not seen any business need to provide personal email access to employees anywhere - unless the business unit is not properly setup.

Reply to
Leythos

When I see people post crap about how to subvert company firewalls, it just ticks me off. What it really means is that some moron is just wanting to screw off on company time, utilize company resources they don't deserve, and possibly compromise the company network due to the unsecured home computer they are accessing.

In a strict sense, using the company network for unauthorized reasons could be considered theft of company property - as they pay for the Internet connection and the use is not permitted. Same for when the lamer connects to his home computer and an improperly protected network gets a virus that causes days of labour in cleaning it - that could be seen as sabotage or other malicious action and they should be fired for it.

I wish that improperly configured firewalls were uncommon, but, the simple fact is that many firewalls are not properly setup to support only what the business needs. Then there are the devices called Firewalls that are really just fancy NAT routers that people insist are firewalls or that the CFO/CEO is told is a firewall, and they have no real outbound protection.

You're wrong - if I provide a means for an action that we're certain some lamer will take, where they were unable to do it before I provided the means, then it's clearly encouraging them and highly unethical for any reason. You can't possibly tell anyone here that you fully expect that your information won't be used to subvert company policy or company security.

Reply to
Leythos

Answer me this - if you think it's crap, then how did all those workers get their jobs done before they had google and access to their personal computers at home on company time?

Do you really think that the vast majority of business have a true business need to let employees browse the web at their own leisure and discretion without any control in place?

How about the company that has no "inefficiencies" to getting their work done on a secured network - do you really think a network can't be secured properly and still provide all the "Business" functions that are needed?

You've got to be a kid or a very young adult to think that most businesses need to provide internet access to the employees in order for them to do their work on a normal level.

What makes you think our firewalls don't have proxy services? What makes you think that we don't monitor sessions, don't kill sessions that we don't find a business need for. What makes you think there is any reason to have an Open tunnel to someone's home after business hours when they are not using the provided tunnel method and are not on the access list?

Freedom has nothing to do with allowing internet access. You are paid to do work, not surf (unless that's your job description), you are not paid to call home, to contact your personal computer or any non-business system, you are not paid to slack-off all day. What you advocate is nothing different than making personal long distance calls on the company phone system without permission and without reimbursing the company for the cost of the call.

If the company you work for does not provide you with any internet access at all, and has no business reason to do so, your freedom is not imposed upon, not hindered, not limited in any manner. The company does not owe you a job, does not owe you internet access, does not owe you personal time, does not owe you anything other than wages and benefits (if benefits were part of your agreement) and a safe environment to work in as long as you provide labour as agreed.

Nope, there is no hole in our boat, and I'm not asking you to tell me anything about something like you have presented - most security professionals have long been aware of things like this and have proper security measures against them. What you are doing is providing the end-user, the employee, the idiot that would even think it was ethical, a means to do something that's clearly unethical, wrong, and may get them fired at the same time, and calling it just a technical description of how something might be done.

Most security advisories come out in public and expose a hole, and they often give the OS/Firewall vendors prior notice to get a patch out before the notice hits the general public. Many notices also include links to the vendors site where a fix can be found.

Your information is not a notice, not an alert, it's a how-to for back-dooring access for those that didn't already know how to do it. Looks like a big difference to me - and it sure looks like you know you are wrong and unethical in the way you try to defend it.

Reply to
Leythos

Yep, it's always good to "discuss" the ideals and methods and levels of security as seen from different angles.

Like you, I've had to "deal" with IT groups that wanted full access to our network just to access our data in a SQL or Oracle server - and all they really needed was a view or an export on a nightly basis. I had one company tell us they needed SA access for their application to run properly (and it was just a reporting tool)! I've also seen vendors that are partners that can't set up their appliances and other firewalls to work with anything except their own vendor's solution - like a business partner that needs access via port xyz to IP a.b.c.d in your network, but, they want an open connection instead of a VPN with IP/Port to IP/Port restrictions.

What we find most times is that it's not a technology barrier, it's a willingness (really it's experience and understanding) of the external IT source to do more than the minimum needed.

Here's a good example of what I consider standard security measures:

1) User at office wants to work from home, wants to be able to access things as though they were at the office.
2) User has their own unmanaged PC at home, and is considered compromised by us until proven otherwise.
3) User is behind a NAT device - thank god.

We would give them a cheap PC, set up in our shop, with our security measures, and basically locked down so that they can only log on to a desktop with a PPTP Connection icon and a Remote Desktop icon.

When the user gets on this computer they boot up, no auto VPN connection, they click the PPTP icon, enter a user/password that is NOT part of the Windows network and start the login process.

The firewall appliance acts as a PPTP termination point and each user is set up by the admin with a different user/password than the user's domain account (Windows). Each user has a specific rule that only allows Remote Desktop 3389 from their PPTP session to their specific workstation (or to the terminal server if the company has one).

If they authenticate with the firewall properly they double click the RD icon and are presented with a user/password prompt again - this one for the domain and it lets them into their Workstation at their desk (or the TS in their department).

The RD is setup to not map COM/LPT ports and does not permit file sharing - the only port that is mapped through is 3389, so they can't map a connection to anything else.

All sessions are terminated by the firewall after 4 hours or after 20 minutes of inactivity.

We used to do this with VNC and Remote Administrator, but have given in to RD. We never allow RD access in/out without going through the VPN. If they want email, they do it through OWA or through RD and the Outlook on their workstation.

This is a normal method for small and larger companies, even a small company can afford a cheap firewall that permits PPTP endpoint mapping to it. Some cheap firewalls also have their own IPSec clients. We don't use NAT boxes for businesses.

Reply to
Leythos
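
The per-user access policy in the post above (one rule per PPTP user, TCP/3389 from that user's VPN session address to that user's own workstation, default deny for everything else, sessions cut after 4 hours or 20 minutes idle), modelled as an added example that is not code from the thread or from any firewall product; it also serves the later reply about allowing RD only with file transfer disabled. User names, VPN addresses, workstation addresses and the event timeline are constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_SESSION = timedelta(hours=4)      # hard session limit stated in the post
IDLE_LIMIT = timedelta(minutes=20)    # inactivity limit stated in the post
RDP_PORT = 3389                       # the only port the per-user rule passes

# Constructed table: PPTP login -> (address assigned to that PPTP session,
# the user's own workstation). One rule per user; nothing else is reachable.
VPN_USERS: Dict[str, Tuple[str, str]] = {
    "alice": ("10.99.0.10", "192.0.2.21"),
    "bob":   ("10.99.0.11", "192.0.2.22"),
}

def permitted(session_ip: str, dst_ip: str, dst_port: int, proto: str = "tcp") -> bool:
    """Default deny: a packet passes only if it matches some user's single rule."""
    return any(
        (session_ip, dst_ip, dst_port, proto) == (vpn_ip, workstation, RDP_PORT, "tcp")
        for vpn_ip, workstation in VPN_USERS.values()
    )

class Session:
    def __init__(self, started: datetime) -> None:
        self.started = started
        self.last_seen = started

def teardown_reason(s: Session, now: datetime) -> Optional[str]:
    """Why the firewall would drop the PPTP session at 'now', or None to keep it."""
    if now - s.started >= MAX_SESSION:
        return "max-duration"
    if now - s.last_seen >= IDLE_LIMIT:
        return "idle"
    return None

def evaluate(events: List[Tuple[datetime, str, str, int]]) -> List[str]:
    """Run constructed (time, user, dst_ip, dst_port) events through the policy.
    Only permitted traffic counts as activity; a torn-down session is removed,
    so the user's next event is treated as a fresh PPTP login."""
    sessions: Dict[str, Session] = {}
    verdicts = []
    for t, user, dst_ip, dst_port in events:
        vpn_ip = VPN_USERS[user][0]
        s = sessions.setdefault(user, Session(t))
        reason = teardown_reason(s, t)
        if reason:
            del sessions[user]
            verdicts.append("dropped:" + reason)
        elif permitted(vpn_ip, dst_ip, dst_port):
            s.last_seen = t
            verdicts.append("allow")
        else:
            verdicts.append("deny")
    return verdicts

def T(hhmm: str) -> datetime:
    return datetime(2004, 3, 1, *map(int, hhmm.split(":")))

SAMPLE_EVENTS = [  # constructed timeline
    (T("09:00"), "alice", "192.0.2.21", 3389),  # own workstation, RDP
    (T("09:05"), "alice", "192.0.2.22", 3389),  # bob's workstation: not her rule
    (T("09:10"), "alice", "192.0.2.21", 445),   # file sharing to own box: not 3389
    (T("09:35"), "alice", "192.0.2.21", 3389),  # 35 min since last allowed packet
    (T("09:36"), "alice", "192.0.2.21", 3389),  # fresh login after teardown
    (T("10:00"), "bob",   "192.0.2.22", 3389),
    (T("10:15"), "bob",   "192.0.2.22", 3389),
    (T("14:00"), "bob",   "192.0.2.22", 3389),  # 4 h after login
]
```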

Well, I can partly agree. Some people might have a legitimate need to log on to their home computers to get work done. They might have a piece of software they are more comfortable with, and accessing it on their home machines avoids potential liabilities for having unlicensed software on their computers. Windows Remote Desktop acts as no more than a "dumb terminal" to one's home machine. The admins on the client side can disable file transfers and still allow Remote Desktop to be used. You are simply running and executing software on your home machine. Your programs and files would all be there, and nothing would be transferred to the company network. I don't see anything wrong with that. Remote Desktop, with file transfer disabled by network admins, is a secure way to be able to contact your home computer and use it for your work, without compromising the company network.

Reply to
Charles Newman

So, are you saying that you NEED to have the last word?

-Frank

Reply to
Frankster

So it seems for you - are you saying that you can't take the time to look up RBL and ISP Dynamic Address lists?

Are you saying that we have to hold your hand instead of you doing anything to look it up?

There has been more than enough information in this thread for any reasonable person to figure it out.

Reply to
Leythos

RD can be configured so that no file transfer can take place, so you could actually safely allow them to RD to their home machines. Just make sure that an administrator-level user has disabled any file transfers on Remote Desktop, and that should do it. Then they can go in/out without viruses going in or out.

Reply to
Charles Newman
