Not my potato



  •          The best sys. admins are control freaks.

    Q: Can you open/allow imap, smtp, snmp, 10050, and 10051 from the web server DMZ to the office for internal use only?

    Little bit later

    A:  Opened the ports you listed except for 10k ones, I've never heard of those... have a great weekend.

     

     The simple solution is for the developers (including me) to demand access to the firewall, but the lead developer accurately pointed out "No, let IT handle the firewall, when shit breaks we've got someone else to blame... It's not our potato."



  • You asked him to open up weird ports with no explanation, he rejected your request. That's exactly what my group would do (we're security). If you gave a good reason for it, then we'd consider/allow it.



  • @rbowes said:

    You asked him to open up weird ports with no explanation, he rejected your request. That's exactly what my group would do (we're security). If you gave a good reason for it, then we'd consider/allow it.

     

    Notice the request DID say for internal use only, so maybe taking some initiative and actually asking "what do you need this for?" to fill in the gaps wouldn't hurt.



  • @rbowes said:

    You asked him to open up weird ports with no explanation, he rejected your request. That's exactly what my group would do (we're security). If you gave a good reason for it, then we'd consider/allow it.

     

    Concur. Even worse security is to have the standard ports (SMTP and such) opened. Makes it easier for script kiddies as soon as one of the DMZ hosts is 0wned ....



  • @cklam said:

    Concur. Even worse security is to have the standard ports (SMTP and such) opened. Makes it easier for script kiddies as soon as one of the DMZ hosts is 0wned ....

    Which is why you would secure the DMZ hosts.  How else would you send mail internally if the ports weren't opened for it?



  •  @morbiuswilters said:

    @cklam said:

    Concur. Even worse security is to have the standard ports (SMTP and such) opened. Makes it easier for script kiddies as soon as one of the DMZ hosts is 0wned ....

    Which is why you would secure the DMZ hosts.  How else would you send mail internally if the ports weren't opened for it?

    Print it on a dot-matrix printer using endless "green-bar" paper, automatically run the paper over a wooden table whilst photographing each page, download the pictures from the cam to a "gateway server" in realtime where OCR is run over each page and the OCR results are reassembled to e-mail sent on the internal e-mail system.

    Seriously, they should have e-mail (and other application) gateways in the DMZ (which are of course secured) in order to minimize the number of holes that have to be poked into the firewall. And standard port numbers on principle should not be used. Most attackers are ignorant and this very simple measure defeats quite a large percentage of them (in my humble experience) .... one case where human ignorance is an advantage.



  • @cklam said:

    Seriously, they should have e-mail (and other application) gateways in the DMZ (which are of course secured) in order to minimize the number of holes that have to be poked into the firewall.

    Minimize the number of holes that have to be poked in the firewall?  You don't understand what a DMZ is, do you?  The external firewall should only have the needed ports opened.  This will not reduce the number of open ports in the firewall.

     

    @cklam said:

    And standard port numbers on principle should not be used. Most attackers are ignorant and this very simple measure defeats quite a large percentage of them (in my humble experience) .... one case where human ignorance is an advantage

    This is known as "security through obscurity".  It adds no security and just makes compatibility harder since services are running on non-standard ports.  Don't waste your time on this security theater nonsense, people.  It just gives you a false sense of security and distracts you from real methods to secure your networks and machines.



  • @cklam said:

    Most attackers are ignorant and this very simple measure defeats quite a large percentage of them (in my humble experience)
    You've never seen an attacker using nmap? Sounds like a nice rock you work under.



  •  @rbowes said:

    You asked him to open up weird ports with no explanation, he rejected your request. That's exactly what my group would do (we're security). If you gave a good reason for it, then we'd consider/allow it.

    So when you get a request you don't understand, you simply reject it out of hand instead of soliciting more information?

    I get "bug reports" all the time that take the format of "The [something] isn't working."  I can just imagine how well things would turn out if I started immediately closing the cases, noting "Never heard of that issue, bye!"

    Yeah, I'm annoyed when people ask me to do something without giving me enough information on what it is they want me to do and/or why.  It's particularly infuriating with people who've been through the process dozens of times already and ought to know better - and likely do know better but are just being lazy.  Nevertheless, it's incredibly unprofessional to simply ignore the requests or perfunctorily reject them.  How much harder is it to reply that you need more information, and to specify what that is?



  • @Aaron said:

    So when you get a request you don't understand, you simply reject it out of hand instead of soliciting more information?
     

    I agree he could have been more verbose in his reply, but the request could have also been more verbose. Sounds to me like both people might have been racing for the weekend.

    I don't see how he 'reject[ed] it out of hand'. I read it as "I opened the ones I could immediately allow. You are going to need to convince me to open the other ones though.".

     

    Sounds about right to me.



  • @bstorer said:

    @cklam said:
    Most attackers are ignorant and this very simple measure defeats quite a large percentage of them (in my humble experience)
    You've never seen an attacker using nmap? Sounds like a nice rock you work under.
     

    I have.

     

    Most of my attackers only come through the well-known ports. Remarkable, really.

    I have no explanation, really. I assume it must have something to do with ignorance, though.

     



  • @cklam said:

    I assume it must have something to do with ignorance, though.
     

    Funny. That's what I thought about your post advising them to not open 'well known ports'.



  • @morbiuswilters said:

    @cklam said:

    And standard port numbers on principle should not be used. Most attackers are ignorant and this very simple measure defeats quite a large percentage of them (in my humble experience) .... one case where human ignorance is an advantage

    This is known as "security through obscurity".  It adds no security and just makes compatibility harder since services are running on non-standard ports.  Don't waste your time on this security theater nonsense, people.  It just gives you a false sense of security and distracts you from real methods to secure your networks and machines.

    Seconded. In fact, I find it amusing how many script kiddies pound on tcp/22 all the time. The only thing they're achieving is a bunch of entries in my LDAP's access log.

    I did redirect weird ports once, but that is because BIS doesn't let me connect to ports < 1024, so I had to set up a > 1024 for ssh. Mind you, it's a "cannon-fodder" box, not the real server. ;)



  • @danixdefcon5 said:

    I did redirect weird ports once, but that is because BIS doesn't let me connect to ports < 1024, so I had to set up a > 1024 for ssh. Mind you, it's a "cannon-fodder" box, not the real server. ;)

    Using non-standard ports is fine if you have to because your process doesn't have root privileges.  However, it's usually a better idea in larger corporate networks to do port-mapping at the router or firewall so externally the ports still appear to be standard.  This can actually be quite useful to restrict access to services by using different > 1024 ports, for example ports 2501, 2502 and 2503 for 3 different mail services within the company network that need to be individually locked-down.  In that case, the point isn't to make it more secure by hiding the port but instead to make it easier to block and route traffic based on the enumerated destination ports.
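The arrangement morbiuswilters describes above (standard ports on the outside, enumerated internal ports so each service can be locked down on its own), together with the earlier point that a port scanner finds a service wherever it listens, as an added example that is not part of the thread. It is a small Python model of a zone-based packet filter with a port-forwarding (DNAT) table: the addresses, the three zones, the public IPs and the 2501-2503 assignments are constructed for the example, and the 10050/10051 comments use the IANA-registered service names zabbix-agent and zabbix-trapper (the thread never says what those ports were for). Running it shows that the per-port scheme is a routing and filtering convenience, not a hiding place: a full-range probe from the DMZ lists tcp/2503 right next to tcp/25.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing for the three zones in the thread (not from the post).
# 0.0.0.0/0 is the catch-all; zone_of() uses the longest prefix, so it only matches
# what no other zone claims.
ZONES = {
    "office": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}


def zone_of(addr: str) -> str:
    """Map an address to a zone by longest-prefix match."""
    ip = ipaddress.ip_address(addr)
    for name, net in sorted(ZONES.items(), key=lambda kv: -kv[1].prefixlen):
        if ip in net:
            return name
    raise ValueError(addr)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    action: str  # "accept" or "drop"


# Port forwarding applied before the filter: (public_ip, proto, port) -> (internal_ip, port).
# Externally every mail service answers on standard tcp/25; internally each one gets its
# own port so the filter below can treat them separately (the 2501-2503 scheme).
DNAT = {
    ("192.0.2.25", "tcp", 25): ("10.0.5.10", 2501),  # mail service A (constructed)
    ("192.0.2.26", "tcp", 25): ("10.0.5.10", 2502),  # mail service B (constructed)
    ("192.0.2.27", "tcp", 25): ("10.0.5.10", 2503),  # mail service C, internal only
}

# First match wins; anything unmatched is dropped.
POLICY = [
    # The request from the thread: DMZ -> office, internal use only.
    Rule("dmz", "office", "tcp", 25, "accept"),     # smtp
    Rule("dmz", "office", "tcp", 143, "accept"),    # imap
    Rule("dmz", "office", "udp", 161, "accept"),    # snmp
    Rule("dmz", "office", "tcp", 10050, "accept"),  # zabbix-agent (IANA name)
    Rule("dmz", "office", "tcp", 10051, "accept"),  # zabbix-trapper (IANA name)
    # Per-service lock-down on the enumerated internal ports.
    Rule("internet", "office", "tcp", 2501, "accept"),
    Rule("internet", "office", "tcp", 2502, "accept"),
    Rule("dmz", "office", "tcp", 2503, "accept"),   # service C reachable only from the DMZ
]


def evaluate(src: str, dst: str, proto: str, dport: int):
    """Return (action, translated_dst, translated_port) for one packet."""
    dst, dport = DNAT.get((dst, proto, dport), (dst, dport))  # translate first
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == (src_zone, dst_zone, proto, dport):
            return rule.action, dst, dport
    return "drop", dst, dport


def reachable_ports(src: str, dst: str, proto: str, ports) -> list:
    """What a full-range scan from src would find: every accepted port, standard or not."""
    return [p for p in ports if evaluate(src, dst, proto, p)[0] == "accept"]


if __name__ == "__main__":
    print(evaluate("192.0.2.5", "10.0.1.20", "tcp", 10051))   # ('accept', '10.0.1.20', 10051)
    print(evaluate("198.51.100.7", "192.0.2.25", "tcp", 25))  # ('accept', '10.0.5.10', 2501)
    print(evaluate("198.51.100.7", "192.0.2.27", "tcp", 25))  # ('drop', '10.0.5.10', 2503)
    print(reachable_ports("192.0.2.5", "10.0.1.20", "tcp", range(1, 65536)))
```

The translated destination is what the filter sees, which is why the same external port 25 can land on three differently governed internal ports; the scan result is the flip side of the obscurity argument, since the odd-numbered port appears in the list as plainly as the well-known ones.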

