Frank Tanner III
pctech at mybellybutton.com
Fri May 23 10:47:24 CDT 2003
Any truly publicly accessible box, i.e. any machine that is accessible from outside of your firewall, even through port forwarding.

--- Jim DeMarco <Jdemarco at hshhp.org> wrote:
> Just to clarify, I'm just running a dev box with no public access or server but using IIS to hit local pages/databases.
>
> >>Or your public servers would be behind the firewall<<
> By public server are you referring to any machine running a web server? Or a truly publicly accessible web?
>
> Thanks,
>
> Jim DeMarco
>
> -----Original Message-----
> From: Frank Tanner III [mailto:pctech at mybellybutton.com]
> Sent: Friday, May 23, 2003 11:20 AM
> To: accessd at databaseadvisors.com
> Subject: RE: [AccessD] OT: DSL/IIS/Viruses
>
> The IIS "viruses" are specifically why I run Apache for my web server. There are viruses for it, but they're a lot less common.
>
> Actually, a wireless LAN can be just as safe as a wired one, if you take the time to do it properly.
>
> Yes, the "software" firewalls that are commercially available are much more problematic than they're worth. PLUS you have the added hassle of there still being holes in the underlying OS that they're running on. Any firewall is only as secure as the OS that runs it. Whether it be Windows, Linux, BSD, OS/2, whatever. The "hardwired" and wireless routers that have a built-in firewall are perfectly fine for MOST people. However, they do not support DMZs. Therefore they're not advisable to use to run your public servers. You'd be stuck with one of two choices. Your public servers would be outside the firewall and extremely vulnerable to everything that came down the pipe. Or your public servers would be behind the firewall, so you'd open up the holes for that possible attack, as well as your LAN would be wide open to anyone that can exploit the server itself once they're on it. Once they have open access behind your firewall, they own your LAN, just as if you didn't have one.
>
> --- John Frederick <j.frederick at att.net> wrote:
> > 1. Concerning the wireless vs. wired LAN, I wouldn't expect wireless to be any safer.
> > 2. The IIS viruses are a different breed from the email viruses. I assume I got my IIS ones from these programs that are constantly searching for web servers. During the time I was on-line getting my email or browsing, I looked like a wide-open web server.
> > 3. A firewall doesn't have to be a big project. I'm told that there are low cost LAN routers that include a firewall function. You connect the DSL modem through that function. I can testify that the software firewalls on each machine interfere with many of the programs that otherwise operate across your LAN.
> >
> > -----Original Message-----
> > From: accessd-bounces at databaseadvisors.com [mailto:accessd-bounces at databaseadvisors.com]On Behalf Of Jim DeMarco
> > Sent: Friday, May 23, 2003 9:45 AM
> > To: accessd at databaseadvisors.com
> > Subject: RE: [AccessD] OT: DSL/IIS/Viruses
> >
> > What about running it on another machine on my (wireless) network that's not directly connected to my DSL modem but has Internet access via that connection? Is that any safer?
> >
> > Jim DeMarco
> >
> > -----Original Message-----
> > From: Frank Tanner III [mailto:pctech at mybellybutton.com]
> > Sent: Friday, May 23, 2003 9:29 AM
> > To: accessd at databaseadvisors.com
> > Subject: RE: [AccessD] OT: DSL/IIS/Viruses
> >
> > Personally, I wouldn't run ANY publicly accessible services on my LAN. There is a MUCH safer way to do it, but it isn't super cheap.
> >
> > I have a custom built firewall, which I run at home. The "public" side of it connects directly to my Internet connection, in this case a 1Mbit VDSL connection. Then I have a "private" side, which connects to my LAN, and has my strict firewall rules. Only what I want gets in and out. Lastly, I have a "DMZ". This is where I place my publicly accessible machines. It is still firewalled, but not as stringently as the LAN side, since the public needs to hit it. Even in this DMZ I only let through the ports I absolutely need to. Such as 80 & 443 for Web, 25 & 110 for e-mail, etc. My LAN is also firewalled from my DMZ in this configuration except for what's absolutely needed.
> >
> > In this configuration, unless I specifically open an e-mail with a virus attached, or something silly like that, I'm about as safe as one can get from "the big bad Internet". The worst that can happen is that there is an exploit for one of my publicly accessible boxes and they get compromised. My LAN is still safe.
> >
> > As a side note, my firewall, web server, and e-mail server are all running Linux or FreeBSD. This makes them less susceptible to all of the more common attacks that the "script kiddies" like to use. About 80% of the attacks and defacements on publicly accessible servers are done by "script kiddies". An added benefit is that IIS specific exploits have no effect other than to fill my logs, which archive and rotate off daily.
> >
> > Is this a bit excessive, since I don't run a business out of my home? Yeah, it is. But there's no such thing as too much security.
> >
> > --- John Frederick <j.frederick at att.net> wrote:
> > > Yes, it is necessary. When I started doing .asp on the same machine I used to dial-up to get email, I got, over some period of time, about a dozen different viruses, some of which propagated through my LAN to other machines. If you can't block the access from the net to your machines, you need to either use a firewall or disconnect the PWS machine from the LAN.
> > >
> > > P.S.: If you put firewalls, such as Norton or McAfee, on your machines, you can ask to be warned and have a chance to say ok or no when a program tries to access another machine or the net. You'll be amazed about how many Microsoft and other vendor programs do so for no reason related to your current operation in progress. If you're not already paranoid, that will make you so.
=== message truncated ===
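The three-zone layout Frank describes in the quoted message (a public side, a DMZ that only exposes 80/443/25/110, and a LAN that is firewalled from the DMZ) expressed as a policy, as an added example that is not code from the thread or from any poster. It is a small Python model of the forwarding policy with a minimal connection tracker, plus a renderer that emits the same policy as iptables FORWARD-chain commands. The interface names wan0/dmz0/lan0, the DMZ-to-WAN port 25 rule (so the mail server can deliver outbound mail), and the sample addresses are assumptions made for the example.

```python
"""Three-zone (WAN / DMZ / LAN) stateful forwarding policy.

Added example, not code from the mailing-list thread. Interface names,
the DMZ->WAN SMTP rule and all addresses below are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Zone -> interface name on the firewall box (assumed names).
IFACE = {"WAN": "wan0", "DMZ": "dmz0", "LAN": "lan0"}


@dataclass(frozen=True)
class Rule:
    src: str          # source zone
    dst: str          # destination zone
    proto: str        # "tcp", "udp" or "any"
    dports: tuple     # allowed destination ports; () means any port
    action: str = "ACCEPT"


# Only NEW connections that match a rule are allowed to start; replies are
# admitted by connection tracking. Anything not listed is dropped.
POLICY = [
    Rule("WAN", "DMZ", "tcp", (80, 443, 25, 110)),  # what the public may hit
    Rule("LAN", "DMZ", "tcp", (80, 443, 25, 110)),  # LAN uses the same public services
    Rule("LAN", "WAN", "any", ()),                  # LAN may go anywhere outbound
    Rule("DMZ", "WAN", "tcp", (25,)),               # assumed: mail server delivers outbound mail
    # Deliberately absent: DMZ -> LAN and WAN -> LAN. A compromised DMZ host
    # therefore cannot start a connection inward; only replies flow back.
]


def first_match(src: str, dst: str, proto: str, dport: int) -> Optional[Rule]:
    """First-match lookup over POLICY, as a packet filter would do."""
    for r in POLICY:
        if (r.src == src and r.dst == dst
                and r.proto in ("any", proto)
                and (not r.dports or dport in r.dports)):
            return r
    return None


class Firewall:
    """Minimal connection tracker: an accepted NEW flow is remembered so the
    reverse direction is accepted as ESTABLISHED without consulting POLICY."""

    def __init__(self) -> None:
        self.conntrack = set()

    def forward(self, src, dst, proto, sport, dport, saddr, daddr) -> str:
        key = (proto, saddr, sport, daddr, dport)
        reverse = (proto, daddr, dport, saddr, sport)
        if key in self.conntrack or reverse in self.conntrack:
            return "ACCEPT (ESTABLISHED)"
        rule = first_match(src, dst, proto, dport)
        if rule is None:
            return "DROP"
        self.conntrack.add(key)
        return "ACCEPT (NEW)"


def render_iptables() -> list:
    """Render POLICY as iptables FORWARD-chain commands (default-deny)."""
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in POLICY:
        cmd = f"iptables -A FORWARD -i {IFACE[r.src]} -o {IFACE[r.dst]}"
        if r.proto != "any":
            cmd += f" -p {r.proto}"
            if r.dports:
                cmd += " -m multiport --dports " + ",".join(map(str, r.dports))
        lines.append(f"{cmd} -m conntrack --ctstate NEW -j {r.action}")
    return lines


if __name__ == "__main__":
    # Constructed sample flows: 203.0.113.5 is a public client, 192.0.2.10 the
    # DMZ web/mail host, 10.0.0.20 a LAN workstation (documentation ranges).
    fw = Firewall()
    flows = [
        ("public -> DMZ web",        ("WAN", "DMZ", "tcp", 51000, 80,  "203.0.113.5", "192.0.2.10")),
        ("DMZ web reply",            ("DMZ", "WAN", "tcp", 80, 51000,  "192.0.2.10", "203.0.113.5")),
        ("public -> DMZ RDP",        ("WAN", "DMZ", "tcp", 51002, 3389, "203.0.113.5", "192.0.2.10")),
        ("compromised DMZ -> LAN",   ("DMZ", "LAN", "tcp", 4444, 445,  "192.0.2.10", "10.0.0.20")),
        ("public -> LAN directly",   ("WAN", "LAN", "tcp", 51001, 80,  "203.0.113.5", "10.0.0.20")),
    ]
    for name, f in flows:
        print(f"{name:26} {fw.forward(*f)}")
    print("\n".join(render_iptables()))
```

The property worth checking is the one Frank relies on: a compromised DMZ host can answer the public but cannot open a connection toward the LAN, because no rule exists for that direction and connection tracking only admits replies to flows the LAN or the public started. The rendered iptables lines are the same policy in the form it would be loaded on a Linux firewall; the ordering (state rule first, then per-zone NEW rules, default DROP) is what makes the model and the ruleset agree.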