how about the basics? [was: Re: Blocking port 53]

Gadi Evron gadi at tehila.gov.il
Mon Mar 28 12:58:21 UTC 2005


John Levine wrote:
> I thought everyone ran an ssh server on port 443 by now.  It's
> the easiest way to get through these overbearing firewalls.

Inbound:
--------
Agreed. As we all know, applications running on web servers are the 
easiest way to get into an organization. Run as many routers and 
firewalls as you like, people will just cut through them.

Some easy questions are:
- How easy is it to break in, applicatively? [secure code &
	architecture, pen-test, etc. and not just when the site goes
	live]
- What do you do to protect the application? [application filtering on
	some level - not many good solutions, sniffer/resets,
	inline/drop, reverse proxies, etc.]
- Once through the application, what do you do to protect the server?
	[hardening, ports, services, FW]
- DB security? What's that?
- Once on the server, what do you do to make sure the machine cannot get
	to the rest of your network? Is your solution local or network based?
	[PFW? VLAN?]

That's an ancient, beaten-to-death issue that people just piss all over. 
Web applications today are simply the door into your organization and 
your network.

This is all costly, but you could do some of these things without any 
additional costs above an hour or two of your time.

I state the obvious again: protect your web servers!

Outbound:
---------
Try and make sure only HTTP/SSL communication goes through ports 80/443, 
respectively. Most worthwhile corporate firewalls today support this 
type of application filtering.

It won't help you with spyware like (imo) Kazaa (or legit software) that 
goes over HTTP, but you get my point.

Aside from being a nice way to circumvent firewalls to go and IRC or use 
private mail servers, we also lately see many botnet C&Cs using these ports.

It may only be half relevant to NANOG, and for that I apologize, but I 
take the chance to remind people of how important this all is on *ANY* 
opportunity.

	Gadi.
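The outbound filtering Gadi describes (only HTTP on 80, only SSL/TLS on 443, regardless of what port number a flow happens to use) comes down to looking at the first bytes a client sends and comparing the protocol they reveal with the protocol the port is supposed to carry. The following is an added example, not code from the original post or from any firewall product: a small classifier that labels a flow from its opening payload and flags mismatches such as an SSH banner on 443. The sample flows, the `EXPECTED` table and the verdict strings are constructed for illustration.

```python
"""Check that traffic on port 80 really is HTTP and traffic on port 443
really is TLS, from the first bytes the client sends.

Added example, not from the original post. The sample flows below are
constructed by hand; EXPECTED and the verdict strings are assumptions.
"""
import re

# RFC 7230 request line: METHOD SP request-target SP HTTP/x.y CRLF
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) \S+ HTTP/\d\.\d\r\n"
)

# What each port is meant to carry, per the post: HTTP on 80, SSL/TLS on 443.
EXPECTED = {80: "http", 443: "tls"}


def classify_payload(data: bytes) -> str:
    """Return a coarse protocol label from the first bytes a client sends."""
    if HTTP_REQUEST_LINE.match(data):
        return "http"
    # TLS record header: content type 0x16 (handshake), major version 3,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    # SSH identification string (RFC 4253 section 4.2) is sent in the clear.
    if data.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def check_flow(dst_port: int, data: bytes) -> dict:
    """Compare the observed protocol with what the destination port should carry."""
    observed = classify_payload(data)
    expected = EXPECTED.get(dst_port)
    if expected is None:
        verdict = "not-checked"      # port not covered by the policy
    elif observed == expected:
        verdict = "allow"
    else:
        verdict = "block"            # wrong protocol for this port
    return {"port": dst_port, "observed": observed, "expected": expected, "verdict": verdict}


# Constructed sample flows (destination port, client's first bytes), not captured traffic.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),   # plain HTTP
    (443, bytes.fromhex("160301 0200 0100 01fc 0303") + b"\x00" * 16),  # TLS ClientHello start
    (443, b"SSH-2.0-OpenSSH_9.6\r\n"),                                  # SSH tunnelled over 443
    (80, b"NICK user123\r\nUSER user 0 * :user\r\n"),                   # IRC-style chatter on 80
]


def audit(flows=SAMPLE_FLOWS) -> list:
    """Run the port/protocol check over a list of flows and return the verdicts."""
    return [check_flow(port, data) for port, data in flows]


if __name__ == "__main__":
    for r in audit():
        print(f"port {r['port']:>3}: observed={r['observed']:<7} "
              f"expected={str(r['expected']):<5} -> {r['verdict']}")
```

A real application-layer filter does the same thing on the live socket before forwarding any bytes; the point of the toy is that the decision rests on the payload's protocol, not on the port number, which is exactly why an SSH server parked on 443 shows up as a mismatch. As the post notes, anything that genuinely speaks HTTP (including spyware that does) passes this kind of check, so it narrows the hole rather than closing it.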
