Great Circle Associates Firewalls
(June 1994)

Subject: Re: What are the security risk in opening some UDP ports
From: Adam Shostack <adam @ bwh . harvard . edu>
Date: Tue, 21 Jun 94 15:25:00 EDT
To: loi @ gov . on . ca (Ian Lo)
Cc: firewalls @ GreatCircle . COM
In-reply-to: <9406211728 . AA05152 @ govonca . gov . on . ca>; from "Ian Lo" at Jun 21, 94 1:28 pm

Ian Lo wrote:

| Can anyone tell me what the security risks are, and how vulnerable we
| would be, in opening up the following UDP ports to the outside network,
| i.e. allowing the outside network to access the inside network directly
| via the following UDP ports:

	As a general rule, it's preferable to use a proxy server,
rather than allowing the packet through directly.  This allows some
logging, and possibly some action to be taken on the firewall.

| UDP ports      services
| 42              name service
| 53              domain

	Some people like to hide their internal names.  Often, the
information will leak anyway.  It may or may not be worth it.  Check
the archives for discussion.

| 70              gopher

	Gopherd has had problems in the past. (8lgm 4)  You should
decide if you need to run a server, since gopher guest accounts could
be used to get regular shell access.

| 80              www

	Mosaic had a major problem based on its extensive use of the
system() call.  It allowed rude WWW servers to run arbitrary commands
on your machine when your Mosaic client connected to them.  I don't
trust the Mosaic source, it was written by a 22-year-old.  (Not to say
that 22-year-olds can't write secure software, simply most don't have
the experience, mindset & skill to know what the attacks are likely to
be, know that preventing them is a really good idea, and then be able
to code things well enough that the attacks are actually blocked.)

| 119             nntp

	I'd build a proxy of some type.  INN was attacked, and
probably will be again.

| 123             ntp

	Do you really need it?  Can you sync your clocks some other way?

| 191             prospero
| 210             wais

	Again, all of these services are a matter of 'Do we need this
enough for the risk we're taking?'  Some are more dangerous than
others.  Services where the daemons run as root on your machine are
probably a greater risk than those services that do not.  Check out
Cheswick & Bellovin, "Repelling the Wily Hacker", for a discussion of
how to construct a good firewall policy.

Adam


-- 
Adam Shostack 				       adam @ bwh . harvard . edu

Politics.  From the Greek "poly," meaning many, and ticks, a small,
annoying bloodsucker.
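Adam's general advice, a proxy on the firewall rather than a direct packet-filter hole, applied to the port 53 entry in Ian's list. This is an added example and not code from the original thread: a small UDP relay that logs every inbound query and only forwards names under a public zone list, so probes for internal host names are dropped at the firewall. The zone list, the inside server address (192.0.2.53) and the listening address are assumptions.

```python
import socket
import struct

PUBLIC_ZONES = ("example.com.",)  # assumption: zones outsiders may ask about; all else dropped

def parse_question(packet):
    """Return (qname, qtype) from a DNS query; raise on malformed input."""
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set means a response, not a query
        raise ValueError("not a query carrying a question")
    labels, pos = [], 12
    while packet[pos] != 0:  # IndexError here means a truncated name
        length = packet[pos]
        if length & 0xC0 or pos + 1 + length > len(packet):  # no pointers in questions
            raise ValueError("bad label")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels).lower() + ".", struct.unpack("!H", packet[pos + 1:pos + 3])[0]

def decide(packet):
    """Apply the proxy policy to one datagram -> ('forward'|'drop', log reason)."""
    try:
        qname, qtype = parse_question(packet)
    except (ValueError, struct.error, IndexError) as exc:
        return "drop", "malformed query: %r" % exc
    if any(qname == z or qname.endswith("." + z) for z in PUBLIC_ZONES):
        return "forward", "%s qtype=%d" % (qname, qtype)
    return "drop", "%s outside public zones" % qname

def build_query(name, qtype=1, txid=0x1234):
    """Constructed sample input: a minimal recursion-desired query for `name`."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def serve(listen=("0.0.0.0", 53), inside=("192.0.2.53", 53)):
    """Relay accepted queries to the inside name server and log every verdict."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        packet, client = sock.recvfrom(512)
        verdict, reason = decide(packet)
        print("%s:%d %s %s" % (client[0], client[1], verdict, reason))
        if verdict == "forward":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
                up.settimeout(2)
                up.sendto(packet, inside)
                try:
                    sock.sendto(up.recvfrom(512)[0], client)
                except socket.timeout:
                    pass
```

Binding port 53 needs privilege, so this relay deserves the same scrutiny Adam gives any daemon running as root; the decision and parsing code itself can be exercised offline with build_query().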


