Re: [Full-disclosure] Sony: No firewall and no patches
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Sony: No firewall and no patches
- From: "Dobbins, Roland" <rdobbins@xxxxxxxxx>
- Date: Wed, 11 May 2011 00:13:51 +0000
On May 11, 2011, at 6:51 AM, Thor (Hammer of God) wrote:
> My experience is quite different, and I have personally seen too many instances
> to count where the use of firewalls has, without question, been what has saved
> a company.
I would be extremely interested to learn details of how a stateful firewall in
front of a server saved a company, when stateless ACLs in hardware-based
network infrastructure devices would've led to failure. Seriously, if you
don't mind outlining the scenario, I think it would be very instructive.
> So, to wrap up my input in this regard, people should use what works for them
> assuming they know what problems they are trying to solve and how they are
> solving them.
If an attacker is already in a position to issue commands and induce your box
to do things, he *already has his covert channel over which he can exfiltrate
data*. So the outbound stateful checking of server response traffic is moot,
and simply constitutes a stateful DDoS chokepoint which makes it trivial for an
attacker to take down the server in question by filling up the state-tables of
said firewall with well-formed, programmatically-generated traffic.
That's my point, in a nutshell.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@xxxxxxxxx> // <http://www.arbornetworks.com>
The basis of optimism is sheer terror.
-- Oscar Wilde
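The chokepoint the reply describes, as an added model that is not code from this thread: a stateless ACL makes its permit/deny decision with no per-flow memory, while a stateful firewall's bounded table fills with well-formed connections that never send again, so later legitimate connections are refused; an idle timeout lets the table recover. Addresses, table size and the traffic stream are constructed for the example.

```python
from collections import OrderedDict

SERVER = ("192.0.2.10", 443)   # constructed server address (TEST-NET-1)

def stateless_acl(pkt):
    """Stateless ACL in hardware: permit TCP to the server, keep nothing."""
    return pkt["dst"] == SERVER and pkt["proto"] == "tcp"

class StatefulFirewall:
    """Every permitted flow occupies a slot in a finite state table."""
    def __init__(self, max_entries, idle_timeout=None):
        self.max_entries = max_entries
        self.idle_timeout = idle_timeout   # None models no expiry at all
        self.table = OrderedDict()         # flow key -> last-seen time
        self.dropped_new = 0               # legitimate SYNs refused when full

    def handle(self, pkt, now):
        if self.idle_timeout is not None:
            self._expire(now)
        key = (pkt["src"], pkt["dst"])
        if key in self.table:              # existing flow: refresh and permit
            self.table[key] = now
            self.table.move_to_end(key)
            return True
        if not stateless_acl(pkt):         # same policy as the ACL
            return False
        if len(self.table) >= self.max_entries:
            self.dropped_new += 1          # table exhausted: new flow refused
            return False
        self.table[key] = now
        return True

    def _expire(self, now):
        """Evict flows idle longer than the timeout (oldest first)."""
        while self.table:
            key, seen = next(iter(self.table.items()))
            if now - seen < self.idle_timeout:
                break
            self.table.popitem(last=False)

def simulate(firewall, n_idle_flows, t_legit):
    """Constructed stream: n well-formed SYNs at t=0 from distinct sources that
    never send again, then one legitimate client at t_legit. Returns whether
    the stateful firewall and the stateless ACL each admit the legitimate client."""
    for i in range(n_idle_flows):
        pkt = {"src": (f"203.0.113.{i % 250}", 1024 + i), "dst": SERVER, "proto": "tcp"}
        firewall.handle(pkt, 0)
    legit = {"src": ("198.51.100.7", 40000), "dst": SERVER, "proto": "tcp"}
    return firewall.handle(legit, t_legit), stateless_acl(legit)
```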
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/