how about the basics? [was: Re: Blocking port 53]
gadi at tehila.gov.il
Mon Mar 28 12:58:21 UTC 2005
John Levine wrote:
> I thought everyone ran an ssh server on port 443 by now. It's
> the easiest way to get through these overbearing firewalls.
Agreed. As we all know, applications running on web servers are the
easiest way to get into an organization. Run as many routers and
firewalls as you like, people will just cut through them.
Some easy questions are:
- How easy is it to break in, applicatively? [secure code &
architecture, pen-test, etc. and not just when the site goes
- What do you do to protect the application? [application filtering on
some level - not many good solutions, sniffer/resets,
inline/drop, reverse proxies, etc.]
- Once through the application, what do you do to protect the server?
[hardening, ports, services, FW]
- DB security? What's that?
- Once on the server, what do you do to make sure the machine cannot get
to the rest of your network? Is your solution local or network based?
That's an ancient, beaten-to-death issue that people just piss all over.
Web applications today are simply the door into your organization and
This is all costly, but you could do some of these things without any
additional costs above an hour or two of your time.
I state the obvious again: protect your web servers!
Try and make sure only HTTP/SSL communication goes through ports 80/443,
respectively. Most worthwhile corporate firewalls today support this
type of application filtering.
It won't help you with spyware like (imo) Kazaa (or legit software) that
goes over HTTP, but you get my point.
Aside from being a nice way to circumvent firewalls to go and IRC or use private
mail servers, we also lately see many botnet C&Cs using these ports.
It may only be half relevant to nanog, and for that I apologize, but I
take the chance to remind people of how important this all is on *ANY*
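A defender-side check of the kind the port 80/443 filtering above implies, added here as an example and not part of the original post or of any firewall product: it peeks at the first bytes a client sends and flags flows on 80/443 whose payload does not look like HTTP or TLS (for instance an SSH banner on 443). The sample payloads are constructed, and the byte-pattern heuristics are this example's own, not a vendor's.

```python
# Constructed sample payloads: the first bytes of a client's first TCP
# segment, paired with the destination port they were seen on. Not real captures.
SAMPLES = [
    (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32),  # TLS ClientHello
    (443, b"SSH-2.0-OpenSSH_3.9p1\r\n"),                                    # SSH banner on 443
    (80,  b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),                  # plain HTTP request
    (80,  b"NICK bot123\r\nUSER bot 0 * :bot\r\n"),                         # IRC-style chatter on 80
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
# What the policy in the post expects on each port: HTTP on 80, SSL/TLS on 443.
EXPECTED = {80: "http", 443: "tls"}


def classify_payload(data: bytes) -> str:
    """Guess the application protocol from the first bytes a client sends."""
    if data.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x03,
    # a two-byte length, then handshake type 0x01 (ClientHello).
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x03 and data[5] == 0x01):
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def check_flow(port: int, data: bytes):
    """Return (protocol guess, allowed) for a flow on the given port.
    Only the protocol expected on that port is allowed; anything else is flagged."""
    proto = classify_payload(data)
    expected = EXPECTED.get(port)
    return proto, expected is not None and proto == expected


def audit(samples):
    """Run the check over all samples and return the (port, protocol) pairs to flag."""
    flagged = []
    for port, data in samples:
        proto, allowed = check_flow(port, data)
        if not allowed:
            flagged.append((port, proto))
    return flagged


if __name__ == "__main__":
    for port, proto in audit(SAMPLES):
        print(f"port {port}: {proto} traffic where {EXPECTED[port]} was expected")
```

The two flagged flows are the SSH banner on 443 and the non-HTTP chatter on 80; the same first-bytes heuristic works for plain HTTP on 443 only if you also treat an unencrypted request there as a mismatch, which this check does because "http" is not the protocol expected on 443.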